False Firefox Update Page Spreading Malware
Security experts have revealed that a recent malware campaign is using a fake copy of the "Firefox Updated" page to get users to install a fake antivirus program, as reported by Softpedia on 27th July, 2010.
The fake page is an identical copy of the page that users see in Firefox after updating their version. The scammers use a recent version of the update page, one that advises users that their Flash version requires an update.
According to F-Secure's report, the user does not even need to click on the provided link, since a dialog box appears as soon as the page has loaded and asks the user to save the malicious ff-update.exe file on their system.
As soon as the user saves and runs the update, they get a fake antivirus product called "SecurityTool", which says "mspaint.exe" is infected with Virus.DOS.Glew.4245. The malware also tries to obtain credit card details via mspaint.exe, connecting to a remote host.
According to the report, the page has already been blocked by security experts; however, this does not mean that other malware pushing other variants of fake AV will not appear. The experts therefore advise users to be careful.
Commenting on the strategy used by the cyber crooks, the researchers said that the scammers are taking advantage of the trust users place in Mozilla by creating fake copies of the "whatsnew" page. This social engineering threat is no different from what cyber criminals do when they copy an authentic online banking website.
When the browser is updated (Firefox 3.5.3), Mozilla always checks whether Flash Player is up to date. If it detects an old version of the player, a warning message pops up on the "whatsnew" page asking users to download the latest version. The cyber criminals are exploiting this.
Security experts at F-Secure added that the scammers seem to be getting bored of their old methods of infecting users' computers with malware. Earlier it used to be a fake scanning page, leading to a warning, followed by a fake AV. Now it has changed into a Firefox 'Just Update' page. For some reason, the criminals can't decide whether it should be Firefox or Flash Player, making it a mix of both.
» SPAMfighter News - 09-08-2010