Cybercriminals have adapted a phishing campaign that previously targeted Windows users, now repurposing it for macOS.
LayerX Labs reports that the attackers use deceptive pop-ups and fake software updates that closely mimic macOS security warnings to trick users into providing their Apple ID credentials.
This shift reflects a larger trend: hackers are increasingly targeting Mac users as Apple’s platform gains market share. Many Mac users assume they are safer than their Windows counterparts, a belief that attackers are now exploiting with more advanced social engineering tactics.
How the Phishing Attack Works
Initially designed for Windows users, this phishing campaign has been modified to deceive macOS users with minimal adjustments. The attack operates through two primary methods:
- Compromised Websites – Fake macOS security alerts appear while users browse the web, urging them to enter their Apple ID credentials.
- Fake Software Updates – Attackers disguise malware as legitimate macOS updates, prompting users to install malicious programs.
In many cases, these phishing pages are hosted on Microsoft’s Windows.net cloud infrastructure, making the fraudulent pages appear more credible.
Once a victim enters their credentials, hackers can gain full access to their iCloud account, disable Apple’s security features like Find My Mac, and remotely lock or erase devices.
“In one specific case, the victim was a macOS and Safari user working for a LayerX enterprise customer. Despite the organization employing a Secure Web Gateway (SWG), the attack bypassed it,” the security researchers noted.
“The new Mac-targeted attacks required relatively minimal modifications by hackers of their existing infrastructure – primarily text changes and some code changes to target MacOS and Safari users.”
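A defender-side hunting check for the pattern described above, added here as an example and not taken from LayerX or the original article: it scans web-proxy logs for top-level HTML page loads by macOS Safari clients from hosts under windows.net. The tab-separated log layout, hostnames, IPs and timestamps are constructed assumptions, and hits are leads for triage, since legitimate content is also hosted on that infrastructure.

```python
# Constructed sample data: user agents, hosts, IPs and timestamps are illustrative only.
SAFARI_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.4 Safari/605.1.15")
CHROME_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")
# Assumed log layout (tab-separated): timestamp, client IP, host, content type, user agent.
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in [
    ("2025-01-01T09:00:01Z", "10.0.0.5", "placeholder-site.web.core.windows.net",
     "text/html; charset=utf-8", SAFARI_MAC),
    ("2025-01-01T09:00:02Z", "10.0.0.5", "placeholder-acct.blob.core.windows.net",
     "image/png", SAFARI_MAC),
    ("2025-01-01T09:01:10Z", "10.0.0.8", "placeholder-site.web.core.windows.net",
     "text/html", CHROME_MAC),
    ("2025-01-01T09:02:30Z", "10.0.0.9", "windows.net.example.test",
     "text/html", SAFARI_MAC),
])


def is_macos_safari(ua):
    """True for Safari on macOS; Chromium browsers also send 'Safari/' and are excluded."""
    if not all(tok in ua for tok in ("Macintosh", "Version/", "Safari/")):
        return False
    return not any(tok in ua for tok in ("Chrome/", "Chromium/", "Edg/", "OPR/"))


def is_windows_net_host(host):
    """Match windows.net and its subdomains only, not lookalikes such as windows.net.example.test."""
    host = host.lower().rstrip(".")
    return host == "windows.net" or host.endswith(".windows.net")


def flag_entries(log_text):
    """Return (timestamp, client, host) for HTML page loads by macOS Safari from windows.net hosts."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        ts, client, host, ctype, ua = fields
        is_page = ctype.lower().startswith("text/html")  # ignore images, scripts, API calls
        if is_page and is_windows_net_host(host) and is_macos_safari(ua):
            hits.append((ts, client, host))
    return hits


if __name__ == "__main__":
    for hit in flag_entries(SAMPLE_LOG):
        print("review:", *hit)
```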
Why Mac Users Are More Vulnerable Than Ever
LayerX Labs warns that Mac users, long considered a low-priority target for phishing scams, are now at increased risk. While Windows users have grown accustomed to phishing attempts and ransomware attacks, Mac users generally have not faced the same level of threats. This relative complacency makes them more susceptible.
Compounding the issue, a recently discovered vulnerability in Apple’s iOS 18.2 Passwords app left Mac users at risk of credential theft.
The flaw, reported by The Verge, allowed attackers on shared networks to intercept unencrypted requests from the app and redirect users to phishing sites. Apple patched the issue in iOS 18.3 after security researchers found that the vulnerability had remained exploitable for three months.
A Malwarebytes report warns that infostealer malware (programs designed to extract passwords and financial data) is increasingly being disguised as legitimate macOS applications. This suggests that phishing attacks may only be the beginning of a broader push by cybercriminals into Apple’s ecosystem.
How Mac Users Can Protect Themselves
Given the growing sophistication of phishing campaigns, security experts recommend that Mac users take proactive measures to protect themselves:
- Be Skeptical of Security Alerts – Avoid clicking on pop-ups that claim your system is compromised. Instead, check for system updates manually via System Settings > Software Update.
- Enable Two-Factor Authentication (2FA) – Even if hackers obtain your Apple ID credentials, 2FA can prevent unauthorized account access.
- Use a Password Manager – Trusted password managers autofill credentials only on legitimate sites, reducing the risk of entering details on phishing pages.
- Stay Updated – Keep macOS and all installed applications up to date to patch potential vulnerabilities.
- Understand Phishing Techniques – Familiarizing yourself with common phishing tactics can help avoid falling victim.
Cybercriminals have rapidly refined their methods, and Mac users can no longer assume they are immune to phishing scams. As Apple’s ecosystem continues to expand, attackers are adapting accordingly, making vigilance more critical than ever.