While macOS is often touted as “safer” on the cybersecurity front compared to Windows-based systems, cybercriminals are in fact increasingly targeting Apple’s ecosystem.
The number of attacks on macOS users through malicious and potentially unwanted programs has been increasing annually since 2012, and in 2018 it exceeded 4 million attacks, according to telemetry from Kaspersky released on Wednesday. The pace is staying steady so far this year: During the first half of 2019, the firm registered 1.8 million malware attacks on Macs.
The trojan downloader Shlayer, which downloads and installs various adware (mainly from the Bnodlero family), is the No. 1 threat seen taking aim at macOS, according to the report. It’s making use of people’s thirst for pirated content.
“If you try to search for sites where you can watch or download a popular movie or TV series for free, the very first search results will lead to resources that request you to update Flash Player in order to view content,” the firm explained. “It is these updates that contain Shlayer.”
With the exception of Shlayer, the rest of the top ten is filled out by various unwanted software belonging to the adware class, which display ads in system notifications, web page banners, search results pages, the browser and so on.
The adware samples making the rounds include Bnodlero, which installs ad extensions into a browser, and changes the default search engine and homepage. In addition, it can download and install extra adware. The Pirrit adware family meanwhile goes even further and installs a proxy server on the victim’s machine to intercept traffic from the browser. And, the Cimpli adware uses advanced stealth tactics, such as becoming purposely inactive if it detects an installed security solution in macOS.
Two other malware families that were seen attacking macOS in the first half of the year include a trojan called Spynion and another trojan, Vidsler.
The former is distributed along with several free macOS apps, mainly from sites such as MacUpdate, VersionTracker and Softpedia.
“While the app is being installed on the victim’s computer, a malicious component is downloaded and installed,” according to the report. “The Spynion’s main objective is to monitor user activity on the network and transfer intercepted confidential data to the attackers’ servers. The trojan also has backdoor functionality, i.e., it allows attackers to remotely connect to the user’s macOS.”
Vidsler meanwhile is distributed via banner ad links, under the pretext of requiring the user to update video codecs or download a new version of a video player.
“In terms of functionality, Vidsler is similar to Shlayer: It downloads, installs, and runs other software, most often from the FkCodec AdWare family,” Kaspersky explained.
New variants that have appeared this year include a previously unknown macOS malware from the North Korea-linked APT known as Lazarus Group, which attacked the financial sector earlier this year, the company said.
“An extremely dangerous (but also an extremely rare) threat is a targeted attack on macOS and iOS users, mainly business users,” according to the report. “Several well-known cybercriminal groups are currently working to develop malware for these operating systems, but the likelihood that a random user will be the target of such programs is extremely small. However, if you work in a financial institution, such as, for example, a bank, and your MacBook or iPhone is a corporate device, then the chances that you will be targeted increase considerably.”
Geographically speaking, the top three most-targeted countries remained the same between 2018 and 2019: The United States came in first place (24.4 percent), Germany came in second (14.6 percent), and France came in third (12.4 percent).
Phishing for Apple IDs
Beyond malware, Kasperksy also detected nearly 6 million phishing attacks on macOS users in the first half of 2019. Of these, 11.80 percent targeted corporate users.
“The data that has been collected over the last four years suggests that the number of phishing attacks on macOS users is definitely growing, and quite rapidly at that,” according to the report. “While in 2015 we registered a total of 852,293 attacks, in 2016 this figure grew by 86 percent to over 1.5 million, and in 2017 it skyrocketed to 4 million. In 2018, the number of attacks continued to grow, crossing the 7.3 million mark. At this point we can see that during the first half of 2019 alone, 5.93 million attacks were committed, which means that the number of attacks may exceed 16 million by the end of the year if the current trend continues.”
The phishing pages visited by MacOS users most often pretended to be banking services (39.95 percent), the second popular being global internet portals (21.31 percent) and social networks came in third in 2019 (12.3 percent).
There are also rafts of fake web pages that mimic Apple’s official pages or simply mention the brand.
“The attackers continue to mainly target Apple IDs, which are the users’ key to gaining access to Apple’s infrastructure,” according to the report. “Apple IDs are relatively easy to monetize. For example, they can be sold to other criminals. Perhaps the theft of this type of data is now the most dangerous threat macOS users face, in terms of the balance between the probability of the attack and the damage in the event of its success. Moreover, our statistics show that this type of attack is likely to be on the rise in the near future.”
Links to these sites are usually sent in emails that allegedly come from Apple Support. The recipient is threatened that their account will be locked unless they click the link and log in to confirm the information that has been specified in their profile. In another tactic, the email might thank the user for purchasing an Apple device or app on the App Store. The customer is then invited to learn more about the product (or cancel the purchase) by clicking a link that leads to a phishing page. Here, the victim is required to enter their Apple ID login and password, which, of course, will be sent to the attackers.
The countries with the largest share of unique macOS users who experienced phishing attacks in the first half of the year were Brazil (30.87 percent), India (22.08 percent), and France (22.02 percent).
Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.