
Spoofed websites are tricking millions

Cybercriminals will use every trick in the playbook to try to rip us off: phishing emails, banking Trojans, and credential-stealing malware, to name a few.

Another scheme scammers are getting better at is spoofing official websites and messages. In this case, cybercriminals are mimicking a cybersecurity company's own site to spread malware.

The spoofed site looks remarkably official, so it’s easy to be tricked by it.

How scammers are spreading Proton malware

The spoofed website mimics the official Symantec blog, reproducing content that is also posted on the real one. But there is a twist: the fake site also pushes a malicious download that, if clicked on, will infect your Mac with the OSX.Proton malware.

Symantec is warning people about the fake blog, which points readers to bogus security software dubbed "Symantec Malware Detector." The software supposedly detects and removes infections caused by a new variant of the "CoinThief" malware. There is no new CoinThief variant; the claim is bait.

Anyone who downloads "Symantec Malware Detector" is actually downloading OSX.Proton. According to Symantec, OSX.Proton is a Trojan horse that opens a backdoor, steals information, and downloads additional, potentially malicious files onto the victim's Mac.

Here’s how the scam works

A user downloads the fake Symantec Malware Detector and runs it. A window displaying the Symantec logo appears.

If you click the "Check" button, the malware is installed on your Mac and you are then asked to supply an admin username and password. Handing over those credentials gives the malware administrator-level access, which is why it asks.

If the user provides the credentials, a progress bar is displayed claiming to be scanning the machine.

Once this "scan" completes, your Mac is infected with password-stealing malware. Proton can also capture keychain files, 1Password vaults, GPG passwords and browser auto-fill data.

If you, or anyone you know, downloaded the Symantec Malware Detector, run anti-virus software to remove the OSX.Proton malware. Because Proton opens a backdoor and was handed your admin password, the safer course is to back up your data, wipe the Mac and reinstall macOS rather than trust a cleanup alone. Once the malware has been removed, change all of your passwords. Since the malware is built to steal passwords, you should assume every password stored on that Mac has been compromised, and you should change them from a device you know is clean.

Changing your passwords

If your Mac has been infected with OSX.Proton, it is highly recommended that you change every password stored in your macOS Keychain, as well as any credentials saved in your web browsers.

To see which accounts are in your Keychain, open the Keychain Access app (it lives in the Applications > Utilities folder), then change the password for each account listed.
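Scrolling through Keychain Access works, but a rotation list is easier to work from. The following is an added example, not something from the original article or from Symantec: a small shell helper that turns the output of Apple's `security dump-keychain` command (which prints item attributes but not the secrets themselves) into one line per item showing the item class, account name and the server or service it belongs to. The sample dump embedded below is constructed to match that output format so the script runs anywhere; on the affected Mac you would pipe the real command into it instead.

```shell
#!/bin/sh
# Constructed sample of `security dump-keychain` output: one internet
# password ("inet") item and one generic password ("genp") item.
# A real dump has many more attributes per item; the parser ignores them.
SAMPLE_DUMP='keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="example.com (alice)"
    "acct"<blob>="alice"
    "atyp"<blob>="form"
    "srvr"<blob>="example.com"
class: "genp"
attributes:
    0x00000007 <blob>="Mail Account"
    "acct"<blob>="alice@example.net"
    "svce"<blob>="imap.example.net"
'

# Reads a keychain dump on stdin and prints one tab-separated line per item:
#   class <TAB> account <TAB> server-or-service
# "inet" items record their host in "srvr"; "genp" items use "svce".
list_keychain_accounts() {
    awk '
    function flush() {
        if (cls != "") printf "%s\t%s\t%s\n", cls, acct, where
        cls = ""; acct = ""; where = ""
    }
    /^class: /            { flush(); cls = $2; gsub(/"/, "", cls) }
    /"acct"<blob>="/      { acct = $0; sub(/.*"acct"<blob>="/, "", acct); sub(/"$/, "", acct) }
    /"(srvr|svce)"<blob>="/ { where = $0; sub(/.*<blob>="/, "", where); sub(/"$/, "", where) }
    END                   { flush() }
    '
}

# Number of items in a dump, handy as a sanity check on the rotation list.
count_keychain_items() {
    list_keychain_accounts | awk 'END { print NR }'
}

# Usage on a real Mac (path is the default login keychain on macOS 10.12+):
#   security dump-keychain ~/Library/Keychains/login.keychain-db | list_keychain_accounts
# Do NOT add "-d" on a machine you suspect is compromised: that flag makes
# the command print the secrets too.
printf '%s' "$SAMPLE_DUMP" | list_keychain_accounts
```

Every line of that list is a password to rotate somewhere else. Prefer to do the rotating from a clean device, since the whole point is that the infected Mac cannot be trusted.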

To view passwords saved in Safari, click "Safari" in the menu bar while Safari is open, then choose Preferences >> Passwords.

On Chrome, paste this into your address bar: “chrome://settings/passwords” (without the quotes) to view all your saved passwords.

Firefox users can paste "about:preferences#security" (without quotes) into the address bar, then click "Saved Logins" to view your saved credentials. Newer Firefox versions moved this panel under Privacy & Security, reachable at "about:preferences#privacy".

Don’t overlook these crucial Mac security tips

In the modern information era, your own personal cybersecurity should always be top of mind. Keep your software updated, download security tools only from the vendor's real site, and never type your admin password into an app you did not expect to ask for it.

