Intego Mac Security Podcast

RomCom, PyPI, Hot Pixels, and More – Intego Mac Podcast Episode 294


Apple’s Worldwide Developers Conference launches on Monday, and we discuss what to expect. We also talk about RomCom malware, PyPI 2FA, Hot Pixels (which may not be so hot), and other malware and vulnerabilities.


Transcript of Intego Mac Podcast episode 294

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, June 1, 2023.

This week’s Intego Mac Podcast security headlines include: a prediction on the new Apple products we might see at this year’s WWDC; the US government has freshened up its spyware arsenal, and we’ll tell you how. A new malware spread through web ads, called RomCom, does not come with a happy ending for its victims. And we found a real-world example of what can happen when a website domain is carelessly allowed to expire. It’s not pretty. Now here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:50
Good morning, Josh, how are you today?

Josh Long 0:52
I’m doing well. How are you?

What might Apple announce at this year’s World Wide Developers Conference?

Kirk McElhearn 0:53
I’m doing just fine. This is our last podcast before the Apple Worldwide Developer Conference, which begins on Monday, June 5.

Josh Long 1:02
At the very least, we always get new operating systems, right? The developers have to know what’s coming so they can be prepared to make any changes to their apps, if necessary, or take advantage of new features. And hardware announcements too. There’s been a lot of rumors about, you know, that VR/AR headset thing. And new Macs also is another thing that people are talking about.

Kirk McElhearn 1:26
So the headset has been leaked, strategically leaked, enough to suggest that it’s going to be true. I can’t imagine with all the leaks that there have been that it wouldn’t be true. It sounds, I think we’ve discussed this recently, it sounds like a solution in search of a problem. I have no idea what anyone would want that for other than gaming. We talked about it a few weeks ago. So we’ll see what happens. It’s supposed to be bulky, expensive. And kind of remember the first mobile phones that were like huge bricks with big antennas sticking out of them. It’s going to be that compared to what we might see in 10 years.

Josh Long 2:03
Do you think we’re going to finally get an announcement about an Apple silicon-based Mac Pro?

Kirk McElhearn 2:09
I think we are. There’s been rumors of new hardware. In fact, Apple has increased trade-in values for a number of Macs including the Mac Studio. We’re likely to see a 15-inch MacBook Air, we’ll probably get an update on the iMac. So I have the 24-inch iMac, which is two years old and has gotten the M1 processor; we’ll probably see an M2. I would expect Apple to release a larger iMac. Remember, they used to be, what was it, a 21-and-a-half and a 27. So now we have a 24. Maybe we’ll have a 30 and an iMac Pro, because it’s not even that we need a Mac Pro. It’s that Apple promised to move all of their Macs to Apple silicon. And developers want a Mac Pro, even if the Mac Studio could replace it. Maybe the Mac Studio was transitional. And they were waiting for something for the Mac Pro. Maybe they’re going to come out with the first M3 for the Mac Pro or an M2 Ultra. What is it? M2 Pro Max Ultra Plus, right? It’s Pro, Max, Ultra in that order. So maybe it’ll be an M2 Pro Max Ultra Plus.

Josh Long 3:12
Could be. You know, it’s always possible that they could announce the M3 line, but it might be a little bit early for that. The other thing that I’ve seen people talking about is macOS version names. And somebody tweeted recently that there are 15 names of places in California that Apple has trademarked but never used. Actually, I’m not sure that they’re actually places, but just animals that are…

Kirk McElhearn 3:36
Grizzly is an animal, it’s not a place. Shasta is a kind of soda.

Josh Long 3:40
Right, Condor’s another one of those.

Kirk McElhearn 3:42
So is that the state bird maybe of California, the condor?

Josh Long 3:45
Is that the state bird?

Kirk McElhearn 3:46
I don’t know. I bet I know what the next version of iOS is going to be called.

Josh Long 3:50
Oh, what do you think that’s going to be called? (iOS 17) Oh, yeah, that kind of makes sense. Because Apple has like normal names.

Kirk McElhearn 3:58
Exactly. Yeah, I miss back in the day where it was Apple 10-point-something, like Apple 10.4 Lion, if 10.4 was Lion, because it was easier when you’re doing troubleshooting to know what someone’s using, right? There’s no order for the names of the big cats or the places in alphabetical order. So unless you’re really up to date or you Google it, you can’t really be sure which operating system someone’s running by the name.

Josh Long 4:21
Right. That’s a really good point. By the way, it was 10.4 Tiger and 10.7 Lion. (Okay.) See, you knew that, you knew that.

