Scareware Gives Mac Users the Heebie-Jeebies
"Technically, this is the first time we've seen the fake antivirus on the Mac," said Intego spokesperson Peter James, referring to the so-called MACDefender scareware his company spotted recently. Like other scareware variants, MACDefender attempts to trick users into installing it by telling them their computers are riddled with viruses.
Scareware has apparently made its way to the Apple Mac platform.
Intego, which specializes in creating antivirus software for the Apple Mac platform, warned Monday that a fake antivirus program called "MACDefender" is attacking Apple Macs.
Scareware in general is a common tactic used by online scammers, and it's been seen many times in the past to fool users of Windows PCs. Like many other scareware variants, MACDefender takes victims to a website, tells them their computers are infected, then tricks them into buying a non-existent antivirus program.
While the malware is in the wild, the risk is low, and infections have been relatively limited so far, Intego said.
Here's the painful part: A legitimate company by the name of "Mac Defender" exists, and perhaps that fact has spurred some victims to fall for the malware.
Tales from the Malware Defense Department
The MACDefender malware targets Mac users through SEO poisoning attacks -- websites that leverage search engine optimization to get their links positioned at the top of search results, Intego said.
Users who click on any of those poisoned links are taken to a website that displays, oddly enough, a fake Microsoft Windows screen with an animated image depicting a malware scan.
This file is a compressed ZIP archive.
Victims are urged to check the tab "Open safe files after downloading" in Safari. If they comply, the ZIP archive will open and launch an installer that opens up a screen welcoming victims to the MACDefender Setup Installer.
Victims have to enter an administrator's password in order to install the malware, Intego said.
A program called "MACDefender" then launches, displaying its interface and adding a menu item to the Mac OS X menu bar. The application also adds itself to the victim's Login Items so it will relaunch each time they log in or start up their computers.
The application displays alerts telling victims it has found viruses. It also opens Web pages for pornographic websites in the victims' browsers.
Victims can't quit the application easily because there is no "Dock" icon, Intego said.
Members of Apple support communities who were infected by the MACDefender app have posted questions on community bulletin boards asking how to get rid of the application.
Victims who decide to buy MACDefender are taken to a Web page where they are offered one-year, two-year or lifetime licenses for the application and are asked to provide a credit card number.
Brave New World
This type of attack is known as "scareware," and it has become such a nuisance in the PC world that Microsoft has launched an all-out effort to hunt down scareware authors and prosecute them.
"The only thing new here is the target," Randy Abrams, director of technical education at ESET, told MacNewsWorld.
"Technically, this is the first time we've seen the fake antivirus on the Mac," Intego spokesperson Peter James told MacNewsWorld.
"The real surprise is the app looks well thought-out and professional," James added. "In the past, most of the Mac malware we've seen has been poorly designed, and the interface just looks bad."
However, there are two indications that the application is not on the up and up, James pointed out. One is that the Web page it sits on is a Microsoft Windows page; the other is that users have to input an administrator's password.
"These two hurdles are probably restricting its success," James speculated. "It's strange that the authors didn't take the next step and design a Mac screen; perhaps that's their next step."
If the malware begins spreading rapidly, it could spur more attacks on the Mac OS.
"The authors are cybercriminals, and they'll expand based upon the degree to which they are successful," Dave Marcus, director of security research and communications at McAfee, told MacNewsWorld.
Rah, Rah, Rasputin ...
The malware was probably created by Russians, James suggested.
"There's a folder called 'a package,' and while the interface for the application is in English, it's in a package named 'RU.LPROG,'" James explained. "This is a language file, and the 'RU' is for 'Russian.'"
It would be "very simple" for the authors to name the package EN.LPROG, which would indicate it is in English, James stated.
Apple did not respond to requests for comment by press time.