Apple users warned of dangerous new Mac malware that steals banking credentials


Apple users are being warned about a newly discovered form of Mac malware which is spread via a phishing attack and steals banking credentials.

The malware, dubbed OSX/Dok, was discovered by researchers from Check Point Security and mirrors the websites of some of the world’s leading banks in an attempt to steal money from users.

The malware is being spread via a combination of phishing and so-called man-in-the-middle attacks.

Security experts say the Mac malware is extremely difficult to detect as it is able to bypass Apple’s stringent security measures and spy on all communications from the victim.

Check Point said they have seen a recent surge in the malware being used by hackers who are currently playing a game of cat and mouse with Apple.

Check Point say the hackers are “purchasing dozens of Apple certificates to sign on the application bundle and bypass GateKeeper”. As soon as Apple revokes one of the certificates the hackers switch to another, with new certificates being used “on a daily basis”.

“They are aiming at the victim’s banking credentials by mimicking major bank sites. The fake sites prompt the victim to install an application on their mobile devices, which could potentially lead to further infection and data leakage from the mobile platform as well,” Check Point said in a blog post.

Once the malware has been installed on a device it downloads the Tor browser and starts to communicate with servers controlled by the hackers. It then records the location of the infected device and customises the fake banking page depending on the location of the victim, making the attack even more convincing.


Image: Check Point. The very convincing but fake banking page used by OSX/Dok

The malware then asks victims to log in to the fake banking page with their banking credentials and also asks for their mobile number to set up SMS authentication.

Victims are then tricked into downloading a malicious app and the Stack encrypted messaging app.

It is not known why victims are made to download Stack, but Check Point researchers speculate that it could be used by the hackers to commit more fraud at a later date.

“Whatever the goal may be, Signal will possibly make it harder for law enforcement to trace the attacker.”

“Alternatively, the perpetrator might be using Signal temporarily, to acquire install rate statistics and prove the method is working, while planning to install a malicious mobile application with future victims at a later time.”

“Unfortunately, the OSX/Dok malware is still on the loose and its owners continue to invest more and more in its obfuscation by using legitimate Apple certificates,” Check Point researchers wrote.

“The fact that the OSX/Dok is ported from Windows may point to a tendency. We believe more Windows malware will be ported to macOS, either due to the lower number of quality security products for macOS compared to the ones for Windows, or the rising popularity of Apple computers.”