The US government has new official spyware

Kirk McElhearn 4:28
No, actually, I’d totally forgotten. I remember Jaguar was 10.2. That’s the one I do remember. Anyway, we’ll be talking about this next week with all the new stuff, the new name for macOS, the new name for iOS, and some new hardware. This week, we’ve got stories about malware and vulnerabilities and, as Josh has put in the show notes, scary sites. So let’s start with some malware. And well, this is technically not malware. It’s spyware. It’s government mind-control-ware. The US government had banned the NSO Group’s Pegasus, which is an app that was used to infect people’s phones to exfiltrate a lot of data, as Josh likes to say. Apparently they have bought rival spyware from a company called Paragon. Paragon Graphite. So they banned the bad spyware. But they bought the good spyware?

Josh Long 5:17
Well, this isn’t terribly surprising, right? I mean, in fact, I don’t think that the government would have placed any sort of restriction on the NSO Group unless they already had a backup plan, right? Because every government wants to have some kind of spyware they can use against their targets, and they probably already had things in the works. According to this 9to5Mac article, the US Drug Enforcement Administration, the DEA, is said to already be using Graphite; it has a lot of the same capabilities as Pegasus. So it kind of makes sense that the rest of the US government might adopt something that one agency is already using anyway.

Is RomCom malware something I should be worried about?

Kirk McElhearn 5:53
Okay, we have new malware. And I often like some of the names that people come up with for malware; they are creative. But this one is kind of dumb: RomCom. First of all, it’s not going to be very easy to find in a Google search, because, you know, this is such a common term for movies. And this malware spreads via Google ads for ChatGPT, GIMP and other software. If anyone doesn’t know what GIMP is, it’s free open source image processing software. It’s kind of the Linux version of Photoshop. It doesn’t do everything Photoshop does. But it’s an extremely powerful app.

Josh Long 6:26
So how do people get connected with this RomCom?

Kirk McElhearn 6:30
Now where do they swipe left or swipe right on Tinder to get the malware?

Josh Long 6:35
There’s Google ads. Google ads!? It seems like that’s something we’ve talked about before. Yes, it is. When you do Google searches, you can’t always trust the high-ranking results. Sometimes they’re ads; sometimes even the high-ranking websites that are not ads could be infected, or they could be malicious. That happens sometimes through malicious actors exploiting their knowledge of search engine optimization to get to the top. Well, in this case, some threat actors are using Google ads. So when people are searching for search terms like “ChatGPT” and “GIMP”, they come across this malware instead. Although this is not Mac malware, this is something that could very easily be used to distribute malware for the Mac as well. So something to definitely be aware of; there are a number of other things that people might search for. This campaign has been going on since about December and continued until at least April. And a lot of different search terms have been targeted here. So you might have been searching for GIMP, ChatGPT. Those are probably the most common ones, but also GoToMeeting, which is popular meeting software, remote desktop software and things like that. So if you see anything that seems a little bit off about something that you get in a search result, just be very careful about it.

A malicious phone app exfiltrates audio recordings and sends them to hackers

Kirk McElhearn 7:59
Okay, Ars Technica has an article. Again, this is not Mac specific or iOS specific, but it’s kind of interesting. A legitimate app in Google Play turns malicious and sends mic recordings every 15 minutes. The subhead is: the malicious iRecorder app has come to light, but its purpose remains shrouded. Well, its purpose is to send microphone recordings, so you don’t know what they’re looking for. Maybe they’ve got AI to sift through the microphone recordings. And to find someone, I don’t know, reading the credit card number over the phone or something like that.

Josh Long 8:29
Yeah, and this is kind of interesting, from the perspective that this is an existing app that has had legitimate behavior for some period of time, and people have come to trust it. It’s gotten a lot of positive reviews. We’ve seen things like this happen before. With Google Chrome extensions, that’s probably the place where we’ve seen this: somebody develops an extension, after a while they kind of get bored, they haven’t updated it for a while. If somebody else comes along and offers to buy it, the person who developed the extension is like, “Sure! Why not!? I’m, you know, I’m not using this for anything anymore. I’m not actively developing it. Sure, I’ll make some money off of it.” They assume that this is a legitimate buyer that’s going to continue developing the software, and well, sometimes it turns out that the buyer is actually a malicious threat actor who modifies it in ways that it essentially becomes malware. I’m wondering if that’s maybe what happened in this case. It’s not very often that you have a legit app in an app store that is totally legitimate for a while and then all of a sudden, after 11 months in this case, now it has new functionality that has some malicious purposes. You don’t want your recording software to be exfiltrating recordings of you. That’s not good.

