Last month, security company Proofpoint warned that hackers can inject script into poorly protected web pages. The script, which targets the Chrome browser on Windows, rewrites the compromised page in the victim’s browser to make it unreadable and creates a fake issue for the user to resolve.
A popup, which contains the message “The ‘HoeflerText’ font wasn’t found,” urges users to download an update to their computers. The update, however, is actually a malware download.
“The ‘HoeflerText font not found’ malware lure, which targets Google Chrome users on Windows, continues to make the rounds via compromised WordPress sites,” wrote Tod Beardsley, research director at cybersecurity specialist Rapid7. The attack, he noted, gets a lot of design elements right where other malware lures fail. “The prompt is disguised as a seemingly-legitimate popup sourced from the browser,” he explained.
Rapid7 says that hackers are attempting to launch their scam via WordPress sites. “So far, the attacks appear to be limited to compromised WordPress sites — a field that is, unfortunately, rich with targets,” said Tod Beardsley in the statement. “Chrome users should be aware that legitimate warnings from the Chrome browser will never appear as overlays to a web page. Specifically, Chrome does not offer any functionality for prompting for a missing font download, and all such prompts are sourced from malware or malvertising campaigns.”
The malware campaign began on Dec. 10, 2016, according to Proofpoint, which says that the malicious download is a form of ad fraud malware known as Fleercivet.