New Mac Malware Manages to Spy on Encrypted Browser Traffic

This blog was written by Douglas McKee.

There’s a new cyberattack targeted at Mac OS users—a malware program called OSX/Dok. Discovered late last week primarily in Europe, the program is capable of spying on encrypted browser traffic to steal sensitive information. You heard correctly: it can eavesdrop on all of your web browsing.

How does this attack work?

First, the Trojan is digitally signed with a previously valid Apple certificate. It initially relies on social engineering, first phishing for credentials through either email or by displaying a full-screen alert that claims there’s an urgent OS X update waiting to be installed. Once it gets access, the Trojan makes the necessary changes it needs to infiltrate the user’s browsing activity.

It elevates the privileges of the current user to a permanent administrator and bypasses additional password prompts, keeping the rest of the infection process quiet. DoK also replaces existing login entries with its own so it runs when the user logs onto the computer. Then, it redirects all traffic to the Dark Web through a malicious proxy server and installs its own root certificate on the machine. From there, the attacker can carry out a man-in-the-middle attack and decrypt the user’s HTTPS traffic by pretending to be whichever website the victim attempts to access.

Since browsers typically alert users of compromised website connections, how are they not catching this attack? Because of the bad root certificate.

How do you protect yourself?

Apple mitigated the risk by revoking the certificate used in the attack. But there’s still more you can do to protect yourself from this attack and others like it.

NEVER open attachments or click on links from unknown senders. Also, check the source of the email and ensure legitimacy. Always be cautious whenever you’re asked to provide credentials.

Whenever possible, Apple users should only install apps from the Apple app store to ensure they’re only using applications that Apple has screened and approved.

To learn more about this cyberattack and others like it, make sure to follow @McAfee and @McAfee_Business.

Leave a Comment

14 − seven =