A new phishing attack is now targeting Mac users after recent browser updates blocked these scams on Windows computers, according to cybersecurity firm LayerX Labs.
The attack shows fake security warnings that make a user’s screen appear frozen. It then asks users to enter their Apple ID and password. This trick, called “scareware,” previously targeted Windows users until Chrome, Firefox, and Edge rolled out anti-scareware protections in February 2025.
“The attackers have shifted their focus to Mac users,” LayerX said in their report. The company noticed Mac attacks starting just two weeks after Windows browsers received their security updates.
Business users face bigger dangers from these attacks. “Whereas the compromise of a personal account is typically limited to that individual, the compromise of a corporate account can result in data exposure at the organizational level,” Eyal Arazi, LayerX head of product marketing, told SecurityWeek.
The phishing pages appear when people make typing mistakes in website addresses. These errors lead them to compromised websites that redirect to convincing-looking Apple security alerts.
These attacks use several sophisticated techniques to avoid detection. They host their fake pages on Microsoft’s Windows.net platform, which makes them look more legitimate. They also constantly change their web addresses to maintain a “clean” reputation with security systems.
In at least one case, the attack got past standard security tools. “Despite the organization employing a Secure Web Gateway, the attack bypassed it,” LayerX reported. Their AI-based protection later blocked the threat.
Jaron Bradley from Jamf Threat Labs advises users never to enter their iCloud credentials outside the official Apple website. “Blinking windows and pop-ups with intimidating messages create a sense of urgency, pushing individuals to resolve the fake issue quickly,” he said.
LayerX warns Windows users to stay alert, too. They expect attackers to probe for weaknesses in Microsoft’s new defenses. “Our prediction is that in the coming weeks or months, we will see a resurgent wave of attacks based on this infrastructure,” they said.
Security experts recommend double-checking website addresses, updating your software, and never giving out passwords or calling support numbers from unexpected security alerts.
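The advice above (enter Apple ID credentials only on the official Apple website, and check the address) can be turned into a check over web proxy or browser telemetry. The following is an added example, not code from LayerX or Jamf; the allow-list of official domains, the event fields, and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains treated as official Apple sign-in hosts (not listed in the article).
OFFICIAL_APPLE = ("apple.com", "icloud.com")
# From the article: the fake pages were hosted under windows.net.
SHARED_HOSTING = ("windows.net",)


def _under(host, parents):
    """True if host equals a parent domain or is a subdomain of it.
    Matching on the label boundary rejects 'notapple.com' and 'apple.com.example'."""
    return any(host == p or host.endswith("." + p) for p in parents)


def classify_host(url):
    """Return 'official', 'shared-hosting' or 'other' for the URL's real host.
    urlsplit().hostname drops any 'user@' prefix and lowercases the name."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "other"
    if _under(host, OFFICIAL_APPLE):
        return "official"
    if _under(host, SHARED_HOSTING):
        return "shared-hosting"
    return "other"


def flag_credential_prompts(events):
    """Flag events where a page asks for an Apple ID password on a non-official host.
    Hosting on windows.net alone is not flagged: plenty of legitimate content lives there."""
    flagged = []
    for ev in events:
        verdict = classify_host(ev["url"])
        if ev["asks_apple_id"] and verdict != "official":
            flagged.append((ev["url"], verdict))
    return flagged


# Constructed sample events; 'asks_apple_id' is a hypothetical field set by whatever
# inspects the page (for example, a browser extension that sees a password form).
SAMPLE_EVENTS = [
    {"url": "https://appleid.apple.com/sign-in", "asks_apple_id": True},
    {"url": "https://sample-a.windows.net/alert.html", "asks_apple_id": True},
    {"url": "https://appleid.apple.com@sample-b.windows.net/", "asks_apple_id": True},
    {"url": "https://apple.com.login.example/", "asks_apple_id": True},
    {"url": "https://docs.windows.net/readme", "asks_apple_id": False},
]

if __name__ == "__main__":
    for url, verdict in flag_credential_prompts(SAMPLE_EVENTS):
        print(f"ALERT {verdict:15} {url}")
```

Because the decision rests on the page's host and not on a reputation score for the full address, rotating the subdomain does not change the verdict.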