Kirk McElhearn 9:46
Well, also imagine that you bought this app a year ago or two years ago, and somehow it changes and you’re not even aware. So there’s really nothing you can do to protect yourself except be aware and delete the app. Right?

Josh Long 9:57
Well, yeah, that’s the thing. If you have Automatic Updates enabled, you probably already got the malicious version of this app when you got your automatic update. This could also be a scenario where somebody has malicious intent, but they start out by putting a very legitimate-looking and legitimate-behaving app in an app store, where again, this doesn’t have to be Google Play. Like we’re kind of thinking about this as being something that could happen also in the Apple App Store as well. So you put a legitimate app in there, totally legit functionality, everyone starts to use it, and then you make a change. It would be a little bit harder, I would hope, to get something past the Apple review team. But it’s not impossible. We have seen malicious things get into the App Store before.

PyPI software repository requires 2FA

Kirk McElhearn 10:47
Okay, quickly before the break. And I actually don’t know why you put this into the show notes. PyPI announces mandatory use of 2FA for all software publishers.

Josh Long 10:56
Well, PyPI is the Python Package Index, P-Y-P-I, with the Y lowercase. It’s a software repository for Python software packages. And the reason that I thought it was interesting to bring up in the context of the Intego Mac Podcast is because this is a place that we have actually seen Mac malware show up before. One of the things that sometimes happens is typosquatting, where a malicious threat actor will register the name of a repository that is very similar to a legitimate software repository that’s on PyPI. So if you typo it, or if you mistype, maybe you misremember, maybe there’s a dash, maybe there’s not in there, and you type it wrong. Sometimes you can actually get malware or a malicious version of an app, instead of the thing that you’re intending to download. I thought this was kind of interesting, because although this doesn’t solve the typosquatting problem, I think what they’re trying to do here is to hopefully prevent legitimate Python software repositories from getting overtaken by a malicious actor who is able to guess the password or find it in a data breach or things like that. They’re trying to at least harden their defenses from that one perspective, even though the typosquatting thing is still a potential problem.

Kirk McElhearn 12:20
But you make it sound like they’re doing something special. Shouldn’t they have been doing this for 10 years or so?

Josh Long 12:25
You know, I’m always surprised whenever I come across another site that doesn’t have two-factor authentication. There’s still a lot of even mainstream sites that don’t have this yet. A lot of social networks even don’t have two-factor authentication yet. And that always blows my mind whenever I come across this. Of course, I’m assuming that a lot of our listeners have password managers. Look through your password manager, because I imagine you’re going to find that there are a lot of websites that don’t use two-factor authentication, and you don’t have one-time passwords being generated as your second factor. It’s still a big thing, unfortunately.

Kirk McElhearn 13:01
Well, we don’t expect this on newspaper sites, for instance, where you’re going to just read content. We do expect it if there’s anything involving money; if you’re uploading content, if you’re selling things, we definitely expect it. So I guess, I mean, it kind of makes sense that they do it. But they’re kind of late for something like this that’s dealing with a software repository. If someone gets into someone’s account on PyPI, they could make some subtle changes to some of the software and leave it up, and other people could be downloading it, and that can be dangerous. We’re going to take a break. When we come back, we’re going to talk about something that we just don’t think is true.

Voice Over 13:39
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today, when you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac podcast listeners. Intego, world-class protection and utility software for Mac users made by the Mac security experts.

Method purports to detect a relationship between process power in use and screen pixel data

Kirk McElhearn 14:55
Okay, we have a story, and I don’t think this is true, Josh doesn’t think this is true: Hot Pixels. That’s a good name for malware. Actually, it’s not malware, it’s a process. Some people in university who came up with something. Hot Pixel attack checks CPU temperature and power changes to steal data. Now, let me simplify this. It’s saying that by the temperature of the CPU, we can tell what’s on your screen. I’m struggling to believe that this is even remotely possible. It’s not like it’s the temperature of the pixels on your screen; there’s no sensors for that. Your Mac has lots of sensors: it has sensors for the CPU, the GPU, for the SSD, for all sorts of things. There’s probably about 20 sensors in your Mac, but there’s not sensors behind each pixel on your display.

