Fake alerts about outdated security certificates lead to malware

Cyber criminals have been trying out a new approach for delivering malware: fake alerts about outdated security certificates, complete with an “Install (Recommended)” button pointing to the malware.


The malware peddlers behind this scheme are obviously counting on users not knowing exactly what a security certificate is, or that they are not the ones responsible for keeping it updated, while also exploiting users’ desire to keep themselves safe online.

The scheme

The malicious alerts have been spotted on a number of compromised and variously themed websites, and the earliest infections found date back to January 16, 2020, Kaspersky Lab researchers have shared.

The spoofed notifications are delivered in an overlaid iframe that loads the content from a third-party source. The fact that the browser’s address bar shows the compromised site’s URL even while showing the fake alert makes the warning seem legitimate.
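As an added defender's example (not code from the article or from Kaspersky), the script below scans a site's HTML for iframes that both load from a third-party origin and are styled to cover the page, which is the delivery pattern described above. The page origin, the sample HTML and every domain in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed origin of the site being checked (hypothetical).
PAGE_ORIGIN = "https://news.site.example"

# Constructed page: one same-origin widget, one ordinary third-party embed,
# and one third-party iframe styled to sit over the whole viewport.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" style="width:300px;height:200px"></iframe>
<iframe src="https://video.example/embed/abc" width="560" height="315"></iframe>
<iframe src="https://alerts.fake-certs.example/cert.html"
        style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:99999;border:0"></iframe>
</body></html>
"""

# Inline-style fragments typical of an element meant to cover the page.
OVERLAY_HINTS = ("position:fixed", "position:absolute", "z-index")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def origin_of(url, page_origin):
    """Return scheme://host of url, or None for relative (same-origin) URLs.
    Protocol-relative URLs (//host/path) inherit the page's scheme."""
    p = urlparse(url or "")
    if not p.netloc:
        return None
    scheme = p.scheme or urlparse(page_origin).scheme
    return f"{scheme}://{p.netloc.lower()}"


def looks_like_overlay(style):
    """True if the inline style positions the frame out of normal page flow."""
    s = (style or "").replace(" ", "").lower()
    return any(h in s for h in OVERLAY_HINTS)


def find_suspicious_iframes(html, page_origin):
    """Flag iframes that are both third-party and overlay-styled."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for f in parser.iframes:
        src = f.get("src") or ""
        src_origin = origin_of(src, page_origin)
        if src_origin and src_origin != page_origin.lower() and looks_like_overlay(f.get("style")):
            findings.append({"src": src, "origin": src_origin, "style": f.get("style", "")})
    return findings
```

The check only sees inline styles and static markup; an overlay positioned from a stylesheet class or created by injected JavaScript at runtime would need the rendered DOM (for example, a headless browser) to be inspected instead.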

Users who fall for the trick and click on the “Install (Recommended)” button are served with malware. In past attacks this was either the Buerak downloader Trojan or the Mokes backdoor, but any type of malware can be delivered in future campaigns.

A new twist on an old trick

Malware peddlers have been using fake alerts urging users to download a new version of specific, widely used software (e.g., Adobe Flash Player, Google Chrome) for years, and alerts about outdated security certificates are just a new twist on a very old trick.

Kaspersky’s warning also comes at a moment when users’ chances of seeing security-certificate-related alerts are higher than usual, as the Let’s Encrypt certificate authority started revoking millions of TLS/SSL certificates on Wednesday.
