HTML/FakeAlert.MD!tr
Analysis
HTML/FakeAlert.MD!tr is a generic detection for an HTML phishing page of the "fake alert" (tech-support scam) type. Because the detection is generic, pages that trigger it may vary in behaviour.
Below are some of its observed characteristics/behaviours:
- The official-looking website contains hyperlinks whose visible text suggests they point to legitimate Microsoft support websites. Underneath, however, they point to attacker-controlled sites on a Microsoft-lookalike domain. The remote sites observed (URLs defanged, with part of the hostname removed) are listed below:
- hxxp://{Removed}microsoftsupport.com/chrome-assests/bootstrap.css
- hxxp://{Removed}microsoftsupport.com/chrome-assests/jquery-1.js
- hxxp://{Removed}microsoftsupport.com/chrome-assests/translator.css
- hxxp://{Removed}microsoftsupport.com/chrome-assests/alert.css
- hxxp://{Removed}microsoftsupport.com/chrome-assests/style.css
- hxxp://{Removed}microsoftsupport.com/chrome-assests/iframe.js
- hxxp://{Removed}microsoftsupport.com/WYoQh/chrome-assests/retreaver.js
- hxxp://{Removed}microsoftsupport.com/chrome-assests/retreaver.js
- hxxp://{Removed}microsoftsupport.com/UjjaZ/chrome-assests/alert.css
- hxxp://{Removed}microsoftsupport.com
- The site also displays an alert message claiming that the user's computer is infected with malware, then asks the user to call a specific phone number to prevent further damage to the system.
- Below are some examples of web pages detected as HTML/FakeAlert.MD!tr:
- Figure 1: Prompt message.
- Figure 2: Fake Microsoft support website.
- Figure 3: Prompt message.
- Figure 4: Prompt message.
- Figure 5: Prompt message.
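The two traits described above (link text that names Microsoft while the href goes to a lookalike domain, and an inline alert that claims infection and gives a phone number to call) are mechanical enough to check for during triage. The following is an added example, not Fortinet's detection logic or any code from the page; the sample HTML, the `fake-microsoftsupport.example` hostname and the 555-01xx phone number are constructed for illustration. It walks the page with the standard-library HTML parser and reports each trait separately, so a page that only has one of them is not over-called.

```python
"""Heuristic triage of a suspected FakeAlert-style (tech-support scam) HTML page.

Added example, not Fortinet's detection logic. The sample HTML, the
'.example' hostname and the 555-01xx phone number below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that a link labelled "Microsoft support" may legitimately point to.
LEGIT_SUFFIXES = ("microsoft.com",)

ALERT_RE = re.compile(r"\b(alert|confirm)\s*\(", re.I)
INFECTION_RE = re.compile(r"\b(infected|virus|malware|trojan|spyware)\b", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def is_legit_host(host):
    """True if host is microsoft.com or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


class _Collector(HTMLParser):
    """Collect anchors, external script/stylesheet URLs and inline scripts."""

    def __init__(self):
        super().__init__()
        self.anchors = []    # (href, visible text)
        self.resources = []  # <script src> and <link href> URLs
        self.scripts = []    # inline <script> bodies
        self._cur_a = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._cur_a = [a.get("href", ""), ""]
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "a" and self._cur_a is not None:
            self.anchors.append(tuple(self._cur_a))
            self._cur_a = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._cur_a is not None:
            self._cur_a[1] += data
        if self._in_script:
            self.scripts.append(data)


def analyze_fakealert_html(html):
    """Return the three FakeAlert traits found in an HTML document."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings = {"deceptive_links": [], "lookalike_resources": [], "scare_alerts": []}

    # 1. Link text names Microsoft, but the href host is not Microsoft's.
    for href, text in p.anchors:
        host = urlparse(href).hostname
        if "microsoft" in text.lower() and host and not is_legit_host(host):
            findings["deceptive_links"].append((text.strip(), href))

    # 2. Scripts/stylesheets loaded from a Microsoft-lookalike host.
    for url in p.resources:
        host = urlparse(url).hostname or ""
        if "microsoft" in host.lower() and not is_legit_host(host):
            findings["lookalike_resources"].append(url)

    # 3. Inline alert()/confirm() with infection wording; record the phone number.
    for body in p.scripts:
        if ALERT_RE.search(body) and INFECTION_RE.search(body):
            phones = PHONE_RE.findall(body)
            findings["scare_alerts"].append(phones[0] if phones else "<no number>")

    return findings


def is_fakealert(findings):
    """Verdict: a scare alert plus at least one lookalike/deceptive indicator."""
    return bool(findings["scare_alerts"]) and bool(
        findings["deceptive_links"] or findings["lookalike_resources"])


# Constructed sample page mimicking the observed traits (not the real page).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://fake-microsoftsupport.example/chrome-assests/alert.css">
<script src="http://fake-microsoftsupport.example/chrome-assests/iframe.js"></script>
</head><body>
<a href="http://fake-microsoftsupport.example/">Microsoft Support</a>
<a href="https://support.microsoft.com/">Microsoft Help</a>
<script>
  alert("Your computer is infected with malware. Call 1-800-555-0199 now to prevent further damage.");
</script>
</body></html>
"""

if __name__ == "__main__":
    result = analyze_fakealert_html(SAMPLE_HTML)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", "FakeAlert-like" if is_fakealert(result) else "clean")
```

The second anchor in the sample (text "Microsoft Help", href on support.microsoft.com) is deliberately left unflagged: the check compares the link's claim against the href's host rather than keying on the word "Microsoft" alone, which is what keeps a legitimate support page from matching.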
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability

Product | Database
---|---
FortiGate | Extended
FortiClient | Extreme
FortiAPS |
FortiAPU |
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |