Wednesday, January 25, 2012

Fake missing plugin warnings used for spam/spyware

A key element for a successful spam/malicious page is to establish trust with the visitor so that he will perform the requested actions. Users trust their browser, but not necessarily the content (i.e. web page) that it displays. A trick that I've blogged about earlier, is to fool the user into thinking that certain elements on the page are actually from the browser.

Recently, I've seen several websites showing a fake warning for a missing plugin. The fake warning is designed to look the same as the real warning shown by Firefox when the page requires a plugin that is not installed: a yellow bar at the top of the page with a link to install the plugin on the right, and a blue icon on the left.

Legitimate Firefox warning for a missing Adobe Shockwave plugin

On allostreaming.biz (French language), the fake warning is for a "missing" VLC plugin. You can tell that the warning is part of the page, and not part of the browser, because the scroll bar goes to the top of the warning, whereas the real warning is above the scroll bar (see the image above).

Fake warning for missing plugin
A look at the source code shows that the warning is indeed HTML from the page:

HTML code for the fake warning
The "VLC plugin" is the classic pay-per-install bundle, where the spammer gets paid for tricking the users into installing spyware/adware.

The spammers are using the same fake warning on all browsers, which is also a giveaway as browsers other than Firefox don't actually have the same warning for missing plugins. Anyway, the attack will likely fool users of other browsers into installing this adware/spyware.

No comments: