Here’s how the new attack works:
If you go to a website that doesn’t display text properly, you may get a popup telling you that the font can’t be displayed, instructing you to download a Chrome font pack. The exact verbage is “The Hoefler Text font wasn’t found.”
The problem is that it’s not actually a font pack at all, but a Trojan, which can be used to install all manner of invasive software, including Spora ransomware.
The main problem is that Chrome does not (yet) recognize the threat, and won’t give you any warnings, but there are three tells to keep an eye out for:
• First, the popup you get says you’re running Chrome version 53, regardless of the version you’re actually using.
• Second, the popup says it’s going to install Chrome Font.exe, but when you hover over the download button, you’ll see that the actual filename does not match, and is Chrome Font v7.5.1.exe
• Finally, and this is the biggest of the three tells, if you proceed to click the button, you’ll get another popup informing you that this file isn’t downloaded very often.
The last one is significant because if this was a legitimate issue, the file would be downloaded on a regular basis.
Undoubtedly, it won’t take long for Google to catch up, and you’ll get additional warnings when you encounter this file. But when the researchers found the Malware, they tested it against 59 different antivirus programs and found that only 9 of them were able to detect this threat.
For the time being, the best defense is vigilance if and where you find webpages that aren’t displaying text properly.