Josh Long 15:44
And so the claim that’s being made in this research paper, there are six researchers from different universities, four of them are from Georgia Tech, they claim to have found a methodology that is repeatable, it’s exploitable, and they’ve notified all of these companies, including Apple, that may potentially have some ways that they could fix this, or at least sort of mitigate these sorts of attacks. Even if you have one app running on your computer, which is your browser. And they do specifically say that this attack can be pulled off with Apple silicon-based system on a chip. So that’s the M1, M2 processors, and that it can be pulled off with Google Chrome as well as Safari. So they’re doing this thing to try to, like, get attention, I think, from Apple users, because Apple’s, you know, everyone knows that Apple computers are perfectly safe, right? And so I think that that’s kind of where they’re going with this. They’re trying to get people speculating about these potential problems. This is a big research paper; they’ve got a whole bunch of pages and, like, lots of words, lots of words, and lots of sources cited, and lots of graphs and interesting stuff. Even if you only have the browser running, you don’t only have the browser running, because there are background processes too.

Kirk McElhearn 17:06
Dozens of processes all the time, no matter what you’re doing. And as I was saying before we started recording, I’m looking at my browser, I’ve got Zoom open. So that’s changing the heat of the CPU. If I’ve got a Time Machine backup running in the background, that changes the temperature of the CPU as well. It makes no sense.

Josh Long 17:23
Yeah, sounds very implausible. However, if you’re interested, we’ll put the link in the show notes, and you can kind of look at this. Even if they’re able to pull off this kind of attack, it can apparently take somewhere between eight and 20 to 23 seconds for each pixel to be deciphered. Which means that basically, you kind of need the same data to be on the screen for a pretty long period of time in order to actually read everything that’s on the screen. So again, this whole thing sounds ridiculous.

Microsoft found a macOS bug that lets hackers bypass System Integrity Protection

Kirk McElhearn 17:57
Yeah, I think so. In other news, Microsoft found a macOS bug that lets hackers bypass SIP root restrictions. Please explain what SIP is.

Josh Long 18:09
SIP is System Integrity Protection. And this is a feature that’s been around on macOS for a while that prevents malicious changes to the operating system. Microsoft found a SIP bypass. So they wrote up a bunch of details about this; we won’t get into too many of the technical details. But it is nice to see when researchers publish the full report of how they came across this vulnerability, how it can potentially be exploited, now that it has been patched. We actually did get a patch for macOS Ventura, macOS Monterey and macOS Big Sur two weeks ago on May 18.

Follow-up on our warning about .zip and .mov filenames

Kirk McElhearn 18:48
Okay, we recently talked about dot-zip and dot-mov domains and how it would be very easy to trick people by giving someone what they think is a file name, archive dot-zip. And we have a clever “file archiver in the browser” phishing trick that uses zip domains. What a surprise.

Josh Long 19:07
Remember, sometimes, depending on the software that you’re using, if you send a message to somebody, those dot-zip and dot-mov domains, if you just type setup dot-zip, for example, it might turn that into a link to a website of setup dot-zip, which is not what you really intended if you’re just trying to explain to somebody a file name. I tested a bunch of different apps and I didn’t really come across very many apps where it automatically turns it into a link. Twitter does, regardless of whether you’re using their app or their website. So maybe that’s something they ought to reconsider, public tweets as well. If you’re typing setup dot-zip, I’ve seen this many times when researchers are talking about some new malware that comes in a zip package, and they’ll give like a hash for a zip file. And I’ve seen lots of these file names in public tweets that are links to a dot-zip domain. And I’m just like, oh no, somebody probably registered that already, and is hoping to infect somebody who clicks on this. So getting back to this particular attack, yeah, if you do see a dot-zip, and you click on it, and it takes you to a file unarchiver in the browser, well, this is a scam, because there’s not a website that’s going to be extracting a zip file for you. This is very likely a malware or phishing site. And this kind of thing has already been done in a phishing format in the real world.

What can happen when a domain name expires?

Kirk McElhearn 20:38
So over the years, we’ve talked a lot about what can happen if the registration for a domain name or an email address has expired and someone else takes it over. It seems that in the state of Maryland, about 800,000 people have license plates that were designed to commemorate the War of 1812. I guess it was in 2012 that they had these license plates. At the bottom of the license plate, there was a URL, www.starspangled200.org. So I guess they want people to go to the website and see all this stuff about the War of 1812. And if you go right now, you will see a very popular Filipino gambling site.

Josh Long 21:18
Yeah, this is one of those sad, unfortunate examples where somebody forgot to renew the domain, or they just thought, oh, who cares if it lapses, right? When people go to the site, their browser just won’t load it. And well, that’s not the way things work. Because once the domain expires, anybody else can buy it, including Philippine betting sites.

