Firefox users should be aware of HoeflerText scam too

Not so long ago misleading “HoeflerText font was not found” ads has been spotted spreading Spora ransomware virus. This social engineering technique was aimed at Google Chrome users.[1] When people entered a crafted website, they received a pop-up window asking to install “Chrome Font Pack” in order to see the content of the site. These notifications looked the same way as original Chrome alerts. Thus, there’s no surprise that many computer users have been tricked. The success of this malware distribution strategy hasn’t left unnoticed. A new wave of HoeflerText scam has been just noticed distributing Panda Banker virus, which is a variant of infamous Zeus banking Trojan. Cyber criminals adopted this social engineering technique and started attacking both Google Chrome and Mozilla Firefox users.

HoeflerText scam attacks Mozilla Firefox

At the beginning of May 2017, a researcher from ProofPoint company, known as Kafeine, tweeted[2] about discovering a new social engineering[3] campaign which distributes dangerous banking trojan. In order to launch a successful attack, cyber criminals need to trick people into visiting a crafted website. Then, users receive a pop-up message informing that “HoeflerText font was not found.” The alert says that site is displayed incorrectly, but users can fix this problem by updating “Mozilla Font Pack.” The message also includes details about manufacturer and version of the browser. Thus, users can get easily tricked into clicking “Update” button.

What happens then? After clicking this dangerous button, a regular download window shows up. It informs that user is installing “” file. However, this ZIP archive does not include any updates for Mozilla. It hides a malicious “Mozilla_Font_v7.87.js” file. Once the download starts, the malevolent website gives instructions how to install these updates. As soon as victim runs a JavaScript file, malware is saved and executed on the computer. Since then, victim’s privacy, login details, and money are in danger.

It’s still unknown how attackers distribute the link to this infected website. Originally Panda Banker has been spread via malicious email attachments. Thus, such link might appear in target’s inbox and convince to click particular link or button. However, malware researchers also suspect that cyber-criminals might use malvertising[4] and exploit kits. Therefore, it’s time to strengthen your computer’s security, update Mozilla and Chrome,[5] and be more vigilant with received emails.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.

Contact Linas Kiguolis
About the company Esolutions