
'Scareware' Campaign Targets Mac Users With Fake Computer Lockdown Warnings

The hackers behind the scareware previously targeted Windows users but switched to macOS after Microsoft introduced an anti-scareware feature for the Edge browser.

By Michael Kan, Principal Reporter


Hackers are targeting Mac users by sending fake Apple security warnings that are intended to scare them into thinking their computers have been locked down.

According to security vendor LayerX, the "scareware" campaign has been hosted on malicious sites designed to resemble the official domains of major companies. An unsuspecting victim can encounter the attack if they mistype a web address. For example, we encountered the attack when we typed aplee[.]com into our browser instead of apple.com. 

How the attack appears on Safari on a Mac.
(Credit: PCMag/Michael Kan)

According to LayerX, the hacker compromises parked domains that contain such typos to forward unsuspecting users to the malicious site. That produces warnings pretending to come from Apple Security that claim your Mac computer has been hit with spyware.
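For defenders, the mistyped-domain entry point described above can be hunted for in DNS or proxy logs. The following is an added example, not code from the article or from LayerX: it flags hostnames within a small edit distance of a watched brand domain. The `PROTECTED` list, the log layout and all function names are assumptions made for illustration.

```python
# Added example (not from the article): flag lookalike hostnames in DNS logs.
PROTECTED = ["apple.com"]  # assumption: the brand domains a defender watches

# Constructed sample log lines; the "time client hostname" layout is assumed.
SAMPLE_LOG = """\
09:14:02 10.0.0.12 www.apple.com
09:14:07 10.0.0.12 aplee[.]com
09:16:10 10.0.0.40 example.org
"""

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[-1]

def lookalike_of(host, max_dist=2):
    """Return the protected domain that host imitates, or None."""
    host = host.strip().lower().replace("[.]", ".").rstrip(".")  # refang
    parts = host.split(".")
    if len(parts) < 2:
        return None
    # Simplification: treat the last two labels as the registrable domain
    # (a production check would consult the Public Suffix List).
    label, tld = parts[-2], parts[-1]
    for brand in PROTECTED:
        b_label, b_tld = brand.split(".")
        if tld == b_tld and 0 < osa_distance(label, b_label) <= max_dist:
            return brand
    return None

def flag_log(text):
    """Return (hostname, imitated_brand) for each suspicious log line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if fields and (brand := lookalike_of(fields[-1])):
            hits.append((fields[-1], brand))
    return hits

if __name__ == "__main__":
    for host, brand in flag_log(SAMPLE_LOG):
        print(f"{host} looks like {brand}")
```

Matches are triage candidates rather than verdicts: ordinary words within two edits of a brand name will also match, so review hits before blocking.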

To make the scareware seem legitimate, the pop-ups from Apple Security will continue to reappear even after you close them or click “deny” or “allow.” The malicious page will also expand to full screen, making it look like the computer has been taken over. 

In addition, the page can trigger an audio file that says, "Important security message: Your computer has been locked up. Your IP address was used without your knowledge or consent to visit websites that contain an identity theft virus. To unlock the computer, please call support immediately."

How the attack appears on Chrome on a Mac.
(Credit: PCMag/Michael Kan)

We encountered the scareware on Safari and Chrome. The attack was particularly unnerving on Chrome because the scareware was able to freeze our mouse cursor and expand the browser window to full screen. This seemingly prevented us from doing anything on our Mac unless we called the customer support number provided. Meanwhile, the audio file continued to play, urging us to use the provided Apple support telephone number.  

Fortunately, we were able to exit full-screen mode by long-pressing the Esc button on our Mac. We then closed the window, pulling the plug on the scareware. 

Presumably, the hacker is trying to trick users into paying for sham tech support. In our case, we tried calling the telephone numbers provided but were only disconnected. In other instances, the malicious pages try to fool users into giving up their screen name and password.

LayerX is raising alarm bells about the scareware, noting: “While phishing campaigns targeting Mac users have existed before, they have rarely reached this level of sophistication.”

LayerX adds that the scareware campaign previously targeted Windows users through the same clever tricks. But the hacker behind the attack pivoted to Macs after Microsoft in February introduced an anti-scareware feature for the Edge browser that uses an AI model to identify the scam through a web page. 

“Following the introduction of these browser protections, LayerX observed a drastic 90% drop in Windows-targeted attacks,” the security vendor said. But LayerX expects the scareware to return to Windows as the hacker adapts. 

“Our prediction is that in the coming weeks or months, we will see a resurgent wave of attacks based on this infrastructure as it probes and tests for weak spots in Microsoft’s new defenses,” the company added.

Jaron Bradley, a director at the cybersecurity company Jamf, added: "Users should never enter their iCloud credentials outside of the official Apple website. They should also be cautious when encountering flashing warnings that prompt them to call a phone number to resolve a supposed threat. These calls often lead to scammers who promise to fix a fake issue in exchange for a fee and credit card information."
