Thursday, May 4, 2017

Beware: 2 new Trojans and 1 sophisticated phishing attack currently circulating

This week has brought two nasty Trojans and a very sophisticated phishing attack to the Mac platform. Here are the details you need to know. Let's break these down.

OSX/Dok Trojan:

The Good: Apple has revoked the developer certificate that allowed this Trojan to get past Gatekeeper. They have also updated their XProtect silent malware signature system, so macOS will now refuse to install it. Be sure to run any Apple security updates from the App Store, accessed from the Apple menu in the upper left-hand corner of your screen.

The Bad: If you have been infected, you need to read below for what OSX/Dok has done to your computer, and you should change ANY passwords you may have used since you were infected.

Malwarebytes Anti-Malware for Mac (free) will detect the important components of OSX/Dok and disable the active infection. However, there will still be lingering issues. Per Malwarebytes:

“When it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed. For people who don’t know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.”

The Ugly: Early in the week, the first Trojan, named OSX/Dok, was discovered. It is apparently spread via email, pretending to be from the IRS, with messages like “Something is wrong with your tax return, please fill in this document.” Users would attempt to open the document, only to have an error appear saying the document “could not be opened”. Meanwhile, the malware would copy files to the computer, which eventually would result in the following popup, covering all other windows on the screen.

Once the popup appeared, you could not do anything except manually power off, or accept the message and install a fake update. Once installed, all of your web traffic is routed to a malicious server first. That means anything you do on or across the internet is first seen by the hackers. Your bank login, they have that now …. Your email password, that too. If you were infected, follow the link above for Malwarebytes, change all your passwords, and consider restoring your computer from a previous backup.
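Routing “all of your web traffic” through another server is, on macOS, commonly done through the system proxy or proxy auto-config (PAC) settings, which `networksetup` reports for each network service. The audit script below is an added example written for this post, not code from the original article, Apple, or Malwarebytes; it assumes the redirection is visible in those settings, and the `SAMPLE_OUTPUT` it runs against off a Mac is constructed (the 127.0.0.1:5555 values are invented for illustration, not taken from the malware).

```python
"""Audit macOS proxy settings for an unexpected proxy or PAC URL.

Added example for this post (not the article's, Apple's or Malwarebytes' code).
Assumption: the traffic redirection shows up in the per-service proxy settings
that `networksetup` reports. SAMPLE_OUTPUT below is constructed sample output.
"""
import subprocess
from typing import Callable, Dict, List

Runner = Callable[[List[str]], str]


def run_networksetup(args: List[str]) -> str:
    """Run the real `networksetup` tool and return its stdout (macOS only)."""
    proc = subprocess.run(["networksetup", *args], capture_output=True,
                          text=True, check=False)
    return proc.stdout


def parse_kv(output: str) -> Dict[str, str]:
    """Turn networksetup's 'Key: value' lines into a dict."""
    parsed: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            parsed[key.strip()] = value.strip()
    return parsed


def list_services(runner: Runner) -> List[str]:
    """Network services; the first output line is a note, '*' marks disabled ones."""
    lines = runner(["-listallnetworkservices"]).splitlines()[1:]
    return [line.lstrip("*").strip() for line in lines if line.strip()]


def audit_service(service: str, runner: Runner) -> List[str]:
    """Return findings for one service: an enabled PAC URL or HTTP/HTTPS proxy."""
    findings: List[str] = []
    pac = parse_kv(runner(["-getautoproxyurl", service]))
    if pac.get("Enabled") == "Yes" and pac.get("URL") not in (None, "", "(null)"):
        findings.append(f"{service}: proxy auto-config enabled, URL {pac['URL']}")
    for flag, label in (("-getwebproxy", "HTTP"), ("-getsecurewebproxy", "HTTPS")):
        proxy = parse_kv(runner([flag, service]))
        if proxy.get("Enabled") == "Yes":
            findings.append(
                f"{service}: {label} proxy enabled -> "
                f"{proxy.get('Server', '')}:{proxy.get('Port', '')}")
    return findings


def audit_all(runner: Runner = run_networksetup) -> List[str]:
    """Audit every network service; an empty list means no proxy is configured."""
    findings: List[str] = []
    for service in list_services(runner):
        findings.extend(audit_service(service, runner))
    return findings


# Constructed sample output (values invented for illustration) so the audit
# can be exercised on any OS without running networksetup.
SAMPLE_OUTPUT = {
    ("-listallnetworkservices",):
        "An asterisk (*) denotes that a network service is disabled.\n"
        "Wi-Fi\n*Bluetooth PAN\n",
    ("-getautoproxyurl", "Wi-Fi"):
        "URL: http://127.0.0.1:5555/proxy.pac\nEnabled: Yes\n",
    ("-getwebproxy", "Wi-Fi"):
        "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n",
    ("-getsecurewebproxy", "Wi-Fi"):
        "Enabled: Yes\nServer: 127.0.0.1\nPort: 5555\n"
        "Authenticated Proxy Enabled: 0\n",
    ("-getautoproxyurl", "Bluetooth PAN"): "URL: (null)\nEnabled: No\n",
    ("-getwebproxy", "Bluetooth PAN"):
        "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n",
    ("-getsecurewebproxy", "Bluetooth PAN"):
        "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n",
}


def sample_runner(args: List[str]) -> str:
    """Stand-in for networksetup that answers from SAMPLE_OUTPUT."""
    return SAMPLE_OUTPUT[tuple(args)]


if __name__ == "__main__":
    import sys
    runner = run_networksetup if sys.platform == "darwin" else sample_runner
    for finding in audit_all(runner) or ["no proxy or PAC URL configured"]:
        print(finding)
```

On a Mac the script queries the real tool; elsewhere it falls back to the constructed sample. A proxy or PAC URL you did not set yourself, especially one pointing at the local machine, is the kind of lingering change the Malwarebytes note above refers to, and removing it is only part of the cleanup.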


A variant of OSX/Dok, labeled OSX/Bella, was also discovered. Its transmission was exactly like OSX/Dok's and it used the same developer certificate; however, it installed different tools. Malwarebytes has been updated to detect OSX/Bella as well. Follow the same precautions as for OSX/Dok above.

Google Phishing Scam:

The Good: Google was made aware of the issue and took down the fake pages within hours. A statement from them reads:

“We’ve removed the fake pages and our abuse team is working to prevent this kind of spoofing from happening again. If you think you may have accidentally given out your account information, please reset your password.”

The Bad: If you were hit with this and followed through, you need to do a number of things. First and foremost, change your passwords now. You can use a password manager like 1Password to help you come up with hard-to-guess passwords and remember them all for you.

Second, you need to check your Google account for third-party access and remove any you do not recognize. Go to the Permissions page and revoke any access you are not sure of.

Third, you may want to consider using Google Chrome as your browser and installing Password Alert. It will warn you if you attempt to enter your Google password into any site that is trying to impersonate Google.

The Ugly: The scam starts like most, with an email. This particular scam directed people to open a Google Document that someone had shared with them. It included a link to Google Docs, but then took you to an authorization page asking you to grant “Google Docs” access to your Gmail account. The problem was that this was a fake, non-Google web app registered under the name googledocs. The authorization page looks real, because it is a real Google page, but you are really granting access to a third party. See the following video of the scam in action.
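Because the consent page really is Google's, the only place the third party shows up is in the page's URL: the `client_id` of the app asking, the `redirect_uri` where the authorization code will be delivered, and the `scope` list saying what it may do with your account. The checker below is an added example written for this post, not code from Google or the original article; `SAMPLE_URL` is constructed, with a placeholder `client_id` and a non-Google redirect standing in for the phishing app's real values, and the scope strings are Google's published OAuth scopes for mail and contacts.

```python
"""Inspect what a Google OAuth consent URL actually asks for.

Added example for this post, not code from Google or the original article.
The consent page lives on accounts.google.com, so the tell is in the query
string: which client_id, which redirect_uri (where the authorization code is
delivered), and which scopes. SAMPLE_URL is constructed: its client_id and
redirect_uri are placeholders, not the phishing app's real values.
"""
from typing import List
from urllib.parse import parse_qs, urlparse

# Google's published OAuth scope strings for mail and contacts. Treating them
# as "sensitive" is this example's own choice.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail messages",
    "https://www.googleapis.com/auth/gmail.send": "send mail as you",
    "https://www.googleapis.com/auth/contacts.readonly": "read your contacts",
    "https://www.googleapis.com/auth/contacts": "read and modify your contacts",
}


def is_google_host(hostname: str) -> bool:
    """True only for google.com itself or a subdomain (not e.g. evilgoogle.com)."""
    return hostname == "google.com" or hostname.endswith(".google.com")


def describe_consent_request(url: str) -> dict:
    """Pull out the parts of an OAuth authorization URL a user should look at."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    scopes = first("scope").split()  # scopes are space-separated
    redirect_host = urlparse(first("redirect_uri")).hostname or ""
    return {
        "on_google_consent_page": parsed.hostname == "accounts.google.com",
        "client_id": first("client_id"),
        "redirect_host": redirect_host,
        "redirect_is_google": is_google_host(redirect_host),
        "scopes": scopes,
        "sensitive": [SENSITIVE_SCOPES[s] for s in scopes if s in SENSITIVE_SCOPES],
    }


def warnings_for(url: str) -> List[str]:
    """Human-readable reasons to pause before clicking Allow."""
    info = describe_consent_request(url)
    warnings: List[str] = []
    # A genuine Google consent page whose code is sent to a non-Google host
    # means a third-party app is the one being granted access.
    if info["on_google_consent_page"] and not info["redirect_is_google"]:
        warnings.append(
            "Consent goes to a third-party app: the authorization code is "
            f"delivered to {info['redirect_host']}")
    for description in info["sensitive"]:
        warnings.append(f"Requests {description}")
    return warnings


# Constructed sample: a real consent-page host, but a placeholder client and
# a non-Google redirect, asking for full mail plus contacts access.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)

if __name__ == "__main__":
    for line in warnings_for(SAMPLE_URL):
        print(line)
```

The combination the sample flags, full mail access plus contacts for an app whose code is delivered off Google, is exactly what lets a granted app read your inbox and re-send the invitation to your address book; the Permissions page mentioned under “The Bad” is where such a grant is revoked afterwards.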

If you clicked the link, your account has likely sent the same spam to everyone in your address book. Be sure to follow the solutions in “The Bad” above.