The Mac scareware is primarily delivered by email to trick victims into installing fake cleaning software, according to the report, which notes that anyone who thinks Macs are invulnerable to malware is “sadly deluded”.
However, the report acknowledges that Mac malware is still rarely seen in the wild in significant volume, and that this is the first time Mac malware has appeared in its list of the most common types of malware.
MAC.OSX.AMCleaner, the report said, is very much like FakeAlert and tries to trick victims into buying unneeded services.
During the third quarter, WatchGuard saw this Mac scareware affect many countries all over the world, with a few variations. In one variation, the malware opens an HTML page that is stored in its contents. In another, it is a full application that shows false scan results. In both instances, the malware prompts victims to purchase a fake malware cleaning service.
Anyone who follows the link to buy the cleaner is taken to a malicious domain and prompted to download and install the bogus cleaning software. The malicious installer is signed with a valid Apple-issued certificate. That valid signature allows the malware to bypass macOS protections such as Gatekeeper, and helps convince the victim that the software is safe to run.
“Though digital signatures are a good way to help software manufacturers prove the authenticity and legitimacy of their software, they are not panaceas. We have repeatedly seen sophisticated attackers steal legitimate digital certificates or infiltrate the software supply chain in order to sign their own malware with legitimate signatures,” the report said.
WatchGuard does not appear to have found any malicious activity associated with the malware, though; the report says there is a good chance that this threat is more along the lines of greyware than truly malicious software.
Greyware is a class of malware that does not necessarily hide on your computer or steal information, but is really just worthless software that some unethical, but technically legitimate, company might trick recipients into paying for.
Another key finding of the WatchGuard report is that 6.8% of the world’s top 100,000 websites still accept old, insecure versions of the secure sockets layer (SSL) encryption protocol.
Despite SSL 2.0 and SSL 3.0 being deprecated by the Internet Engineering Task Force (IETF), more than 5,300 websites in the top 100,000 still accept SSL 2.0 and SSL 3.0 encryption. Also, 20.9% of the top 100,000 websites still do not use web encryption at all.
The report notes that the industry will soon deprecate TLS 1.0 and TLS 1.1 because of security concerns, adding the warning that in some cases, just leaving one of these legacy protocols enabled on a web server can leave visitors vulnerable to various security issues that may allow attackers to intercept their data.
Websites that support older SSL/TLS protocols, the report said, are “even more dangerous than sites that don’t support TLS at all” because they can fool the user into thinking the connection is secure when it really is not.
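The report's point is that a server which still negotiates a legacy version undermines the padlock for every visitor whose client accepts it. As an added example (not from the report, and assuming a Python server built on the standard `ssl` module), the audit below reports which of SSL 3.0, TLS 1.0 and TLS 1.1 a server context would still negotiate, and `harden()` raises the floor to TLS 1.2; SSL 2.0 is not represented because modern OpenSSL no longer implements it at all.

```python
"""Audit a TLS server context for the legacy protocol versions the report warns about.

Added example, not part of the WatchGuard report. The baseline policy (nothing
below TLS 1.2 negotiable) is this example's own assumption.
"""
import ssl

# Versions the report describes as deprecated (SSL 3.0) or about to be (TLS 1.0/1.1).
LEGACY_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)

# Older code disables versions one at a time with OP_NO_* flags instead of a floor;
# both mechanisms must be checked, because either one is enough to block a version.
_NO_FLAG = {
    ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
}


def legacy_versions_allowed(minimum_version, options):
    """Return the legacy versions a context with these settings would still negotiate.

    MINIMUM_SUPPORTED is a negative sentinel meaning "whatever the linked OpenSSL
    allows", so it must not be compared numerically with real version numbers.
    """
    allowed = []
    for version in LEGACY_VERSIONS:
        below_floor = (minimum_version != ssl.TLSVersion.MINIMUM_SUPPORTED
                       and version < minimum_version)
        disabled_by_flag = bool(options & _NO_FLAG[version])
        if not (below_floor or disabled_by_flag):
            allowed.append(version)
    return allowed


def audit(ctx):
    """Audit a live SSLContext; an empty list means no legacy version is negotiable."""
    return legacy_versions_allowed(ctx.minimum_version, ctx.options)


def harden(ctx):
    """Refuse anything below TLS 1.2; minimum_version is the supported knob on Python 3.7+."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("before hardening:", [v.name for v in audit(server_ctx)])
    print("after hardening: ", [v.name for v in audit(harden(server_ctx))])
```

Run `audit()` against the context your server actually uses, not a fresh one: defaults differ between Python releases, and a context copied from old code may set its own floor.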
Other findings of the report include that, for the second time, APAC reported more total malware hits than EMEA or the US; that cryptominers remain popular, with Razy evolving into a cryptominer in the third quarter and accounting for 4% of all malware blocked by WatchGuard's antivirus service worldwide; and that the password-stealing tool Mimikatz was the most popular malware in the third quarter.
It also found that attackers continue to go after web applications with cross-site scripting attacks, which accounted for 39.3% of the top 10 exploits in the third quarter.
“Outside of a few surprising finds, like Mac scareware in our top 10 malware list, we saw attackers stick to what they know in the third quarter by reusing and modifying old attacks like cross-site scripting, Mimikatz and cryptominers,” said Corey Nachreiner, chief technology officer at WatchGuard Technologies.
“It’s a good reminder that the vast majority of attacks aren’t ultra-advanced zero-days and can be prevented by using a layered security approach with advanced malware detection capabilities and investing in secure Wi-Fi and MFA [multi-factor authentication] solutions.”
However, Nachreiner said the number of major websites that are still using the insecure SSL protocol is cause for concern. “This is a basic security best practice that should be implemented across 99.9% of the internet by now, but it’s not and is putting hundreds of thousands of users at risk,” he said.