This week: Sneaky malware, fishy phish, and more

Windows malware attacks Macs, a strange phishing scam arises, 617M stolen accounts are for sale, and Trump wants more AI.

Phishing scam has fishy URLs

There’s a phishing campaign afoot that tries to scare users into believing their email accounts have been compromised. The phishing email claims that multiple verification errors have caused the user’s account to be blacklisted and that the only fix is an immediate login with the proper credentials. The email provides a link that reads CONFIRM YOUR EMAIL, and when users click on it, they are taken to a fake login page styled after their particular email service. Any credentials entered there are sent straight to the attackers’ server; no malware needs to be installed for the theft to work.

A twist to this otherwise typical phishing campaign is that the emails include URLs ranging from 400 to almost 1,000 characters long. Experts don’t yet understand why the URLs are so long; early guesses are that the length is meant to confuse the reader or to carry hidden information within the URL string. In any event, be wary of any email you receive claiming your account has been blacklisted, and treat an unusually long link as a red flag in its own right.
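One practical way to act on that red flag is to pull the links out of a message, measure them, and look at what their query strings carry. The following is an added example written for this post, not code from the campaign, from Avast, or from the researchers who reported it. The email body is constructed, the host name is a reserved example name, and the 400-character threshold is an assumption taken from the lengths reported above.

```python
"""Flag over-long URLs in an email body and inspect what their parameters carry.

Added example for this post; not code from the campaign or from Avast.
The sample message, its host name and the encoded parameter are constructed.
"""
from __future__ import annotations

import base64
import re
from urllib.parse import parse_qsl, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LONG_URL_THRESHOLD = 400  # assumption: the campaign's links ran 400-1,000 chars

# Constructed lure, modelled on the one described above: a long path, a long
# opaque token and an encoded copy of the recipient's address.
_ENCODED_VICTIM = base64.urlsafe_b64encode(b"victim@example.com").decode().rstrip("=")
SAMPLE_EMAIL = (
    "Multiple verification errors have caused your account to be blacklisted.\n"
    "CONFIRM YOUR EMAIL: https://mail-verify.example/"
    + "/".join(["3f9a1c7e2b4d"] * 36)
    + "?session=" + "".join(["xK9f"] * 30)
    + "&u=" + _ENCODED_VICTIM
    + "\n"
)


def find_urls(body: str) -> list[str]:
    """Pull every http(s) URL out of a plain-text body, trailing punctuation trimmed."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body)]


def try_base64(token: str) -> str | None:
    """Decode token as (URL-safe) base64 if it yields printable ASCII, else None."""
    if len(token) < 12 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", token):
        return None
    padded = token.replace("-", "+").replace("_", "/")
    padded += "=" * (-len(padded) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def analyze_url(url: str) -> dict:
    """Summarise one URL: host, length, path depth and query values that decode to text."""
    parts = urlsplit(url)
    decoded = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        text = try_base64(value)
        if text is not None:
            decoded[key] = text
    return {
        "host": parts.hostname,
        "length": len(url),
        "is_long": len(url) >= LONG_URL_THRESHOLD,
        "path_depth": parts.path.count("/"),
        "decoded_params": decoded,
    }


def suspicious_urls(body: str) -> list[dict]:
    """Return the analyses of URLs that are over-long or carry decodable payloads."""
    return [
        info
        for info in (analyze_url(u) for u in find_urls(body))
        if info["is_long"] or info["decoded_params"]
    ]


if __name__ == "__main__":
    for info in suspicious_urls(SAMPLE_EMAIL):
        print(info)
```

On the constructed message the random-looking session token decodes to non-ASCII bytes and is ignored, while the second parameter decodes to the recipient’s address, which is exactly the kind of per-victim tracking or pre-filling data a long link can smuggle. Real campaigns will vary, so treat the threshold and the base64 check as a starting point for a mail filter, not a verdict.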

Windows malware meant for Macs

In a move that sidesteps macOS Gatekeeper, a series of malicious executables are making their way onto the machines of Mac users who install cracked software. The threat actors built info stealers and adware for Macs as Windows EXE binaries that run on a Mac through the open source Mono framework. A set of these files has been found bundled with cracked software distributed on torrent websites. When users download the pirated software, the malware gets around Gatekeeper precisely because it is not a native Mac binary: Gatekeeper only evaluates Mach-O executables, so it never checks the EXE’s notarization status or Developer ID signature.

So far, the malware planted in these bundles serves a payload of ads and collects hardware and software details about the particular machine, sending them back to its C&C server. While the damage is relatively minor with this malware, threat actors could use the same Windows-EXE-via-Mono trick to deliver far more harmful payloads, including ransomware. As always, all users are strongly advised to stay away from cracked software.
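Since Gatekeeper does not look at non-native executables, anyone vetting an app bundle has to look for them directly. The following is an added example for this post, not Avast’s code or the researchers’ tooling: it walks a bundle and flags files carrying a Windows PE header (the “MZ” stub plus a valid “PE\0\0” signature), while recognising Mach-O and fat-binary magic so native code is reported separately. The sample bundle is constructed in a temporary directory, so the check runs on any OS.

```python
"""Find Windows PE executables hidden inside a macOS app bundle.

Added example for this post; not code from Avast or from the researchers.
Gatekeeper only evaluates Mach-O code, so a PE file shipped alongside a Mono
runtime never has its signature or notarization checked. This scan surfaces
such files. The bundle built by build_sample_bundle() is constructed.
"""
from __future__ import annotations

import os
import struct
import tempfile
from pathlib import Path

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                        # universal (fat) binary
}


def classify(path: Path) -> str:
    """Return 'pe', 'macho' or 'other' based on the file's leading bytes."""
    with path.open("rb") as fh:
        head = fh.read(64)
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if head[:2] == b"MZ" and len(head) >= 64:
        # A real PE stores the offset of its "PE\0\0" signature at 0x3c;
        # checking it avoids flagging any text file that happens to start "MZ".
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        with path.open("rb") as fh:
            fh.seek(e_lfanew)
            if fh.read(4) == b"PE\x00\x00":
                return "pe"
    return "other"


def find_pe_in_bundle(bundle: Path) -> list[str]:
    """List every PE executable under the bundle, as POSIX paths relative to its root."""
    hits = []
    for root, _dirs, files in os.walk(bundle):
        for name in files:
            p = Path(root, name)
            if p.is_symlink():
                continue
            if classify(p) == "pe":
                hits.append(p.relative_to(bundle).as_posix())
    return sorted(hits)


def build_sample_bundle(base: Path) -> Path:
    """Constructed bundle: a Mach-O-looking launcher plus a PE dropped in Resources."""
    app = base / "Installer.app"
    (app / "Contents" / "MacOS").mkdir(parents=True)
    (app / "Contents" / "Resources").mkdir(parents=True)
    # 64-bit Mach-O magic followed by zero padding stands in for the launcher.
    (app / "Contents" / "MacOS" / "Installer").write_bytes(b"\xcf\xfa\xed\xfe" + bytes(60))
    # Minimal PE: "MZ" stub, e_lfanew = 0x80 at offset 0x3c, "PE\0\0" at 0x80.
    pe = bytearray(b"MZ") + bytes(0x3C - 2) + struct.pack("<I", 0x80)
    pe += bytes(0x80 - len(pe)) + b"PE\x00\x00" + bytes(24)
    (app / "Contents" / "Resources" / "Installer.exe").write_bytes(pe)
    # A text file starting with "MZ" but with no PE signature must not be flagged.
    (app / "Contents" / "Resources" / "README.txt").write_bytes(b"MZ" + b"x" * 100)
    return app


def demo() -> list[str]:
    """Build the constructed bundle in a temp dir and return the PE files found."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_sample_bundle(Path(tmp))
        return find_pe_in_bundle(app)


if __name__ == "__main__":
    for hit in demo():
        print("PE executable not covered by Gatekeeper:", hit)
```

On a real machine you would point find_pe_in_bundle() at an installed .app directory; any hit is a binary that Gatekeeper never signed off on, and the same idea extends to other non-Mach-O formats (scripts, JARs) that a bundle can carry.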

Google cracks down on fake apps

In a post on the Android Developers Blog this week, a Google Play product manager reported that in 2018 Google rejected over 55% more app submissions than in 2017 and suspended over 66% more apps than the year before. Citing a concerted effort last year to improve its “abuse detection technologies and systems,” Google Play brought more hands on deck, adding operators, engineers, policy experts, and more. The post goes on to report that, in addition to stopping bad apps at submission, Google Play Protect scans 50 billion apps on users’ devices every day, searching for anything malicious. While Google seems to have improved its detection, malware and fake apps still sneak their way into the Google Play Store, as we reported just two weeks ago.

“Google's Play store is like the golden goose for cybercriminals,” says Luis Corrons, Avast security evangelist. “Even though the Android platform allows users to install apps from outside the official store, this option is turned off by default. Getting a malicious app into the store gives you access to hundreds of millions of potential victims, which is why Google makes big efforts to keep the store clean.” Corrons continues, “Even still, malicious apps will inevitably make it in – for example, an app can be developed that has a certain behavior until a certain date or event takes place. The result may be that a seemingly innocent app suddenly becomes a dangerous threat.”

Trump issues exec order for AI

This past Monday, the president of the United States issued an executive order launching the American AI Initiative, which will “focus the resources of the Federal government to develop AI in order to increase our Nation’s prosperity, enhance our national and economic security, and improve quality of life for the American people,” according to the official White House summary. The initiative emphasizes five key areas to accelerate a national AI program: investing in AI research and development, unleashing federal resources for AI experts, setting AI governance standards, building the AI workforce, and engaging internationally while still protecting the American AI advantage. The official name of the order itself is the Executive Order on Maintaining American Leadership in Artificial Intelligence.

Could you be one of the 617 million?

Available for purchase on the Dream Market marketplace on the Tor network are no fewer than 617 million accounts containing names, email addresses, and hashed passwords. The info was allegedly harvested from 16 hacked websites: Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, Whitepages, Fotolog, 500px, Armor Games, BookMate, CoffeeMeetsBagel, Artsy, and DataCamp. Depending on the website of origin, some of the accounts contain extra details like location, but there does not appear to be any payment info in the data. Note that “hashed” is not the same as safe: how much protection a hash gives depends on the algorithm each site used, and weak or unsalted hashes of common passwords can be recovered quickly. The seller has priced each website’s data trove separately, but altogether the amount comes to just under $20,000. Had the stolen info contained payment data, the price would have been much, much higher.

“With all the data breaches that happen these days, not being affected by one of them is almost impossible,” explains Corrons. “To avoid problems, the best practice is to enable 2-factor authentication whenever possible. And, of course, if you have an account that could have been compromised, change passwords immediately just to be safe.”


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.

Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.
