Everything You Need to Know About Mac Scareware

You'd think it was the end of the world.

The fact that Mac users have fallen victim to "scareware" scams -- the kind that have long plagued Windows users -- shouldn't come as a surprise. After all, fake antivirus software schemes like MacDefender don't have to rely on exploitable vulnerabilities, but instead typically depend on tricking users into visiting malicious sites and duping them into installing the software.

And Mac users, for all their pretensions otherwise, are as fallible as the next person.

But from the news accounts this month about MacDefender, and the posts not only on Mac-specific blogs but also on ones usually devoted to Windows, you could be forgiven for thinking that Macs are suddenly the victims of choice.

They're not. Windows machines remain the most common target because, well, globally Windows PCs outnumber Mac OS by more than 16-to-1.

What is true is that Mac users now face the same scareware scams that Windows owners have had to deal with for years.

So what's the deal? Macpocalypse or not? And what should you watch for, and what can you do to keep safe?

Those are the questions we try to answer.

Is MacDefender a worm? Nope. Although MacDefender and its ilk fall under the general term "malware" -- as in, it's malicious in some way -- it's not a virus, not a worm, not a true Trojan horse.

Instead, it's one of a long line of "scareware" or "rogueware," terms that apply to fake -- hence "rogue" -- software that tries to spook you -- that's the "scare" -- into paying for a worthless program.

The labels are usually slapped on phony security software that claims a computer is heavily infected with worms, viruses and other malware. Such software nags users with pervasive pop-ups and fake alerts until they fork over the "registration" fee, which in MacDefender's case ranges between $60 and $80.

The criminals monetize their work by collecting these fees. And it's a profitable trade, at least where Windows scareware's concerned. Back in 2008, SecureWorks, now owned by Dell, said that some bad guys were making as much as $5 million a year shilling scareware.

So MacDefender isn't hacking my Mac? No. Although scareware targeting Windows has been known to silently plant itself on PCs after other malware first exploits a security vulnerability in the OS or other software, MacDefender doesn't.

That's a possible future move, of course, assuming attackers spend the time digging up an unpatched vulnerability in, say, Mac OS X or a browser like Safari or Firefox, and then write an exploit.

So how do Macs get infected with things like MacDefender? Easy: the criminals dupe users into doing the job for them.

This video shows how the Mac scareware scam works. (Video: Intego.)

The group behind MacDefender entices victims to malicious sites, where a Web page that looks like the Mac Finder appears, runs a phony virus scan, then claims that the machine is infected with dozens of Trojans. When the unsuspecting user clicks the "OK" button, MacDefender downloads to the Mac.

Such social engineering-style attacks are commonplace on Windows, but have been rare on Macs. Looks like that party is over.

Okay, so I fell for the ruse. What happens next? Once it's downloaded, MacDefender automatically pops up an install screen on Macs where Safari is running.

If you used another browser to download the scareware -- Firefox or Chrome, for instance -- the criminals rely on you to find the just-obtained installation package in the browser's download destination and click on it.

Next you'll see a typical Mac installation process. (In earlier versions you had to enter your administrator password, but that requirement's been eliminated in the most recent version, dubbed "MacGuard.")

Once MacDefender's fooled you into installing it, the scareware runs another scan and drops numerous alerts on the screen, all part of the scam to make you think your Mac is infected.

To remove the "infections," you have to pay up by entering your credit card information.

I'm not completely stupid ... I just won't pay up. What happens then? MacDefender -- which also goes by names like MacSecurity, MacProtector and now MacGuard -- duns you with those irritating pop-ups, flashes an icon in the menu bar, and worst of all, opens pornographic pages in your browser every few minutes.

That last is a new twist to spur you to pay for the scareware.

"We think they're doing this because most people will assume that that means they've got a virus on their Mac, and they need to get rid of it by paying for the program," said Peter James of Mac-only security software maker Intego in an interview earlier this month.

MacDefender automatically runs each time you start your Mac, so you can't get rid of it by restarting or shutting down the machine.

So it's here to stay? Isn't there a way to get rid of it? Yes, you can scrub your Mac manually.

Earlier this week, Apple finally acknowledged the MacDefender scareware campaign by posting a support document on its site. That document spells out the removal steps you should take.

Can't the Mac remove this itself? Not yet. But Apple's promised an update to Mac OS X 10.6, aka Snow Leopard, that will.

"In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove MacDefender malware and its known variants," Apple said in the support document it published Tuesday. "The update will also help protect users by providing an explicit warning if they download this malware."

Only Snow Leopard has rudimentary antivirus capabilities, which can warn users of a small number of threats. That same feature can also quarantine already-downloaded files that it deems dangerous.

But Apple seems to be saying that it will add a cleaning tool to Snow Leopard that can scrub an already infected Mac. If so, that would be a first.

And it would mean that Apple would be following in the footsteps of Microsoft, which has offered free cleaning tools -- notably the Malicious Software Removal Tool, or MSRT -- for years. MSRT is updated at least once each month, then pushed to customers via the Windows Update service.

People running older versions of Mac OS X, including 10.5, aka Leopard, and 10.4, the even older Tiger, presumably will be on their own.
