Hackers are using malicious ads to dupe victims into downloading bogus Web-browser updates, just a few days after real security updates from Mozilla Firefox and Google Chrome.
The scam begins with a typical scareware tactic. Victims land on a malicious Web page and are (wrongly) informed that their browsers are outdated, researchers at StopMalvertising reported. The victims are then offered a link to download a patch for the browser being used.
Users who click the link will download a malicious JavaScript code containing a Trojan. Once inside, the Trojan points the browser to a new homepage, also full of malware, Trend Micro discovered.
Visitors to the malicious sites on mobile devices risk infection from malware that secretly sends premium text messages, essentially robbing victims through their service providers.
For years, scammers have been taking advantage of new product launches, updates and the hype and fear that surround them. Recently, scammers took advantage of interest around the iPhone 5 and even Hurricane Sandy.
Users can stop themselves from becoming victims by keeping abreast of their browser's updating protocols and only downloading files from trusted sources.
Scammers rely on victims who overlook details and behave irrationally, motivated by fear or a bargain. Always make sure the URL is familiar, and that the domain name in the address bar is the legitimate one.
Firefox prompts users for an update via an alert, not a popup browser window, and Chrome updates itself automatically.
Although other browsers are not affected in this particular hack, Safari users should know that Apple updates its native browser as a part of its bigger OS updates.
Internet Explorer updates through the onboard Windows Update, never through the browser.