
Apple Users Under Siege in Sneaky Safari Phishing Scam | Image Source: lifehacker.com
NEW YORK, 19 March 2025 – Apple users are now the target of a sophisticated phishing campaign that, after initially focusing on Windows users, has shifted to exploiting weaknesses in macOS and Safari. As the Israeli cybersecurity company LayerX has revealed, this recently adapted scam marks an escalation in digital deception, aimed specifically at stealing Apple ID credentials through convincing fake alerts and compromised domains.
Although phishing is not a new threat, this campaign stands out for its persistence, polish and ability to imitate legitimate alerts. According to LayerX, the attackers first lured Windows users with fake system freezes and spyware pop-ups hosted on Microsoft’s own Windows.net domain. Once users panicked and entered their credentials, the attackers gained full access. But after browsers like Chrome, Firefox and Edge released anti-scareware updates, the operation saw a 90% drop in success. In response, the attackers turned to a new target: Mac users.
How are macOS users targeted?
It starts with something many of us do without thinking: mistyping a website URL. When users try to reach a legitimate site but enter the address incorrectly, they are redirected through a chain of compromised domains. Finally, they land on a fake security alert page that mimics Apple’s look and feel, urging them to re-enter their Apple ID to resolve a supposed problem.
LayerX’s detailed research, cited by 9to5Mac, points out that although the alerts contain small mistakes, such as spelling errors or off-brand design, they are remarkably convincing, especially for less tech-savvy users. One user, an employee of a LayerX business client, fell victim to the scam despite the company’s use of a secure web gateway (SWG), a supposedly robust defence.
This version of the attack uses Safari-specific code that freezes the browser, lending a false sense of urgency and authenticity to the on-screen warnings. It is not just a pop-up; it is an experience designed to mimic a technical crisis that drives users to comply out of fear.
What makes this attack so effective?
Several factors contribute to its power. First, the phishing pages are hosted on Microsoft’s trusted Windows.net domain, a move that gives the scam a veneer of legitimacy. As LayerX explains, using such reputable domains sidesteps traditional security filters that rely on the reputation of the top-level domain (TLD). The phishing pages are also shielded by anti-bot and CAPTCHA systems to delay detection by automated scanners.
Second, the pages change rapidly. Attackers use random subdomains and rotate them often, making it difficult for threat detection systems to block them in time. These tactics proved effective during the Windows campaign and remain hard to track now that macOS is the new target.
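A defender-side illustration of the random-subdomain tactic described above, added here as an example and not part of the article or LayerX’s report: a small Python check that scans proxy log lines for hosts under a trusted hosting zone whose leading label looks machine-generated. The log lines, usernames and hostnames are constructed samples, and the list of hosting zones is an assumption.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Hosting zones the article says the campaign abused. Reputation filters trust the
# parent domain, so the suspicious signal has to come from the subdomain label.
# Assumption: extend this tuple for other zones your organisation cares about.
TRUSTED_HOSTING_ZONES = (".windows.net",)

# Constructed sample proxy log lines (not from the article): timestamp, user, URL.
SAMPLE_LOG = """\
2025-03-19T10:01:02Z alice https://www.apple.com/support/
2025-03-19T10:01:05Z bob https://x7q2kd9fz3.z13.web.core.windows.net/apple-id-alert.html
2025-03-19T10:01:09Z carol https://docs.microsoft.com/en-us/azure/
2025-03-19T10:02:11Z dave https://qpl9mvt4bx.blob.core.windows.net/verify/index.html
2025-03-19T10:02:40Z erin https://mycompanyfiles.blob.core.windows.net/report.pdf
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str) -> bool:
    # Heuristic: long label, mixes letters and digits, high entropy. Human-chosen
    # names ("mycompanyfiles", "docs") usually fail at least one of these tests.
    return (len(label) >= 10
            and re.search(r"\d", label) is not None
            and re.search(r"[a-z]", label) is not None
            and shannon_entropy(label) >= 3.0)


def suspicious_hosts(log_text: str):
    """Return (user, host) pairs under a trusted zone whose first label looks random."""
    hits = []
    for line in log_text.splitlines():
        _ts, user, url = line.split()
        host = (urlparse(url).hostname or "").lower()
        if not host.endswith(TRUSTED_HOSTING_ZONES):
            continue  # only hosts riding on a reputable parent domain are of interest
        first_label = host.split(".")[0]
        if looks_random(first_label):
            hits.append((user, host))
    return hits
```

Hits are leads for triage, not verdicts: a legitimate storage account with an auto-generated name will trip the same heuristic, so pair it with the page content or certificate details before blocking.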
“This campaign is a very professional, persistent and adaptable attack campaign that poses significant threats to businesses,” said Eyal Arazi, LayerX product marketing leader, in an interview with SecurityWeek. According to him, the compromise of a corporate account affects not only one user but can also expose confidential business data, with far-reaching impact.
Why are Mac users now being targeted?
The answer lies in a security gap. While Windows browsers received robust updates that neutralise scareware-based phishing, Safari had not implemented similar protections at that time. This created an opening that the attackers were quick to exploit. Within two weeks of Microsoft’s move, macOS users began reporting similar attacks.
“Mac and Safari users are now key targets,” LayerX said. According to Macworld and 9to5Mac, this may be one of the most sophisticated phishing efforts aimed at the Apple ecosystem to date. Historically, Mac users were not generally targeted at this level, largely because of the platform’s smaller user base and generally stronger security. But with Apple’s growing popularity in personal and corporate settings, the stakes are higher than ever.
Moreover, the attackers did not have to build new infrastructure. They simply reused the existing one, retouching the interface and modifying the malicious code to be compatible with Safari and macOS. This minimal effort allowed them to strike quickly, catching many off guard.
How can users protect themselves?
LayerX and other cybersecurity experts offer several tips to avoid falling into this trap:
- Always double-check URLs: A small typo can redirect you to a trap. Use bookmarks for frequently visited sites or type addresses carefully.
- Don’t act on pop-ups hastily: Even if the alert seems urgent, pause. Check for grammar mistakes or off-brand design cues that may indicate a scam.
- Install updates regularly: Apple frequently releases patches to address security flaws. Staying updated minimizes exposure to known exploits.
- Use security extensions: Browser add-ons like ad blockers and anti-phishing tools can intercept malicious redirects.
- Enable two-factor authentication (2FA): Even if someone gets your credentials, 2FA adds another layer of protection.
It is also wise to educate less tech-savvy friends and family members, as these users are often more vulnerable to such manipulation. If your browser freezes and a warning appears demanding credentials or payment, it is most likely a scam. Force-quit the browser, clear the cache and restart the device instead of following the on-screen instructions.
How is this different from previous phishing attacks?
The use of legitimate hosting platforms such as Microsoft Azure adds a unique twist. Traditional phishing attacks relied on obscure, suspicious-looking URLs. These attackers instead build trust by exploiting the real domains of well-known providers. In addition, freezing the page in the background increases the realism of the fake alert, adding psychological pressure that can override a user’s usual caution.
The LayerX report also warns that the attackers may expand their activities, refine the macOS content and eventually move on to other Apple platforms. Given the minor adjustments needed to switch from Windows to Mac, it would not be surprising if iOS and iPadOS were next in line.
What are the broader implications for businesses?
For companies, this is not just about a few stolen Apple IDs. The risk extends to business accounts and corporate data. One compromised system can open the floodgates to larger security breaches. Phishing remains a top vector for cyber attacks not because it is new, but because it works, especially when it is polished.
Companies are encouraged to adopt Zero Trust models and secure web gateways, but as the LayerX case shows, even these measures can sometimes fall short. Ongoing training and real-time monitoring are essential. Many companies also use AI-driven anomaly detection to flag unusual login patterns or file access behaviour, but staying ahead in this arms race requires continuous vigilance.
“The compromise of a business account can lead to the exposure of data at the corporate level,” said Mr. Arazi, reaffirming the importance of a proactive defence strategy. For businesses, this could mean not only reputational damage but also regulatory consequences, particularly with data protection laws such as GDPR and CCPA at stake.
Interestingly, this news arrives alongside another digital development: Google’s Gemini AI is now accessible without requiring registration, as Lifehacker reported. Although this change is designed to increase accessibility, it contrasts sharply with the growing need for identity verification in the fight against phishing. A broader question arises: how do we balance ease of access with the need for strong security?
As users benefit from easier access to services like Gemini without an account, they may become more comfortable with casual online interactions. However, that comfort can become a liability when it blurs the line between real and fake. It is a difficult balance, and security experts must navigate it carefully.
In the end, this latest phishing campaign is a wake-up call. It shows how fast cybercriminals can adapt, how deeply they understand user behaviour, and how much trust they exploit. Staying safe in this environment is not a matter of paranoia but of being informed, cautious and prepared.
Photo credit: Farknot Architect / Shutterstock