Fake security software takes aim at Mac users
- 03 May, 2011 06:24
Scammers are distributing fake security software aimed at the Mac by taking advantage of the news that al-Qaeda leader Osama Bin Laden has been killed by U.S. forces, a security researcher said today.
A security firm that specializes in Mac software called the move "a very big step forward" for malware makers targeting Apple's users.
Phony antivirus software, dubbed "rogueware" by security experts, has long plagued people running Microsoft Windows, but this is the first time scammers have targeted the Mac with a sophisticated, professional-looking security application, said Peter James, a spokesman for Intego, a Mac-only antivirus company headquartered in France.
"This is indeed a very big step forward for Mac malware," said James.
The program, dubbed MAC Defender, is similar to existing "rogueware," the term for bogus security software that claims a personal computer is heavily infected with malware. Once installed, such software nags users with pervasive pop-ups and fake alerts until they fork over a fee to purchase the worthless program.
Until now, rogueware has been exclusively targeting Windows PCs.
That's changed, according to Kurt Baumgartner, a senior malware researcher with Moscow-based Kaspersky Lab, who today said that one group distributing MAC Defender has also been actively spreading Windows rogueware.
"They have been revving up for this for months," said Baumgartner of the work to prep MAC Defender.
Last month, Baumgartner had reported that ".co.cc" domains -- which are often used to spread malware and host attack code-infected Web sites -- had begun to host fake security sites and deliver the "Best AntiVirus 2011" rogueware.
During his early-April sweep through the .co.cc domains, Baumgartner found a URL explicitly aimed at Macs: "antispyware-macbook(dot)co(dot)cc".
"It is very odd that this group is marketing 'Fast Windows Antivirus 2011' from 'macbook' domains," Baumgartner said at the time in a blog post.
Today, Baumgartner said that a group using .co.cc domains was serving up fake security software for Macs as part of a broader campaign to trick Windows users into downloading and installing phony programs.
That campaign is currently exploiting the hot news topic of Bin Laden's death to get people to click on links that redirect their browsers to the rogueware downloads. The scammers have used "black hat" SEO (search engine optimization) tactics to push links to rogueware higher on Google Images' search results.
But that's not the only way Mac owners have been duped into installing MAC Defender.
On Saturday -- the day before President Obama announced the killing of Bin Laden -- messages from infected users began appearing on Apple's support forums.
"What is macdefender and why is it trying to install itself on my computer?" asked someone identified as "wamabahama" on April 30.
The first fake AV targeting Macs makes false claims that the machine is heavily infected. (Image: Intego Security.)
"FYI, my daughter said the program started after clicking on a 'hair style photo,'" added "Mr. Fix It Home Services" on the same support thread. Others reported stumbling upon MAC Defender after searching for images of prom tuxedos or for pictures of a character in the movie "Princess Bride."
On Monday, Intego published a detailed advisory about MAC Defender, noting that that it was "very well designed, and looks professional."
Intego spotted MAC Defender and acquired samples on Saturday, said James, who pointed out that users must enter their administrative password to install the program. "So there's still a social engineering angle here," he said.
In fact, users see a generic Windows-oriented page when they first click a link to the rogueware. "They're not even getting a Mac-specific page," James said.
But unless users have Safari set not to automatically open files after downloading, MAC Defender's installation screen opens without any user action. That's been enough to con some into approving the install by typing their administrative password.
The program also relies on an unusual technique to make users pay up.
"Every few minutes, it opens a porn page in the browser," said James of MAC Defender. "We think they're doing this because most people will assume that that means they've got a virus on their Mac, and they need to get rid of it by paying for the program."
MAC Defender demands $60-$80, depending on whether users select a one-year, two-year or lifetime "license."
Ironically, there are only eight to 10 serial numbers that MAC Defender accepts, said James, and those are tucked into the binary file -- unencrypted -- where advanced users may be able to root them out.
James also called out the MAC Defender's look and feel as an indicator that the criminals are serious about reaping profits from Mac users. "This was done by a very sophisticated Mac interface developer," James said. "It's an obvious sign that [scammers] are starting to target Macs. Earlier [scams], such as 2008's MacSweeper just didn't bother trying to look professional."
Intego spotted MacSweeper, a fake Macintosh system cleaning program, in January 2008.
MAC Defender has also created some collateral damage: The rogueware uses the same name as a legitimate German company that develops Mac software.
"A new malware application named MAC Defender (MacDefender.app) for OS X surfaced a few days ago," warned the MacDefender site. "If you see an application/installer named like this DO NOT DOWNLOAD/INSTALL it. I would never release an application named like this."
The rogueware's name choice was probably a twist on "PC Defender" and "Windows Defender," phrases used in the titles of numerous Windows-based fake AV programs, said James.
Mac users running Safari can prevent MAC Defender from automatically opening after it downloads by unchecking the box marked "Open 'safe' files after downloading" at the bottom of the General tab in the browser's Preferences screen.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about security in Computerworld's Security Topic Center.