After a flurry of activity, it went dormant. Now, it seems to have returned, and this time, it’s targeting Firefox users. The basic form of the attack is unchanged, however. From the user’s perspective, it looks like this:
You surf to a webpage that is unreadable. You get a popup message that says “The HoeflerText” font was not found. The message box helpfully provides an update button that supposedly allows you to install the font on your computer.
When you click the button, though, rather than getting the font, you get a banking trojan called Zeus Panda. It will then log your password, and it can initiate rogue transactions in your name.
Unfortunately for the hackers, they didn’t bother to change the name of the font. “HoeflerText” was the exact bogus font name they used a few months ago when they targeted Chrome users, and by now, is quite well known.
Even if it weren’t, this is a fairly crude, heavy-handed attack that only fools a small percentage of users.
The simplest way to avoid having the malware installed is to simply close the browser window any time you see a page load that contains garbage characters and asks you to install a new font, regardless of the font name. It’s almost certainly a trap.
If you do inadvertently click to install the font, contact a member of your IT staff immediately, and don’t do anything else with or on the PC until the malware is removed.
Remember, once this malware is armed with your credentials, it can initiate transactions on its own. From the bank’s perspective, every transaction this malware initiates appears to be perfectly legitimate, which can cause you no end of trouble, and be extremely difficult to reverse.