Mac users should be on the lookout for fake browser updates that can steal their passwords, cybersecurity experts have warned.

A new malware campaign targeting Apple products tricks users into downloading a ‘browser update’ which actually contains a ‘one hit smash-and-grab’ virus. 

Cybercriminals are even creating malicious ads on Google which impersonate familiar and legitimate tech brands to lure in potential targets. 

Once you have entered the website, fake pop-ups will prompt you to download a browser update to view the site.

Worryingly, the fake prompts are extremely convincing, and even a savvy user could be tricked if they don’t know what to look for.

Could you spot that this is fake? Cybercriminals are using fake pop-ups to trick users into downloading password-stealing malware

The malware, which has been dubbed ClearFake by cybersecurity researchers, is a new version of the widely used Atomic Stealer attack.

However, this earlier version only targeted Windows machines, whereas this new attack targets macOS and is more sophisticated in its techniques.

Previously, hackers would hide the virus in fake versions of popular software like Microsoft Office which they would claim had been ‘cracked’ for free download. 

Now, hackers are buying ads on Google, most likely through hijacked websites, to lure users to fake websites. 

Users are then prompted to update their browser to view the page and are instructed on how to open the file.

As soon as the target runs the program, the virus steals the user’s data and sends it to a remote ‘command and control server’ to be collected and monetized by the criminals. 

Once users enter the fake website they are prompted to install a browser update which secretly contains the malware

Users are given instructions on how to download the malicious file which immediately begins to steal information from their computer

What is Atomic Stealer and how do you stay safe from it? 

Atomic Stealer, also called AMOS, is a very popular malware that extracts user data from infected devices.

The malware is actively sold over Telegram where hackers can rent the tool for a month at a time.

Atomic Stealer works on Windows devices and is often accidentally downloaded along with fake files.

To stay safe, use an anti-virus program or web protection service.

Also, be very careful when downloading files online and only use trusted sites. 

Jérôme Segura, a researcher at Malwarebytes, who has been tracking the malware, says that this is ‘one of the most prevalent and dangerous social engineering schemes.’

Hidden inside the virus’ code, the researchers found commands to extract users’ passwords, auto-fills, user information, wallets, browser cookies, and keychain data.

Mr Segura said: ‘This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.’

Researchers reported that a Telegram channel operated by the virus’ creators has emerged.

For $1,000 (£797) a month, criminals can rent the malware on a subscription basis and deploy it how they want.

Malwarebytes found that one ‘threat actor’ was distributing malware bought on the channel through hundreds of compromised websites. 

Security vendor SentinelOne, which has also been tracking the attack since its discovery, says the channel had over 300 members in May.

Interestingly, SentinelOne researchers note that the virus does not linger on a target’s computer but instead uses a ‘one-hit smash and grab methodology’.

The fake updates have been specifically tailored for Mac and target Safari and Chrome, the two most popular Mac web browsers

Hidden within the code researchers discovered commands to steal users' passwords, wallets, browser cookies and more

Fake browser updates on Windows systems are not uncommon and have existed for years, but this kind of attack has not yet been used to target Mac systems. 

This warning comes amid a broader increase in the danger for Macs online as reports find a 1,000 per cent increase in the number of threat actors targeting Apple products since 2019.

To stay safe online, Malwarebytes recommends that Mac users download a web protection tool which can block the malicious infrastructure used for the attack.

Additionally, users should be careful when following links to non-trusted sites and check carefully before downloading any content. 

MailOnline has contacted Apple and Google for comment.  

HOW TO CHECK IF YOUR EMAIL ADDRESS IS COMPROMISED

Have I Been Pwned?

Cybersecurity expert and Microsoft regional director Troy Hunt runs ‘Have I Been Pwned’.

The website lets you check whether your email has been compromised as part of any of the data breaches that have happened. 

If your email address pops up you should change your password.

Pwned Passwords

To check if your password may have been exposed in a previous data breach, go to the site’s homepage and enter your email address.

The search tool will check it against the details of historical data breaches that made this information publicly visible. 

If your password does pop up, you’re likely at a greater risk of being exposed to hack attacks, fraud and other cybercrimes.

Mr Hunt built the site to help people check whether or not the password they’d like to use was on a list of known breached passwords. 

The site does not store your password next to any personally identifiable data and every password is encrypted.

Other Safety Tips

Hunt provides three easy-to-follow steps for better online security. First, he recommends using a password manager, such as 1Password, to create and save unique passwords for each service you use. 

Next, enable two-factor authentication. Lastly, keep abreast of any breaches.

This post first appeared on Dailymail.co.uk
