Chrome and Internet Explorer users warned about ‘missing font’ scam used to spread malware


Google Chrome and Internet Explorer users are being warned to be on the lookout for websites that try to trick them into downloading a new update.

The update promises to download the latest font package for their browser but instead installs files laced with malware, including the dangerous Locky ransomware.

The threat was discovered by researcher Brad Duncan from security firm Palo Alto Network’s Unit 42, who wrote about the malware in a blog post.

Mr Duncan explains how hackers use social engineering techniques to direct unsuspecting users to a compromised website.

The website then displays a pop up which reads “The HoeflerText font wasn’t found”.


Users are then asked to click on the ‘Update’ button in order to update their ‘Chrome Font Pack’.

However, clicking on the update button downloads a file called “Font_Chrome.exe” which installs malware onto the victim’s computer, and which can enable cyber criminals to take control of the infected device.

Hoefler 2

This isn’t the first time hackers have tried to use a so called ‘font package’ in order to spread malware.

According to Mr Duncan, this particular technique, known as the EITest campaign, has been around since 2014, in one form or another.

The “Hoefler Text” scam was first discovered earlier this year, while this most recent version was spotted again in late July and continued throughout August.

“By July 2017, the HoeflerText popups delivered Mole ransomware under the file name Font_Chrome.exe. These popups stopped in late July. But by late August 2017, they reappeared, and we saw a different type malware sent under the file name Font_Chrome.exe. Recent examples reviewed by Unit 42 are not ransomware; they are file downloaders,” Duncan said.

If you visit a website and are presented with a message or pop up that asks you to install or update a ‘font package’ or something to that effect, then you should leave the website in question and whatever you do, don’t hit install or update.

As always, make sure all antivirus software is up to date.


Comments are closed.