macOS Security Basics series – The One About a Phishing Trip

The second entry in the Mac Security Basics series covers phishing, a popular tactic that threat actors rely on to compromise devices, move laterally through networks and exfiltrate sensitive data. Its prevalence in many Apple-centric threats is the reason to discuss the variety of attack types and the solutions available to minimize this threat to your users, privacy and data.

March 1 2022 by Jesus Vigo

Regardless of your level of cybersecurity knowledge or years of experience supporting IT, we’ve all come across some form of phishing attempt at one time or another. It might have been a text message from your “bank” asking you to reply with your MFA code, a phone call claiming that the “IRS” is going to arrest you for back taxes owed unless you pay them right this minute or (who can forget?) the famous email from the “exiled foreign prince” who wants to give you millions of dollars if you just provide your bank account to help transfer his money out of his country.

“With a thousand lies
And a good disguise
Hit 'em right between the eyes” – You’re Gonna Go Far, Kid by The Offspring

Are you sensing a pattern here? All phishing campaigns have one common goal: separating you from something you have. What that is varies by campaign, but in most cases it sooner or later comes down to money.

And when money’s involved, you’d best believe that malicious threat actors will use lies, deception, intimidation and emotional manipulation to convince you — the target — to cave in and hand over the money, or the information they need to get to it.

Lord of the Flies

In the 1973 horror classic “The Exorcist,” Father Lancaster Merrin provides his assistant with some words of advice before facing down a terrible evil, declaring, “The demon is a liar. He will lie to confuse us. But he will also mix lies with the truth to attack us. The attack is psychological — and powerful.” These words ring out, eerily echoing a warning against the variety of methods threat actors will utilize — centering around social engineering — when trying to ensnare their target in a web of lies.

  • Phishing: Attempting to acquire sensitive information from unsuspecting targets through lies, deception, trickery, abuse of confidence or any other practice that convinces targets of the actor’s legitimacy, leading them to divulge confidential data or access to it.
    • Email: One of the most common forms of phishing. Malicious actors send emails that impersonate a brand, individual or known entity, enticing targets to open documents, click links or perform an action.
    • HTTPS: Similar to the above, but the links use HTTPS to bolster the appearance of legitimacy. Because HTTPS links are generally considered “safe” to click on, malicious actors exploit the false sense of security they create, and targets willingly click on faked links. HTTPS only guarantees an encrypted connection, not a legitimate site at the other end.
    • Spear: Delivered by email, this attack targets a specific group rather than a general audience. Malicious actors often use information gathering and research practices, such as open-source intelligence (OSINT), to identify real users and their PII, then weaponize that information in their phishing emails to create an air of legitimacy or urgency.
    • Angler: Pivoting from more common forms of phishing, this method uses notifications and/or direct messaging features of apps, such as social media platforms, to entice targets into performing the task or action a malicious actor requests.
    • Clone: Another attack method scoped to a particular group. In this case, malicious actors research which apps and services a specific group or organization uses, then craft emails that appear to have been sent by the developer.
    • Pop-up: A take on the older pop-up message scam, modernized for browser notifications: some websites prompt users to “Allow” the site to display small alerts to keep them informed. If allowed, this form of attack installs malicious code on the target user’s device.
  • Whaling: Think spear phishing with a corporate twist. Also known as “CEO fraud,” this attack type impersonates an organization’s CEO or other leadership roles to convince targets to perform the requested task or provide information as if the request came directly from senior leadership.
  • Vishing: Voice phishing occurs when a phone call is used to contact a target and create a sense of urgency, requesting that they perform an action that may go against their best interests. The IRS phone scam mentioned above is an example.
  • Smishing: Another modernized attack method, this time leveraging SMS, or texts, to deliver messages requesting that a target perform an action. Often, they are accompanied by shortened links to malicious websites that help gather sensitive data and/or install malware on the target’s device.
  • Pharming: This attack type is directed at IT operations rather than end users. Specifically, malicious actors compromise an organization’s DNS and poison the records that translate domain names into IP addresses, so that when users attempt to connect to a website they are unknowingly redirected to a malicious website instead.
  • Evil twin: A wireless attack that uses a fake Wi-Fi hotspot created to look like an existing one. Malicious actors use this fake network to intercept (eavesdrop on) and capture the data transfers (Man-in-the-Middle) of unsuspecting users who connect to it instead of the legitimate network.
  • Watering hole: Drawing its name from nature, where predators wait until their prey gather to drink before striking, this type of attack is part surveillance, part offensive, and casts a wide net of targets. The former sees malicious actors identifying which websites targets often visit, then compromising those sites. The latter occurs as targets visit the compromised website, eventually leading to their devices being compromised as well.

Now dance, |=()¢|{3r, dance!

So, with all these types of phishing attacks, and findings that phishing “accounts for 90% (that’s not a typo) of data breaches,” according to Cisco’s 2021 Cyber Security Threat Trends Report, what can Apple users do to protect themselves?

Continuing education

Keeping up on the latest security threat trends is your best friend! Sadly, as with many cybersecurity-related issues, there is no silver-bullet solution that keeps you free from phishing and related threats. For enterprises looking to fortify their employees’ knowledge, training and assessment services have proven to be a critical area that can either strengthen your cybersecurity program or weaken it.

Agency guidance

The FBI is the U.S. agency responsible for investigating cybercrimes, and phishing is right within its wheelhouse. Each year, it releases an Internet Crime Report that details, among various pertinent cybersecurity statistics, the threat trends of the prior year. This is a great resource on what you should be protecting yourself against, how to protect yourself against it and where you should focus your protective resources in the future.

Built-in security

Apple bakes a number of security features into macOS and iOS. XProtect, which detects known malware, and the Malware Removal Tool (MRT), which helps users eradicate malware from their Macs, are examples of threat protection that, while not fully protecting against phishing itself, can provide some protection against the malware phishing sometimes drops or the malicious code it installs. Another benefit is the Apple ecosystem itself: while threats are tied to specific apps hosted in the wild, the App Store is curated, managed and scanned by Apple, so you can trust that apps delivered from there will be free from malicious code.

Patch management

In many instances, phishing involves some form of additional component. As attacks have grown in sophistication, threat actors have combined multiple threat types into their campaigns, chaining together attacks that go from information gathering to exploiting vulnerabilities to establishing persistence and moving laterally until they’ve pushed through to a full-scale data breach. Ensuring that devices are fully patched not only closes the door on known vulnerabilities but also minimizes the risk stemming from a click on a suspect link or a download of unwanted software.

Email filters

Much like spam filters, which catch unsolicited email before it reaches users’ mailboxes, email filtering scans messages for risks stemming from email-based phishing attacks. Oftentimes, these filters also include plug-ins for your mail client app that give end users a means to flag potentially risky content for admins to review and determine its legitimacy.
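As an added example, here is a small filter that checks a raw message for several of the indicators described in the phishing taxonomy above and that an email filter of the kind just described would look for: a brand name in the display name sent from an unrelated domain, a look-alike sender domain, a Reply-To that diverges from From, a link whose visible text points to one domain while the href goes to another, and shortened links. This is illustrative code written for this article, not Jamf’s or any vendor’s filter; the brand list, shortener list and both sample messages are constructed for the example.

```python
"""Heuristic checks for phishing indicators in a raw email message.
Added example, not Jamf's or any vendor's filter; PROTECTED, SHORTENERS
and the sample messages below are constructed for illustration."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand -> legitimate sending domains (a real filter loads this from config).
PROTECTED = {"apple": {"apple.com", "icloud.com"}, "jamf": {"jamf.com"}}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # a few well-known URL shorteners
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (fine for .com-style TLDs)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Fold common look-alike tricks so that app1e.com compares equal to apple.com."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_dom = registrable(from_addr.rpartition("@")[2])
    for brand, domains in PROTECTED.items():
        # Display name drops a brand name, but the address is not one of its domains.
        if brand in from_name.lower() and from_dom not in domains:
            findings.append(f"display name claims {brand} but sender domain is {from_dom}")
        # Sender domain matches the brand only after homoglyph folding.
        if from_dom not in domains and normalize(from_dom) in {normalize(d) for d in domains}:
            findings.append(f"sender domain {from_dom} is a look-alike of {brand}")
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and registrable(reply_addr.rpartition("@")[2]) != from_dom:
        findings.append(f"Reply-To domain differs from From domain {from_dom}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            if registrable(host) in SHORTENERS:
                findings.append(f"shortened link {href} hides its destination")
            shown = re.search(r"https?://([^/\s]+)", text)
            # Visible text looks like a URL, but the href goes to a different domain.
            if shown and registrable(shown.group(1)) != registrable(host):
                findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings


# Constructed sample in which every indicator above fires.
SUSPICIOUS = b"""From: "Apple Support" <support@app1e.com>
Reply-To: claims@mailbox-collector.example
To: user@example.org
Subject: Your Apple ID has been locked
Content-Type: text/html; charset="utf-8"

<html><body><p>Verify your account at
<a href="https://bit.ly/3xyzabc">https://appleid.apple.com/verify</a>
within 24 hours.</p></body></html>
"""

# Constructed sample of a clean message from a legitimate sending domain.
CLEAN = b"""From: "Apple" <noreply@email.apple.com>
To: user@example.org
Subject: Your receipt
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://appleid.apple.com/account">https://appleid.apple.com/account</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, analyze_message(sample))
```

Each check is deliberately simple and produces a finding rather than a verdict; a filter would score or combine them, and the registrable-domain helper would need a public-suffix list before use on arbitrary mail.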

Endpoint protection

By now it should be no mystery that Macs get malware, just like other operating systems. Historical evidence proves that Apple has been and continues to be a target of threat actors due to its incredible growth rate. Compound that with the sheer number of threats in the wild and the case is made for adopting purpose-built, efficient endpoint protection that monitors your device fleet, detects and prevents known malware, employs behavior analytics to detect potential threats such as unwanted software, reports on device health and alerts admins in real time. Enter Jamf Protect.

Multifactor Authentication (MFA)

MFA, or as Apple refers to it, Two-Factor Authentication (2FA), provides an extra layer of protection against unauthorized users gaining access to your Apple ID and iCloud accounts. By pairing your iPhone with your account, login attempts trigger a notification on the paired device containing a 6-digit code. Only by entering this code will authentication succeed. To streamline the protection of identities, Jamf Connect enables SSO access, and its included component, Jamf Unlock, lets you pair your iPhone to further secure your computer by using a trusted, managed device to handle authentication in a safe, secure workflow.

Secure communications

The state of computing has changed drastically for many organizations in the last few years. With increased adoption of Apple mobile devices and a shift to remote/hybrid work, the idea that “users working from the main offices are protected” no longer carries the weight it once did. The network perimeter has eroded, giving rise to working from anywhere, at any time. With it, legacy technology like VPN simply does not offer the same level of security as modern technology like Jamf Private Access* and Zero Trust Network Access (ZTNA). ZTNA eschews the broad, explicit access rights that leave gaps in the security posture in favor of granting users access to only the apps and services they need — and nothing else. This not only encrypts connections to resources but also mitigates threats stemming from compromised devices and services, effectively blocking lateral movement while allowing admins to granularly disable access to only what’s affected without further impacting users.

Content filtering

Jamf Threat Defense* is the endpoint protection solution for iOS-based endpoints, keeping them safe with threat detection and mitigating risk from zero-day phishing attacks, all designed with mobile devices in mind. With a small footprint that keeps the end-user experience in line with the fabled Apple look and feel, Jamf Threat Defense* uses advanced machine learning to identify and prevent known and unknown threats. Coupled with in-network protection that blocks threats from malicious websites in real time and added features that ensure regulatory compliance and encrypt and protect online privacy, this solution is the perfect fit for your mobile device fleet, regardless of the ownership model deployed.

*As of February 2023, Jamf Threat Defense capabilities are included with Jamf Protect. Jamf Private Access capabilities are included with Jamf Connect.

Friends don’t let friends swim in shark-infested waters without a cage!

Let Jamf’s security prowess be your guide to navigating the treacherous digital waters of the Internet while keeping your users, devices and data safe from predatory threats.
