EITest uses “Font Wasn’t Found” scheme to compromise Google Chrome


If you prefer to use Google Chrome for browsing the Internet, you have to be aware of EITest malware campaign, which attempts to make you download a file that is presented as a font update package. The reason why you have to prevent this from happening is very simple – this file is actually riddled with adware and having those types of threats on the computer leads to it slowing down and crashing. There’s also a danger of having your personal information stolen – this includes passwords, phone number, credit card data, IP address and home address.

EITest was first reported by security researchers from Proofpoint. According to them, it only targets Windows computers in a certain number of countries, and you can only come upon it if you get to a compromised webpage via a referrer – for example, through the results given to you by a search engine. EITest adds its scripts to the source code of the site and they then control the incoming traffic. Another script is loaded after that and sent to the user himself. It changes HTML tags to “& # o”, which leads to “�” characters taking over the entire page.

Infiltration Process

Those are usually displayed when there’re some problems with rendering fonts and characters, so it’s very easy to believe that your browser simply doesn’t have all the tools that’re needed to view the page properly. Especially considering the fact the Pop-Up window that you receive has a Chrome logo and appears to be legit. That’s exactly what people behind EITest count on – you being tricked into downloading their creation. They usually compromise sites that are made using WordPress or Joomla! and exploit their vulnerabilities. The small amount of user traffic is stolen from those pages and used to present potential victims with a pop-up window.

EITest was made public in 2014 and it’s known for a fact that its developers rent traffic to con artists that use exploit kits to abuse the vulnerabilities in Flash, Internet Explorer, Silverlight and many other applications. When this happens, malicious programs are stealthily put on the computer, without you even knowing anything about it. But the scheme that’s currently used asks to press a “Download” button first, which may lead to a reduced amount of downloads. On the other hand, it can be argued that the more authentic everything appears, the higher are the chances of someone falling into a trap. So everything depends on the perspective.

As far as the contents of the update package go, it contains the Fleercivet malware that redirects you to various sites and also displays ads which generate traffic and bring money to its creators. It was previously known as Simby (in early 2015) and Clicool (in late 2015 and in 2016). So don’t believe everything you see – if the webpage isn’t displayed the way it’s supposed to, it doesn’t necessarily mean that there’s something wrong with your browser. Cybercriminals often use deceptive techniques and are ready for anything to make you download a program that can make them richer. Keep that in mind every time you receive an offer to update your browser out of the blue.


Please enter your comment!
Please enter your name here