sensitive information. The new program, dubbed OSX/Dok by researchers from Check Point Software Technologies, was distributed via email phishing campaigns to users in Europe. One of the rogue emails was crafted to look as if it was sent by a Swiss government agency warning recipients about apparent errors in their tax returns. The malware was attached to the email as a file called Dokument.zip. Once installed on a Mac, OSX/Dok displays a fake and persistent notification about a system security update that needs to be installed. Users who agree to install the update are prompted for their administrator password. Once the malware obtains elevated privileges, it makes the active user a permanent administrator, so the OS will never ask for the password again when the malware executes privileged commands in the background. Dok also modifies the system's network settings to route web traffic through a proxy server controlled by the attackers and located on the Tor anonymity network. For this to work, it also installs a Tor client that is started automatically. Web traffic is routed through the proxy in order to perform a man-in-the-middle (MitM) attack and decrypt secure HTTPS connections. This is achieved by installing a rogue root certificate on the system, which is then used to decrypt and re-encrypt HTTPS connections as they pass through the proxy. With this method, users continue to see the SSL visual indicator in their browser when they access HTTPS websites, and the browser will not complain about untrusted certificates. The ability to snoop on HTTPS traffic allows attackers to steal sensitive information: passwords for email, social media and online banking accounts; credit card details entered on shopping websites; personal and financial information entered into web forms; and more.
With more than half of all web traffic in an average user's browser now encrypted, it's not surprising that attackers are resorting to man-in-the-middle techniques to capture sensitive data. This and other capabilities make Dok one of the most sophisticated malware programs targeting macOS to date, not counting spy programs created or used by nation states and law enforcement agencies. "We have been and still are in direct contact with Apple [employees] who are very helpful and responsive," Yaniv Balmas, Check Point's malware research team leader, said via email. "With Apple's cooperation, we believe this specific campaign is now futile and no longer poses any threat to Mac users."
But sometimes that simple precaution isn't enough. A case in point is a dangerous phishing technique targeting Gmail users that first surfaced about one year ago but has begun gaining steam in recent weeks. Wordfence, the maker of a security plugin for WordPress, described the phishing attack as beginning with an adversary sending an email to a target's Gmail account. The email typically originates from someone on the recipient's contact list whose own account had previously been compromised. The email comes with a subject header and a screenshot or image of an attachment that the sender has used in a recent communication with the recipient. When the recipient clicks on the image, a new tab opens with a prompt asking the user to sign into Gmail again. The fully functional phishing page is designed to look exactly like Google's page for signing into Gmail. The address bar for the page includes mention of accounts.google.com, leading unwary users to believe the page is harmless, Wordfence CEO Mark Maunder wrote. "Once you complete sign-in, your account has been compromised," he said. In reality, the fake login page that opens up when a user clicks on the image is an inline file created using a scheme called Data URI. When users enter their Gmail username and password on the page, the data is sent to the attacker. The speed at which the attackers sign into a compromised account suggests that the process may be automated, or that they may have a team standing by to access accounts as they are compromised. "Once they have access to your account, the attacker also has full access to all your emails, including sent and received at this point, and may download the whole lot," Maunder said.
What makes the phishing technique dangerous is the way the address bar displays information when users click on the screenshot of the attachment, he told Dark Reading. In this case, by including the correct host name and "https//" in the address bar, the attackers appear to be having more success fooling victims into entering their credentials on the fake Gmail login page, he says. Instead, all of the content in the address bar is the same color and is designed to convince users that the site is harmless. "If you aren't paying close attention, you will ignore the 'data:text/html' preamble and assume the URL is safe." Google said in a statement that it is working on mitigations to such an attack. "We're aware of this issue and continue to strengthen our defenses against it," Google said. "We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection." Users can also mitigate the risk of their accounts being compromised via phishing by enabling two-factor authentication. "What makes this unique is the fact that none of the traditional browser indicators that would identify a possible fraudulent site are present," says Robert Capps, vice president of business development at NuData Security. The attack underscores the need for Web browser makers to rethink the trust signals they use to inform users about a dangerous webpage or exploit. "How users interpret these signals should be thoroughly understood," he says. "Entraining users to rely on signals may have unintended consequences that attackers can use to exploit customers."
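A defender-side check for the indicator Maunder describes, as an added example (not code from the article, Wordfence or Google): classify a link target by whether the browser would render an inline data:text/html document while the visible URL text names a real sign-in host. The trusted-host set and the sample links are constructed assumptions.

```python
# Added example (not from the article): a small link classifier of the kind a
# mail filter or browser extension could run over link targets. It flags the
# Data URI trick described above: an inline "data:text/html" document whose
# URL text mentions a genuine sign-in host such as accounts.google.com.
import re
from urllib.parse import urlsplit

# Assumption: hosts on which a genuine sign-in page is expected.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}

# The "preamble" a hurried user skips over: scheme plus media type.
DATA_HTML_RE = re.compile(r"^\s*data\s*:\s*text/html", re.IGNORECASE)


def classify_link(target: str) -> dict:
    """Return what the address bar would really mean for this link target."""
    text = target.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    # Only http(s) URLs have a navigable host; a data: URL has none at all.
    real_host = urlsplit(text).hostname if scheme in ("http", "https") else None
    # A trusted host name appearing anywhere in the text is what fools users.
    mentioned = sorted(h for h in TRUSTED_LOGIN_HOSTS if h in text.lower())
    inline_html = DATA_HTML_RE.match(text) is not None
    # Lookalike: a trusted login host is shown, but the page the browser
    # actually renders is not served over HTTPS from that host.
    lookalike = bool(mentioned) and not (
        scheme == "https" and real_host in TRUSTED_LOGIN_HOSTS
    )
    if inline_html and lookalike:
        verdict = "block"      # inline document dressed up as a real login
    elif lookalike:
        verdict = "warn"       # host name shown, but not the real host
    else:
        verdict = "allow"
    return {"scheme": scheme, "real_host": real_host,
            "inline_html": inline_html, "lookalike": lookalike,
            "verdict": verdict}


# Constructed samples, not captured from a real campaign. In the data: case
# the host name is followed by padding so the real body sits far to the right.
SAMPLES = {
    "legit": "https://accounts.google.com/ServiceLogin",
    "data_uri": "data:text/html,https://accounts.google.com/ServiceLogin"
                + " " * 40 + "<placeholder>",
    "plain_http": "http://accounts.google.com.example.test/login",
}

if __name__ == "__main__":
    for name, link in SAMPLES.items():
        print(name, classify_link(link)["verdict"])
```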
This week researchers found a piece of malware in the wild built to steal passwords from the macOS keychain. Named "MacDownloader" and posing as, what else, a fake Flash Player update, the new malware was found on the Mac of a human rights advocate and is believed to originate from Iran. The malware's code is very sloppy and appears to have been made by an amateur who took pieces of others' code and repurposed them. The threat report mentions the following: MacDownloader seems to be poorly developed and created towards the end of 2016, potentially a first attempt from an amateur developer. In multiple cases, the code used has been copied from elsewhere. The simple activity of downloading the remote file appears to have been sourced from a cheat sheet. The main purpose of MacDownloader seems to be to perform an initial profiling of the infected system and collection of credentials from macOS's Keychain password manager, which mirrors the focus of Windows malware developed by the same actors. At this time, it appears the malware is not a threat and the Command & Control server has been taken down. Intego VirusBarrier offers protection from this malware, detected as OSX/MacDownloader. Security researchers found that this malware was originally designed as a fake Bitdefender antivirus, but was later repackaged as a fake Flash Player update. Once installed, the malware attempts to achieve persistence by means of a poorly implemented shell script, which at the time of writing did not function because the C&C server was offline. MacDownloader displays a fake Flash Player update that offers an "Update Flash-Player" button and a "Close" button. Unlike other malware of its kind, clicking the Close button actually exits the installer and nothing malicious is placed on the system.
If the Update button is clicked, though, a malware dialog pops up, which is, of course, fake as well. These dialogs are also rife with basic typos and grammatical errors, indicating that the developer paid little attention to quality control. After a user clicks OK, the software mimics System Preferences to request the admin password in order to grab more info on the system. If the user enters their password and clicks OK, the software grabs the info and then tries to open a remote connection to: MacDownloader collects user keychain information and uploads it to said C&C server, including documents, the running processes, installed applications and the username and password, which are acquired through a fake System Preferences dialog. The name and password, which in almost all cases are administrator credentials, give the malware everything it needs to access the keychain information. With access to the keychain the sky is the limit, because email account passwords, social network account details, and much more are all stored in the keychain.
Android users were the target of new banking malware with screen-locking capabilities, which was disguised as a weather forecast app on Google Play. Detected by ESET as Trojan.Android/Spy.Banker.HU, the malware was a trojanized version of the otherwise benign weather forecast application Good Weather. The malicious app managed to get around Google's security mechanisms and appeared in the store on February 4th, only to be reported by ESET two days later and consequently pulled from the store. During its short lifetime, the app found its way onto the devices of up to 5000 users. Besides the weather forecast functionality it adopted from the original legitimate application, the trojan is able to lock and unlock infected devices remotely and intercept text messages. Apart from doing so, the trojan targeted the users of 22 Turkish mobile banking apps, whose credentials were harvested using phony login forms. The infected device then displays a fake system screen requesting device administrator rights on behalf of a fictitious "System update". By enabling these rights, the victim allows the malware to "Change the screen-unlock password" and "Lock the screen". Users who are not alarmed at this point might be pleased with the new weather widget they can add to their home screens. However, in the background, the malware is getting to work sharing device information with its C&C server. Depending on the command it gets in return, it can intercept received text messages and send them to the server, remotely lock and unlock the device by setting a lock screen password of the attackers' choice, and harvest banking credentials. The trojan displays a fake login screen once the user runs one of the targeted banking apps and sends the entered data to the attacker.
Thanks to the permission to intercept the victims' text messages, the malware is also able to bypass SMS-based two-factor authentication. As for the device locking, we suspect this function enters the picture when cashing out the compromised bank account, to keep the fraudulent activity hidden from the user. Once locked out, all victims can do is wait until the malware receives a command to unlock the device. If you've recently installed a weather app from the Play Store, you might want to check whether you have been one of the victims of this banking trojan. In case you think you might have downloaded an app named Good Weather, check for its icon under your apps. After running anything you've installed on your mobile device, keep paying attention to what permissions and rights it requests. An app that won't run without advanced permissions that aren't connected to its intended function might be an app you don't want installed on your phone.