Urgent warning to Mac users over fake browser updates that can steal your passwords – here’s how to spot them

Mac users should be wary of fake browser updates that could steal your passwords, cybersecurity experts warn.

A new malware campaign targeting Apple products is tricking users into downloading a ‘browser update’ that essentially contains a ‘one hit smash-and-grab’ virus.

Cybercriminals even create malicious advertisements Googling that pose as well-known and legitimate technology brands to lure potential targets.

Once you visit the website, fake pop-ups will ask you to download a browser update to view the site.

Worryingly, the fake prompts are extremely convincing, and even a smart user can be fooled if they don’t know what to look for.

Can you tell this is fake? Cybercriminals use fake pop-ups to trick users into downloading password-stealing malware

The malware, which cybersecurity researchers have dubbed ClearFake, is a new version of the widely used Atomic Stealer attack.

However, this earlier version only targeted Windows machines, while this new attack targets Mac OS and is more advanced in its techniques.

Previously, hackers hid the virus in fake versions of popular software such as Microsoft Office, which they claimed had been ‘cracked’ for free download.

Now hackers are buying ads on Google, most likely through hijacked websites, to lure users to fake websites.

Users are then asked to update their browser to view the page and are given instructions on how to open the file.

Once the target runs the program, the virus steals the user’s data and sends it to a remote command and control server, where criminals can collect it and monetize it.

Once users visit the fake website, they are asked to install a browser update that secretly contains the malware

Users are given instructions on how to download the malicious file, which immediately begins stealing information from their computer

What is Atomic Stealer and how do you stay safe from it?

Atomic Stealer, also known as AMOS, is a very popular malware that extracts user data from infected devices.

The malware is actively sold via Telegram, where hackers can rent the tool for a month at a time.

Atomic Stealer works on Windows devices and is often accidentally downloaded together with fake files.

Use an antivirus program or a web security service to stay safe.

Also, be very careful when downloading files online and use only trusted sites.

Jérôme Segura, a researcher at Malwarebytes who has been tracking the malware, says it is “one of the most common and dangerous social engineering programs.”

Hidden in the virus’s code, the researchers found commands to extract users’ passwords, autofill data, user information, wallets, browser cookies, and keychain data.

Mr Segura said: ‘This could very well be the first time that we see one of the most important social engineering campaigns, previously reserved for Windows, expand not only in terms of geolocation, but also in terms of operating system.’

Researchers reported that a Telegram channel operated by the creators of the virus has emerged.

For $1,000 (£797) per month, criminals can rent the malware on a subscription basis and deploy it as they wish.

Malwarebytes discovered that one ‘threat actor’ was distributing malware purchased on the channel through hundreds of compromised websites.

Security vendor SentinelOne, which has also been tracking the attack since it was discovered, said the channel had more than 300 members in May.

Interestingly enough, SentinelOne researchers note that the virus does not stick around on a target’s computer, but instead uses a ‘one-hit smash and grab’ methodology.

The fake updates are tailored specifically for Mac and target Safari and Chrome, the two most popular Mac web browsers

Hidden within the code, researchers discovered commands to steal users’ passwords, wallets, browser cookies and more

Fake browser updates on Windows systems are not uncommon and have been around for years, but these types of attacks have not yet been used to attack Mac systems.

This warning comes amid a broader increase in the threat to Macs online, as reports note a 1,000 percent increase in the number of threat actors targeting Apple products since 2019.

To stay safe online, Malwarebytes recommends Mac users download a web security tool that can block the malicious infrastructure used for the attack.

Furthermore, users should be careful when following links to untrusted sites and check carefully before downloading content.

MailOnline has contacted Apple and Google for comment.

HOW TO CHECK IF YOUR EMAIL ADDRESS HAS BEEN COMPROMISED

Am I pwned?

Cybersecurity expert and Microsoft regional director Tory Hunt leads ‘Am I pwned’.

The website allows you to check if your email has been compromised as part of any of the data breaches that have occurred.

If your email address appears, you will need to change your password.

Pwned passwords

To check whether your password may have been exposed in a previous data breach, go to the site’s homepage and enter your email address.

The search tool compares this to the details of historical data breaches that have made this information publicly visible.

If your password does appear, you are likely at greater risk of being exposed to hacking attacks, fraud, and other cybercrime.

Mr Hunt built the site to help people check whether or not the password they want to use is on a list of known hacked passwords.

The site does not store your password alongside any personally identifiable information and each password is encrypted

Other safety tips

Hunt offers three easy-to-follow steps for better online security. First, he recommends using a password manager, such as 1Password, to create and store unique passwords for each service you use.

Then enable two-factor authentication. Finally, stay informed of any breaches

Related Post