Bogus Flash Player update targets millions of Mac users with adware

The concept of using steganography to hide malware in images is not a new one, but it can still be very effective when used properly. Researchers have now found exactly that in a massive campaign currently affecting Mac users by the millions. The research was a joint effort between Confiant and Malwarebytes, according to a blog post by Confiant, and it exposed how Mac users are being exposed to the Shlayer malware.

The campaign works by hiding the malicious code inside an advertising image and presenting the result as a Flash Player update. When a Mac user clicks on the image (which is an advertisement), they are tricked into being redirected to the download page of the Shlayer malware, disguised as the Flash update. Not only does the malware itself do damage, but, according to Jerome Segura of Malwarebytes, it also acts as a “dropper for additional payloads, most notably Adware,” and consequently users “may notice their machines running slower than normal and may be tricked into purchasing applications that they do not need.”
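The article says the payload is hidden in the ad image but does not describe the embedding method. As an added defensive example (not code from the article, Confiant or Malwarebytes), the Python script below triages PNG and JPEG files for one common hiding technique, a blob appended after the image terminator (PNG IEND, JPEG EOI) or stuffed into oversized PNG text chunks; pixel-level steganography is beyond its reach, so an empty result is not proof of a clean image. The sample images and the appended blob are constructed inline.

```python
import struct, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype, body):
    """Build one PNG chunk; used here only to construct the sample file."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def scan_png(data):
    """Findings: bytes after IEND, or text chunks bigger than a heuristic 512-byte limit."""
    findings, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype in (b"tEXt", b"zTXt", b"iTXt") and length > 512:
            findings.append(f"oversized {ctype.decode()} chunk: {length} bytes")
        pos += 12 + length  # length field + type + body + CRC
        if ctype == b"IEND":
            break
    if len(data) > pos:
        findings.append(f"{len(data) - pos} bytes after IEND")
    return findings

def scan_jpeg(data):
    """Walk JPEG markers to the real EOI (not just the last FFD9) and report trailing bytes."""
    pos = 2  # skip SOI
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: anything after it is not image data
            pos += 2
            return [f"{len(data) - pos} bytes after EOI"] if len(data) > pos else []
        if pos + 4 > len(data):
            break
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: step over entropy-coded data (FF00 stuffing, RSTn) to the next marker
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in (0, *range(0xD0, 0xD8))):
                pos += 1
    return ["no EOI marker found (truncated or malformed JPEG)"]

def scan_image(data):
    """Dispatch on the magic bytes; unknown formats are reported, not silently passed."""
    if data.startswith(PNG_SIG):
        return scan_png(data)
    return scan_jpeg(data) if data[:2] == b"\xff\xd8" else ["not a PNG or JPEG"]

# Constructed samples, not real ad creatives: a 1x1 PNG and a skeletal JPEG, plus copies with a blob appended.
PAYLOAD = b"<script>/* constructed placeholder, not a real payload */</script>"
CLEAN_PNG = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
CLEAN_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 4) + b"JF"  # SOI, APP0
              + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")  # SOS, scan data, EOI
STEGO_PNG, STEGO_JPEG = CLEAN_PNG + PAYLOAD, CLEAN_JPEG + PAYLOAD
```

Run `scan_image(open(path, "rb").read())` over the creatives an ad slot serves; any non-empty result is worth a closer look, not an automatic verdict.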

The Confiant blog post gives the following statistics about the adware attack, quoted below:

At its peak, the full scale of this specific attack triggered over 5 million times per day. The revenue impact of those 5 million malicious impressions needs to be measured from a multitude of different facets. You have the publisher who loses money directly from the interrupted user sessions, and loses future money from the increased ad blocking usage and user trust loss. There are the ad exchanges who had their inventory access cut off while they battled the infection and will have had some publishers pull their inventory out permanently. The advertisers will get hit with the resulting ad fraud from the infected devices. And let’s not disregard the user, who now has an infected device.

Estimated altogether, Confiant benchmarks the cost impact for just that Jan. 11 peak alone to have been over $1.2 million. When you consider that this was just one of multiple hundreds of attacks Confiant has caught and blocked over the past month alone, the scale of the issues facing the digital ad industry becomes clearer.

The post makes it clear that the threat actor, dubbed VeryMal, is a deviant trickster who is able to quickly change tactics and attack methodology. The focus so far has been on infecting Mac/iOS users in the United States with adware, but now that their operation has been revealed, they will likely change their attack patterns. At the moment, the best thing that users of any form of Internet-connected technology can do is practice safe browsing and always be suspicious of updates or proposed downloads that they did not initiate themselves. Having strong malware-blocking and clean-up software is also a must in case you do accidentally infect your device.

Stay vigilant out there, the Internet is only as safe as you allow it to be.

Featured image: Pixabay

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

