Fake Security Certificate Updates: A New Twist to an Old Trick

Hackers are now using fake security certificate updates to trick people into installing malware on their devices. Learn how the ruse works and how to avoid becoming a victim.

For more than a decade, hackers have been using fake updates to spread malware. For example, there have been fake Adobe Flash Player updates, fake Firefox updates, and even fake patches for the Spectre and Meltdown vulnerabilities in computer chipsets. Cybercriminals have recently added a new twist to this old trick. They are now using fake security certificate updates to trick people into installing malware.


The Ruse

Here is how the ruse works: When people visit a compromised website, they receive an alert that claims the site’s security certificate is out of date. The visitors are told they need to install an updated security certificate to proceed. However, in reality, they would be installing malware.

The security researchers who discovered this newest scam found it on a variety of websites, including the sites of a zoo and an auto-parts store. The sites were legitimate, but they had been compromised. On these sites, hackers had inserted code that superimposed an inline frame (iframe, an embedded HTML document) over the legitimate web page. As a result, visitors saw the legitimate site’s web address in their web browsers, but instead of seeing the original web page, they saw the iframe. The iframe contained the warning “Security Certificate is out of date” as well as an “Install (Recommended)” button that the visitors were supposed to click to get an updated security certificate. People who clicked the button had their devices infected with either the Mokes or Buerak malware.
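As an added example (not code from the original article or the researchers cited), the script below shows how a site owner or analyst could scan page HTML for the two telltale signs described above: an iframe styled to cover the whole page, and the lure text inside the framed document. The sample pages and the hostname attacker.invalid are constructed placeholders.

```python
from html.parser import HTMLParser
import re

# Phrases from the lure described in the article.
LURE_PATTERNS = [
    re.compile(r"security\s+certificate\s+is\s+out\s+of\s+date", re.I),
    re.compile(r"install\s*\(\s*recommended\s*\)", re.I),
]

def _is_overlay_style(style):
    """True if inline CSS positions the element over the whole page."""
    s = style.lower().replace(" ", "")
    positioned = "position:fixed" in s or "position:absolute" in s
    covers = "z-index" in s or ("width:100%" in s and "height:100%" in s)
    return positioned and covers

class LureScanner(HTMLParser):
    """Flags overlay iframes in a page and lure text in any HTML document."""
    def __init__(self):
        super().__init__()
        self.overlay_iframes = []   # src of each iframe styled as a full-page overlay
        self.lure_hits = []         # lure phrases found in text content

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            if _is_overlay_style(a.get("style") or ""):
                self.overlay_iframes.append(a.get("src") or "(inline srcdoc)")
            # srcdoc embeds the framed document inline, so scan it as text too
            if a.get("srcdoc"):
                self.handle_data(a["srcdoc"])

    def handle_data(self, data):
        for p in LURE_PATTERNS:
            m = p.search(data)
            if m:
                self.lure_hits.append(m.group(0))

def scan_html(html):
    s = LureScanner()
    s.feed(html)
    s.close()
    return {"overlay_iframes": s.overlay_iframes, "lure_hits": s.lure_hits}

# Constructed samples: a compromised host page with the injected overlay
# iframe, and the framed lure document it loads (placeholder hostname).
HOST_PAGE = """<html><body><h1>City Zoo - Visiting Hours</h1>
<iframe src="https://attacker.invalid/cert.html"
 style="position: fixed; top: 0; left: 0; width: 100%; height: 100%; z-index: 9999; border: 0"></iframe>
</body></html>"""
LURE_PAGE = """<html><body><p>Security Certificate is out of date</p>
<button>Install (Recommended)</button></body></html>"""

if __name__ == "__main__":
    print(scan_html(HOST_PAGE))   # flags the overlay iframe
    print(scan_html(LURE_PAGE))   # flags both lure phrases
```

The host page alone reveals only the overlay; the lure text lives in the framed document, so both the page and what its iframes load need to be examined.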

Mokes and Buerak run in the background, so people are typically unaware that their devices are infected. Both malware programs create a backdoor, enabling hackers to remotely execute code on the devices. The programs are also designed to carry out malevolent activities that enable cybercriminals to steal personal data and spy on people. For example, Mokes and Buerak can record keystrokes, copy and send files to remote servers, and record video and audio clips. While Buerak infects only Windows devices, Mokes is able to compromise devices running a variety of popular operating systems, including Windows, MacOS, OS X, and Linux.


How to Avoid Becoming a Victim

A little bit of knowledge about security certificates can go a long way in helping people avoid this scam. In an HTTPS website, a security certificate (also known as an SSL certificate) is used to verify the owner’s identity. Certificate Authorities (CAs) are responsible for issuing security certificates to websites. These certificates expire after a specified time period. When a certificate is nearing its expiration date or has expired, it is the responsibility of the website owner to renew it. Website visitors do not have the authority to make this request. Nor do they have the ability to install an updated certificate by clicking a button.

If a website’s security certificate is expired, you might see a message stating that fact. However, it will not tell you to click a link to get an updated one. If it does, do not click it. Instead, close the web page. By doing so, you will avoid installing malware on your device.

https flickr photo by Sean MacEntee shared under a Creative Commons (BY) license