bill-swift - July 3, 2012
Trojans and viruses executed using vulnerabilities found in Flash are nothing new. But cyber criminals keep using them for one main reason: they're so effective.
Many online users are aware that they need Adobe's Flash player to view certain types of content, like YouTube videos. So if they come across an alert telling them that they need to download the latest Flash update to access certain content, then they'd probably do so without any second thoughts.
Security experts from Zscaler have come across a website that displays a phony window encouraging users to install Adobe Flash Player so that they can view a certain clip. However, what users will actually be downloading is a fake browser extension, in a format that depends on the browser they're using: .XPI for Firefox, .CRX for Google Chrome, or .exe for Internet Explorer.
Once the extensions have been installed, the hacker will be able to gain access to the user's computer.
The current files being pulled are not very dangerous, but that could change in the future. An invisible IFRAME is inserted in each new page loaded. The IFRAME contains advertising from resultsz.com, and contains a username in the URL.
The author could change the remote file at any moment to do much more harm, like stealing cookies to obtain access to the user accounts on any site, stealing username/credentials being entered or previously saved.
-- Julien Sobrier, security expert at Zscaler
Anti-virus programs can do little against the threat, because most of them do not recognize .XPI and .CRX files as dangerous. In this case, you can keep your computer protected by downloading updates and software only from the actual vendor's website and ignoring alerts that come from third-party sites, especially ones that look a bit shady.