A long-running phishing campaign that initially targeted Windows users has recently shifted to macOS users, according to Israeli cybersecurity firm LayerX. The attackers employed scareware techniques, tricking users into providing login credentials by displaying fake Microsoft security alerts. These alerts made it appear as though the victim’s computer had been compromised, freezing webpages and prompting the user to enter their Windows username and password. This scam relied on compromised websites that redirected users to malicious phishing pages, leading victims to believe they were facing a real security issue.
The attackers hosted their phishing sites on the legitimate Windows.net platform, part of Microsoft’s Azure hosting service, which added an extra layer of legitimacy to the fake alerts. By using a trusted service with a good reputation score, the attackers were able to bypass typical anti-phishing defenses. Additionally, they employed randomized subdomains and anti-bot measures like CAPTCHA to hinder automated detection tools. These efforts made the phishing pages appear highly professional, further increasing the likelihood that users would fall for the scam without suspicion.
When new anti-scareware features were introduced in popular browsers like Chrome, Firefox, and Microsoft Edge, attacks targeting Windows users dropped by around 90%.
To bypass these improved defenses, the attackers adapted their campaign to target macOS users, who lacked similar protection at the time. Within two weeks of these browser updates, the first macOS-specific phishing attempts were detected. The malicious code was adjusted to target the Safari browser, while the phishing pages maintained the same structure as the ones used for Windows, only with minor tweaks to cater to macOS users.
LayerX warns that this attack could pose a significant risk to enterprise environments, as the compromise of corporate accounts can lead to severe data exposure.
The transition from targeting individual Windows users to macOS highlights the sophistication and persistence of this threat. Personal account compromises typically affect only the individual user, but when corporate or enterprise accounts are breached, the consequences can extend to the entire organization. This shift underscores the campaign’s adaptive nature, suggesting that the attackers may continue to evolve their tactics to evade security measures and threaten organizations on a larger scale.
