Warning: Convincing Chrome 'Font Update' a Trojan

John Lister's picture

Chrome browser users have been warned to watch out for a sneaky malware attack. The trick involves a bogus on-screen message that claims the user needs to download a missing font.

The people responsible are using hacked websites on the WordPress platform to operate the scam. They've altered the page so that the text appears to have been corrupted and is made up largely of symbols such as black diamonds and question marks.

The page then displays an on-screen message that's carefully designed to look like a genuine Chrome error message, complete with the correct logos, shapes and even the right shade of blue.

HoeflerText Listed As Missing

According to the message, the web page is displayed incorrectly because the "HoeflerText" font is missing. It says the user needs to update the "Chrome Font Pack." Clicking on the update button actually downloads an executable file and if the user opens this file, malware is installed on their computer.

Examples of the fake error message are as follows (click the links): the "HoeflerText font wasn't found" page and the fake error window - full credit goes to  Mahmoud Al-Qudsi of Neosmart.net for the images.

Exactly what that malware is appears to vary from case to case. In some incidents it is adware, which uses the computer's connection to make bogus 'clicks' on online ads to try and boost online ad revenue for the authors responsible for the malware. In others, it appears to be ransomware that can encrypt the user's files until they pay a fee to unlock them.

According to security writer Mahmoud Al-Qudsi, the malware won't necessarily get caught because it is too new to be on the blacklists of some major security software. The good news is that Chrome itself will give a warning that the "file is not downloaded often" and therefore might be suspicious. According to the author of the article, he has submitted the infected .EXE file to Chrome's Security Team for further investigation. (Source: neosmart.net)

Font Update Unnecessary

There's also a mismatch between the filename listed on the on-screen prompts (Chrome_Font.exe") and the name of the file that actually downloads ("Chrome Font v7.5.1.exe") though it's unlikely most people would spot this. (Source: thenextweb.com)

While the message looks plausible, in reality there is no update mechanism for a "Chrome Font Pack." The way the web browser works is to analyze the content and organization of a page (such as the actual words used and its layout) and then display it on the screen. If a browser is unable to display the specific font preferred by the website designed, it will use the best available alternative.

What's Your Opinion?

Have you come across this erroneous "error message?" Would you have fallen for it if you didn't know about the scam? Could browser makers do more to prevent such scams?

Rate this article: 
Average: 5 (9 votes)


Dennis Faas's picture

I did have a look at the 'error message' warnings and I have to say, they look incredibly convincing. As the article states, there is no need to download a 'font pack' as all web browsers will degrade automatically to the next closest font and still render the page. As always: be vigilant, and don't install anything from a website that you don't recognize or would not have installed had you not visited the page in the first place.

ecash's picture

Thanks for warning..

stephen3588's picture

Question: So if I do get this, what do I do next? Close the tab? And how would I remove this malware so it doesn't happen again? My browsers are protected by WebRoot.

Thanks for a great informative site.


Dennis Faas's picture

You would either close the tab or CTRL + ALT + DEL to bring up task manager, then select the Chrome task and delete it, then restart Chrome.

jwilson1956_4779's picture

Hey, many thanks to you Mr. Faas, Mr. Lister, and Mr. Al Qudsi for this warning. It's good to know where the war parties are at and what they're up to.

stialoui_8721's picture

The binary will not be named "Chrome Font v7.5.1.exe". The version, which is here 7.5.1 is generated base on your IP address. Also, the campaign is sleeping right now. Furthermore, EItest is able to infect users on IE. See https://blog.brillantit.com/exposing-eitest-campaign/ for a detailed analysis of the threat.