{"id":2461,"date":"2025-03-24T11:52:01","date_gmt":"2025-03-24T11:52:01","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2461"},"modified":"2025-03-24T11:52:01","modified_gmt":"2025-03-24T11:52:01","slug":"new-phishing-campaign-uses-scareware-to-steal-apple-credentials","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2461","title":{"rendered":"New phishing campaign uses scareware to steal Apple credentials"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A new phishing campaign targeting Mac systems employs scareware tactics to steal Apple IDs and passwords from unsuspecting users.<\/p>\n<p>Identified by LayerX Labs, the attack involves compromised websites displaying fake security warnings claiming that the user\u2019s computer has been \u201ccompromised\u201d and \u201clocked,\u201d and prompting users to enter their username and password.<\/p>\n<p>\u201cApple Security Warning. MacOS has been locked due to unusual activity, try signing in again with your Apple_ID and password,\u201d the displayed message reads, alongside a prompt to enter Apple account credentials.<\/p>\n<p>The campaign redirects victims to the phishing pages\u2013with the malicious scareware code\u2013via compromised domain \u201c<a href=\"https:\/\/www.csoonline.com\/article\/568815\/how-to-stop-email-spoofing-of-parked-domains.html\">parking<\/a>\u201d pages, LayerX said in a <a href=\"https:\/\/layerxsecurity.com\/blog\/layerx-identifies-new-phishing-campaign-targeted-at-mac-users\/\">blog post<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Use of scareware<\/h2>\n<p>Screenshots shared by LayerX revealed the use of \u201cscareware\u201d in the campaign. 
Scareware refers to malicious software that displays a pop-up alert or fake antivirus warning claiming that a user\u2019s device is infected with a virus or that its security is compromised, and that the user should complete an action to fix the issue.<\/p>\n<p>In this case, the scareware is deployed on the actor-controlled phishing sites that victims are taken to. On visiting the website, users get a fake pop-up alert, \u201cApple security warning,\u201d prompting them to enter their Apple ID and password. Simultaneously, the webpage freezes, creating the illusion that the entire computer is locked.<\/p>\n<p>LayerX research pointed out that the campaign is particularly difficult to stop because of various factors, including being hosted on a Microsoft platform, adding credibility, using a legitimate and trusted hosting service, and using randomized and quickly changing subdomains.<\/p>\n<p>\u201cIn the past few weeks, we\u2019ve seen an uptick in browser-based phishing attacks that use legitimate hosting services to trick users into falling for the attack,\u201d Thomas Richard, red team practice director at Black Duck, said in a comment to CSO. \u201cThe ruse they use is a fairly old one and quite common.\u201d<\/p>\n<p>Such random popups saying \u201cyour computer is compromised\u201d should always be treated with suspicion, as antivirus services will never ask you to enter a username and password to remove a threat, Richard added.<\/p>\n<h2 class=\"wp-block-heading\">The campaign previously targeted Windows users<\/h2>\n<p>According to LayerX researchers, the campaign has been seen targeting Mac users only in the last few months. 
Initially, it targeted Windows users by masquerading as Microsoft security alerts.<\/p>\n<p>The threat actors behind the campaign, which is designed to steal user credentials, have apparently shifted focus to Mac users owing to new security features being rolled out by Microsoft, Chrome, and Firefox, the researchers added.<\/p>\n<p>\u201cPhishing attacks are evolving, and despite the fact that Macs are traditionally less susceptible to viruses, Mac users are no exception to many modern threats,\u201d Darren Guccione, CEO and co-founder at Keeper Security, told CSO. \u201cCybercriminals are opportunistic\u2013when one attack vector gets blocked, they pivot to the next.\u201d<\/p>\n<p>This campaign demonstrates how quickly attackers adapt, leveraging trusted infrastructure and sophisticated deception to bypass traditional security measures, Guccione added. The researchers noted that the new Mac-targeted attacks required only minor adjustments to the hackers\u2019 existing infrastructure, primarily involving text modifications and slight code changes to target macOS and Safari users.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A new phishing campaign targeting Mac systems employs scareware tactics to steal Apple IDs and passwords from unsuspecting users. Identified by LayerX Labs, the attack involves compromised websites displaying fake security warnings claiming that the user\u2019s computer has been \u201ccompromised\u201d and \u201clocked,\u201d and prompting users to enter their username and password. \u201cApple Security Warning. 
MacOS has [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2462,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2461","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2461"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2461"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2461\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2462"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}