Fake software fixes fuel money-stealing malware threat


Online protection firm Proofpoint warns that new and sophisticated malware that impersonates Google Chrome and Microsoft has the potential to steal money from Windows device owners. Multiple groups of cybercriminals are using this malware, including some known for sending spam emails that can infect computers with malware or ransomware.

The malware poses as fake updates in internet browsers like Chrome to trick users into downloading harmful code. Once the code is on the computer, the hackers can access cryptocurrencies, sensitive files and personal information.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

Microsoft laptops (Microsoft) (Kurt “CyberGuy” Knutsson)

How does the fake update malware work?

Proofpoint identified a larger distribution of the malware this month, but the online protection firm believes the campaign has been ongoing since March 2024. The malware poses as fake Google Chrome, Word and OneDrive errors to coerce users into downloading harmful code. These errors prompt the visitor to click a button to copy a PowerShell “fix” into the clipboard, then paste and run it in a Run dialog or PowerShell prompt.

“Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk,” warns Proofpoint.

When the PowerShell script runs, it checks if the device is a valid target. Then, it downloads more payloads. These steps include clearing the DNS cache, removing clipboard content, showing a fake message, and downloading another remote PowerShell script.

Fake software fixes fuel money-stealing malware threat

ClickFix error message (Proofpoint) (Kurt “CyberGuy” Knutsson)

BEST ANTIVIRUS FOR PCS, MACS, IPHONES AND ANDROIDS – CYBERGUY PICKS

Cryptocurrency theft

This second script checks if it’s running on a virtual machine before downloading an info stealer. Once everything is ready, the hacker can access the victim’s cryptocurrency. This scheme redirects the victim’s funds to the hacker instead of the intended recipient.

Alternative attack method: Email lure

Proofpoint notes that bad actors also use another method called “email lure” to install harmful software. Emails, typically those that appear to be work- or corporate-related, contain an HTML file that resembles Microsoft Word. These emails prompt users to install the “Word Online” extension to view the document correctly.

Similar to the method above, users are prompted to open PowerShell and copy over malicious code. Proofpoint says the deceptive “campaign” is widespread. “The campaign included over 100,000 messages and targeted thousands of organizations globally,” according to the firm.

Fake software fixes fuel money-stealing malware threat

HTML attachment containing instructions on how to copy and paste PowerShell that leads to the installation of malware (Proofpoint) (Kurt “CyberGuy” Knutsson)

DON’T LET SNOOPS NEARBY LISTEN TO YOUR VOICEMAIL WITH THIS QUICK TIP

5 ways to protect yourself from harmful software

The fake Chrome and Microsoft Word malware creates a sense of urgency, making users click on the links and unknowingly compromise their devices. There are several steps you can take to protect yourself from such malware.

1) Have strong antivirus software: The best way to protect yourself from clicking malicious links that install malware that may get access to your private information is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

2) Use a VPN: Consider using a VPN to protect against being tracked and to identify your potential location on websites that you visit. Many sites can read your IP address and, depending on their privacy settings, may display the city from which you are corresponding. A VPN will disguise your IP address to show an alternate location. For the best VPN software, see my expert review of the best VPNs for browsing the web privately on your Windows, Mac, Android and iOS devices.

3) Monitor your accounts: Regularly review your bank statements, credit card statements and other financial accounts for any unauthorized activity. If you notice any suspicious transactions, report them immediately to your bank or credit card company.

4) Place a fraud alert: Contact one of the three major credit reporting agencies (Equifax, Experian or TransUnion) and request a fraud alert to be placed on your credit file. This will make it more difficult for identity thieves to open new accounts in your name without verification.

5) Enable two-factor authentication: Enable two-factor authentication whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your phone, in addition to your password.

HOW TO REMOVE YOUR PRIVATE DATA FROM THE INTERNET

Kurt’s key takeaways

Hackers have cleverly designed malware that prompts you to install it on your devices. This malware specifically targets Windows users, and I’ve noticed that Windows devices seem to be more susceptible to these kinds of attacks. Recently, Microsoft admitted to a Wi-Fi driver flaw in Windows that allows hackers to hijack your PC simply by being on the same Wi-Fi network. It’s crucial to be cautious when browsing online or connecting to public Wi-Fi.

How do you verify the authenticity of software before downloading and installing it on your device? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels

 Answers to the most asked CyberGuy questions:

Copyright 2024 CyberGuy.com. All rights reserved.



Source link