Beware of The Fake Chrome "HoeflerText" font wasn't found Pop-Up

  • December 31, 1969

What is the The "HoeflerText" font wasn't found Pop-Up?

A common attack that is being seen on the web over the past 2 months is something called The "HoeflerText" font wasn't found pop-up. This popup is part of an attack called EITest, which injects javascript into a hacked web site that you are visiting in order to display the popup.

The attack works like this. If you visit a site that has been hacked to show the EITest attack, and come to that site through a search engine result and are are using Chrome, then the Javascript will scramble the text on the web site so it is unreadable and then display the fake Chrome alert shown above.

This alert states that your version of Chrome does not have the HoeflerText font installed and then prompts you to download a fake "Chrome Font Pack" in order to install the font and see the page properly. The downloaded file, though, is actually a malware installer that will install malware such as the Spora Ransomware or Fleercivet.

The full text of the alert is:

The "HoeflerText" font wasn't found

The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".

Manufacturer: Google Inc. All Rights Reserved
Current version: Chrome Font Pack 53.0.2785.89
Latest version: Chrome Font Pack 57.2.5284.21

A demonstration of this attack can be seen in the video below. A big thanks to Kafeine of ProofPoint and Malware Don't Need Coffee fame for helping with some Fiddler mojo I used for the video.


Am I infected if I see the HoeflerText Font or Chrome Font Update Pop-Up?

The simple answer is maybe, but if you are, it's not what is causing this popup to appear. Many sites are stating that if you see the HoeflerText Font popup then you are infected with adware or some other virus. This is simply untrue.

The only reason you are seeing this popup on a site is because the site was hacked and the EITest javascript that was injected is displaying the popup. You can see an example of the injected javascript in the image below.

Source Code of Hacked Page

With that said, if you did happen to run the downloaded Chrome_Font.exe, or whatever program was downloaded when you clicked on the Update button, then you most likely are infected and should scan your computer with an anti-virus program.

What happens if I Ran the Chrome_Font.exe download?

When you run the Chrome_Font.exe program, or another file downloaded from the Chrome Font Update popup, your computer will become infected with some sort of malware. Currently the EITest attacks are installing the Spora Ransomware, which will encrypt all the data files on your computer and then demand a ransom to get them back. Previous variants installed other types of ransomware or the Fleercivet Ad Clicker.

Therefore, if you have mistakenly executed the Chrome_Font.exe file, then you should immediatlely scan your computer with an anti-virus program to be safe.

If a web site I own shows the HoeflerText Pop-Up, What Should I Do?

If you own a web site that has been hacked so that it displays the HoeflerText EITest pop-up, it is important that you examine your web site's source files and configuration in order to determine how the code is being injected. Unfortunately, full instructions on how to perform forensics on a site is outside the scope of this article, but here are a few things you can try:

  1. Examine your site's .htaccess files to see if there are any php_value auto_prepend_file or php_value auto_append_file entries inside them. These settings can be used to inect a PHP file into all of the pages on a site so that they inject javascript or perform other actions.

  2. Examine your site's .htaccess files for RewriteCond states that check the referrer. An example of this is RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]. These types of entries are typically used to perform an action when a visitor is referred from a search engine result page.

  3. If you are running WordPress, compare your theme files, plugins, and WordPress source against a backup to see if there are any unknown javascript entries or PHP includes.

  4. Check the version of Wordpress, Magento, Joomla, etc that you are running and see if there are any known vulnerabilities for that version. Then upgrade your software to the latest version.

  5. Look for strange PHP files under your web site's folder to see if they are possibly being used by the hacker.

While this list of steps is by no means exhaustive, it should give you a starting point in determining how your site was hacked. If anyone has any other recommendations, please let me know and I will get them added.


Remember Me
Sign in anonymously