Beware of The Fake "HoeflerText" font wasn't found Pop-Up (Updated)

  • March 7, 2017

What is the "HoeflerText" font wasn't found Pop-Up?

A common attack seen on the web over the past 2 months is the "HoeflerText" font wasn't found pop-up. This pop-up is part of a social engineering attack that uses JavaScript to display an alert stating that you are missing a font required to properly view a site.

This attack is conducted in one of two ways. In the first method, when you visit a site that has been hacked to show this attack, JavaScript scrambles the text on the web site so it is unreadable and then displays a fake Chrome or Firefox alert. The Chrome version of this method can be seen above.

The second method is to just display an alert on the page stating that the HoeflerText font is missing and then prompt you to download a font pack. Once you download the font pack, the alert will change to instructions on how to install it. You can see examples of the Chrome and Firefox alerts below.

Chrome HoeflerText Font Alert

Firefox HoeflerText Font Alert

Either way the alert is displayed, the text of the alert is the same. This alert states that your version of Chrome or Firefox does not have the HoeflerText font installed and then prompts you to download a fake "Chrome Font Pack" or "Mozilla Font Pack" in order to install the HoeflerText font and see the page properly. The names of the downloads that have been distributed by this attack include Chrome_Font.exe, Mozilla_Font_v7.87.zip, and Chrome_Font_v7.87.zip.

The downloaded file, though, is actually a malware installer that will install malware such as the Spora Ransomware, the Zeus Panda banking Trojan, or the Fleercivet clicker.

The full text of the alert is:

The "HoeflerText" font wasn't found

The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".

Manufacturer: Google Inc. All Rights Reserved
Current version: Chrome Font Pack 53.0.2785.89
Latest version: Chrome Font Pack 57.2.5284.21

A demonstration of this attack can be seen in the video below. A big thanks to Kafeine of ProofPoint and Malware Don't Need Coffee fame for helping with some Fiddler mojo I used for the video.

 

Am I infected if I see the HoeflerText Font or Chrome & Mozilla Font Pack Update Pop-Up?

The simple answer is maybe, but if you are, it's not what is causing this popup to appear. Many sites are stating that if you see the HoeflerText Font popup then you are infected with adware or some other virus. This is simply untrue.

The only reason you are seeing this popup on a site is that the site was hacked and JavaScript was injected to display this popup. You can see an example of the injected JavaScript in the image below.

Source Code of Hacked Page

With that said, if you did happen to run the downloaded Chrome_Font.exe, Mozilla_Font_v7.87.zip, Chrome_Font_v7.87.zip, or whatever program was downloaded when you clicked on the Update button, then you most likely are infected and should scan your computer with an anti-virus program.

What happens if I Run the downloaded Chrome or Mozilla Font Pack?

When you run the Chrome_Font.exe program, or another file downloaded from the Chrome Font Update popup, your computer will become infected with some sort of malware. Currently the EITest attacks are installing the Spora Ransomware, which will encrypt all the data files on your computer and then demand a ransom to get them back. Previous variants installed other types of ransomware or the Fleercivet Ad Clicker.

Therefore, if you have mistakenly executed the Chrome_Font.exe, Mozilla_Font_v7.87.zip, or Chrome_Font_v7.87.zip files, then you should immediately scan your computer with an anti-virus program to be safe.

If a web site I own shows the HoeflerText Pop-Up, What Should I Do?

If you own a web site that has been hacked so that it displays the HoeflerText pop-up, it is important that you examine your web site's source files and configuration in order to determine how the code is being injected. Unfortunately, full instructions on how to perform forensics on a site are outside the scope of this article, but here are a few things you can try:

  1. Examine your site's .htaccess files to see if there are any php_value auto_prepend_file or php_value auto_append_file entries inside them. These settings can be used to inject a PHP file into all of the pages on a site so that they inject JavaScript or perform other actions.

  2. Examine your site's .htaccess files for RewriteCond statements that check the referrer. An example of this is RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]. These types of entries are typically used to perform an action when a visitor is referred from a search engine result page.

  3. If you are running WordPress, compare your theme files, plugins, and WordPress source against a backup to see if there are any unknown JavaScript entries or PHP includes.

  4. Check the version of WordPress, Magento, Joomla, etc. that you are running and see if there are any known vulnerabilities for that version. Then upgrade your software to the latest version.

  5. Look for strange PHP files under your web site's folder to see if they are possibly being used by the hacker.
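
A starting point for steps 1, 2 and 5, as an added example that is not part of the original article: a Python script that walks a web root, flags the .htaccess directives named above, and lists PHP files changed recently. The function names, the `recent_days` window used as a stand-in for "strange" PHP files, and the sample .htaccess content are assumptions made for illustration.

```python
import os
import re
import time

# Patterns for the .htaccess entries named in steps 1 and 2.
PATTERNS = {
    "auto_prepend/append": re.compile(
        r"^\s*php_value\s+auto_(?:prepend|append)_file\b", re.I),
    "referrer condition": re.compile(
        r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I),
}

def scan_htaccess_text(text):
    """Return (line_number, label, line) for each flagged directive."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # a commented-out directive has no effect
        for label, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((n, label, line.strip()))
    return hits

def scan_site(root, recent_days=30):
    """Check every .htaccess under root and list recently changed PHP files."""
    cutoff = time.time() - recent_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(path, errors="replace") as fh:
                    for n, label, line in scan_htaccess_text(fh.read()):
                        findings.append((path, n, label, line))
            elif name.lower().endswith(".php") and os.path.getmtime(path) >= cutoff:
                findings.append((path, 0, "recently modified PHP", ""))
    return findings

# Constructed sample, not taken from a real compromised site.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .bing.$ [NC]
# php_value auto_append_file /old/disabled.php
php_value auto_prepend_file /var/www/html/cache/.tmp.php
"""

if __name__ == "__main__":
    for hit in scan_htaccess_text(SAMPLE):
        print(hit)
```

Legitimate sites also use referrer conditions (hotlink protection, for example), so each hit needs a manual look. File modification times can be reset, so an empty "recently modified" list does not clear the site.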

While this list of steps is by no means exhaustive, it should give you a starting point in determining how your site was hacked. If anyone has any other recommendations, please let me know and I will get them added.
