Attention Apple users: New attack steals banking creds

A recently discovered malware targeting MacOS, named OSX/DOK, is now targeting unsuspecting Apple Mac users and attempting to steal their banking access credentials.

The malware, initially discovered by researchers at Check Point Software Technologies, reportedly affects all versions of OSX, had a valid developer certificate, and targeted users via a widespread phishing attack. According to Check Point, once an OSX/Dok infection is complete, the “attackers gain complete access to all victim communication, including communication encrypted by SSL. This is done by redirecting victim traffic through a malicious proxy server.”

While Apple took steps to clamp down on earlier outbreaks, the attackers keep trying to resurrect the malware and are employing new tactics, as detailed in the blog post OSX/Dok Refuses to Go Away and It’s After Your Money.

The new attack, like most attacks nowadays, arrives via phishing. What makes this phishing campaign different is that it targets MacOS users. The attack also relies on a man-in-the-middle proxy, and the malware carries a valid Apple developer certificate. The attackers may be buying certificates in bulk so that they can quickly replace any that Apple revokes. Hopefully, Apple finds a way to end this cat-and-mouse game, because doing so would weaken the attack considerably: without a valid certificate, the malware could not automatically bypass Gatekeeper, which is designed to block the installation of unsigned applications unless the user intervenes.

The malware also attempts to adjust user settings so that security updates are disabled. It also installs a TOR service so that the compromised user's system can be controlled over the dark web via a command and control system.

Finally, compromised systems have their web traffic directed to fake banking sites. “As we can see, the proxy file will redirect all traffic to the mentioned domains, used mainly by banks (such as ‘credit-suisse’, ‘globalance-bank’, ‘cbhbank’, etc.) or other financial entities, to the local proxy that the malware had set up on the local machine. The proxy will then redirect it to the malicious C&C [Command and Control] server on TOR (currently is “m665veffg3tqxoza.onion”). This way, once the victim tries to visit any of the listed sites, they will be redirected to a fake website on the attacker’s C&C server,” Check Point wrote.
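The "proxy file" Check Point refers to is a proxy auto-config (PAC) script, a small piece of JavaScript the system consults to decide which proxy a given host should go through. A defender can inspect the PAC a Mac is using and flag any host patterns that are steered to a proxy listening on the machine itself, which is the shape of redirection described above. The following Python script is an added example, not code from the original post or from Check Point's write-up: the sample PAC text, the domain patterns and the port number are constructed for illustration, and the parser assumes the simple if/return layout used in that sample.

```python
import re
from typing import Dict, List

# Constructed sample PAC file (not the real malware's file): a few financial
# domain patterns are routed to a proxy on the local machine, everything else
# goes DIRECT. Domains and port are placeholders.
SAMPLE_PAC = r"""
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.bank-one.example") ||
        shExpMatch(host, "*.bank-two.example") ||
        dnsDomainIs(host, "*.payments.example")) {
        return "PROXY 127.0.0.1:5555";
    }
    if (shExpMatch(host, "*.intranet.example")) {
        return "PROXY proxy.corp.example:8080";
    }
    return "DIRECT";
}
"""

# Host tests and return statements we recognise in the PAC source.
_PATTERN_RE = re.compile(r'(?:shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)')
_RETURN_RE = re.compile(r'return\s+"([^"]+)"')


def parse_pac_routes(pac_text: str) -> Dict[str, str]:
    """Map each host pattern tested in the PAC to the proxy directive it returns.

    Heuristic (assumption for this example): every host pattern belongs to the
    next `return "..."` that follows it in the source, which is enough for the
    if/return layout shown in SAMPLE_PAC.
    """
    tokens = [(m.start(), "pat", m.group(1)) for m in _PATTERN_RE.finditer(pac_text)]
    tokens += [(m.start(), "ret", m.group(1)) for m in _RETURN_RE.finditer(pac_text)]
    routes: Dict[str, str] = {}
    pending: List[str] = []
    for _, kind, value in sorted(tokens):
        if kind == "pat":
            pending.append(value)
        else:
            for pattern in pending:
                routes[pattern] = value
            pending = []
    return routes


def is_local_proxy(directive: str) -> bool:
    """True if a PAC return value sends traffic through a proxy on this machine.

    Handles the common "PROXY host:port; DIRECT" fallback chain; treats
    localhost, 127.x.x.x and ::1 as local.
    """
    for entry in directive.split(";"):
        parts = entry.strip().split()
        if len(parts) == 2 and parts[0].upper() in ("PROXY", "HTTPS", "SOCKS", "SOCKS4", "SOCKS5"):
            hostport = parts[1]
            host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
            if host == "localhost" or host.startswith("127.") or host == "::1":
                return True
    return False


def find_hijacked_domains(pac_text: str) -> List[str]:
    """Host patterns the PAC steers to a local proxy, sorted for stable output."""
    routes = parse_pac_routes(pac_text)
    return sorted(p for p, target in routes.items() if is_local_proxy(target))


if __name__ == "__main__":
    for pattern, target in parse_pac_routes(SAMPLE_PAC).items():
        flag = "  <-- local proxy" if is_local_proxy(target) else ""
        print(f"{pattern:28} -> {target}{flag}")
    print("Suspicious patterns:", find_hijacked_domains(SAMPLE_PAC))
```

On a Mac, the PAC URL in effect for a network service can be read with `networksetup -getautoproxyurl "Wi-Fi"`; fetching that URL (or the local file it points at) and feeding the text to `find_hijacked_domains` turns the quoted description into a concrete check. A corporate PAC that forwards to a named proxy host, as in the second rule of the sample, is not flagged; only routes that terminate on the machine itself are.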

While this attack mainly targets European users and it’s not clear how successful it has been at obtaining any banking credentials, it does show that Apple’s OSX / MacOS default security posture can be successfully challenged.
