Like Parrot TDS, FakeUpdate also performs a preliminary scan to collect information about the site visitor before displaying the phishing message. This is a defensive measure on the attackers' side, used among other things to decide whether or not to show the phishing message at all.
The scan checks which antivirus product is installed on the device. The file offered as an update is actually a remote access tool, NetSupport Manager.
The cybercriminals behind the campaign have configured the tool so that the user has very little chance of noticing it. If the victim runs the file, the attackers gain full access to the computer, and they can change the payload delivered to victims at any time.
In addition to the FakeUpdate campaign, the researchers looked at other phishing sites hosted on the infected Parrot TDS sites, although they cannot conclusively link them to that traffic direction system.
How users can avoid becoming phishing victims:
1. If the site being visited looks different than expected, visitors should leave the page and not download any files or enter any information.
2. Updates should be downloaded only through the browser's own settings, never through other channels.
How developers can protect servers:
1. Use the latest version of the content management system (CMS).
2. Use the latest versions of installed plugins.
3. Check whether there are tasks running automatically on the web server.
4. Verify and configure secure credentials, and use unique credentials for each service.
5. Check the administrator accounts on the server, making sure that each of them belongs to a developer and has a strong password.
6. Where applicable, configure two-factor authentication for all web server administrator accounts.
7. Use available security plugins.
8. Scan all files on the web server with an antivirus program.
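The following POSIX shell helpers are an added example, not code from the original article or from the researchers it describes. They support the server-side checklist above: listing scheduled tasks (cron entries and systemd timers), finding web-root files changed recently, finding world-writable files, and running an antivirus scan over the web root. Every path is passed as an argument and the demo directory is constructed inline, so nothing here assumes a particular server layout; the use of `clamscan` as the scanner is an assumption, and any other scanner can be substituted.

```shell
#!/bin/sh
# Added example (not from the original article): audit helpers for a web server
# administrator working through the checklist above. All paths are arguments,
# so the helpers can be pointed at any directory, including a scratch one.

# Show which jobs run automatically: print every active (non-comment, non-blank)
# line from cron-style files in the given directory, e.g. /etc/cron.d.
list_cron_jobs() {
    dir="$1"
    # -h suppresses file names; -v drops comment and blank lines.
    # "|| true" keeps callers under "set -e" alive when there are no entries.
    grep -h -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$dir"/* 2>/dev/null || true
}

# systemd timers are a second place scheduled tasks live; skipped if absent.
list_systemd_timers() {
    command -v systemctl >/dev/null 2>&1 && systemctl list-timers --all --no-pager 2>/dev/null || true
}

# Find web-root files changed in the last N days (default 7). Injected CMS or
# plugin files normally carry a modification time newer than the last
# legitimate update, so a short list here is easy to review by hand.
recent_web_files() {
    root="$1"; days="${2:-7}"
    find "$root" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -mtime -"$days" 2>/dev/null
}

# World-writable files can be edited by any local process, including a
# compromised plugin; they should not exist under a web root. -perm -0002 is
# the portable spelling of "others may write".
world_writable_files() {
    root="$1"
    find "$root" -type f -perm -0002 2>/dev/null
}

# Scan the web root with an antivirus program. clamscan is assumed here;
# the call is skipped with a message when it is not installed.
scan_web_root() {
    root="$1"
    if command -v clamscan >/dev/null 2>&1; then
        clamscan -r --infected "$root"
    else
        echo "clamscan not installed; install an antivirus scanner and rerun" >&2
        return 0
    fi
}

# Demo on a constructed scratch directory (not a real server): sh audit.sh demo
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/cron.d" "$demo/www"
    printf '# constructed sample crontab\n*/5 * * * * root /usr/bin/true\n' > "$demo/cron.d/job"
    echo '<?php echo 1;' > "$demo/www/index.php"
    chmod 0666 "$demo/www/index.php"
    echo "== scheduled tasks";            list_cron_jobs "$demo/cron.d"; list_systemd_timers
    echo "== recently changed web files"; recent_web_files "$demo/www" 7
    echo "== world-writable files";       world_writable_files "$demo/www"
    echo "== antivirus scan";             scan_web_root "$demo/www"
    rm -rf "$demo"
fi
```

On a real host, point `list_cron_jobs` at `/etc/cron.d` and each user's crontab directory, and `recent_web_files` at the CMS document root with a window that ends before the last known legitimate update; anything in the output that the developers did not put there is worth investigating before the next step of the checklist.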