Sometimes hackers opt for a stealthy approach. Other times, their attempts are downright brazen. That’s definitely the case with a newly launched malware campaign that seeks to spread “Proton Mac,” a strain of malware designed to steal passwords from Mac users.
The hackers registered a domain very similar to Symantec’s blog, mirrored its content and then created a fake post about a new version of CoinThief, which was moderately successful back in 2014.
After going into a bit of faux analysis about this nonexistent threat, the post recommended downloading a nonexistent piece of software called “Symantec Malware Detector” which it claimed was the best means of protecting against the new version of CoinThief. Unfortunately, “Symantec Malware Detector” is actually Proton Mac in disguise.
It’s a good scam, and it’s proven to be highly effective thus far. Its effectiveness is due in no small part to the fact that references to the post have been tweeted, initially by fake Twitter accounts, and later, by a growing number of legitimate ones.
Although the fake blog is quite good, it doesn’t stand up to intense scrutiny. For one thing, the email address used to register the domain isn’t a Symantec address. For another, their SSL certificate comes from Comodo, rather than Symantec’s own certificate authority. Unfortunately, the overwhelming majority of users don’t look that closely at websites they visit, so they are unlikely to recognize the fake for what it is.
If you have downloaded “Symantec Malware Detector,’ then you’ve got Proton Mac running on your machine right now.
It’s designed to log your username and password in plain text, sending this and any other PII (Personally Identifiable Information) on your machine to a hidden file. It will also capture browser auto-fill data, keychain files and the like, and send all of this to the hackers controlling the software.
If you have been infected, you should treat all online passwords as having been compromised and change them immediately, once you have verified that the malware has been completely removed from your system. Enabling two-factor authentication will also help make you more secure.