Links to the malicious pages are spread via Facebook spam

Feb 6, 2016 09:00 GMT

There's a fake Flash Player update scam doing the rounds on the Internet. It tricks users into installing a package that contains a legitimate Adobe Flash Player update but also bundles scareware.

The researchers from the SANS Technology Institute discovered this new campaign, and they explain that the fake Flash Player update is presumably being served via malicious advertising.

At first, users are pestered with a popup that alerts them to update their current Flash version.

"They do not rely on a vulnerability in the operating system," said Johannes Ullrich, the SANS researcher who discovered this campaign. "Instead, the user is asked to willingly install them, by making them look like genuine Adobe Flash warnings (and we keep telling users to make sure Flash is up to date, so they are likely going to obey the warning and install the update)."

Clicking the OK button on this popup takes users to another page, where they download a fake Flash Player update package.

The fake Flash update package is signed with a valid Apple certificate

Surprisingly, this file doesn't trigger any warnings from the Mac's Gatekeeper because it was signed with an official Apple developer certificate issued to someone named Maksim Noskov. This means that Apple will allow you to run this malicious package without raising a single alarm.
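A valid signature only says that some registered developer signed the file, not that the vendor named on the installer did. The sketch below is an added example, not code from SANS or Adobe: it reads a `pkgutil --check-signature` report and accepts the package only if the leaf signer's Team ID is one you expect. The Team IDs and the three sample reports are constructed placeholders.

```shell
#!/bin/sh
# Added example: "validly signed" is not the same as "signed by the expected vendor".
# Assumption: Team IDs here are constructed placeholders, not real values.
EXPECTED_TEAM_IDS="ADOBE00000"

# Read a `pkgutil --check-signature` report on stdin and print the Team ID
# of the leaf (first) certificate in the chain, if there is one.
leaf_team_id() {
    sed -n 's/^ *1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\))$/\1/p' | head -n 1
}

# $1 = report text. Returns 0 = expected signer, 1 = signed by someone else,
# 2 = no Developer ID signer found (unsigned or unparsable report).
signer_is_expected() {
    team=$(printf '%s\n' "$1" | leaf_team_id)
    [ -n "$team" ] || return 2
    for ok in $EXPECTED_TEAM_IDS; do
        if [ "$team" = "$ok" ]; then return 0; fi
    done
    return 1
}

# Constructed sample reports, modelled on the tool's output layout.
REPORT_VENDOR='Package "install_flash_player.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Adobe Systems, Inc. (ADOBE00000)
    2. Developer ID Certification Authority
    3. Apple Root CA'

REPORT_OTHER='Package "install_flash_player.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Maksim Noskov (NOSKOV0000)
    2. Developer ID Certification Authority
    3. Apple Root CA'

REPORT_UNSIGNED='Package "install_flash_player.pkg":
   Status: no signature'

# Print the verdict code for each sample report.
for name in REPORT_VENDOR REPORT_OTHER REPORT_UNSIGNED; do
    eval "text=\$$name"
    rc=0; signer_is_expected "$text" || rc=$?
    echo "$name -> $rc"
done
```

On a Mac, pass the live report instead of a sample: `signer_is_expected "$(pkgutil --check-signature file.pkg)"`.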

Mr. Ullrich said that while the malicious Flash update package actually contained a valid, authentic and legitimate Adobe Flash update file, it also came bundled with malware.

The malware he discovered falls into the scareware category: it shows popups with apocalyptic messages, telling users their computer is infected and that they need to call a phone number to have it analyzed by a professional.

These are classic tech support scams, which Malwarebytes has seen increase over the past year. Until recently, scareware, while prevalent, usually targeted Windows users alone.