More malware targeting Mac users
A Malwarebytes update explains the most recent attack, in which a fake Symantec blog has been created and used to entice people into downloading and installing the OSX.Proton malware.
Mac users continue to be in a good security environment overall, [edit: unless you've upgraded to High Sierra, apparently] but cannot be complacent. This attack is noteworthy for how well-crafted both the website and the malware are: there is little to arouse suspicion, and the site even includes legitimate content lifted from Symantec.
If the malware is installed, admin credentials including passwords are captured and sent to the attacker in plain text. The malware targets Keychain (where OSX stores passwords you have chosen to save) and also password vaults, if it finds the vault's master password.
While this specific site will have been taken down, other attacks featuring OSX.Proton and similar malware will continue to spread; other recent examples include infected versions of Handbrake and Elmedia Player.
To prevent this type of attack you can:
- Carefully check the source of applications you are installing
- Check with your IT support team / provider before installing AV software or system "cleaning" utilities
- Run antivirus / antimalware on your Mac - though yes, there is still debate on the pros and cons of this.
To minimise the impact we recommend that you:
- Use a password vault such as 1Password, but do not store your master password in Keychain
- Use different passwords for different services
- Use two factor authentication (2FA)
- Consider any other sensitive information that may have been saved to Keychain, for example credit card information.
See also the CERT NZ website for security advisories.