A snippet of malicious code designed to crash Mac OS machines is being delivered through drive-by downloads as part of a campaign designed to trick users into calling a fake tech support service, security researchers warn.
Tech support scams have been around for a long time and have used numerous attack methods, yet this newly discovered tactic stands out because it attempts to scare users into calling for assistance by using a denial-of-service attack instead of flooding their desktops with the usual set of fake alerts.
Previously seen tech support scams fell either into the ‘browlock’ category, when they were delivered through the browser, or were considered screen lockers, when malware was downloaded onto the targeted machine.
Recently, however, security researchers observed a trend where scammers cause the targeted machines to crash. One such attack was observed in November, when the cybercriminals behind it were leveraging a specific HTML5 API (history.pushState) to cause the browser to freeze.
Malwarebytes Labs security researchers now reveal that attackers are targeting Apple’s Safari browser on Macs through a newly registered scam website that began making the rounds late last year.
On machines running older operating system versions, the denial of service (DoS) attack would freeze the machine without requiring user interaction. As soon as the user visited the malicious site, the code on the webpage generated a series of email drafts, eventually causing the machine to run out of memory and freeze.
The security researchers determined that the attack started with the malicious page first determining the OS X version, courtesy of an integrated user agent check. Depending on the result, the site would serve one of two different versions of the denial-of-service code.
A quick look at the code revealed that the first variant was meant to continuously draft emails, but that it lacked the functionality to actually send them. By drafting the messages incrementally, the code would progressively cover the previously opened windows and eventually end up crashing the machine.
The attack, the security researchers reveal, is ineffective against machines running macOS Sierra 10.12.2 or above, likely because the underlying issues were patched in a recent release. While Mac users running the up-to-date OS aren’t affected by the “Mail app DoS,” older operating system versions are still affected.
The second attack variant was observed opening up iTunes instead, and the security researchers say that even macOS Sierra 10.12.2 users are at risk. The malicious code used in this attack can still open iTunes without a prompt being displayed in Safari.
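The detection heuristic below is an added example and is not code from the article or from Malwarebytes. It assumes the page hands the drafts and the iTunes launch off to native apps through URL schemes (mailto:, itms://) invoked from script, which the article does not state, and it runs over two constructed sample pages rather than the real scam site.

```python
import re

# Constructed sample pages (not taken from the campaign). SCAM_PAGE mimics the
# described flow: sniff the macOS version, then loop Mail drafts or open iTunes.
BENIGN_PAGE = """<html><body><a href="mailto:help@example.test">Contact us</a>
<script>document.title = navigator.userAgent.includes("Mac OS X") ? "Mac" : "Other";</script>
</body></html>"""
SCAM_PAGE = """<html><body><h1>Call now</h1><script>
var ua = navigator.userAgent;
if (ua.indexOf("Mac OS X 10_12_2") === -1) {
  setInterval(function(){ window.open("mailto:support@example.test?subject=ERROR"); }, 50);
} else {
  window.location = "itms://itunes.example.test/app";
}
</script></body></html>"""

# Schemes that hand a navigation off to a native app (Mail, iTunes / App Store).
APP_SCHEME = re.compile(r"""['"](mailto:|itms://|itms-apps://|macappstore://)""", re.I)
LOOP_HEAD = re.compile(r"\b(for|while|setInterval|setTimeout)\b")

def _balanced(text, start, open_ch, close_ch):
    """Return text[start:] up to the bracket matching text[start], or '' if unbalanced."""
    depth = 0
    for i in range(start, len(text)):
        depth += text[i] == open_ch
        depth -= text[i] == close_ch
        if depth == 0:
            return text[start:i + 1]
    return ""

def _loop_bodies(script):
    """Yield each loop/timer body: the '{...}' after for/while, the '(...)' after a timer call."""
    for m in LOOP_HEAD.finditer(script):
        timer = m.group(1) in ("setInterval", "setTimeout")
        open_ch, close_ch = ("(", ")") if timer else ("{", "}")
        pos = script.find(open_ch, m.end())
        if pos != -1:
            yield _balanced(script, pos, open_ch, close_ch)

def scan_page(html):
    """Static heuristics: macOS UA sniffing, script-driven app-scheme handoffs, mailto: inside a loop."""
    f = {"ua_sniff": False, "scheme_in_script": False, "mail_loop": False}
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, re.I | re.S):
        f["ua_sniff"] |= "navigator.userAgent" in script and "Mac OS X" in script
        f["scheme_in_script"] |= bool(APP_SCHEME.search(script))
        f["mail_loop"] |= any("mailto:" in body.lower() for body in _loop_bodies(script))
    # A loop of drafts is the DoS itself; UA sniffing plus a script-initiated handoff is the scam pattern.
    f["suspicious"] = f["mail_loop"] or (f["ua_sniff"] and f["scheme_in_script"])
    return f
```

A plain mailto: link in an anchor, as in the benign sample, is not flagged; only script that loops over the scheme or pairs version sniffing with a script-initiated handoff is.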
*Updated to clarify that this attack is browser-based and that malware is not installed on Mac systems in this attack scenario.