Compromised sites push “Roboto Condensed font was not found” virus

by Ugnius Kiguolis - - 2017-10-06

“Roboto Condensed font was not found” scam tricks users into installing dangerous software

Social engineering attacks are on the rise in 2017, and one of the most efficient techniques to force computer users to install malware is to trick them into thinking that a certain file, update, or an essential program is missing on their computer. “The Roboto Condensed font was not found” scam^[1] is an example of such fraudulent method that tricks computer users into installing malware on their computers.

Earlier, these deceptive ads pushed Monero miners^[2], malware downloaders, and keyloggers, although experts believe that it could be used to promote other kinds of malware in a rotation. Some experts believe that it could be used for distribution of Locky^[3], Cerber or BTCWare ransomware.

However, it seems that this scam is used for a slightly different purpose than “The HoeflerText wasn’t found” scam. “The Roboto Condensed font was not found” was detected pushing adware bundles to victims.

Fake font pack now clutters victim’s computer with ad-supported junkware

Technical analysis of the social engineering attack shows that operators behind this campaign are using InstallCapital (pay-per-install software monetization organization) software bundles. Once installed and launched, these suspicious programs start connecting to various domains and receiving encrypted configuration files from them. Consequently, more software infiltrates the system without user’s knowledge.

It has been discovered that installing the fake font pack from “Roboto Condensed font was not found” pop-up dropped well-known spyware-type programs on the system:

It won’t take long until these programs will hijack browser settings and perform other modifications to the system. Usually, they meddle with DNS and Internet properties and start showing deceptive ads on the screen. Some of these ads falsely inform the victim about missing updates or errors on the system that can be fixed only using particular programs.

Avoid ads suggesting to install missing font packs

Installation of the so-called font pack can compromise your computer to a point where attempts to use it can become a nerve-wracking experience. Pop-up ads, alerts and system slowdowns are just a few problems you might run into.
There are two main font scams circulating on the world wide web today – “Roboto Condensed Font was not found” and “The HoeflerText Font wasn’t found” scam^[4]. They appear on websites compromised by criminals that inject a specific code into them.

As soon as the victim visits such page, part of it appears corrupted and then the pop-up offering a missing font pack appears on the screen. The message suggests that the user can’t see the page correctly because user’s computer lacks a specific font used in the compromised website.

VirusActivity experts report^[5] that both social engineering attacks aim at Google Chrome and Mozilla Firefox users mainly.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ Lawrence Abrams. Fake Roboto Condensed Font Pack Update Infects Users with Malware. BleepingComputer. News, Reviews, and Technical Support.
^ Robert Abel. Silent Monero miners here to stay and steal your CPU cycles, and soon GPU cycles. SC Magazine. Breaking News on Cybersecurity, Cybercrime, Industry Insight and Security Product Reviews.
^ Danny Palmer. Double trouble: This ransomware campaign could infect your PC with two types of file-locking malware. ZDNet. Technology News, Analysis, Comments and Product Reviews.
^ Lee Mathews. Ransomware Attack Pushes Fake Font Update On Google Chrome Users. Forbes. News Site that Covers Business, Investing, Technology, Entrepreneurship, Leadership, and Lifestyle Topics.
^ VirusActivity. VirusActivity. Malware and Spyware News.