Beware of Fake Google Chrome Update Pop-Ups that Install Malware

In the ever-changing cybersecurity landscape, a persistent threat appears in the form of a fake Chrome update. 

Usually, these efforts involve injecting harmful code into a website, which prompts individuals to update their web browsers with a popup message. 


A new effort has been operating since late April 2024.

When a website is hijacked, visitors receive a deceptive popup message a few seconds after it loads.

By clicking the offered link, users are led to malicious URLs meant to initiate a malware download, such as a remote access trojan or an infostealer; the most notorious malware of this type is SocGholish.

As of this writing, 341 websites display this fake browser update popup.

Specifics of the New Fake Browser Update Campaign

Malicious code is injected into vulnerable websites as the first step in the infection process for this new fake browser update campaign. 


Once a website has been compromised, visitors are shown the following deceptive popup message a few seconds after the page loads:

Deceptive Pop-up Message

The message, written in poor English, reads “Warning Exploit Chrome Detect. Update Chrome Browser” and includes a large blue Update button.

Sucuri said to Cyber Security News that the pop-up is displayed even to users who are not using the Chrome browser, highlighting its deceptive (and amateurish) nature.

A user is taken to one of several malicious URLs that are intended to start a malware download when they click the Update button.

The following URLs are a part of this campaign:

  • hxxps://photoshop-adobe[.]shop/download/dwnl.php
  • hxxps://brow-ser-update[.]top/download/dwnl.php
  • hxxps://tinyurl[.]com/uoiqwje3

These URLs were used to deliver malicious downloads from the server 185.196.9[.]156 under the common file name GoogleChrome-x86.msix, but they are no longer operational.

Sucuri’s SiteCheck remote website scanner detects this threat as malware.fake_update.3.

Threat Detected

Researchers mention that after gaining access to the WordPress admin interface, the attackers installed the plugin and uploaded the malicious popup code using its “Import” feature.

The campaign highlights the increasing tendency of hackers to use trusted plugins for illicit purposes.

This allows them to avoid being found by file scanners since most plugins keep their data in the WordPress database.

This tactic has been employed in other notable WordPress infection campaigns, such as the VexTrio DNS TXT redirects using the WPCode plugin and the Sign1 malware exploiting the Simple Custom CSS and JS plugin.
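Because the injected popup is stored in the WordPress database rather than in a file, a useful check is to scan stored option values directly. The following Python is an added example (not code from the article or from Sucuri's tooling): it refangs the indicators quoted above and searches constructed sample wp_options rows for them, decoding HTML entities first and adding a generic heuristic for variants that use fresh domains.

```python
import html
import re

# Indicators as printed in the article, kept in their defanged form.
DEFANGED_IOCS = [
    "hxxps://photoshop-adobe[.]shop/download/dwnl.php",
    "hxxps://brow-ser-update[.]top/download/dwnl.php",
    "hxxps://tinyurl[.]com/uoiqwje3",
    "185.196.9[.]156",
    "GoogleChrome-x86.msix",
]
LURE_TEXT = "Warning Exploit Chrome Detect"  # popup wording quoted in the article
SCRIPT_LURE = "inline <script> with 'update chrome' lure"

def refang(ioc: str) -> str:
    """Restore the form an indicator takes inside stored page content."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def scan_option_rows(rows):
    """Return (option_name, indicator) pairs for wp_options rows that match.
    Plugin data lives in the database, not on disk, so file scanners never
    see it. Values are HTML-entity decoded first because plugins often store
    user-supplied markup escaped, which defeats a naive substring search."""
    patterns = [refang(i) for i in DEFANGED_IOCS] + [LURE_TEXT]
    hits = []
    for name, value in rows:
        text = html.unescape(value)
        hits += [(name, p) for p in patterns if p.lower() in text.lower()]
        # Generic heuristic for variants on fresh domains: an inline script
        # in a plugin's stored content that carries an "update chrome" lure.
        if re.search(r"<script\b", text, re.I) and re.search(r"update\s+chrome", text, re.I):
            hits.append((name, SCRIPT_LURE))
    return hits

# Constructed sample rows (not real site data) to exercise the scan.
SAMPLE_ROWS = [
    ("blogname", "Example Site"),
    ("popup_module_1",
     "&lt;div&gt;Warning Exploit Chrome Detect. Update Chrome Browser&lt;/div&gt;"
     "&lt;a href=&quot;https://brow-ser-update.top/download/dwnl.php&quot;&gt;Update&lt;/a&gt;"),
    ("popup_module_2",
     "<script>setTimeout(function(){showBox('Please update Chrome now');},3000);</script>"),
    ("widget_text", "Installer name reported in the campaign: GoogleChrome-x86.msix"),
]

if __name__ == "__main__":
    for name, indicator in scan_option_rows(SAMPLE_ROWS):
        print(f"{name}: {indicator}")
```

On a live site the same function can be fed the result of `SELECT option_name, option_value FROM wp_options`; the `wp_posts` table deserves the same treatment since some plugins store popup content there.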

Recommendations

  • Employ a “use it or lose it” policy on your website.
  • Generate strong and unique passwords for all of your accounts.
  • Use 2FA and restrict access to your WordPress admin and other sensitive pages.
  • Keep your website software patched and up-to-date.
  • Use a web application firewall.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.