New Mac Malware Manages to Spy on Encrypted Browser Traffic


This blog was written by Douglas McKee.

There’s a new cyberattack targeting Mac OS users: a malware program called OSX/Dok. Discovered late last week, primarily in Europe, it is capable of spying on encrypted browser traffic to steal sensitive information. You heard correctly: it can eavesdrop on all of your web browsing, HTTPS sessions included.

How does this attack work?

First, the Trojan is digitally signed with an Apple developer certificate that was valid at the time, so Gatekeeper lets it run without complaint. Its initial access relies on social engineering: a phishing email delivers it, and once run it phishes for the user’s password by displaying a full-screen alert claiming that an urgent OS X update is waiting to be installed. With that password in hand, the Trojan makes the changes it needs to intercept the user’s browsing activity.

It grants the current user permanent administrator rights and suppresses further password prompts, so the rest of the infection proceeds silently. Dok also replaces the existing login items with its own so that it is launched every time the user logs in. Then it installs its own root certificate into the machine’s trusted certificate store and redirects all web traffic through a malicious proxy server reached over the Tor network (the “Dark Web”). From there the attacker carries out a man-in-the-middle attack: because the machine now trusts the attacker’s root certificate, the proxy can present a forged certificate for whichever HTTPS site the victim visits and decrypt the traffic.

Browsers normally warn when a site’s certificate cannot be verified, so why don’t they catch this? Because the warning only fires for certificates that do not chain to a trusted root, and the malware has added its own root to the trusted list. Every forged certificate the proxy presents chains to that root, so the browser treats the connection as legitimate and shows the padlock. Browsers also deliberately exempt locally installed roots from certificate pinning, so pinning offers no protection here either.

How do you protect yourself?

Apple mitigated the risk by revoking the developer certificate used to sign the malware, so Gatekeeper will refuse to launch freshly downloaded copies. Revocation does nothing for a machine that is already infected, though: the administrator rights, the proxy setting and the rogue root certificate all stay in place until they are removed by hand. And there’s still more you can do to protect yourself from this attack and others like it.

NEVER open attachments or click on links from unknown senders. Verify the sender’s address before acting on any email, and be cautious whenever you’re asked to provide credentials, especially by a dialog that appears after you open an attachment.

Whenever possible, Mac users should install apps only from the Mac App Store, which contains only applications Apple has screened and approved, and should keep Gatekeeper enabled in System Preferences > Security & Privacy so that unsigned or revoked software is blocked from running.

To learn more about this cyberattack and others like it, make sure to follow @McAfee and @McAfee_Business.
