IT Support For Kenosha, Racine and Lake Counties

New Fake Google Chrome Update Campaign Targets Vulnerable Websites

New Fake Google Chrome Update Campaign Targets Vulnerable Websites - Absolute Computer System

The cybersecurity landscape is always evolving. The constant security threats mean cybersecurity services need to change as well.

One such threat that has cybersecurity experts scrambling is a fake Chrome update. This new attack involves injecting malicious code into websites. It prompts users to update their web browsers via a deceptive popup message. A new iteration of this campaign has been active since April 2024.

A compromised website presents visitors with a fake popup message that appears a few seconds after the page loads. Clicking the provided link redirects users to malicious URLs designed to start a malware download, such as a remote access Trojan. One of the most notorious of these malware families is SocGholish.

This fake Chrome campaign has compromised 341 websites. All these sites display the fake browser update popup.

Understanding the Fake Update Campaign

The infection process starts with the injection of malicious code into vulnerable websites. Users will see a deceptive popup message on the compromised site. The popup warns of an “Exploit Chrome Detect.” It also says the Chrome browser needs updating. The popup comes complete with a large blue “Update” button.

One cybersecurity services company reported that the popup appeared to all users, whether they were using Chrome or not. This underscores its deceptive and amateurish nature.

Clicking the “Update” button redirects users to one of several malicious URLs. These are:

  • hxxps://photoshop-adobe[.]shop/download/dwnl.php
  • hxxps://brow-ser-update[.]top/download/dwnl.php
  • hxxps://tinyurl[.]com/uoiqwje3

The links delivered malicious downloads from the server 185.196.9[.]156, under the file name GoogleChrome-x86.msix. The file is no longer operational, though.
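To check whether anyone on a network followed these links, the indicators above can be matched against web proxy logs. The following is an added example, not code from the article or the researchers it cites; the log format, client addresses and the "/dl/" path are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit
# Indicators exactly as the article lists them (defanged).
DEFANGED_URLS = [
    "hxxps://photoshop-adobe[.]shop/download/dwnl.php",
    "hxxps://brow-ser-update[.]top/download/dwnl.php",
    "hxxps://tinyurl[.]com/uoiqwje3",
]
DEFANGED_IP = "185.196.9[.]156"
PAYLOAD_NAME = "GoogleChrome-x86.msix"
# Shared services: match host + path, never the bare host (false positives).
SHARED_HOSTS = {"tinyurl.com"}

def refang(value):
    # Undo hxxp / [.] defanging so the value can be parsed and compared.
    return re.sub(r"^hxxp", "http", value, flags=re.I).replace("[.]", ".")

def build_rules():
    hosts, exact = {refang(DEFANGED_IP)}, set()
    for parts in (urlsplit(refang(u)) for u in DEFANGED_URLS):
        if parts.hostname in SHARED_HOSTS:
            exact.add((parts.hostname, parts.path))
        else:
            hosts.add(parts.hostname)
    return hosts, exact

def match_url(url, rules=None):
    # Returns the reasons a requested URL matches; an empty list means no match.
    hosts, exact = rules or build_rules()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    checks = {
        "host": host in hosts,
        "url": (host, parts.path) in exact,
        "filename": parts.path.rsplit("/", 1)[-1].lower() == PAYLOAD_NAME.lower(),
    }
    return [name for name, hit in checks.items() if hit]

def scan(log_lines):
    # Assumed log format (hypothetical): "<timestamp> <client> <method> <url>".
    rules = build_rules()
    rows = (line.split(maxsplit=3) for line in log_lines)
    return [(c, r) for _t, c, _m, u in rows if (r := match_url(u.strip(), rules))]
# Constructed sample traffic, not real logs; the "/dl/" path is made up.
SAMPLE_LOG = [
    "2024-04-30T10:01:02Z 10.0.0.5 GET " + refang(DEFANGED_URLS[2]),
    "2024-04-30T10:01:03Z 10.0.0.5 GET http://" + refang(DEFANGED_IP) + "/dl/" + PAYLOAD_NAME,
    "2024-04-30T10:02:00Z 10.0.0.7 GET https://tinyurl.com/abc123",
]
```

Calling `scan(SAMPLE_LOG)` flags the first two requests and ignores the unrelated tinyurl link, which is why the shortener is matched on its full path rather than its host.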

Researchers noted that the attackers gained access to the WordPress admin interface. They installed a plugin and uploaded the malicious popup code via WP’s “Import” feature.