Browser applications such as Google Chrome, Internet Explorer, Safari, Firefox etc are windows to the internet world. You can dive and surf onto the internet using such applications. The whole world is now under your watch through these browser windows.
However there are different kinds of threats also sitting on the other side of these windows. They are ready for you to get distracted so they can make entrance to your world. A little bit of carelessness can cost you your system, your business data or your personal or banking information.
Tech companies are always ready to safeguard us from such threats by making the first move. They will be pushing regular security updates to strengthen the security of their product line so that consumers will have seamless user experience. We as an end users are advised to be in sync with such regular security updates.
But what will happen if this update service is abused by hackers?
These fake downloader campaigns appear to be the work of threat actor TA569, also known as SocGholish. TA569 is known for compromising CMS servers and conditionally injecting and redirecting web traffic to social engineering kits.
“In June and July 2020, thousands of messages were sent to organizations in Canada, France, Germany, Spain, Italy, the United Kingdom, and the United States. In one campaign from early July alone, Proofpoint observed nearly 18,000 messages from this actor. These campaigns featured links to websites compromised with SocGholish HTML injects.” – Proofpoint
These messages include links which led to a spoofed browser update page. The page gives users messages like ‘Your are using an older version of Chrome’ and a download button to update the browser. It exploits the intended recipient’s desire to practice good security hygiene. Clicking on the update button downloads a JavaScript or HTA file which executes the next stage malware.
Below are examples of the fake browser update pages:
