05 Aug 2013

Malware Masquerading as Update Pop-Ups or Web Pages

0 Comment

Tech Tip:

Malware Masquerading as Update Pop-Ups or Web Pages

Internet Surfers Beware! A rash of fake update windows have been popping up all across the Internet, fooling users into downloading malware and viruses onto their computers. These pop-up windows will often appear on websites as “necessary” software updates. The attacker creates what appears to be a rather convincing pop-up window or landing page; however, there are a few inconsistencies. Most of the links return back to the attacking domain and all of the links within the page—besides the link to the malware itself—lead the user to broken links on the attacking domain. Unless vigilant, even people who consider themselves “techie” are often fooled.

The attacker’s main goal is to ensure that a successful installation of the malware masquerading as an update occurs, and presents one of two options to the user for maximum return:

  • Option 1 is a pop-up message that requests the user to download an “update” file.
  • Option 2 is the “Download Now” button on a landing page that requests the user to download an “update” file.

In addition to stealing passwords, these files appear to be looking for credentials used in transferring documents, conducting banking and accessing emails.

The easiest way to spot these fake updates is to look at the web address (or URL) from which the links are pulling the “update” to the software in question, which is typically displayed at the top of the pop-up window or can be found by hovering your mouse over a link/button (do not click on the link/button).

  • For example, any update to Flash Player would come from the Adobe website and would have adobe.com somewhere in the address line. See the example below.

flashDid you notice the URL address? Adobe.com is not listed anywhere. This is a malware pop-up!

  • The same also applies to Google Chrome updates. The address chrome.google.com must appear somewhere in the main part of the address.

Chrome2Did you notice that ‘Chrome’ was part of the address?
This “legitimate looking” pop-up was designed to fool you into downloading malware or a virus, as you can see the main address reads ‘cloudfront.net’.

When installing software updates, here are a few things to remember:

  • With Flash and Java, these updates will almost always come from a pop-up in your Windows toolbar (as seen below), NOT from a pop-up in your browser.


  • If you are using Internet Explorer, Firefox or Safari as your web browser and see a window to update the Chrome browser, it is a fake and is designed to get you to download malware or a virus. Since you’re not using Chrome, there would be no way for your web browser (IE, Firefox or Safari) to know it needed to update another browser (Chrome).
  • The primary way to determine if an update is fake is to simply look at the web address in the address bar, which will almost always make it apparent. If the URL does not match the official source of the update window, you know the update is a fake. See the image below.

AdobeDid you notice the update came from qwikster.com and not adobe.com?

  • One final thing to remember is to NEVER click on the “OK” button to close the pop-up when it appears in your browser window. Always use the “X” in the upper right corner or use your task manager to close the window. To use the task manager, hold down the “Ctrl + Alt + Delete” keys then click on the “Task Manager” option to close the window from the application tab.

If you feel you may have been compromised by a fake update or virus, please contact the BMS Hardware Support team immediately. They can scan and detect any viruses or malware you may have mistakenly downloaded. You can contact them via email or call 800-634-7734 ext. 6.

Have you experienced any online phishing scams or malware activity? Let us know below. Your story may help someone else from having the same problem.