"HoeflerText Font Wasn't Found" Malware Attack For Chrome Identified
Malware creators are becoming more and more skillful in their efforts to infect our systems. A new kind of malware has appeared recently, which infects websites and tries to persuade visitors to install it on their computers by displaying a "Font wasn’t found" message in Google Chrome. Make sure you read this article to see how you can avoid becoming infected with it.
- What is the “Font wasn’t found” attack?
- How the attack works
- What makes this kind of attack dangerous?
- Am I in danger of the “Font wasn’t found” attack?
What is the “Font wasn’t found” malware?
On February 18, 2017, Mahmoud Al-Qudsi of NeoSmart Technologies came across a WordPress website that was infected by malware. Al-Qudsi did not reveal the name of the website, for obvious reasons.
What was characteristic of this website was that the text had been replaced by arbitrary symbols. Simultaneously, Chrome displayed a message stating that the "HoeflerText" font was supposedly missing.
The "HoeflerText" font wasn't found.
The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".
How the attack works
If an unsuspecting user clicks on the Update button, a file named Chrome Font v7.5.1.exe will be downloaded to their computer.
At the same time, another message will open, which will try to "help" the user install the downloaded file.
At the time of this writing, Chrome does not recognize the file as malware, but it will display a warning that this file isn’t downloaded often, and may be dangerous.
By uploading the file to VirusTotal for a scan, Al-Qudsi found that no one else had uploaded it before. Also, only 9 out of the 59 antivirus engines recognized it as malicious.
At the time of writing this article, there are 40 antivirus engines which have added it to their malware lists.
What makes this kind of attack dangerous?
The "font wasn’t found" attack is plausible enough to fool even relatively experienced users.
First, HoeflerText is a real font. Regardless of its usage levels on websites, which aren’t known, it’s certainly not a name that was made up for this purpose.
Then, combined with the fact that not even a single letter appears correctly, something achieved by an infection via JavaScript, a “missing font” case seems possible.
The message is also quite well-designed, and can convincingly appear to come from the browser itself. It has the correct logo and the right color in the update button, while its grammar and spelling have no serious problems.
For those using Chrome in English, nothing seems particularly strange.
The only real anomaly is that the message states that the user’s current version of Chrome is 53.0.2785.89, which is a fixed number, regardless of the real version that is currently installed.
Most users, however, aren’t aware at any given moment of which version of Chrome they are running, especially since updates are frequent and are performed automatically. Chrome’s version can be found by clicking on the three-dots icon located at the end of the browser’s toolbar, and then navigating to Help -> About Google Chrome.
This will take you to a page which shows Chrome’s current version, and whether there are any updates available.
Alternatively, you could just type chrome://help in the browser’s address bar and hit Enter; you will be taken to the same page.
At the time of writing this article, the latest version of Google Chrome is 56.0.2924.87. If you’re running an older version, Chrome will let you know that there is a newer version available, if you navigate to the aforementioned page.
Additionally, according to infected users, this malware, once installed, will encrypt documents located on your hard drive. This means that it belongs to the ransomware category of malware, which will ask for ransom in order to unlock the encrypted files.
Am I in danger of the “Font wasn’t found” attack?
Even though this attack is not widespread, there are cases reported by users in which they either got their systems infected by downloading the malware, or they had their WordPress website infected with it.
Thus, make sure that you never download and install files (especially executables) that you don’t trust; what you could do in these cases is perform a quick search on the internet to find out more about the possibly harmful file. Also, website administrators should always keep their software updated, so as not to be exposed to known vulnerabilities.
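For website administrators, the signs described in this article (the "HoeflerText" message, the "Chrome Font Pack" wording, the Chrome Font .exe download and the fixed Chrome version number) can be checked for in the pages a site serves. The following is an added example, not code from NeoSmart Technologies or from the original article; the regular expressions, function names and sample pages are constructed for illustration.

```python
import html
import re

# Indicator strings come from the article; the regexes and names are this example's own.
LURE_PATTERNS = {
    "missing_font_text": re.compile(r"HoeflerText\"?\s+font\s+wasn't\s+found", re.I),
    "fake_font_pack": re.compile(r"Chrome\s+Font\s+Pack", re.I),
    "exe_download": re.compile(r"Chrome(?:\s|%20|_)+Font[^\"'<>]{0,20}\.exe", re.I),
}
FOUR_PART_VERSION = re.compile(r"\b\d+\.\d+\.\d+\.\d+\b")
UA_CHROME = re.compile(r"Chrome/(\d+\.\d+\.\d+\.\d+)")

def normalize(markup):
    """Decode HTML entities and straighten curly quotes so the patterns match."""
    text = html.unescape(markup)
    for curly, plain in (("\u2018", "'"), ("\u2019", "'"), ("\u201c", '"'), ("\u201d", '"')):
        text = text.replace(curly, plain)
    return text

def scan_page(markup, user_agent=""):
    """Return the names of the lure indicators found in one served page."""
    text = normalize(markup)
    hits = [name for name, rx in LURE_PATTERNS.items() if rx.search(text)]
    ua = UA_CHROME.search(user_agent)
    claimed = set(FOUR_PART_VERSION.findall(text))
    # The dialog shows a fixed version, so it rarely equals the visitor's real one.
    # Only checked when lure text is present, to avoid flagging unrelated numbers.
    if hits and ua and claimed and ua.group(1) not in claimed:
        hits.append("version_mismatch")
    return hits

# Constructed samples (not captured from a real site).
INFECTED = (
    '<div id="popup"><h1>The &quot;HoeflerText&quot; font wasn&#8217;t found.</h1>'
    '<p>To fix the error, you have to update the "Chrome Font Pack".</p>'
    "<p>Current version: Chrome 53.0.2785.89</p>"
    '<a href="/dl/Chrome%20Font%20v7.5.1.exe">Update</a></div>'
)
CLEAN = "<p>Body copy is set in Hoefler Text. Tested on Chrome 56.0.2924.87.</p>"
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36")

if __name__ == "__main__":
    print(scan_page(INFECTED, UA))
    print(scan_page(CLEAN, UA))
```

Any hit on a page you did not author yourself is a reason to inspect the site's templates and injected scripts.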
Don’t let silly malware attack attempts outsmart you! Let us know your experiences with malware in the comments section below!