Kirk McElhearn 21:40
Yeah. The real problem with this is that domains are hard-coded in something. And there’s no way that it can be fixed until they replace the license plates. And states do this every now and then. It’s interesting, because for the show notes, we wanted to link to an article on Vice, and Vice just filed for bankruptcy. So Josh decided not to link to the Vice article. And he linked to an article from some newspaper in Maryland. And when I clicked on the link, I couldn’t load it, because I’m in Europe, and a lot of small newspapers and websites in the US won’t serve their content to people in Europe because of GDPR. So in order to be able to show this article to anyone who’s not in the US, we’re linking to Vice, yet this article might disappear, or someone else might take over vice.com at some point.

Josh Long 22:27
Vice filed for bankruptcy. So that doesn’t necessarily mean that they’re going to be going away anytime soon; you know, someone could come in and rescue them or something could happen. But I don’t know, there’s got to be some third-party service out there that will monitor links on your site and let you know when a domain expires, or, you know, if it no longer links to the same content anymore.

Kirk McElhearn 22:48
Well, you can update the content. So that’s not good. You’d want to know if it redirects. Well, that…

Josh Long 22:53
No, no, that’s what I mean. Yeah, if something is changing to something that’s completely different from what it originally was, like it’s no longer this article, that would be a problem. And this does happen from time to time. I have even seen this happen. Before I started writing for Intego, many years ago, I started out with just a security blog that I came up with for fun. From time to time, some of those domains that I linked to way back then, even domains that were used for malware analysis, where you could go and find a report on what some particular piece of malware did, some of those domains have expired. And I think it was sometime early this year that Blogger, where I host this blog, said that my site was linking to something malicious. And I never actually found any malicious content linked, but they did give me some idea of which particular blog posts had some offending content. And so I was able to go in and either change those to archive.org links, where possible, or just remove the link where there was no archive of it.

Kirk McElhearn 23:58
So this is called link rot. And it’s defined on Wikipedia as the phenomenon of hyperlinks tending over time to cease to point to their originally targeted file, web page or server due to that resource being relocated to a new address or becoming permanently unavailable. And you think of any business that goes out of business, any particular website providing news or content that goes out of business, this is always going to happen, and there’s really nothing that we can do to prevent it. A 2003 study, according to Wikipedia, found that on the web about one out of every 200 links broke each week, suggesting a half-life of 138 weeks.

Josh Long 24:37
So the one thing that I think could and should be done is for the standards to be updated so that when a domain expires, it cannot be registered by somebody else that would prevent anybody from being able to reuse a domain for malicious purposes. Now, I know that there are going to be people who will disagree with that, but at least from a security perspective, I think that’s probably the best thing that could be done.

Kirk McElhearn 25:02
Some years ago I got my domain, kirkville.com. Now, I’d been using mcelhearn.com, my last name, for a long time, but it’s not easy for people to remember how to spell. And someone had recommended that I call my website Kirkville. And he made a nice drawing with like a little sign when you’re entering a town in France, because it was someone in France who did this. So I decided after a number of years I wanted to get this domain. And it wasn’t available. It belonged to some town in upstate New York, I believe. When it did become available, I paid $150 for it; someone had squatted it. And so I paid for it. A couple of weeks ago, I received an email. I was cc’d with a whole bunch of people, and it was being sent to [email protected]. So I had a catch-all on my email that sent it to me. And someone in the email was saying, yes, well, you can get in touch with the Kirkville Fire Department at [email protected]. And I replied, nope, not anymore. Now, I don’t know how many years, this is just the first time I’ve seen one of these, I don’t know how many years it’s been since the Kirkville Fire Department realized that they don’t have a domain anymore. But this is very common. So I don’t think there’s anything wrong with domains being renewable, but there should be some way in the DNS service to indicate that, there should be some warning when you go, okay, warning, this domain has just been renewed in the past year or something.

Josh Long 26:22
Yeah, it is a difficult problem to solve. Because some people may want to resell their domain, or, you know, buy a domain from somebody else who’s no longer using it. There are legitimate cases for that. And of course, if somebody did make this the standard, where domains expire permanently, then you know that companies like GoDaddy and other registrars, they’re going to just capitalize on this, right? And they’ll just say, fine, domains never expire, but we’ll just resell them as often as we want to.

Kirk McElhearn 26:52
Okay, that’s it for this week. Next week. We’ll be talking about all the new stuff at WWDC, including new hardware, funny goggles, and hopefully the name of the new version of macOS. Until next week, Josh, stay secure.

Josh Long 27:03
All right, stay secure.

Voice Over 27:06
Thanks for listening to the Intego Mac podcast, the voice of Mac security, with your hosts Kirk McElhearn, and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.



About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.