TAG | malware
Mac users have long had an unwarranted level of confidence about their immunity to malware and hackers. Palo Alto Networks’ recently discovered some Mac malware in the wild, which I hope will make us Mac users pay more attention to security. The malware, which targets mostly the aerospace industry, appears to be from an APT group they call “Fancy Bear”.
When anything big happens on the Internet, the criminals and snoops are not far behind. This time the event is Pokemon Go and there are all kinds of different threats developing in its wake from malware to tracking to physical danger. I you are not familiar with this game yet just look around next time you step outside, it is everywhere.
At the recent BSides security conference in San Francisco (just before the RSA conference) I had the opportunity to give a talk about targeted attacks and how they are changing the game of cyber defense. The talk was recorded so you can listen to the whole thing, or read a brief summery below.
In a new attack, some websites have been set up to show visitors a slash page that says the vicim’s computer has been blocked because is has been used to access illegal pornographic content. The user is then presented a link to pay an instant “fine” of $300 to the scammers.
This is a new variant of “ransomware”. The most common of which is “fake AV”. A fake anti-virus website or software will claim to scan your computer for free, then charge you to remove malware that it has “detected”.
Details and screenshots here.
Arstechnica reports on the discovery of signed malware designed for surveillance on the Mac laptop of an Angolan activist.
The malware was a trojan that the activist obtained through a spear phishing email attack. The news here is that the malware was signed with a valid Apple Developer ID.
The idea is that having all code signed should substantially reduce the amount of malware on the platform. This works because creating a valid Apple Developer ID requires significant effort, and may expose the identity of the hacker unless they take steps to hide their identity. This is not trivial as the Developer ID requires contact information and payment of fees.
The second advantage of signed code is that the Developer’s certificate can be quickly revoked, so the software will be detected as invalid and automatically blocked on every Mac world wide. This limits the amount of damage a given Malware can do, and forces the attacker to create a new Apple Developer ID every time they are detected.
This has been seen to work fairly well in practice, but it is not perfect. If a target is valuable enough, a Developer ID can be set up just to go after that one person or small group. The malware is targeted to just them, so the likelihood of detection is low. In this case, it would continue to be recognized as a legitimates signed valid application for a very long time.
In the case of the Angolan activist, it was discovered at a human rights conference where the attendees were learning how to secure their devices against government monitoring.
For years I have been telling people to be especially careful when they venture into the dark back alleys of the Internet. My thinking was that these more “wild west” areas would be home to most of the malware and other attacks.
Dark Reading analyzes a Cisco report which says that online shopping sites and search engines are over 20 times more likely to deliver malware than counterfeit software sites. Advertisers are 182 times more dangerous than pornography sites.
So, I guess I need to change my tune. Be careful when you are going about your daily business, and have fun in those dark alleys!