Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Do not visit these sites, security researchers warn.
There’s a very reasonable argument to suggest that Microsoft devices are more at risk than Apple ones, thanks to the number of Windows users and the accompanying effort that cybercriminals put into attempts to compromise them. That doesn’t mean that Windows is an inherently insecure operating system, however, and Windows 10 users are urged to upgrade, for free, to Windows 11 before security support for the former stops being provided. But I digress. The flip side of this argument is that it does not mean that macOS is a security haven just because there is less concerted effort to compromise devices. If your MacBook Pro gets breached or your data gets stolen, it will be cold comfort knowing that it was a lower-risk environment than your mate with a Windows machine, right? The truth of the matter is that new hacking groups are emerging all the time, along with new Mac malware threats that target your device. Two new criminal enterprises have been identified with one common and dangerous denominator: FrigidStealer Apple data theft attacks. Here’s what you need to know.
The Proofpoint security threat research team has confirmed that two new cybercrime attack groups are actively targeting users of the macOS platform.
In a Feb. 18 report, “An Update on Fake Updates,” the security researchers detailed how the very dynamic web injection threat landscape has welcomed, if that’s the right word, two new and dangerous threat actors, named TA2726 and TA2727.
“These are traffic sellers and malware distributors and have been observed in multiple web-based attack chains like compromised website campaigns,” the report stated, “including those using fake update-themed lures.” Critically, these hacking groups do not use email-based campaigns but instead rely upon using otherwise legitimate but ultimately compromised websites.
The brand-new macOS malware in question has been identified by the Proofpoint researchers as FrigidStealer. This is an out-and-out information stealer, targeting macOS devices and delivered by way of the aforementioned compromised websites using fake update prompts. The threat actors have been observed, the report stated, employing “sophisticated techniques including website compromises, redirection, and user agent filtering, to deliver tailored malware payloads based on geography and operating system.”
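Because the injection is gated on the visitor’s User-Agent, a defender can expose it by fetching the same page under several User-Agent strings and diffing the script tags each one receives. The following Python is an added example, not code from Proofpoint or from the article; the User-Agent values, the `cdn.injected.example` host and the HTML responses are constructed sample data.

```python
import urllib.request
from html.parser import HTMLParser

# Constructed User-Agent strings (assumed, not from the report): one resembling
# the targeted macOS browser, one resembling a crawler the injection would skip.
UA_PROFILES = {
    "macos_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15",
    "crawler": "Mozilla/5.0 (compatible; ExampleBot/1.0)",
}

class ScriptCollector(HTMLParser):
    """Collect the src of every external <script> (inline bodies would need hashing)."""
    def __init__(self):
        super().__init__()
        self.sources = set()
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.add(src)

def script_sources(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.sources

def conditional_scripts(responses):
    """Scripts served to some UA profiles but not all: candidates for UA-gated injection."""
    per_profile = {name: script_sources(html) for name, html in responses.items()}
    common = set.intersection(*per_profile.values())
    return {name: sorted(srcs - common) for name, srcs in per_profile.items()}

def fetch_with_profiles(url, timeout=10):
    """Fetch the same URL once per UA profile (network; the offline sample below skips this)."""
    responses = {}
    for name, ua in UA_PROFILES.items():
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            responses[name] = resp.read().decode("utf-8", "replace")
    return responses

# Constructed sample responses standing in for a compromised page: only the
# macOS browser profile receives the extra injected script tag.
SAMPLE_RESPONSES = {
    "macos_safari": '<html><head><script src="/assets/app.js"></script>'
                    '<script src="https://cdn.injected.example/update.js"></script>'
                    '</head><body>Welcome</body></html>',
    "crawler": '<html><head><script src="/assets/app.js"></script>'
               '</head><body>Welcome</body></html>',
}
```

Running `conditional_scripts(fetch_with_profiles(url))` against a suspect page reports, per profile, the script sources that only some visitors are served; a result that is empty for every profile means no UA-conditional script injection was observed.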
Politely referring to the hackers as “creative,” Kunal Agarwal, CEO of dope.security, said that they have “filled the internet with traps and lures to trick the unsuspecting web surfer into putting something malicious on his device, whether it’s FrigidStealer or something else.” None of these attacks can work unless the victim has been lured into ending up somewhere they really shouldn’t be. In the case of FrigidStealer, that’s a website that is seemingly delivering a genuine web browser update. The reality is, of course, far from authentic. The update is nothing but a malware dropper. “For a payload like this to trigger, you first have to end up on a malicious site,” Agarwal said. “But a good web filtering solution should protect the average employee from the worst of it.” Don’t. Visit. These. Sites.
The mitigation advice of “don’t visit these websites” sounds simple enough. But given the use of social engineering and web injection into genuine sites, is it that easy in practice? I’d argue that, yes, it really should be. After all, with a little bit of user training and awareness, a browser update prompt appearing on a random site is obviously a huge red flag. Browser updates can be best controlled in an enterprise environment through browser isolation and group policy. End users should be alert for anything unusual, such as an update prompt where one shouldn’t be. So, Mac users, be careful out there. Don’t visit these malicious sites, and if you do somehow find yourself there, do not download anything and report it to your security team as soon as possible.