What is a fake software update?
A fake software update is a notification that tells users they need to urgently update software on their device. When they click on the update link on a landing page, they unwittingly introduce malware into their device.
One of the common ways that scammers evade detection and bypass security mechanisms and security experts is by scaring users into deploying malicious code and other malware onto their own devices.
These attacks usually use fake messages that notify users that their software requires updating. Using scare words, they prompt users to download and install disguised malicious programs and malware. Unlike fake browser extensions that can only access activity on the specific browser, this type of malware poses a higher level of risk since it sits on a computer or device and has access to everything that happens on that device.
When creating fake software updates, criminals usually utilize social engineering elements like icons and logos, designed to make users think a message came from their system or a service provider they trust (Google, Adobe, Apple, etc.). They often target frequently updated software products to reduce suspicion and security concerns.
The process used to trick users often includes the following steps:
- A deceptive ad is served to a user. These ads usually appear as a message notification or play/download button.
- Once users click on the message or ad, they are redirected to landing pages that fool users, leading them to believe that software on their device needs to be updated
- On the landing pages, users are prompted to download and install malicious software, allowing criminals to gain access to their computers. Users are often unaware that someone has access control of their device or that there are infected systems on it.
Examples of fake software and systems updates
Cybercriminals impersonate trusted systems and service providers including Windows, Adobe, and Google to convince users to install their malware on both computers and mobile devices.
Fake Windows Update
Fake Microsoft messages are a popular way to sneak malware into a user’s computer. The messages prompt users to install updates for fake versions of Microsoft Office programs, such as Microsoft Exchange and other programs on the Microsoft web.
Criminals are often looking for access to a .NET function called Common Language Runtime (CLR). CLR actually enables application virtual machines that manage security, memory, and exception handling. Therefore, .NET function is a prime target for criminals.
Microsoft offers some protection tools like KeePass Password Safe, a free and open-source password manager primarily for Windows. However, some attacks are able to get around those tools leaving users vulnerable.
Fake Android Software Update
Android phones are more open than IOS-based phones, with more user options. This characteristic has many advantages, but it also has disadvantages. Since users are free to install more applications on their devices, they are also more vulnerable to various types of attacks and ransomware tools.
Fake Chrome Update
Google Chrome is one of the most popular web browsers. If a pop-up appears to a user while on a website telling him or her about a Google software update application, it looks natural and non-threatening. However, these types of messages are often the source of web-based malware campaigns. Real Google software updates can be verified on a variety of Google channels.
Fake Flash Player Update
One of the most popular tactics in this category is fake Flash updates, which often succeed in getting a non-technical user to install malware despite the fact that Adobe retired Flash several years ago. Users can be sure that a pop-up with an update link for their Flash Player is a fake update.
Other examples
This is by no means an exhaustive list of programs that criminals use to install malware through fake notification updates. Notifications may also ask users to update their BIOS version, batch file, files related to specific programs installed on the computer, or target systems used on the device or in a virtual environment.
One example of such a threat is Magnitude Exploit Kit, which is a ransomware tool used to drive users to compromised websites and then infect their devices with ransomware. It isn’t a new ransomware tool, but it’s still an active threat. Security researchers have found that the Magnitude Exploit Kit has two vulnerabilities to exploit the Chrome browser, and Chrome users who install it may receive a ransom note.
What can a fake software/system update do?
Once a fake system or software update has been installed, a device may be infected by malware, experience a ransomware attack, be unknowingly exploited for cryptocurrency mining, mitigate privacy and security, or even attack an entire network.
Every attack is unique, but many include various behavior-monitoring capabilities like sniffing and keylogging. Such techniques are used to collect usernames, passwords, credit card numbers, and other private information, even ones that are protected with encryption keys.
In other cases, the infected device is only the beginning. Once installed in a specific device, the malware’s command and control sends out malicious code through the victim’s computer that spreads to other computers, creating a botnet, or a network of infected machines that can all be used to harvest sensitive data.
How to detect fake software update ads?
Identifying the various clickbait tactics, or the misleading content in a fake software ad or landing page requires sophisticated software and AI working in conjunction.
The social engineering elements of this type of scam make them harder to detect, and if the various layers are siloed, detection can be nearly impossible. GeoEdge’s detection overcomes this hurdle by aggregating the data and insights from each level and assessing them holistically to detect fake software updates. It cross-checks data points from multiple detection engines and extracts machine-readable information from system pops, landing pages and creative ad assets. The data extracted can then be analyzed using insights from machine learning models trained to detect and identify ads promoting fake updates.
“Our detection engine will combine a piece of text that is used with a specific image and check to see if it includes a call to a domain that is similar to a scam we’ve identified in the past. If we see such patterns, we will automatically deem the ad fraudulent and prevent it from being served to a user,” says Amnon Siev, CEO at GeoEdge.
How to block fake software updates?
One of the most effective ways to block fake updates is by blocking the ad campaigns that drive users to install them and replacing them with safe ads in real time.
Publishers don’t want users to be exposed to malicious ads, but they also don’t want to lose ad yield by blocking too many ads. Yet, it can be difficult, if not impossible, for them to address the problem alone. The attacks are simply too frequent, and a pop-up touting the latest version of software is often so convincing that, like other threats, it simply stays below the radar.
GeoEdge makes it easier. Publishers simply implement a piece of code in their website that intercepts the malicious ads and replaces them with good ads in real-time. They don’t lose revenue, aren’t susceptible to human error, and don’t expose viewers to threats. GeoEdge also notifies the ad exchange that sent the bad ad so that it can update its exclusion list, and provide better protection across the web for all users.
