
Mac Crashing Attack Method Used in Tech Support Scam

A snippet of malicious code designed to crash Mac OS machines is being delivered through drive-by downloads as part of a campaign designed to trick users into calling a fake tech support service, security researchers warn.

Tech support scams have been around for a long time and have used numerous attack methods, yet this newly discovered tactic stands out because it attempts to scare users into calling for assistance by using a denial-of-service attack instead of flooding their desktops with the usual set of fake alerts.

Previously seen tech support scams fell into either the ‘browlock’ category, when delivered through the browser, or the screen-locker category, when malware was downloaded onto the targeted machine.

Recently, however, security researchers observed a trend where scammers cause the targeted machines to crash. One such attack was observed in November, when the cybercriminals behind it were leveraging a specific HTML5 API (history.pushState) to cause the browser to freeze.

Malwarebytes Labs security researchers now reveal that attackers are targeting Apple’s Safari browser on Macs through a newly registered scam website that began making the rounds late last year.

On machines running older operating system versions, the denial of service (DoS) attack freezes the machine without requiring any user interaction: as soon as the user visits the malicious site, the code on the page generates a series of email drafts, eventually causing the machine to run out of memory and freeze.

The security researchers determined that the attack starts with the malicious page determining the OS X version through a user agent check. Depending on the result, the site then pushes one of two versions of the denial-of-service code.

A quick look at the code revealed that the first variant continuously drafts emails but lacks any functionality to actually send them. By opening draft after draft, however, the code progressively covers the previously opened windows and ultimately crashes the machine.

The attack, the security researchers note, is ineffective against machines running macOS Sierra 10.12.2 or above, likely because the underlying issues were patched in a recent release. While Mac users running the up-to-date OS aren’t affected by the “Mail app DoS,” older operating system versions are still affected.

The second attack variant opens iTunes instead, and the security researchers say that even macOS Sierra 10.12.2 users are at risk: the malicious code can still open iTunes without Safari displaying a prompt.
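The flow described above (a user agent check on the OS X version, followed by script that repeatedly hands URLs to Mail or iTunes) gives a defender two things to look for when triaging a suspicious page. The following Python is an added example, not code from the article or from Malwarebytes; the sample pages, the assumption that the iTunes variant uses the itms:/itmss: schemes, and the 10.12.2 version threshold taken from the article are all assumptions of the example.

```python
import re

# Constructed sample inputs (not code from the article or from Malwarebytes).
SAMPLE_BENIGN = """<html><body>
<p>Questions? <a href="mailto:help@example.invalid">Email us</a></p>
</body></html>"""

SAMPLE_SUSPICIOUS = """<html><body><script>
if (/Mac OS X 10[._]1[01]/.test(navigator.userAgent)) {
  setInterval(function () { location.href = "mailto:x@example.invalid"; }, 250);
}
</script></body></html>"""

# Schemes Safari hands to another app: mailto: -> Mail; itms:/itmss: -> iTunes (assumed)
APP_SCHEMES = ("mailto:", "itms:", "itmss:")
# navigator.userAgent inspected together with a Mac OS X version string, in either order
UA_GATE = re.compile(
    r"navigator\.userAgent[\s\S]{0,200}?Mac OS X|Mac OS X[\s\S]{0,200}?navigator\.userAgent", re.I)
# a timer or loop whose body navigates to one of the app schemes
REPEAT_NAV = re.compile(
    r"(?:setInterval|setTimeout|for\s*\(|while\s*\()[\s\S]{0,300}?"
    r"(?:location(?:\.href)?\s*=|window\.open\s*\()\s*['\"](?:mailto:|itms:|itmss:)", re.I)

def analyze_page(source: str) -> dict:
    """Heuristic triage of one page's HTML/JS: does it gate on the OS X version
    and repeatedly hand URLs to Mail or iTunes from script?"""
    scheme_hits = sum(source.lower().count(s) for s in APP_SCHEMES)
    ua_gate = UA_GATE.search(source) is not None
    repeat_nav = REPEAT_NAV.search(source) is not None
    return {
        "scheme_hits": scheme_hits,
        "ua_gate": ua_gate,
        "repeat_nav": repeat_nav,
        # one mailto link is normal; scripted repetition, or gating plus several hits, is not
        "suspicious": repeat_nav or (ua_gate and scheme_hits >= 3),
    }

def mail_dos_applies(macos_version: str) -> bool:
    """True when the Mail-app variant still works: builds before 10.12.2 (per the article)."""
    parts = tuple(int(p) for p in macos_version.split("."))
    parts += (0,) * (3 - len(parts))          # "10.12" -> (10, 12, 0)
    return parts < (10, 12, 2)

if __name__ == "__main__":
    for name, src in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, analyze_page(src))
    print("10.11.6 affected by Mail DoS:", mail_dos_applies("10.11.6"))
```

The heuristics are deliberately loose (a benign page could legitimately open a mailto: link from a timer), so treat a hit as a reason to pull the page into a sandbox, not as a verdict.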

*Updated to clarify that this attack is browser-based and that malware is not installed on Mac systems in this attack scenario

Related: U.S. Indicts 61 in Indian Call Center Scam

Related: Phishing Attacks Hit the C-Suite With High Value Scams

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
