
Overview

Proofpoint, a cyber security company, has been keeping a close eye on some threat actors that are targeting everyday businesses. These threats come in the form of fake browser updates. Imagine you’re browsing the internet, and suddenly, a pop-up message from a trusted browser like Chrome, Firefox, or Edge appears, telling you that your browser needs an update. When you click on it, you download malware instead of a real update.

Proofpoint’s research shows that one group, called TA569, has been using this trick for over five years to spread harmful SocGholish malware. Lately, other bad actors have started copying this method. They all have a unique way of doing it but rely on the same trick to lure people in.

This is a big deal because it takes advantage of our trust in our web browsers and the websites we visit. These bad actors add hidden code to websites, making them show these fake update messages. When you click on them, they take you to a site they control and make it look like a legitimate browser update. Then, they sneakily download malware onto your device without you realising it.

Figure 1: Fake Chrome update – https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates

How effective are they, and what are the dangers?

These fake browser update attacks work so well because cybercriminals are using our understanding of online safety against us. In security training, we’re told to be cautious and only accept updates or click on links from websites or people we know and trust. We’re also encouraged to verify that the sites we visit are legitimate. These fake browser updates exploit this training because they compromise trusted websites. They use malicious JavaScript requests to run checks in the background and replace the actual website with a fake one that appears to be a legitimate browser update. So, to an ordinary user, it still looks like the same old website they intended to visit, now asking them to update their browser.

When it comes to these threats, Proofpoint hasn’t identified any bad actors directly sending emails with harmful links. Instead, the compromised website URLs show up in email traffic in various ways. They can be in regular emails sent to everyday users who have no idea the websites are compromised. They can also appear in monitoring emails, like Google alerts, or in mass email campaigns, like those sending out newsletters. This means that these emails are considered harmful while the website is compromised.

It’s important to understand that these fake browser update threats are not just a problem with email. Users can stumble upon these malicious sites from various sources, like search engines, social media sites, or simply by typing in a web address. They could then get lured into downloading the malware.

Another issue with these attacks is that each campaign cleverly filters its traffic to hide from researchers and delay detection. All their methods are effective at staying hidden. While this might limit how far their malicious content spreads, it lets these bad actors keep control of the compromised sites for longer periods. This creates a challenge for those trying to respond to the threat. With multiple campaigns and changing harmful content, responders must determine what to look for and find the right indicators of compromise when the download happens.

How to keep safe

To stay safe and prevent falling victim to fake browser update attacks, here are some practical steps users can take:

  • Stay Informed: Knowledge is your best defence. Stay informed about the latest security threats and understand how fake browser update attacks work.
  • Trust Your Gut: Be cautious when you encounter unexpected browser update prompts. Treat them with scepticism if you haven’t manually initiated a browser update.
  • Check the URL: Verify the URL in your browser’s address bar by clicking on any update prompt. Ensure it matches your browser’s official website (e.g., chrome.com for Google Chrome). Watch for misspellings or unusual domains.
  • Keep Your Software Updated: Regularly update your web browser and operating system. Legitimate updates are typically provided through your browser’s settings or the official website.
  • Use Browser Extensions: Consider installing browser extensions or add-ons to help identify malicious websites and prevent you from accessing them.
  • Enable Automatic Updates: Configure your browser and operating system to install updates automatically. This reduces the risk of being tricked into downloading fake updates.
  • Verify Sources: Only download updates from official sources. If you need help with an update, go directly to the official website of your browser or operating system.

Following these precautions and staying vigilant can reduce the risk of falling for fake browser update attacks and keep your business and personal data safe.

So, the bottom line is, be careful when you see a browser update message, especially if it pops up on a website you weren’t expecting it from. It could be a trap set by cybercriminals.
