The concept of using steganography to hide malware in images is not a new one; however, it can still be very effective when used properly. Researchers have discovered exactly that in a massive campaign currently affecting Mac users by the millions. The research was a joint effort between Confiant and Malwarebytes, according to a blog post by Confiant, and it revealed how Mac users are being exposed to the Shlayer malware.
The campaign works by hiding the malware so that it appears to be a Flash Player update. The Mac user clicks on the image (which is an advertisement) and is redirected to the download page for the Shlayer malware, presented as the Flash update. Not only does the malware itself do damage, but according to Jerome Segura of Malwarebytes, it acts as a “dropper for additional payloads, most notably Adware,” and consequently, users “may notice their machines running slower than normal and may be tricked into purchasing applications that they do not need.”
The blog post by Confiant gave the following statistics about the adware attack, quoted below:
At its peak the full scale of this specific attack triggered over 5 million times per day. The revenue impact of those 5 million malicious impressions needs to be measured from a multitude of different facets. You have the publisher who loses money directly from the interrupted user sessions, and loses future money from the increased ad blocking usage and user trust loss. There are the ad exchanges who had their inventory access cut off while they battled the infection and will have had some publishers pull their inventory out permanently. The advertisers will get hit with the resulting ad fraud from the infected devices. And let’s not disregard the user, who now has an infected device.
Estimated all together, Confiant benchmarks the cost impact for just that Jan. 11 peak alone to have been over $1.2 million. When you consider that this was just one of multiple hundreds of attacks Confiant has caught and blocked over the past month alone, the scale of the issues facing the digital ad industry becomes clearer.
The post makes it clear that the threat actor, dubbed VeryMal, is a deviant trickster who is able to quickly change tactics and attack methodology. The focus so far has been on infecting Mac/iOS users in the United States with adware, but now that their operation is being revealed, they will likely change their attack patterns. At the moment, the best thing that users of any Internet-connected device can do is practice safe browsing and always be suspicious of updates or proposed downloads that they did not initiate themselves. Having strong malware-blocking and clean-up software is also a must in case you do accidentally infect your device.
Stay vigilant out there, the Internet is only as safe as you allow it to be.
Featured image: Pixabay