Thread: Beware of The Fake "Roboto Condensed" font was not found Pop-Up

  1. #1
    jimmy7

    Beware of The Fake "Roboto Condensed" font was not found Pop-Up

    What is the "Roboto Condensed" font was not found Pop-Up?

    https://www.bleepstatic.com/swr-guid...ome-edited.png


    A new attack method discovered by MalwareBreakdown that is being seen on the web is called The Roboto Condensed font was not found pop-up. This popup is part of a social engineering attack that uses JavaScript to display an alert stating that you are missing a font required to properly view a site.

    There are two ways this attack will be conducted. The first method is when you visit a site that has been hacked so that JavaScript is injected into every web page on the site. Then when a visitor goes to this page, the JavaScript will scramble the text on the web site so it is unreadable. The script will then display a fake Chrome or Firefox alert that states you need to install the Chrome or Mozilla Font Pack in order to properly see the site. The Chrome version of this method can be seen above.

    The second method is to just display an alert on the page stating that the Hoeflertext font is missing and then prompt you to download a font pack. Once you download the font pack, the alert will change to instructions on how to install it. You can see examples of the Chrome and Firefox alerts below.

    https://www.bleepstatic.com/swr-guid...rome-alert.jpg

    https://www.bleepstatic.com/swr-guid...illa-alert.jpg

    Either way the alert is displayed, the text of the alert is the same. This alert states that your version of Chrome or Firefox does not have the Roboto Condensed font installed and then prompts you to download a fake "Chrome Font Pack" or "Mozilla Font Pack" in order to install the Roboto Condensed font and see the page properly. The names of the downloads that have been distributed by this attack include chromefp60.exe & mozillafp60.exe.

    The downloaded file, though, is actually a malware installer that will install malware such as Ursnif, Miners, and Trojan.Downloaders.

    The full text of the Chrome alert is:

    The "Roboto Condensed" font was not found.

    The web page you are trying to load is displayed incorrectly, as it uses the "Roboto Condensed" font. To fix the error and display the next, you have to update the "Chrome Font Pack".
    Manufacturer: Google Inc. All Rights Reserved.
    Current version: Chrome Font Pack 54.0.2785.89
    Latest version: Chrome Font Pack 60.0.3112.90

    The full text of the Mozilla alert is:

    The "Roboto Condensed" font was not found.

    The web page you are trying to load is displayed incorrectly, as it uses the "Roboto Condensed" font. To fix the error and display the next, you have to update the "Mozilla Font Pack".
    Manufacturer: Mozilla Corporation.
    Current version: Mozilla Font Pack 53.0.2785.89
    Latest version: Mozilla Font Pack 60.0.3112.90

    Am I infected if I see the Roboto Condensed Font or Chrome & Mozilla Font Pack Update Pop-Up?


    The simple answer is maybe, but if you are, it's not what is causing this popup to appear. You will find sites that state you are infected if you see the Roboto Condensed Font Pack popup. This is not true.

    The only reason you are seeing this popup on a site is because the site was hacked and JavaScript was injected to display this popup. You can see an example of the injected JavaScript in the image below.

    https://www.bleepstatic.com/swr-guid...javascript.jpg

    With that said, if you did happen to run the downloaded chromefp60.exe or mozillafp60.exe, or whatever program was downloaded when you clicked on the Update button, then you most likely are infected and should scan your computer with an anti-virus program.

    What happens if I Run the downloaded Chrome or Mozilla Font Pack?


    When you run the chromefp60.exe & mozillafp60.exe programs, or another file downloaded from the Chrome Font Update popup, your computer will become infected with some sort of malware. Currently these attacks are installing Miners, the Ursnif keylogger, and Trojan.Downloaders.

    Therefore, if you have mistakenly executed the chromefp60.exe or mozillafp60.exe files, then you should immediately scan your computer with an anti-virus program to be safe.

    If a web site I own shows the Roboto Condensed Pop-Up, What Should I Do?

    If you own a web site that has been hacked so that it displays the Roboto Condensed pop-up, it is important that you examine your web site's source files and configuration in order to determine how the code is being injected. Unfortunately, full instructions on how to perform forensics on a site are outside the scope of this article, but here are a few things you can try:

    • Examine your site's .htaccess files to see if there are any php_value auto_prepend_file or php_value auto_append_file entries inside them. These settings can be used to inject a PHP file into all of the pages on a site so that they inject JavaScript or perform other actions.

    • Examine your site's .htaccess files for RewriteCond statements that check the referrer. An example of this is RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]. These types of entries are typically used to perform an action when a visitor is referred from a search engine result page.

    • If you are running WordPress, compare your theme files, plugins, and WordPress source against a backup to see if there are any unknown JavaScript entries or PHP includes.

    • Check the version of WordPress, Magento, Joomla, etc. that you are running and see if there are any known vulnerabilities for that version. Then upgrade your software to the latest version.

    • Look for strange PHP files under your web site's folder to see if they are possibly being used by the hacker.


    While this list of steps is by no means exhaustive, it should give you a starting point in determining how your site was hacked.
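
The two .htaccess checks from the list above as a small scanner. This is an added example, not part of the original post or article; the function names, finding labels and sample file paths are assumptions made for illustration. A referrer condition can also be legitimate (hotlink protection, for instance), so the output is a list of lines to review rather than a verdict.

```python
import os
import re
import tempfile

# The two .htaccess patterns from the checklist; Apache directive names are case-insensitive.
PHP_INCLUDE = re.compile(r"^\s*php_value\s+auto_(?:prepend|append)_file\s+(\S+)", re.I)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)

def classify(line):
    """Return a finding label for one .htaccess line, or None if it is not of interest."""
    if line.lstrip().startswith("#"):
        return None  # commented-out directive
    m = PHP_INCLUDE.match(line)
    if m:  # PHP's special value "none" disables the include, so it is not a finding
        return None if m.group(1).strip("\"'").lower() == "none" else "php-auto-include"
    return "referer-condition" if REFERER_COND.match(line) else None

def scan_htaccess(webroot):
    """Walk webroot; return sorted (relative_path, line_no, label) entries for manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                label = classify(line)
                if label:
                    findings.append((os.path.relpath(path, webroot), no, label))
    return sorted(findings)

# Constructed sample; the .php paths are made-up placeholders, the RewriteCond is the page's example.
SAMPLE = ("php_value auto_prepend_file /tmp/placeholder.php\n"
          "# php_value auto_append_file old.php\n"
          "php_value auto_append_file none\n"
          "RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]\n")

def demo():
    """Write SAMPLE into a temporary web root (root and a subfolder) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        for rel in (".htaccess", os.path.join("uploads", ".htaccess")):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(SAMPLE)
        return scan_htaccess(root)

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

On a real site, call `scan_htaccess()` with the document root and compare each reported line against a known-good backup of that file.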

  2. #2
    1Line
    Very cheeky!

