After years of enjoying relative security through obscurity, the Apple Mac has recently seen many attack vectors prove successful against it, opening it up to future attack. A reflection of this is the final quarter of 2016, when Mac OS malware samples increased by 247% according to McAfee. Even though threats are still much lower than for Windows OS users, Mac users cannot afford to be as blissfully complacent as they may have been in the past.
Several reasons account for the smaller number of malware attacks on Mac:
- Smaller footprint – there are far fewer Apple Macs than Windows PCs, and criminals focus on where the volumes are. The gap is even growing slightly: 2016 shipments of Apple Mac were slightly lower than the previous year, and their share of the overall PC market fell to 7.1%.
- All macOS applications need to be approved by Apple and digitally signed. Apple’s Gatekeeper application blocks all non-approved applications. There is a process by which developers obtain Apple approval. These approvals mean it is more difficult for malicious applications to be installed and execute. In addition, approved applications execute in a sandbox, isolating them from critical OS systems and data, thus limiting potential harm.
- Known malicious applications are contained in a blacklist on OS X (called XProtect) and are prevented from executing.
- Outdated browser plug-ins are restricted, ensuring that only the latest plug-ins with the most up to date security features can run.
Despite these built-in safeguards, there are always ways in which the system can be circumvented by malicious actors. For example, it can take several days for the latest known threats to be added to the XProtect blacklist, during which time Mac systems are vulnerable. In addition, it is relatively easy for anyone to become an approved Apple developer, and they can then create and execute malicious code before it is identified.
Many of the attack vectors we have often seen in Windows environments have now been shown to be successful on Mac.
Office macros: This is malicious code delivered as an Office macro that users are fooled into executing. Office macros were disabled by default on Mac, but they have been re-enabled since 2011. Macros remain a threat in Windows environments, and they are equally capable of being malicious on Mac.
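Because the macro threat described above depends on a document being able to carry a VBA project at all, a cheap defensive check is to classify Office attachments by content rather than by file extension. The following is an added example, not code from the original article: it inspects an Office Open XML package (the zip container behind .docx/.docm/.xlsm/.pptm) for a `vbaProject.bin` part or the VBA content type in its manifest, and separately flags legacy OLE2 binary documents, where macros are possible but confirming them needs deeper parsing. The sample files are constructed in memory and stand in for attachments a mail gateway or endpoint agent would see.

```python
"""Flag Office documents that can carry VBA macros.

Added example for this article (not code from the original post). Sample
files are constructed in memory; the 'vbaProject.bin' payload is a
placeholder, not a real VBA project.
"""
import io
import zipfile

# OLE2 compound-file signature used by legacy .doc/.xls/.ppt files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Office assigns to the embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_office_file(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: may hold a VBA storage; the header alone cannot tell.
        return "ole2-legacy"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            # Check 1: a vbaProject.bin part anywhere in the package (word/, xl/, ppt/).
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # Check 2: the package manifest declares the VBA content type,
            # which catches a renamed or oddly placed project part.
            if "[Content_Types].xml" in names:
                manifest = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def _build_package(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style package for demonstration (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        types += '<Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            pkg.writestr("word/vbaProject.bin", b"\x01\x02 constructed placeholder, not real VBA")
        types += "</Types>"
        pkg.writestr("[Content_Types].xml", types)
        pkg.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed samples standing in for attachments seen by a mail gateway.
SAMPLES = {
    "report.docx": _build_package(with_macro=False),
    "invoice.docm": _build_package(with_macro=True),
    "renamed-macro.docx": _build_package(with_macro=True),  # the extension lies; the content does not
    "old-budget.xls": OLE2_MAGIC + b"\x00" * 64,
    "notes.txt": b"plain text, nothing to see",
}


def scan_samples(samples=SAMPLES) -> dict:
    """Classify every sample and return {filename: verdict}."""
    return {name: classify_office_file(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:20s} {verdict}")
```

The point of the "renamed-macro.docx" sample is that a macro-enabled document renamed to a macro-free extension still carries its VBA part, so any policy keyed on the file name alone is trivially bypassed; classifying by package content is what makes the check worth running.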
Phishing attacks: Mac systems are equally vulnerable to this threat as Windows PCs.
Stealing browser passwords and taking screenshots: Xagent is malware developed by the Russian group APT28; it is capable of harvesting Mac browser passwords, taking screenshots and stealing iPhone backups stored on the Mac.
Ransomware: KeRanger is an example of Mac ransomware that encrypts files in the Mac “Users” directory and sends the user a demand for Bitcoin. The ransomware was packaged with a version of BitTorrent so that it would be installed on the Mac. Criminals are likely to step up their search for ways of installing and executing ransomware on the Mac.
Stealing the Keychain: The Keychain is the Mac password management system, which saves users from having to re-enter passwords. Clearly the Keychain is a valuable target for cyber criminals. MacDownloader is an example of malware aimed at stealing the Keychain; it tricked Mac users into installing it by masquerading as an Adobe Flash update.
Screen capture: By capturing screens, criminals are able to steal passwords, bank account numbers and other sensitive data. Fruitfly is an example of Mac screen capture malware.
Man-in-the-middle attack: A long-standing error in the SSL encryption implementation meant that data transmissions were susceptible to a man-in-the-middle attack. This error was fixed in 2014.
Denial of Service attack: A malicious actor can mount a denial of service attack by tying up resources on the Mac so that it runs out of memory. Recently, insidious tech support scammers succeeded in executing DoS attacks on Mac users by triggering the opening of multiple emails or instances of iTunes until the system ran out of memory.
Even though the threats to Mac users are nowhere near as great as those facing Windows users, many of the same attack vectors have been shown to be possible, and Mac users should not be insouciant. The old adage that you don’t need to outrun the predator, you just need to outrun the person next to you, no longer applies to Mac users. Particularly when dealing with sensitive data and in sensitive environments, such as when remotely connecting into a corporate network, Mac users need to ensure they use the most advanced security software.