Deserved or not, Mac OS X (and now, I suppose, MacOS Sierra) has a reputation for being more secure than Windows. But in 2016, is that reputation still deserved? What security threats exist for the Apple platform, and how are they affecting users?
The Unexpected Appearance of Ransomware on OS X
Ransomware has been around for over ten years. The first documented example was found in Russia between the years 2005 and 2006. TROJ_CRYZIP.A copied the victim’s files to a password protected ZIP file, and deleted the originals. The victim would have to pay $300 in order to acquire the password needed to recover them.
In the years that followed, ransomware spread far beyond the borders of Russia, and is now one of the most serious security threats to face businesses and consumers alike. Each year, thousands of new strains are identified, but the majority of these have been seemingly confined to the Windows and Android operating systems.
OS X just isn’t attractive for ransomware developers.
The biggest reason for this is likely cold, hard numbers. OS X accounts for less than 10% of total market share. Corporate users, who are targeted by ransomware distributors because they are perceived as more likely to pay a ransom to recover business-critical files, use OS X at an even lower rate.
As a result, OS X is simply not an enticing target. Mac users are a tiny needle in a vast digital haystack. Effort spent developing and distributing malware for OS X is better spent targeting Windows users, who are far more numerous.
But there are exceptions. Early this year, an unknown actor was able to issue a fake update for Transmission — a wildly popular BitTorrent client — that had been bundled with the KeRanger ransomware variant.
KeRanger was the first viable Mac ransomware. FileCoder was technically first, but was still unfinished by the time it was discovered by security researchers.
Although it represents a troubling milestone in the history of OS X security, in many respects it was a standard crypto-ransomware variant, and acted much like its Windows brethren. It encrypted files using AES, implemented with the mbedTLS library, which is almost impossible to crack without the key. KeRanger also demanded $400 in Bitcoin for the safe retrieval of the user’s files, which is fairly standard for ransomware.
The fact is that KeRanger isn’t going to be the last Mac ransomware. It seems inevitable that future ransomware targeting the platform will also use novel infection techniques. Hackers will infiltrate the updates of established and legitimate applications, and serve ransomware that way. They will insert malicious code onto legitimate websites, as another attack vector.
This puts a significant burden of responsibility (and perhaps even liability) onto the shoulders of app developers and website operators.
Thankfully, that particular model doesn’t work for niche (for lack of a better word) operating systems like OS X and Linux. With both of these operating systems having a market share that registers in the single digits (at least, according to NetMarketshare.com), targeting them will never be an efficient use of hard-won spam networks.
Contagion: When Linux Catches a Cold, Mac OS X Sneezes
Although Mac OS X and Linux are both distinct operating systems, with differences on both a technical level and cultural level, there are some significant similarities. Both share a common UNIX heritage, and are POSIX-compatible. Many of the components that make up Linux can also be found in Mac OS X.
This is a strength. The design decisions that informed the creation of UNIX almost forty years ago are fundamentally sound, and it has resulted in both operating systems being known for their reliability and security.
But there are also downsides. When a security issue is found in one of the common components, both platforms are affected. The most widely recognized example of this was Shellshock, which was first disclosed on the 24th of September, 2014 by French security researcher Stephane Chazelas.
Shellshock was a security vulnerability in the Bash shell, caused by a flaw in how it parsed function definitions stored in environment variables: commands appended after the function body were executed as soon as the shell started. This allowed a malicious third party to run arbitrary Bash commands of their own. If the vulnerable process was running as root, the damage could be even more significant.
Hackers and malware distributors used Shellshock as a precursor to further attacks: they would seize control of a machine, then use it to launch DDoS attacks, send vast volumes of spam, or carry out various other undesirable actions.
This was (or perhaps is; tens of thousands of machines remain unpatched, and still vulnerable) a serious problem. Because Bash is common to both Linux and OS X, both systems were affected.
The same pattern has emerged with many of the open source components found in OS X. Thankfully, Apple is notably diligent about remediation, and fixes typically reach consumers anywhere from a few hours to a few days after disclosure.
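Two defender-side checks for the Shellshock flaw described above, as an added example that is not from the article: a patch verification of the local bash, and a scan of constructed access-log lines for the "() {" marker that exploit attempts placed in request headers. It assumes a POSIX shell with bash, env and grep available.

```shell
#!/bin/sh
# Added example (not from the article): two defender-side checks for the
# Shellshock flaw. The log lines below are constructed, not real traffic.

# 1. Patch verification on the local host. A crafted environment variable
#    whose value starts with "() {" looks like an exported bash function.
#    Vulnerable bash kept parsing past the function body and ran the
#    trailing "echo VULNERABLE"; a patched bash ignores the variable and
#    the child shell only prints "ok".
shellshock_local_check() {
  out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo ok' 2>/dev/null)
  case "$out" in
    *VULNERABLE*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# 2. Log review. Constructed Apache-style access-log lines: a benign
#    request, and one whose User-Agent carries the "() {" marker that
#    exploit attempts against CGI scripts placed in request headers.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; :"'

# Count lines containing the marker. Fixed-string match (-F) so the
# parentheses and braces are not interpreted as a regular expression.
count_shellshock_hits() {
  printf '%s\n' "$SAMPLE_LOG" | grep -cF '() {'
}

# Report both results when the script is run directly.
echo "local bash: $(shellshock_local_check)"
echo "suspicious log lines: $(count_shellshock_hits)"
```

On a patched system the first check prints "patched"; on a production server the grep would be run over the real access log instead of the constructed sample.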
The Social Element Still Applies to Mac Users
When one looks at issues in computer and information security, it can be easy to get distracted by the technical details, and miss out on the bigger picture. Shellshock and Heartbleed were both able to attract vast amounts of media attention not merely because of the threat they posed, but because they were both technically quite ingenious.
But people forget about the human element in security.
According to the IBM Security Services 2014 Cyber Security Intelligence Index, which painstakingly looks at the cyber-security data of nearly 1,000 IBM Security Services clients, human error is responsible for 95% of all breaches. What falls under the umbrella of “human error” ranges from falling for a social engineering attack, all the way to clicking on a spam email.
Mac users aren’t immune to making mistakes, and they aren’t invulnerable to attacks which are carefully crafted to exploit the human element.
Late last year, Malwarebytes reported on a tech support scam targeting Mac users. In many respects, it was a standard tech support scam, the likes of which we’ve reported on previously. The main “funnel” for victims was a website which warned the user that their computer was flooded with viruses and errors. To add a veneer of legitimacy, the site was even hosted on a domain name similar to the official Apple one, and had a toll-free number for victims to call.
There have been a number of documented examples of phishing attacks that target users entangled in the Apple ecosystem. The vast majority of these aim for iTunes and iCloud accounts. The former is highly prized by attackers who will use them to purchase applications, music, and movies on the victim’s credit card.
The latter can be exploited as a precursor to another attack. Former Wired Senior Staff Writer Mat Honan experienced this in 2012, when an attacker gained access to his iCloud account and remotely erased the data on his iPhone, iPad, and MacBook.
Evaluating the State of Mac Security
At the start of this article, I asked if Mac OS X’s reputation for security is still deserved. I still believe that to be the case. There are threats — of course there are — but they are far less prolific than those for Windows.
But I should add a caveat. The risks that do exist are perhaps more dangerous than those that exist for Windows, simply because the attacker has to go to more effort in order to infect a machine.
It’s easy to spot malware when it’s presented to you as a spam email filled with spelling and grammar mistakes, from a sender you don’t recognize. When it’s presented as an update for an application you know, use, and trust? That’s different.
Have you experienced Mac or iOS-targeted malware, or been the victim of a scam targeting Apple users? Tell us about it in the comments!