Visiting reputable websites is always a good way to ensure you stay away from scams and malware. However, a recent flaw in tens of thousands of legitimate sites has allowed hackers to turn them into prime malware distributors through a fake Google Chrome update page.
Hackers Are Using Compromised WordPress Websites to Show Fake Chrome Updates
As reported by c/side, hackers have found a way to access popular WordPress websites and change them to become malware distributors. The company believes that hackers gain access to these websites through outdated plugins containing unpatched security risks.
If you visit one of these compromised websites, it will not load the main page. Instead, it will direct you to a fake Google Chrome update page. This page claims that your browser is outdated and that you’ll need to install an update to view the website.

If you click the “Update” button, you’ll end up downloading one of two malware packages. If you’re using macOS, it will serve you the AMOS malware; meanwhile, Windows users end up getting the SocGholish strain. The former steals private information from your computer, while the latter acts as a staging ground to download more malware packages, such as ransomware.
After noticing the initial attacks, c/side performed more research to see how far the campaign had reached. At the time of writing, the company reported that over 10,000 WordPress websites had been infected, and there may have been many more that avoided detection.
Because this malware campaign can target websites with no prior history of malicious activity, it’s important to stay vigilant against it, even if you’re accessing a once-trusted website. Google Chrome will never ask you to update it as you’re visiting a website, so if you see an update page like the one described above, it’s a safe bet that it’s fake. If you own a WordPress website, now’s a good time to make sure your plugins are updated.
If you’d like to read more on how to avoid falling for this trick, check out our guide on spotting a fake Google Chrome alert, as identifying a phony update page shares many of the same methods.