When users attempt to enter an infected site, an iframe appears stating that the site’s security certificate is out of date and the connection cannot be completed. To proceed, the message tells them to install a new certificate. What is actually installed, however, is malware on the victim’s computer.
So far, two types of Trojans have been downloaded as a result of this type of attack: Mokes and Buerak. The former provides backdoor access to the victim’s device, while the latter downloads additional malware on the infected device.
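The page does not show the injected markup, so the following is an added example, not Kaspersky's code or a reproduction of the real campaign: a site operator who suspects this kind of injection can scan their own pages for iframes that load from an origin other than the page itself, since a genuine expired-certificate warning is rendered by the browser and never by an iframe embedded in the page. The HTML, hostnames (`news.example`, `update.attacker.example`) and the allowlist are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe>/<frame> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src") or ""
            self.iframes.append(src)


def find_suspicious_iframes(html, page_url, allowlist=()):
    """Return iframe src values whose host differs from the page's own host
    and is not in `allowlist` (an iterable of hostnames the site legitimately embeds).

    Relative and protocol-relative srcs are resolved against page_url first, so
    `/widgets/x.html` is same-origin while `//cdn.attacker.example/x` is not.
    """
    page_host = (urlparse(page_url).hostname or "").lower()
    allowed = {h.lower() for h in allowlist}
    collector = IframeCollector()
    collector.feed(html)

    suspicious = []
    for src in collector.iframes:
        if not src:
            continue  # no src: nothing external is loaded
        host = (urlparse(urljoin(page_url, src)).hostname or "").lower()
        if host and host != page_host and host not in allowed:
            suspicious.append(src)
    return suspicious


# Constructed sample: a legitimate page with one same-origin widget, one
# allowlisted third-party embed, and one injected full-screen iframe that
# mimics a certificate warning (hypothetical attacker host).
PAGE_URL = "https://news.example/article"
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html"></iframe>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="https://update.attacker.example/cert.html"
        style="position:fixed;top:0;left:0;width:100%;height:100%;border:0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, PAGE_URL, allowlist=("www.youtube.com",)):
        print("suspicious iframe:", src)
```

The check is deliberately simple: it flags origins, not content, so an allowlist of the embeds the site genuinely uses is needed to keep the noise down, and an attacker who injects the iframe from the compromised site's own host would not be caught by it.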
Backdoors are a very dangerous type of malware. Their functionality allows threat actors to gain control over an infected machine for malicious purposes, while the user might not even suspect that their machine is being exploited.
Cybercriminals have, in the past, used updates for legitimate applications as a means of spreading malware, but the use of false security certificates is new, first noticed by Kaspersky researchers this year.
“People are particularly susceptible to this type of attack because it appears on legitimate websites, ones they’ve possibly already visited. What’s more, the address listed in the iframe is, in fact, the real address of the website. The natural instinct then is to ‘install’ the recommended certificate, so they can view the content they want to. However, users should always be wary when prompted to download something by an online source — chances are, it’s not necessary,” says Victoria Vlasova, security expert at Kaspersky.
Kaspersky products successfully detect and block the threat.
To avoid downloading malware onto your device, Kaspersky experts recommend:
- Double-check the format of the URL and the spelling of the company name
- Manually type the website address in your browser rather than visiting via a link