Researchers have discovered a website tricking users into downloading a fake Firefox update. The site conducts a phony security scan and prompts the victim to install malware on their machine.
The site, which has been shut down, contained a Mozilla Firefox logo and a malicious executable file. Visitors to the site were greeted with a fake scan, a technique commonly used to push rogue antivirus software. After the bogus scan, the site suggests the user update their browser in order to be more protected from “different Internet dangers.”
The user is prompted to download the executable file, which GFI detected as Trojan.Win32.Generic!BT. Once the malicious program is installed, the malware opens new windows or tabs in browsers that direct to different survey pages.
“Based on multiple tests, minutes after the said pages load, this executable connects to various websites to download and install random programs, some of which may be legitimate,” said Jovi Umawing of GFI in the company’s blog. GFI Labs also identified several other websites running similar scams.
The technique, while not as widely used as fake antivirus or phishing, is not new.
A similar phony browser update scam was detected by Symantec in 2010. In that attack, according to Symantec, a dialogue box apparently forced Firefox and Chrome update notification windows to pop up. Once downloaded, the executable looks like a variation of Security Tool, a scareware application that displays exaggerated pop-ups.
“If more savvy users don’t download the misleading application executable, then these websites will redirect users to a website that, in turn, further redirects to a malicious website that is hosting the infamous Phoenix exploit kit,” wrote Symantec researcher Parveen Vashishtha.
Phoenix, which is heavily protected against detection by antivirus software, exploits vulnerabilities in Web browsers to deliver additional malware into the system.
Attackers have also attempted to trick users into installing bogus Microsoft security updates.