Chrome: The “HoeflerText” font wasn’t found scam

It is interesting from a purely scientific angle how attackers come up with new methods and schemes to distribute malicious payloads onto user systems.

The "HoeflerText" font wasn't found is a recent attack that changes website text so that it looks as if a font is missing, to get users to download and install an alleged update for Chrome that adds the font to the system.

I talked about this on the private Ghacks forum for supporters back in January already. The first report about the attack came from Proofpoint, to the best of my knowledge.


The report reveals in detail how the attack works. Most of the technicalities behind the attack are probably not that interesting to the average Chrome user, so here is a short overview of the important tidbits:

  1. The attack requires that the user visits a compromised website.
  2. The attack script on the site checks various criteria -- country, user agent, and referrer -- and will only insert the font wasn't found script in the page if the criteria are met.
  3. If that is the case, the entire page is rewritten by the inserted script so that it looks garbled and becomes unreadable to the user.
  4. A popup is then displayed that prompts the user to download the missing font and install it on the system. That download is the actual attack payload containing malicious code.

The popup is made to look as if it is an official prompt from the Chrome browser itself. It features a Google logo, and reads:

The "HoeflerText" font wasn't found.

The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".

It displays (fake) manufacturer and Chrome Font Pack version information as well. A click on the update button downloads an executable file (Chrome_font.exe) to the system, and changes the popup to display information on how to run the executable file to update Chrome fonts.


Note: The prompts, the name of the missing font that is used in the attack, and the file name may be changed at any time by attackers. It goes without saying that you should not click on the update button, nor run the downloaded executable file if you have already clicked it.
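The download step described above leaves a trace in web proxy logs. The following Python is an added example, not part of the original article or of Proofpoint's report: it flags executable downloads whose file name poses as a Chrome or font update but which are not served from a vendor host. The log layout, the vendor allowlist and the name patterns are assumptions, and all log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts allowed to serve Chrome installers; tune for your environment.
VENDOR_DOMAINS = ("google.com",)
EXECUTABLE = re.compile(r"\.(exe|msi|scr)$", re.I)
# Assumption: name hints taken from the lure described in the article.
LURE_NAME = re.compile(r"font|chrome", re.I)

# Constructed proxy log lines (not real traffic).
# Assumed fields: time client url referrer content_type
SAMPLE_LOG = """\
2017-02-24T12:31:02 10.0.0.7 https://dl.google.com/chrome/ChromeSetup.exe https://www.google.com/chrome/ application/x-msdownload
2017-02-24T12:33:40 10.0.0.9 http://coloring.example/wp/Chrome_font.exe http://coloring.example/animals.html application/octet-stream
2017-02-24T12:35:11 10.0.0.9 http://coloring.example/img/cat.png http://coloring.example/animals.html image/png
2017-02-24T12:40:55 10.0.0.12 http://blog.example/f/Font_Pack_Update.exe http://blog.example/post/1 application/octet-stream
2017-02-24T12:41:30 10.0.0.12 http://tools.example/backup-tool.exe http://tools.example/ application/x-msdownload
2017-02-24T12:44:02 10.0.0.15 http://dl.google.com.cdn-update.example/ChromeSetup.exe http://news.example/ application/octet-stream
"""

def is_vendor_host(host):
    """Exact or dot-suffix match, so google.com.cdn-update.example does not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def find_fake_update_downloads(log_text):
    """Return (client, download URL, referring page) for suspicious downloads."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _time, client, url, referrer, _ctype = fields
        parts = urlsplit(url)
        filename = parts.path.rsplit("/", 1)[-1]
        if not EXECUTABLE.search(filename):
            continue  # only executable downloads are of interest
        if LURE_NAME.search(filename) and not is_vendor_host(parts.hostname):
            hits.append((client, url, referrer))
    return hits

if __name__ == "__main__":
    for client, url, referrer in find_fake_update_downloads(SAMPLE_LOG):
        print(f"{client} fetched {url} (lure page: {referrer})")
```

Because the file name can change at any time, treat a match as a lead for checking the client and the referring page, not as complete coverage.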

What you can do

The only option you have is to wait until the site owner fixes the website to remove the malicious scripts running on it. Once done, it should go back to normal provided the cleaning was thorough.

If you need to access the site immediately, check out the Wayback Machine to find out if an archived copy of it exists.

Publisher: Ghacks Technology News



Responses to Chrome: The “HoeflerText” font wasn’t found scam

  1. Nuno February 24, 2017 at 12:39 pm #

    I'd like to share my experience with this scam, but first I must say that I have followed your posts for quite a long time and I find them simple, informative and always quite interesting.

    Regarding this scam, I am embarrassed to say that it got me!

    The sequence of events was just as described in this post. I consider myself an experienced computer user, but I let my guard down for just a few seconds. (In my defence, I can only say that my young daughter was harassing me to get her some printed coloring images - it was while searching for these "harmless" pictures that I fell for it...)
    It took me only a few seconds to find out something was wrong. I quickly hibernated my laptop and checked the downloaded files using VirusTotal on another PC (I removed the SSD for a few minutes).

    I was shocked to find out that only a handful of AVs would have caught it in time (this was last feb-17). I was even more troubled by the fact that I would have much of my doc, docx, xls, xlsx and rtf files encrypted! I confirmed this after rebooting the infected laptop and terminating the rogue processes.

    Everything ended on a positive note because I had almost full & recent backups and Win7 helped a bit with its "Previous Versions" feature.

    Lesson Learned! ;)
