Cybercriminals have created fake Google Chrome browser updates that infect Windows users with many kinds of malware in a multi-step but relentless process, Russian antivirus firm Dr. Web has found.
"The target audience is users from the USA, Canada, Australia, Great Britain, Israel, and Turkey, using the Google Chrome browser," Dr. Web researchers said in a blog post yesterday (March 25).
- The best antivirus software: Keep your PC free and clear of malware
- 'Free Netflix' coronavirus offer is actually a scam: Don't click on this
- Latest: LastPass, 1Password and other password managers can be hacked: What to do now
As of this morning (March 26), the malware, which comes in two similar variants, had been downloaded more than 3,000 times, according to logs on the legitimate code repository used to store the malware.
One of the phony installer programs, called "Critical_Update.exe", was created March 13. The other, "Update.exe", was created only yesterday.
How to avoid the phony Google Chrome installer
To make sure you don't fall victim to this attack, install and use some of the best antivirus software, which will eventually detect and block the malware involved. (Only a handful of antivirus brands can easily detect it as of this writing, according to the malware-detection index VirusTotal.)
You could also use Mozilla Firefox exclusively for the next few days until the bulk of the antivirus firms catch up and block the threat. As Microsoft Edge now shares its underpinnings with Chrome, we'd steer clear of that out of caution.
But more importantly, do NOT install anything from a website that informs you that you need to update the Google Chrome browser. Chrome doesn't work that way -- it updates on its own, behind the scenes, and you rarely need to do anything if you've already got it installed.
Stages of attack
The attack operates in several stages. First, the hackers attack vulnerable WordPress-based websites, "from online news blogs to corporate pages," as Dr. Web put it, and insert malicious but invisible JavaScript code to the sites' web pages.
Visitors to the corrupted sites who are using Google Chrome will be silently redirected to bogus Google pages that inform the visitors they need to update their browsers, with a handy button for download.
If the victims fall for the trick and install the "updates," they'll actually be installing TeamViewer, a legitimate remote-desktop tool that gives the hackers real-time remote control of your computer. They'll also install a script that makes sure that the Microsoft Defender antivirus software built into Windows is unaware of what's going on.
Dr. Web researchers said the hackers, using TeamViewer, would then install spyware on the infected computers, or keyloggers to capture passwords and usernames. In fact, the hackers could install pretty much anything on your machine, including ransomware, cryptocurrency stealers or botnet malware.
(Tech-savvy users can try blocking TeamViewer's preferred port, port 5938. But TeamViewer then defaults to using ports 443 and 80, and blocking those would block all web traffic.)
A message to WordPress users
Millions of websites use the free WordPress web-publishing platform, and the core WordPress developers fix security flaws quickly. The problem is that WordPress, an an open platform, has thousands of optional plug-ins that can be written by anyone and then used by website administrators to add features and functions.
Many of those third-party plug-ins have security holes that criminals can discover and exploit, and a few of them are definitely malicious.
If you use WordPress for your blog or website, please keep your core WordPress build updated and be very careful about using plug-ins.
