It’s conventional wisdom that Macs are more secure than Windows PCs. And while Macs and other platforms have traditionally not been targeted by malware to the same extent as Windows, new malware targeting European Mac users highlights that “security through obscurity” isn’t something careful Apple fans can rely on anymore.
The new malware, dubbed OSX/Dok by researchers at Check Point, is spread through phishing emails that contain attachments with the malware.
According to F-Secure Security Advisor Sean Sullivan, all the phishing emails caught in F-Secure Labs’ spam traps spoof addresses from the Swiss Federal Tax Administration, and were sent by “Stefan Bormann.”
The accompanying .zip attachment is signed by “Seven Muller”, which is a valid developer certificate that’s authenticated by Apple. Any unfortunate users that try to open the attachment will be prompted that the documents cannot be opened. But this is just a decoy while the malware copies itself on the device.
Users will then be prompted that their operating system has a security vulnerability, and that they should enter their password to authorize an update. The prompt is full screen, which pressures users to enter their passwords before they can proceed.
“It’s a clever social engineering trick,” says Sean. “People might think it’s unusual compared to how updates are usually handled. But it might strike them as credible enough to comply without giving it too much thought.”
While the prompt appears convincing (it can show up in German or English, depending on the user’s settings), it is actually part of the malware. Passwords entered here are quickly used to escalate the attacker’s privileges to “pwn” the machine, and establish a connection to the dark web via a proxy controlled by the attackers.
At this point, the attackers have what’s known as a “man-in-the-middle” position, and can access all the data and communications handled by the infected Mac (including any encrypted internet traffic). That means attackers can access login credentials for stuff like social media, email, or online banking accounts. It also puts them in a position where they can tamper with internet traffic, exposing users to further harm.
So what do Mac users do to protect themselves?
“We’ve added detections* to our products to protect Mac users,” says Sean. “But users need to be aware that Mac malware exists and that they need to protect themselves from it – just like Windows users. And attackers are combining malware with social engineering, so it’s worth brushing up on general best practices.”
Here are a few best practices for Mac users:
- Set your Mac to only allow installations from Apple’s official App Store by default (you can change this as needed).
- Educate yourself on how to spot phishing emails.
- Power users (such as software developers or Mac enthusiasts) can look into more advanced security tools now available for Macs.
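For power users, one check that follows from the proxy behaviour described above is to review which proxies macOS is currently configured to use. The script below is an added example, not something from F-Secure or Check Point. It assumes the proxy shows up in the system network settings reported by `scutil --proxy` (the article does not say how the proxy is set), and the hostnames in the sample data are constructed.

```shell
#!/bin/sh
# Added example. Reads `scutil --proxy` output on stdin, prints each enabled
# proxy mechanism, and returns 1 if any is enabled (0 if none).
audit_proxies() {
    awk '
        {   # Lines look like "  Key : value"; split on the first " : ".
            i = index($0, " : ")
            if (i == 0) next
            key = substr($0, 1, i - 1); gsub(/^[ \t]+/, "", key)
            val = substr($0, i + 3);    gsub(/[ \t\r]+$/, "", val)
            kv[key] = val
        }
        END {
            n = split("HTTP HTTPS SOCKS", kinds, " ")
            for (j = 1; j <= n; j++) {
                k = kinds[j]
                if (kv[k "Enable"] == "1") {
                    printf "%s proxy -> %s:%s\n", k, kv[k "Proxy"], kv[k "Port"]
                    found = 1
                }
            }
            if (kv["ProxyAutoConfigEnable"] == "1") {
                printf "PAC file -> %s\n", kv["ProxyAutoConfigURLString"]
                found = 1
            }
            if (kv["ProxyAutoDiscoveryEnable"] == "1") {
                print "WPAD auto-discovery enabled"
                found = 1
            }
            exit found + 0
        }'
}

# Constructed sample outputs (not captured from a real or infected machine).
sample_clean() { printf '%s\n' '<dictionary> {' '  HTTPEnable : 0' \
    '  HTTPSEnable : 0' '  ProxyAutoConfigEnable : 0' '}'; }
sample_proxied() { printf '%s\n' '<dictionary> {' '  HTTPSEnable : 1' \
    '  HTTPSPort : 8080' '  HTTPSProxy : proxy.example.invalid' \
    '  ProxyAutoConfigEnable : 1' \
    '  ProxyAutoConfigURLString : http://proxy.example.invalid/sample.pac' '}'; }

# On a Mac, audit the live settings; elsewhere, show the constructed sample.
if command -v scutil >/dev/null 2>&1; then
    scutil --proxy | audit_proxies || echo "Proxy in use: confirm you set it."
else
    sample_proxied | audit_proxies || echo "Proxy in use: confirm you set it."
fi
```

An enabled proxy is only a prompt to look closer, since workplace networks and VPN tools configure proxies legitimately.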
*F-Secure SAFE detects this as Trojan.MAC.Dok.A.
[ Featured image by iphonedigital | Flickr ]