Blog

Share this Post:

Say you head to your favorite blog on Google chrome, click an interesting article and this is what you see:

��������� �������� ��� ����� ������ ��� �� ���

You’re going to be confused right? Well, that’s exactly what hackers are hoping for. If you come to a page that looks like this, there’s a good chance the next thing you’ll see is a popup saying “The Hoefler Text Font Was Not Found” in a box with the real Google Chrome logo and instructions telling you to “Update the ‘Chrome Font Pack’”. Now most of us, if we didn’t know better, would click to download the pack, hoping that would make the blog readable.

Well, we are here to make sure you know better, and don’t click that download button.

Over the last month hackers have been targeting Google Chrome users with this “Fake Font” scam. This scam ends with users installing malware, specifically ad fraud malware called Fleercivet, onto their computers under the disguise of a “font pack”.

How is this happening?

Hackers have been placing bits of JavaScript into websites that will modify the website’s text rendering function. This is what causes the symbols to appear where there should be letters and words.  

Because this font and website is “unreadable” the prompt to upgrade the fonts becomes logical. Especially when the download prompt is formatted just like every legitimate Google Chrome download, and given the fact that Hoefler is a real font.

But it’s important to note that Chrome should be set to auto-update, and if it’s not you will see the three little dots in the top right corner in a different color (green, orange, or red) when there is an update. Before you ever update from a popup you should go to the browser itself and check it directly.

We’re going to offer some insight below on how to see this for the scam that it is. But the biggest and most important point here is this: you should pretty much never install something when prompted to by a random web site.  We know the world isn’t always that simple—that telling a legit Windows or Chrome update prompt from a bogus web site popup isn’t always easy. But erring on the side of caution if you’re not 100% sure why you’re being prompted to install something is always the right move.

How can you spot this scam?

Check the file name:

The downloaded file will be named “Chrome_Font.exe” but the download instructions – a popup that looks something like the image below – will show the file name as being “Chrome Font v7.5.1.exe. These file names should be the same if it’s a legitimate download.

Check your version of Chrome:

The download dialog box for this particular scam will always will say “Chrome Version 53” even if you aren’t running version 53. If you’re unsure on how to check your version of Chrome here are some instructions. (Just as an example I am currently running Chrome Version 56.0.2924.87)

Pay attention to warnings:

Even if you fail to be deterred by, or notice, the above red flags, you may receive a warning saying “This File Isn’t Downloaded Often”. Please pay attention to this!

Although Chrome doesn’t flag this as malware, virustotal now shows that 47/58 antivirus softwares view the file as malware, when just a week ago only 9/58 viewed it as such.
We recommend that you download with caution any time it’s from a source on the internet. As this scam illustrates, even something as innocent as a “font file” can be malicious. And as always, make sure your security procedures are up to date. If you’re unsure what good security looks like, have a peek at what we do for our clients. If you’re unsure if you’re browsing the web safely, reach out to see if we can help!