Attack Spotlight: Fake Browser Updates

December 23, 2019
Gretel Egan

Our latest Attack Spotlight—available now—explores credible-looking (but malicious) browser update windows that display on otherwise trustworthy websites. Share our free security awareness materials to alert your employees to this threat. 

Defend Against Online Malware

The Proofpoint global intelligence platform analyzes billions of data points a day to deliver unmatched visibility into attack patterns and methods. This fall, we saw a dramatic rise in websites compromised with SocGholish (also known as “FakeUpdates”) HTML injects.

These injections let attackers display malicious, fake browser update windows. These attacks are notable because they reflect the user’s environment: The displayed content matches the user’s browser and, in some cases, is geotargeted.

When downloaded, the script fingerprints the system and (if the user’s geolocation is targeted) executes the next-stage malware, delivering specific malware based on the presence or absence of Active Directory. Recent, highly publicized Bitpaymer infections were also associated with SocGholish activity.

Compromised Industry Sites Pose a Challenge

Threat actors have been opportunistically targeting vulnerable content management systems, including WordPress and Drupal. However, many of the compromised sites contain industry-specific content. Because website operators are unaware of the compromise, they can unwittingly subject partners and customers to the fake browser updates by inviting them to view content on their site. 

Though any organization’s users could encounter compromised websites, we have seen frequent exposure to SocGholish in the following industries:

  • Healthcare
  • Financial investing
  • Manufacturing
  • Education

Download Our Free Security Awareness Materials Today

These fake updates (and other malicious pop-ups) can look realistic and credible. It’s critical to make users aware of this type of threat, especially since attackers return to this attack method again and again.

Use our latest Attack Spotlight resources to get your users up to speed. The following free materials are now available:

  • Ready-to-use email content for communicating to your employees
  • A security awareness PDF that shows examples of fake updates and details the threat in easy-to-understand terms
  • A short awareness module with action-oriented tips for identifying and avoiding fake browser updates

If you haven’t used these tools in the past, be sure to visit our Attack Spotlight archive. You’ll find free resources about other trending attacks, including those related to lookalike domains, fraudulent shipping notifications, and lures that mimic popular cloud applications.