
New phishing campaign uses scareware to steal Apple credentials


A new phishing campaign targeting Mac systems employs scareware tactics to steal Apple IDs and passwords from unsuspecting users.

Identified by LayerX Labs, the attack involves compromised websites displaying fake security warnings claiming that the user’s computer has been “compromised” and “locked,” and prompting users to enter their username and password.

“Apple Security Warning. MacOS has been locked due to unusual activity, try signing in again with your Apple_ID and password,” the display message reads with a prompt to enter Apple account credentials.

The campaign redirects victims to the phishing pages, which carry the malicious scareware code, via compromised domain “parking” pages, LayerX said in a blog post.

Use of scareware

Screenshots shared by LayerX revealed the use of “scareware” in the campaign. Scareware refers to malicious software that displays a pop-up alert or fake antivirus warning claiming that a user’s device is infected with a virus or that its security is compromised, and that the user should complete an action to fix the issue.

In this case, the scareware is deployed on the actor-controlled phishing sites that victims are taken to. On visiting the website, users get a fake pop-up alert, “Apple security warning,” prompting them to enter their Apple ID and password. Simultaneously, the webpage freezes, creating the illusion that the entire computer is locked.

LayerX research pointed out that the campaign is particularly difficult to stop because of various factors, including being hosted on a Microsoft platform, which adds credibility, using a legitimate and trusted hosting service, and using randomized, quickly changing subdomains.

“In the past few weeks, we’ve seen an uptick in browser-based phishing attacks that use legitimate hosting services to trick users into falling for the attack,” Thomas Richard, red team practice director at Black Duck, said in a comment to CSO. “The ruse they use is a fairly old one and quite common.”

Such random popups saying “your computer is compromised” should always be treated with suspicion, as antivirus services will never ask you to enter a username and password to remove a threat, Richard added.

The campaign previously targeted Windows users

According to LayerX researchers, the campaign has been seen targeting Mac users only in the last few months. Initially, it targeted Windows users by masquerading as Microsoft security alerts.

The campaign is designed to steal user credentials, and the threat actors have apparently shifted focus to Mac users owing to new security features being rolled out by Microsoft, Chrome, and Firefox, researchers added.

“Phishing attacks are evolving, and despite the fact that Macs are traditionally less susceptible to viruses, Mac users are no exception to many modern threats,” Darren Guccione, CEO and co-founder at Keeper Security, told CSO. “Cybercriminals are opportunistic–when one attack vector gets blocked, they pivot to the next.”

This campaign demonstrates how quickly attackers adapt, leveraging trusted infrastructure and sophisticated deception to bypass traditional security measures, Guccione added. The researchers noted that the new Mac-targeted attacks required only minor adjustments to the hackers’ existing infrastructure, primarily involving text modifications and slight code changes to target macOS and Safari users.

