Kaspersky researchers have uncovered a new method of distributing malware: under the guise of fake security certificates.
When users attempt to enter an infected site, an iframe appears stating the site’s security certificate is out of date and the connection cannot be completed. In order to proceed, it is recommended that they install a new certificate. However, what’s actually installed is malware on the victim’s computer.
So far, two types of Trojans have been downloaded as a result of this type of attack: Mokes and Buerak. The former provides backdoor access to the victim’s device, while the latter downloads additional malware on the infected device.
Backdoors are a very dangerous type of malware. Their functionality allows threat actors to gain control over an infected machine for malicious purposes. At the same time, the user might not even suspect that the machine is being exploited.
Cybercriminals have, in the past, used updates for legitimate applications as a means of spreading malware, but the use of false security certificates is new, first noticed by Kaspersky researchers this year.
“People are particularly susceptible to this type of attack because it appears on legitimate websites, ones they’ve possibly already visited,” says Victoria Vlasova, security expert at Kaspersky. “What’s more, the address listed in the iframe is, in fact, the real address of the website. The natural instinct then is to “install” the recommended certificate, so they can view the content they want to. However, users should always be wary when prompted to download something by an online source — chances are, it’s not necessary.”