SecureMac, Inc.

Checklist 291: Taking Advantage of Your Good Nature

August 12, 2022

Malware in the Mac App Store! Plus: a Twitter Support phishing scheme and charity relief scams.

On this week’s Checklist:

  • Malware in the Mac App Store?
  • Phishing with a blue check
  • Charity relief scams

Malware in the App Store!

LifeHacker reports that a security researcher has found a bad actor spreading malware via the Mac App Store:

Alex Kleber discovered seven malware apps hiding in plain sight on the Mac App Store. All seven apps were seemingly made by separate publishers according to the App Store listings, but Kleber discovered they were actually made by a single group based in China.

Of course, the App Store is supposed to have a code review process. But as we’ve seen in the past, app notarization doesn’t always work as intended. That seems to be what happened in this case:

The developers behind the seven malware apps submitted “benign” versions of apps that hid dangerous code in its encrypted database. Once the app passed certification and was available on the App Store, it essentially “morphed” and activated the hidden malware.

And those malicious apps, it turns out, were very popular. All of them ranked in the top 100 most-downloaded apps in the United States App Store — and a couple of them made it to the top 10! The apps are gone from the App Store, naturally, but that doesn’t help the users who installed them. 

If you’ve downloaded any Mac apps recently, take a moment to make sure that you haven’t accidentally installed one of the malicious apps. Here’s a full list of the bad apps and their purported developers:

  • PDF Reader for Adobe PDF Files (Sunnet Technology Inc.)
  • Word Writer Pro (Netozo Limited)
  • Screen Recorder (Safeharbor Technology L Ltd.)
  • Webcam Expert (Wildfire Technology Inc.)
  • Streaming Browser Video Player (Boulevard Technology Ltd.)
  • PDF Editor for Adobe Files (Polarnet Limited)
  • PDF Reader (Xu Lu, apparently associated with Sunnet Technology Inc.)

Needless to say, if you have one of these puppies on your system, delete it immediately!

Twitter Support phishing

A friend of The Checklist received a text message the other day from a person claiming to be Twitter Support. The message said that his account would be deactivated unless he took action right away. Being cyber-savvy, our friend spotted the phishing attempt immediately. But others may be fooled — and with good reason.

According to a piece in TechCrunch, these bogus messages are coming from “blue check” users (i.e., accounts verified by Twitter). The bad guys likely obtained access to verified accounts via social engineering. Then, they used the stolen accounts to launch their Twitter Support phishing attacks — sometimes changing the account name to something like “Urgent Support”. 

That adds up to a fairly convincing phishing message. Still, there are a few basic tips that can help you avoid being fooled:

  • Know that Twitter won’t reach out to you by text. If there’s an account issue, they’ll email you from twitter.com or e.twitter.com. If Twitter texts you, the text will come from 40404.
  • Always check link destinations before clicking on them. 
  • Look for strange word choices or grammatical errors. These are common in phishing emails — but are extremely rare in official corporate communications!
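The first two tips can be automated for a saved message. The following is an added example, not part of the original show notes: it checks the sender domain and every link destination against the two domains named above, and a text sender against 40404. The sample message and the choice to hold links to the same two domains are assumptions, and because a From header can be forged, a clean result is not proof that a message is genuine.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# From the page: account e-mail comes from twitter.com or e.twitter.com; texts from 40404.
OFFICIAL_DOMAINS = {"twitter.com", "e.twitter.com"}
OFFICIAL_SMS_SENDER = "40404"

# Constructed sample message (example.net is a placeholder domain).
SAMPLE = (
    'From: "Urgent Support" <help@twitter.com.example.net>\n'
    "Content-Type: text/html\n"
    "\n"
    '<p>Act now: <a href="https://support.example.net/verify">https://twitter.com/account</a></p>\n'
)

class LinkCollector(HTMLParser):
    """Collect the real destination (href) of every <a> tag, not its visible text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def sender_is_official(from_header):
    # Exact match on the address domain; the display name is ignored.
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() in OFFICIAL_DOMAINS

def link_is_official(url):
    # Assumption: links are held to the same two domains the page lists for senders.
    # Comparing the parsed hostname rejects lookalikes such as twitter.com.example.net.
    return (urlsplit(url).hostname or "").lower() in OFFICIAL_DOMAINS

def sms_sender_is_official(sender):
    return sender.strip() == OFFICIAL_SMS_SENDER

def review_email(raw):
    """Return a list of findings for one raw e-mail; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    findings = [] if sender_is_official(sender) else ["sender domain: " + sender]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    findings += ["link destination: " + h for h in collector.hrefs if not link_is_official(h)]
    return findings
```

Calling `review_email(SAMPLE)` flags both the sender and the link, even though the link's visible text shows a twitter.com address.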

How to donate safely

There are lots of bad things happening in the world. There are lots of good people trying to help. And sadly, there are scammers trying to take advantage of that dynamic.

Jessica Barker has written an article on charity and disaster scams. It’s essential reading for anyone who wants to help but doesn’t want to be taken advantage of by a scammer.

Barker’s piece highlights a few red flags to watch out for:

  • Emails or phone calls with an unusually strong appeal to urgency — e.g., a food center that needs a donation right now, or a charity that seems desperate for immediate help.
  • Requests for unusual forms of payment, such as cryptocurrency, gift cards, Western Union transfers, and so on.
  • Any requests for sensitive personal data or financial information.

Barker suggests donating to charities that you know and trust — and whose websites you’ve looked up on your own as opposed to receiving a site URL via a link in an email. 

If you want to donate to an unfamiliar charity, at least do some due diligence first. Look up the name of the charity and keywords like “scam,” “complaint,” or “rating”. You can also find information on trusted charities from government websites or news organizations. 

Want to learn more about digital security and privacy? Listen to our past shows at The Checklist archive!
