Urgent warning to Mac users over fake browser updates that can steal your passwords – here’s how to spot them

Mac users should be wary of fake browser updates that could steal your passwords, cybersecurity experts warn.

A new malware campaign targeting Apple products is tricking users into downloading a ‘browser update’ that essentially contains a ‘one hit smash-and-grab’ virus.

Cybercriminals even create malicious advertisements Googling that pose as well-known and legitimate technology brands to lure potential targets.

Once you visit the website, fake pop-ups will ask you to download a browser update to view the site.

Worryingly, the fake prompts are extremely convincing, and even a smart user can be fooled if they don’t know what to look for.

The malware, which cybersecurity researchers have dubbed ClearFake, is a new version of the widely used Atomic Stealer attack.

However, this earlier version only targeted Windows machines, while this new attack targets Mac OS and is more advanced in its techniques.

Previously, hackers hid the virus in fake versions of popular software such as Microsoft Office, which they claimed had been ‘cracked’ for free download.

Now hackers are buying ads on Google, most likely through hijacked websites, to lure users to fake websites.

Users are then asked to update their browser to view the page and are given instructions on how to open the file.

Once the target runs the program, the virus steals the user’s data and sends it to a remote command and control server, where criminals can collect it and monetize it.

Once users visit the fake website, they are asked to install a browser update that secretly contains the malware

Users are given instructions on how to download the malicious file, which immediately begins stealing information from their computer

Jérôme Segura, a researcher at Malwarebytes who has been tracking the malware, says it is “one of the most common and dangerous social engineering programs.”

Hidden in the virus’s code, the researchers found commands to extract users’ passwords, autofill data, user information, wallets, browser cookies, and keychain data.

Mr Segura said: ‘This could very well be the first time that we see one of the most important social engineering campaigns, previously reserved for Windows, expand not only in terms of geolocation, but also in terms of operating system.’

Researchers reported that a Telegram channel operated by the creators of the virus has emerged.

For $1,000 (£797) per month, criminals can rent the malware on a subscription basis and deploy it as they wish.

Malwarebytes discovered that one ‘threat actor’ was distributing malware purchased on the channel through hundreds of compromised websites.

Security vendor SentinelOne, which has also been tracking the attack since it was discovered, said the channel had more than 300 members in May.

Interestingly enough, SentinelOne researchers note that the virus does not stick around on a target’s computer, but instead uses a ‘one-hit smash and grab’ methodology.

The fake updates are tailored specifically for Mac and target Safari and Chrome, the two most popular Mac web browsers

Hidden within the code, researchers discovered commands to steal users’ passwords, wallets, browser cookies and more

Fake browser updates on Windows systems are not uncommon and have been around for years, but these types of attacks have not yet been used to attack Mac systems.

This warning comes amid a broader increase in the threat to Macs online, as reports note a 1,000 percent increase in the number of threat actors targeting Apple products since 2019.

To stay safe online, Malwarebytes recommends Mac users download a web security tool that can block the malicious infrastructure used for the attack.

Furthermore, users should be careful when following links to untrusted sites and check carefully before downloading content.

MailOnline has contacted Apple and Google for comment.