The recently disclosed microprocessor vulnerabilities – Meltdown and Spectre – have had software and hardware firms working hard to develop patches. Cybercriminals have also been busy developing phishing campaigns that push fake Meltdown and Spectre patches.
It should not come as a surprise that cybercriminals are capitalizing on the rush to secure computers and patch the vulnerabilities. The vulnerabilities can potentially be exploited to gain access to highly sensitive information, the flaws have been widely publicized, and many users are fearful that the flaws will be exploited.
Many software companies have been developing and releasing software updates, including Google, Microsoft, and Firefox. With so many updates to apply, and concern that the vulnerabilities may be exploited if systems are not rapidly patched, this is an ideal opportunity for cybercriminals.
One of the easiest ways for criminals to push their fake Meltdown and Spectre patches is via phishing emails. Researchers at Malwarebytes have already discovered one domain that is being used to download fake Meltdown and Spectre patches. Links to the website are sent out in phishing emails, with a zip file downloaded from the site that claims to be a patch.
Rather than patching the vulnerability and protecting users, the zip file contains a file called Intel-AMD-SecurityPatch-10-1-v1.exe, which is a malware variant called SmokeLoader. SmokeLoader is an information stealer that can also download additional payloads.
After discovering the website, Malwarebytes contacted Comodo and Cloudflare and the malicious site was rapidly taken offline; however, this is likely to be one of many websites that push fake Meltdown and Spectre patches.
This phishing scam shows that care must be taken when downloading any file or visiting a website linked from an email. If a company contacts you by email requesting urgent action to address a vulnerability, always visit the vendor's website directly, and never use the link in the email. The correct URL can be found by performing a simple Google search if the address is not known.
Just because the link contains the vendor’s name and the URL starts with HTTPS, it does not mean the site is genuine. As Malwarebytes points out, “There are very few legitimate cases when vendors will directly contact you to apply updates.” Chances are, the email is a scam.
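The advice above, that a vendor's name in the link or an HTTPS prefix proves nothing, can be turned into a mechanical check. The following is an added example, not code from the original article or from Malwarebytes: it classifies a link by whether the registrable domain of its host is actually the vendor's own domain, and treats any URL that merely mentions a vendor name elsewhere as a lookalike. The vendor-to-domain allowlist and the sample links are constructed for the example (the `.example` hosts are reserved names, not real sites); the malicious filename used in one sample is the one named in the article.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist mapping vendor names to their registrable domains.
# Hypothetical configuration for this example; a real deployment keeps its own list.
TRUSTED_VENDOR_DOMAINS = {
    "intel": "intel.com",
    "amd": "amd.com",
    "microsoft": "microsoft.com",
    "google": "google.com",
    "mozilla": "mozilla.org",
}


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname.

    Simplified on purpose: a production checker should consult the Public
    Suffix List so that hosts such as example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def vendor_tokens(url: str) -> set:
    """Split the whole URL into alphanumeric tokens so vendor names are matched
    as words (e.g. 'intel' inside 'intel-amd-securitypatch'), not as substrings."""
    return set(re.findall(r"[a-z0-9]+", url.lower()))


def assess_link(url: str) -> dict:
    """Classify a link as 'vendor-domain', 'lookalike' or 'unknown'.

    The only thing that makes a link the vendor's is that the registrable
    domain of the host equals the vendor's own domain. Vendor names in the
    subdomain, path or filename, and the use of HTTPS, carry no weight.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host) if host else ""
    tokens = vendor_tokens(url)
    mentioned = sorted(v for v in TRUSTED_VENDOR_DOMAINS if v in tokens)
    owner = next((v for v, d in TRUSTED_VENDOR_DOMAINS.items() if reg == d), None)

    if owner is not None:
        verdict = "vendor-domain"
    elif mentioned:
        verdict = "lookalike"  # names a vendor but is not hosted on its domain
    else:
        verdict = "unknown"

    return {
        "url": url,
        "host": host,
        "registrable_domain": reg,
        "https": parts.scheme.lower() == "https",
        "mentions": mentioned,
        "vendor": owner,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample links for demonstration only.
    samples = [
        "https://www.intel.com/content/www/us/en/security-center/default.html",
        "https://intel.com.security-update.example/Intel-AMD-SecurityPatch-10-1-v1.exe",
        "https://example.net/news",
    ]
    for s in samples:
        r = assess_link(s)
        print(f"{r['verdict']:14} https={str(r['https']):5} "
              f"domain={r['registrable_domain']:28} {s}")
```

The second sample is the pattern the article warns about: the host begins with `intel.com`, the filename names both Intel and AMD, and the scheme is HTTPS, yet the registrable domain is `security-update.example`, so the checker reports it as a lookalike. A mail gateway or browser extension can apply the same rule to every link in a message and only pass through links whose registrable domain is on the allowlist.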