Information-stealing malware is nothing new, even for Macs. Mac owners have seen several “stealer” malware families this year alone. What makes MetaStealer more interesting is the way it is being deployed to businesses by threat actors pretending to be customers. More about this in a moment.

But first, let’s talk about stealer malware. This is software that has the ability to steal sensitive information from its victims. For example, one released in March, MacStealer, can extract iCloud Keychain data, passwords and credit card info stored in browsers, documents and images. It comes in the form of a DMG (Mac Disk Image) file. Once opened, it presents a file with a PDF icon, which is actually the malware installer.
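The PDF icon is cosmetic; the first bytes of the file are not. As an added example (not code from the original post or from any of the stealers it describes), the script below checks the magic bytes of files on a mounted disk image and flags anything that is named or iconned like a document but is really a Mach-O executable or a script. The sample entries at the bottom are constructed stand-ins for what a mounted DMG might contain; the path names and the `scan_dir` helper are assumptions for illustration.

```python
"""Flag files whose name says "document" but whose bytes say "executable".

Added defensive example: macOS Finder icons can be set to anything, so the
check here ignores the icon and looks at the file header instead.
"""
from pathlib import Path

# Mach-O header magics as they appear on disk (both byte orders), 32- and 64-bit.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
}
# Universal ("fat") Mach-O magic. Java class files share this value; the fat
# header's architecture count (next 4 bytes, big-endian, a small number)
# is used to tell the two apart.
FAT_MAGIC = b"\xca\xfe\xba\xbe"
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".jpg", ".png"}


def classify(data: bytes) -> str:
    """Return a coarse file type from the first 8 bytes."""
    head = data[:8]
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head[:4] == FAT_MAGIC:
        nfat = int.from_bytes(head[4:8], "big")
        return "mach-o" if 0 < nfat < 32 else "java-class"
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"PK\x03\x04"):
        return "zip"  # docx/xlsx and zipped app bundles also start this way
    if head.startswith(b"#!"):
        return "script"
    return "unknown"


def looks_like_document(name: str) -> bool:
    """A document-style extension, or no extension at all (hidden extension)."""
    suffix = Path(name).suffix.lower()
    return suffix in DOCUMENT_SUFFIXES or suffix == ""


def find_disguised(entries):
    """entries: iterable of (name, bytes). Returns (name, kind) pairs whose
    content is executable while the name suggests a document."""
    flagged = []
    for name, data in entries:
        kind = classify(data)
        if kind in ("mach-o", "script") and looks_like_document(name):
            flagged.append((name, kind))
    return flagged


def scan_dir(path):
    """Apply the same check to every file under a mounted image
    (e.g. /Volumes/Contract; an assumed path for illustration)."""
    def gen():
        for p in Path(path).rglob("*"):
            if p.is_file():
                with open(p, "rb") as fh:
                    yield str(p), fh.read(8)
    return find_disguised(gen())


# Constructed samples standing in for files found on a mounted DMG.
SAMPLES = [
    ("Service Agreement.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    # 64-bit Mach-O header bytes, named as a PDF
    ("Signed Contract.pdf", b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00" * 24),
    # universal binary with its extension hidden
    ("Signed Contract", b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 24),
    ("README.txt", b"Open the contract to review.\n"),
]

if __name__ == "__main__":
    for name, kind in find_disguised(SAMPLES):
        print(f"FLAG: {name!r} claims to be a document but is {kind}")
```

On a real Mac the same verdict comes from `file` in Terminal; the point of the script is that the decision rests on the file header, which the attacker cannot change without breaking the executable, rather than on the icon, which costs nothing to forge.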

Another, just recently released, comes in the form of a ZIP or RAR (compressed) file sent through Facebook Messenger from hijacked accounts. This stealer has an added ability: it steals and deletes active session cookies from the browser. This logs the user out of whatever websites they were in (e.g., banking, finance, or other line-of-business sites) and gives the hacker an open, already logged-in session to work in. The hacker quickly changes the user’s password, blocking the victim from getting back in while they steal money or information.

There are many of these stealers, and considering their success, there will be many more. They come in different forms and by different methods. But what caught my attention with MetaStealer is that bad actors are calling their specifically targeted victims, pretending to be a prospective customer. This highly effective form of social engineering is known as pretexting. After verbally agreeing to your terms in a phone call your new client sends you what you think is a signed service agreement. Why would you expect it to be malware? Here’s one user’s account of this attack.

What you can do

Trust no one. Whether through a pretexting phone call or a message on Facebook, if you don’t know the person, be cautious of any files they send or actions they ask you to perform (e.g., “Visit my website…”). I know that sounds simple and obvious, but social engineering works because bad actors are very convincing. If you need a signed contract, use a service like DocuSign so you have control of the document media. Do some simple background checking on new business prospects to ensure they’re legit. And although the thought of a new client is appealing, try not to let it cloud your objectivity.