You should always pay attention to the URLs you click on, even if they supposedly lead to legitimate websites. In fact, malware is often spread via websites impersonating well-known ones. Recently, cybersecurity firm ESET found new ones mimicking the Microsoft Store and Spotify.

According to Lawrence Abrams, threat actors are now using these fake websites to steal credit card information and passwords. So far, ESET has found a fake Microsoft Store, Spotify, and an online document converter. Hackers seem to be targeting South America for the moment, but it wouldn’t come as a surprise if more regions become targets for these attacks.

Based on ESET’s report, these websites are spreading Ficker malware. Ficker is an information-stealing Trojan released on Russian hacking forums back in January when its developer began renting out the malware to other threat actors.

Ficker steals information and user credentials that are saved in web browsers, messaging apps, and FTP clients. The malware can also exfiltrate documents, take screenshots of your running apps, and steal from a user’s cryptocurrency wallet.

Jiri Kropac, Head of Threat Detection Laboratories at ESET, told BleepingComputer that the attack is carried out through malicious advertising promoting what appear to be legitimate applications.

For instance, one of the ads used in this attack promotes an online Chess application, which you can see below.

[Image: fake chess ad spreading malware. Image Source: BleepingComputer]

When users click on the ad, they are redirected to a fake Microsoft Store page for a bogus online chess app called ‘xChess 3’, which is automatically downloaded from an Amazon AWS server.

[Image: fake Microsoft Store page for the chess app. Image Source: BleepingComputer]

The downloaded zip file is called ‘xChess_v.709.zip’ [VirusTotal], which is actually the ‘Ficker’ or ‘FickerStealer’, information theft malware in disguise, as shown in BleepingComputer’s Any.Run report.

Other ads in this malware campaign claim to be from Spotify or an online document converter. When accessed, their landing pages will also automatically download a zip file containing the Ficker malware.

[Image: fake Spotify page spreading Ficker malware. Image Source: BleepingComputer]

If you come across any websites like the ones mentioned above, make sure they have the correct URL and certificate information before downloading anything.
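One way to turn the URL check above into something a help desk or mail gateway can run, as an added example that is not part of the original article: a small Python classifier that flags hosts containing a brand name but not sitting under that brand's real registrable domain. The brand allowlist and sample URLs are constructed for illustration; the certificate check is left to the browser, since it needs a live connection.

```python
"""Flag URLs that impersonate a brand in their host (added example, not the article's code)."""
from urllib.parse import urlsplit

# Constructed allowlist for illustration: brand keyword -> registrable domains the brand owns.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "spotify": {"spotify.com"},
}

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); a real tool should use the public suffix list,
    otherwise hosts under suffixes such as 'co.uk' are judged wrongly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated'.

    'lookalike': a brand keyword appears in the authority (host, subdomain or the userinfo
    before '@') but the registrable domain is not one the brand owns. That covers
    'microsoft-store.example', 'microsoft.com.evil.example' and 'microsoft.com@evil.example'.
    Punycode (xn--) homoglyph hosts are not decoded here.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "unrelated"
    if any(registrable_domain(host) in d for d in BRAND_DOMAINS.values()):
        return "legitimate"
    # Strip separators so 'micro-soft' style spellings still match the keyword.
    authority = parts.netloc.lower().replace("-", "").replace("_", "")
    if any(brand in authority for brand in BRAND_DOMAINS):
        return "lookalike"
    return "unrelated"

def scan(urls):
    """Classify a batch of URLs and return only the lookalikes."""
    return [u for u in urls if classify_url(u) == "lookalike"]

if __name__ == "__main__":
    # Constructed sample links, not the campaign's real ones.
    samples = [
        "https://www.microsoft.com/store/apps",
        "https://www.microsoft-store.example/xchess",
        "https://microsoft.com.evil.example/download",
        "https://open.spotify.com/",
    ]
    for url in scan(samples):
        print("lookalike:", url)
```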

Given Ficker malware’s extensive functionality, if you are a victim of this attack, you are advised to immediately change your online credentials, check firewalls for suspicious port forwarding rules, and perform a thorough antivirus scan of your computer to check for additional malware.
