Fake Google Chrome updates unleash banking trojan

Chris Boyd, a researcher with security firm GFI Software, uncovered the scam, which is a reprise of a similar technique from a few months ago – and the file itself has been spotted on 14 websites since October. In both cases, the propagation technique relies on consumer ignorance.

“’Oh hey, a new Chrome update! I’d better hurry up and download the file from this random website with no apparent connection to anything remotely related to my web browser’”, wrote Boyd. “There are things better left unsaid, and the above is probably floating around near the top somewhere.”

The update alert leads to a website using Google’s official font and displaying the Chrome logo, which urges users to download an executable file: “Update Google Chrome: To make sure that you’re protected by the latest security updates.”

Google itself is somewhat to the rescue, however: if the unsuspecting consumer tried to download the ‘update' from within Chrome itself, Google pops up a warning that the executable file “appears malicious.”

Boyd noted that the file is listed at Malwr.com “which mentions attempts to access Firefox’s Password Manager local database – meanwhile, it’s listed on the comments section of [free online malware scanner] VirusTotal as being capable of stealing banking credentials.”

In the latter case, the file appears to be related to the Zeus banking trojan. “Indeed, one of the DNS requests made is to a site by the malware is related to ZBot / Blackhole exploit kit attacks,” Boyd said.

Zeus is the undisputed king of the banking trojan scene, having become widespread and extremely effective. Once it infects a PC, Zeus monitors all outgoing browser requests and collects credentials and personal information entered into any forms – such as login details for online banking. It is also capable of modifying incoming web pages and uses this capability against the PC’s user.

“Put simply, you don’t want this anywhere near your computer and users of Chrome curious about updates should simply read the information on the relevant Google Chrome support page,” Boyd concluded.

What’s hot on Infosecurity Magazine?