
Cybercriminals are exploiting macOS’s push notification system to distribute fake alerts mimicking legitimate system warnings. These malicious notifications often appear even when Safari isn’t running, typically containing alarming messages about virus infections or iCloud account risks designed to trick users into compromising their security.
Technical Overview for Security Teams
The attack vector leverages websites that deceptively obtain notification permissions. Attackers create convincing replicas of macOS system alerts with fabricated icons and urgent messages prompting immediate action. This technique qualifies as scareware – a psychological attack exploiting fear to manipulate victims.
Apple’s documentation confirms this is an intentional feature: “Safari push notifications work just like app push notifications. They display your website’s icon and notification text, which users can click to go directly to your site.” Malicious actors abuse this functionality using:
- Compromised websites requesting notification permissions under false pretenses
- Perfectly cloned macOS alert icons and dialog styles
- Emergency messages demanding immediate action (“Your Mac is infected!”)
Mitigation Strategies for Enterprise Environments
For security professionals managing corporate devices, we recommend these technical solutions:
System Configuration Method
To audit or remediate this issue across multiple endpoints:
```
# Check active notifications via terminal
defaults read /Library/Preferences/com.apple.notificationsettings.plist
```
The GUI path for disabling suspicious notifications:
- Open System Settings → Notifications
- Review Web Notifications section for suspicious entries
- Toggle “Allow Notifications” off for malicious sources
Safari-Specific Remediation
For incident response teams cleaning multiple workstations:
- Open Safari → Preferences → Websites → Notifications
- Set untrusted sites to “Deny”
- Remove malicious entries completely
```
# Reset Safari notification permissions
defaults delete com.apple.Safari NotificationsPermissions
```
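The per-endpoint audit described in the two procedures above can be scripted so that an incident response team can flag and revoke notification grants that are not on a corporate allowlist. The following is an added example, not code from the original article; it assumes Safari stores grants in `~/Library/Safari/UserNotificationPermissions.plist` as an array of dictionaries with `Website Domain` and `Permission` keys (an assumption, so verify the layout on a reference machine before deployment) and embeds a constructed sample plist so it runs offline.

```python
import plistlib
from typing import Dict, List, Set

# Constructed sample of a Safari notification-permissions plist (assumed layout).
# The second entry mimics a scareware site that obtained a grant.
SAMPLE_PLIST = plistlib.dumps([
    {"Website Domain": "mail.example-corp.test", "Permission": "granted"},
    {"Website Domain": "mac-security-alert-center.test", "Permission": "granted"},
    {"Website Domain": "news.example.test", "Permission": "denied"},
])

# Domains the organisation knowingly allows to push web notifications (constructed).
CORPORATE_ALLOWLIST: Set[str] = {"mail.example-corp.test", "chat.example-corp.test"}


def load_permissions(data: bytes) -> List[Dict[str, str]]:
    """Parse the plist bytes and keep only well-formed dictionary entries."""
    entries = plistlib.loads(data)
    return [e for e in entries if isinstance(e, dict)]


def audit(entries: List[Dict[str, str]], allowlist: Set[str]) -> List[str]:
    """Return domains holding a 'granted' permission that are not allowlisted.

    These are the entries an analyst should review: a scareware site only
    keeps re-sending fake alerts while its grant persists.
    """
    return [
        e.get("Website Domain", "")
        for e in entries
        if e.get("Permission") == "granted"
        and e.get("Website Domain", "") not in allowlist
    ]


def remediate(entries: List[Dict[str, str]], allowlist: Set[str]) -> List[Dict[str, str]]:
    """Return a copy of the entries with every non-allowlisted grant flipped to 'denied'.

    Denying rather than deleting keeps a record of the site and prevents the
    site from simply re-prompting the user on the next visit.
    """
    fixed = []
    for e in entries:
        entry = dict(e)
        if entry.get("Permission") == "granted" and entry.get("Website Domain") not in allowlist:
            entry["Permission"] = "denied"
        fixed.append(entry)
    return fixed


def remediated_plist(data: bytes, allowlist: Set[str]) -> bytes:
    """Produce the plist bytes an MDM script would write back to the endpoint."""
    return plistlib.dumps(remediate(load_permissions(data), allowlist))
```

Run `audit(load_permissions(open(path, "rb").read()), CORPORATE_ALLOWLIST)` against a collected plist to list suspect grants, and use `remediated_plist` to generate the file an MDM push writes back after Safari is quit.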
Corporate Security Implications
This attack vector presents unique risks for organizations:
- Persistence: Notifications reappear until permissions are revoked
- Credibility: Employees may mistake them for legitimate IT alerts
- Data Exposure: Some variants redirect to credential-harvesting pages
Documented cases show recurring notifications claiming “Your device is infected” and “iCloud account at risk” even after antivirus scans, as reported in Apple’s support communities.
Detection and Remediation Tools
For security teams needing scalable solutions:
| Tool | Function | Use Case |
|---|---|---|
| CleanMyMac X | Malware scanning | PUP/adware detection |
| SpyHunter | System analysis | Malicious notification identification |
| Intego VirusBarrier | Mac-specific scanning | macOS malware detection |
SOC Recommendation: Implement MDM policies restricting automatic push notification approvals from browsers on corporate devices.
Security Best Practices
This growing attack vector combines social engineering with legitimate feature abuse. Key recommendations:
- User education about these attack patterns
- Technical controls limiting unnecessary permissions
- Active monitoring of endpoint notification settings
As an additional measure, consider network-level ad blockers to prevent initial access to malicious sites generating these notifications.