This week has brought some nasty malware Trojans and a very sophisticated phishing attack to the Mac platform. Here are the details you need to know. Let's break these down.
OSX/Dok
The Good: Apple has revoked the developer certificate that allowed this Trojan to get past Gatekeeper. They have also updated XProtect, their silent malware signature system, so that macOS will no longer allow it to install. Be sure to run any Apple Security updates from the App Store, accessed from the Apple menu in the upper left-hand corner of your screen.
The Bad: If you have been infected, you need to read below for what OSX/Dok has done to your computer, and you should change ANY passwords you may have used since you were infected.
Malwarebytes Anti-Malware for Mac (FREE) will detect the important components of OSX/Dok and disable the active infection. However, there will still be lingering issues. Per Malwarebytes:
“When it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed. For people who don’t know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.”
The Ugly: Early in the week, the first Trojan, named OSX/Dok, was discovered. It is apparently spread via email, pretending to be from the IRS, with messages like “Something is wrong with your tax return, please fill in this document.” Users would attempt to open the document, only to have an error appear saying that the document “could not be opened”. Meanwhile, the malware would copy files to the computer, which eventually would result in the following popup, covering all other windows on the screen.
Once the popup appeared, you could not do anything except manually power off, or accept the message and install a fake update. Once the fake update is installed, all of your web traffic is routed to a malicious server first. That means anything you do on or across the internet is first seen by the hackers. Your bank login, they have that now… Your email password, that too. If you were infected, follow the link above for Malwarebytes, change all your passwords, and consider restoring your computer from a previous backup.
OSX/Bella:
A variant of OSX/Dok was discovered and has been labeled OSX/Bella. Its transmission was exactly like that of OSX/Dok, and it used the same developer certificate. It installed different tools, however. Malwarebytes has been updated to detect OSX/Bella as well. Follow the same precautions as for OSX/Dok above.
Google Phishing Scam:
The Good: Google was made aware of the issue and took down the fake pages within hours. A statement from them reads:
“We’ve removed the fake pages and our abuse team is working to prevent this kind of spoofing from happening again. If you think you may have accidentally given out your account information, please reset your password.”
The Bad: If you were hit with this and followed through, you need to do a number of things.
First and foremost, change your passwords now. You can use a password manager like 1Password to help you come up with hard-to-guess passwords and remember them all for you.
Second, you need to check your Google account for 3rd party access and remove any apps you do not recognize. Go to the Permissions page, and revoke any access you are not sure of.
Third, you may want to consider using Google Chrome as your browser and installing Password Alert. It will warn you if you attempt to enter your Google password into any site that is trying to impersonate Google.
The Ugly: The scam starts like most, with an email. This particular scam directed people to open a Google Document that someone had shared with them. It included a link to Google Docs, but then took you to an authentication page asking you to grant Google Docs access to your Gmail account. The problem was that this was a fake, non-Google web app with a fake name of googledocs. The authentication page looks real, as it’s a real Google page, but you are really granting access to a 3rd party. See the following video of the scam in action.
https://twitter.com/zachlatta/status/859843151757955072/photo/1
If you clicked the link, your account has likely sent the same spam to everyone in your address book. Be sure to follow the solutions in “The Bad” above.
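
The permissions review in the second step above can be done systematically once you have a list of the apps that hold access to an account. The following is an added example, not part of the original post: it flags untrusted grants whose name imitates a Google product or that can read mail or contacts. The grant records, the product-name list and the trusted client IDs are constructed placeholders for illustration.

```python
import re

# Assumed, illustrative list of product names a lookalike app might borrow.
GOOGLE_PRODUCT_NAMES = {"googledocs", "googledrive", "googlesheets", "gmail"}

# OAuth scopes that let an app read mail or contacts.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
}

def normalize(name):
    """Lower-case and drop spaces/punctuation so 'Google Docs' matches 'googledocs'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def review_grants(grants, trusted_client_ids):
    """Return (display_name, reasons) for each untrusted grant worth a closer look."""
    findings = []
    for grant in grants:
        if grant["client_id"] in trusted_client_ids:
            continue  # an app you recognize and set up yourself
        reasons = []
        if normalize(grant["display_name"]) in GOOGLE_PRODUCT_NAMES:
            reasons.append("name imitates a Google product")
        risky = sorted(SENSITIVE_SCOPES & set(grant["scopes"]))
        if risky:
            reasons.append("mail/contacts access: " + ", ".join(risky))
        if reasons:
            findings.append((grant["display_name"], reasons))
    return findings

# Constructed sample records (not real grants); client IDs are placeholders.
SAMPLE_GRANTS = [
    {"display_name": "Google Docs", "client_id": "placeholder-unknown-app.example",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"display_name": "Calendar Sync Tool", "client_id": "placeholder-known-app.example",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"display_name": "Mail Backup", "client_id": "placeholder-backup.example",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
]
TRUSTED_CLIENT_IDS = {"placeholder-known-app.example"}

if __name__ == "__main__":
    for name, reasons in review_grants(SAMPLE_GRANTS, TRUSTED_CLIENT_IDS):
        print(f"REVIEW {name!r}: " + "; ".join(reasons))
```

A flagged entry is a prompt to look at the app on the Permissions page and revoke it if you do not recognize it; the name check here only catches spacing and capitalization tricks.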