Lizzie Clark

September 24th – This Week’s Top Cybersecurity and Dark Web Stories

This week’s top cybersecurity and dark web news stories cover an infostealer campaign targeting MacOS users, a cyberattack that hit major European airports, and the teenagers charged over the TfL cyberattack.

Threat actors impersonate brands in MacOS malware campaign

Threat actors are running a widespread campaign impersonating well-known brands in an effort to infect MacOS users with information-stealing malware, according to a new warning from LastPass.

The attackers are setting up fraudulent GitHub repositories that masquerade as legitimate software pages from trusted companies. By leveraging search engine optimization, the fake repositories appear at the top of search results, making users believe they are downloading the real software.

In LastPass’s case, two GitHub repositories created on September 16th were found impersonating the password manager. Posted by a user under the handle modhopmduck476, the repositories contained links claiming to provide “LastPass on MacBook” and “LastPass Premium on MacBook.” Both redirected to a malicious site, macprograms-pro.com, which instructed users to run a terminal command.

Beyond LastPass, the campaign has impersonated a wide range of organizations, including financial institutions, technology providers, AI tools, and cryptocurrency wallets. Threat actors used multiple GitHub accounts with consistent naming patterns combining company names with Mac-related keywords to increase credibility.

The fraudulent repositories identified have since been taken down, but the campaign highlights how attackers continue to exploit trust in large platforms like GitHub and Google Ads to distribute malware.

Cyberattack on airline check-in software disrupts major European airports

A cyberattack targeting airline check-in and boarding systems caused widespread disruption across several major European airports, leading to flight delays and cancellations.

The incident impacted MUSE software, developed by Collins Aerospace, a subsidiary of RTX, which provides check-in and baggage handling systems to airlines worldwide. RTX confirmed a “cyber-related disruption” at selected airports but did not disclose the source of the attack.

London Heathrow was among those affected, along with Brussels, Berlin, Dublin, and Cork airport. Aviation data provider Cirium reported that 29 flights had been canceled across Heathrow, Brussels, and Berlin, with delays impacting departures. Brussels officials also reported four flight diversions and said airlines were asked to cancel half of Sunday’s departures to manage queues and avoid further disruptions.

British police said on Wednesday a man had been arrested as part of an investigation into the ransomware attack. The National Crime Agency said in a statement that the man, in his 40s, was arrested on Tuesday on suspicion of offences under the Computer Misuse Act and had since been released on conditional bail.

Two charged over Transport for London cyberattack linked to Scattered Spider

Two men have been charged following an NCA investigation into the cyberattack that disrupted Transport for London (TfL) systems in August 2024.

Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall, were arrested on September 16th in joint operations by the NCA and City of London Police. Both appeared before Westminster Magistrates Court on September 18th, charged with conspiring to carry out unauthorised acts against TfL under the UK’s Computer Misuse Act.

The TfL attack, attributed to Scattered Spider, took place on August 31st 2024, causing major disruption and significant financial losses to the UK capital’s transport network.

Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, described the case as a “key step in a lengthy and complex investigation,” highlighting the damage to critical infrastructure and reiterating warnings of increasing threats from cybercriminal groups in the UK and abroad.
