A persistent cybersecurity threat has emerged in the form of fake Chrome update popups, which have been active since late April 2024. Hackers inject malicious code into compromised websites, displaying deceptive popups that prompt users to update their browsers. When users click on the provided link, they are directed to malicious URLs designed to download harmful software, such as remote access trojans or infostealers. This campaign has affected 341 websites to date.
The deceptive popups, written in poor English, appear even to users not using the Chrome browser, highlighting the amateurish nature of the scam. Once the user clicks the “Update” button, they are taken to URLs that initiate malware downloads, with the primary aim of distributing SocGholish, a notorious type of malware. Although some malicious URLs are no longer operational, the threat persists as attackers continue to exploit website vulnerabilities.
Researchers have identified that attackers gain access to WordPress admin interfaces, install plugins, and upload malicious code using the “Import” feature. This method allows them to evade detection by file scanners, as the malicious code is stored within the WordPress database. This tactic has been seen in other WordPress infection campaigns, underscoring the importance of securing website plugins and maintaining up-to-date software.
To protect against such threats, it is recommended to employ a “use it or lose it” policy on websites, generate strong and unique passwords, use two-factor authentication, and restrict access to sensitive pages. Keeping website software patched and up-to-date and using a web application firewall are crucial measures. By following these practices, website administrators can reduce the risk of falling victim to fake update popups and other cyber threats.
Reference:
