Watch out for ‘OSX Dok’ money stealing Mac phishing attack which mimics your online bank

“A recently discovered strain of Apple Mac malware has begun mimicking major banking websites in an effort to steal login details from victims,” Danny Palmer reports for ZDNet. “First uncovered in May, OSX.Dok affected all versions of Apple’s older OS X operating system and was initially used to spy on victims’ web traffic.”

“The malware was later modified to infect macOS users, and its latest variant has been updated to steal money and financial credentials, say researchers at Check Point,” Palmer reports. “This new Dok campaign is distributed via phishing emails relating to financial or tax matters, with the payload deployed via a malicious ZIP file that victims are urged to run.”

Palmer reports, “Check Point warns the malware is still on the loose and will be a threat for some time to come, especially if the attackers continue to invest in advanced obfuscation techniques.”

Read more in the full article here.

MacDailyNews Take: As we wrote back in May regarding OSX/Dok:

Of course, never open an unexpected zip file, even if it’s from someone you know.

Apple blocks OSX/Dok communications-snooping malware – May 3, 2017
Nasty Mac malware bypasses Apple’s macOS Gatekeeper, undetectable by most antivirus apps – April 28, 2017


  1. I have to wonder if we need to start categorising these threats. There are so many steps required to get this malware that surely it must fall into the “idiot” category.

    An email from my bank containing a zip file… You’d have to monumentally stupid to do anything other than file it away as junk.

      1. Last week, when prompted to update my Chase banking app, a phishing attempt linked off the app store, offered me free credit reporting as a new Chase offering. I didn’t bite, but I found it pretty disconcerting that it was sandwiched between me an an App Store download. It was a first of it’s kind for me.

  2. I never even click on a link in any email to any login page. Ever. If I want to check my accounts I will login to them myself – not via a hotlink.
    In Mail, click on the name of the sender. If there is a mismatch it is highly likely spear phishing.
    In Safari on a webpage, click on the lock in the address bar and you can see certificate info.
    Anything I download is scanned for malware by my Intego SW.

  3. OSX.Trojan.Dok has been around since April. We’re now on the third version.

    Phishing has bombarding victim’s email for years. During the last two years it has become a steady flood to the point where one should NEVER click on ANYTHING in ANY email EVER.

    Actually, there is a simple way to check if the links in any email are legitimate, but apparently it’s ‘simple’ only to we techies. So stick to the advice above.

    Me Stuff:
    When I get phishing email I:
    1) Report it to, like I report ALL spam I receive.
    2) I forward the phishing email to the company being FAKED in the email. I have a list of phishing forwarding addresses for most companies. Some companies don’t care and instead tell victims to forward phishing email to the FTC, Federal Trade Commission.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.