Everything You Need to Know About Mac Scareware
You'd think it was the end of the world.
The fact that Mac users have fallen victim to "scareware" scams -- the kind that have long plagued Windows users -- shouldn't come as a surprise. After all, fake antivirus software schemes like MacDefender don't have to rely on exploitable vulnerabilities, but instead typically depend on tricking users into visiting malicious sites and duping them into installing the software.
And Mac users, for all their pretensions otherwise, are as fallible as the next person.
But from the news accounts this month about MacDefender, and the posts not only on Mac-specific blogs but also on ones usually devoted to Windows, you could be forgiven for thinking that Macs are suddenly the victims of choice.
They're not. Windows machines remain the most common target because, well, globally Windows PCs outnumber Mac OS by more than 16-to-1.
What is true is that Mac users now face the same scareware scams that Windows owners have had to deal with for years.
So what's the deal? Macpocalypse or not? And what should you watch for, and what can you do to keep safe?
Those are the questions we try to answer.
Is MacDefender a worm? Nope. Although MacDefender and its ilk fall under the general term "malware" -- as in, it's malicious in some way -- it's not a virus, not a worm, not a true Trojan horse.
Instead, its one of a long line of "scareware" or "rogueware," terms that apply to fake -- hence "rogue" -- software that tries to spook you -- that's the "scare" -- into paying for a worthless program.
The labels are usually slapped on phony security software that claims a computer is heavily infected with worms, viruses and other malware. Such software nags users with pervasive pop-ups and fake alerts until they fork over the "registration" fee, which in MacDefender's case ranges between $60 and $80.
The criminals monetize their work by collecting these fees. And it's a profitable trade, at least where Windows scareware's concerned. Back in 2008, SecureWorks, now owned by Dell, said that some bad guys were making as much as $5 million a year shilling scareware.
So MacDefender isn't hacking my Mac? No. Although scareware targeting Windows has been known to silently plant itself on PCs after other malware first exploits a security vulnerability in the OS or other software, MacDefender doesn't.
That's a possible future move, of course, assuming attackers spend the time digging up an unpatched vulnerability in, say, Mac OS X or a browser like Safari or Firefox, and then write an exploit.
So how do Macs get infected with things like MacDefender? Easy, they dupe users into doing the job for them.
This video shows how the Mac scareware scam works. (Video: Intego.)
The group behind MacDefender entices victims to malicious sites, where a Web page that looks like the Mac Finder appears, runs a phony virus scan, then claims that the machine is infected with dozens of Trojans. When the unsuspecting user clicks the "OK" button, MacDefender downloads to the Mac.
Such social engineering-style attacks are commonplace on Windows, but have been rare on Macs. Looks like that party is over.
Okay, so I fell for the ruse. What happens next? Once it's downloaded, MacDefender automatically pops up an install screen on Macs where Safari is running.
If you used another browser to download the scareware -- Firefox or Chrome, for instance -- the criminals rely on you to find the just-obtained installation package in the browser's download destination and click on it.
Next you'll see a typical Mac installation process. (In earlier versions you had to enter your administrator password, but that requirement's been eliminated in the most recent version, dubbed "MacGuard.")
Once MacDefender's fooled you into installing it, the scareware runs another scan and drops numerous alerts on the screen, all part of the scam to make you think your Mac is infected.
To remove the "infections," you have to pay up by entering your credit card information.
I'm not completely stupid ... I just won't pay up. What happens then? MacDefender -- which also goes by names like MacSecurity, MacProtector and now, MacGuard -- duns you with those irritating pop ups, flashes an icon in the menu bar, and worst of all, opens pornographic pages in your browser every few minutes.
That last is a new twist to spur you to pay for the scareware.
"We think they're doing this because most people will assume that that means they've got a virus on their Mac, and they need to get rid of it by paying for the program," said Peter James of Mac-only security software maker Intego in an interview earlier this month.
MacDefender automatically runs each time you start your Mac, so you can't get rid of it by restarting or shutting down the machine.
So it's here to stay? Isn't there a way to get rid of it? Yes, you can scrub your Mac manually.
Earlier this week, Apple finally acknowledged the MacDefender scareware campaign by posting a support document on its site. That document spells out the removal steps you should take.
Can't the Mac remove this itself? Not yet. But Apple's promised an update to Mac OS X 10.6, aka Snow Leopard, that will.
"In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove MacDefender malware and its known variants." Apple said in the support document it published Tuesday. "The update will also help protect users by providing an explicit warning if they download this malware."
Only Snow Leopard has rudimentary antivirus capabilities, which can warn users of a small number of threats. That same feature can also quarantine already-downloaded files that it deems dangerous.
But Apple seems to be saying that it will add a cleaning tool to Snow Leopard that can scrub an already infected Mac. If so, that would be a first.
And it would mean that Apple would be following in the footsteps of Microsoft, which has offered free cleaning tools -- notably the Malicious Software Removal Tool, or MSRT -- for years. MSFT is updated at least once each month, then pushed to customers via the Windows Update service.
People running older versions of Mac OS X, including 10.5, aka Leopard and 10.4, the even older Tiger, presumably will be on their own.
How pervasive is MacDefender? No one really knows.
A back-of-the-envelope estimate by Ed Bott, a ZDNet blogger who usually writes about Windows but has dealt out a series on MacDefender, put the number of infections between 60,000 and 125,000.
While security firms that sell Mac antivirus software have not tossed out numbers like that, at least one -- Intego -- has cited Bott's estimates and concluded that "this fake antivirus has been extremely effective in tricking Mac users."
Today, Finnish antivirus company F-Secure said it had seen "a significant rise on infections with the Mac rogue Trojans," but didn't specify the raw numbers or the rate of increase in infections.
Companies like Intego, of course, have an interest in touting MacDefender's ubiquity: They sell antivirus software for the Mac.
F-Secure, in fact, launched its first Mac-specific product today.
Symantec, which has one of the world's largest network of malware sensors and "honeypot" systems -- and also sells Mac security software -- said it didn't have "much if anything, in the way of hard data/numbers" on the Mac scareware campaigns.
Bottom line: There's no solid evidence yet on how many Mac users are falling for the con.
Why the Mac? Why now? The question should be, "Why not before this?"
Scareware has hammered Windows users for years, and remains a very popular way for criminals to make money. According to Microsoft's latest security intelligence report, the company's MSRT cleaned millions of scareware-infected Windows PCs last year.
Both Intego and Microsoft have reported connections between MacDefender and a gang responsible for one of the biggest Windows scareware families.
Intego has said that the group simply added MacDefender to its scam arsenal by developing the Mac-specific fake antivirus program, then seeded it to the same malicious sites that were already serving up Windows scareware, in effect getting a bigger bang for its buck.
Apple's increased sales of Macs may have triggered the move by the gang. While Windows PC sales have stalled -- and still greatly outnumber Mac sales -- Apple's sales of desktops and notebooks has outpaced PC sales for 20 consecutive quarters.
Where there's a market for malware, there's malware.
What can I do to keep MacDefender and its like off my Mac? Lots of things, actually.
For one, be wary of search results on hot news topics, since scareware scammers constantly "poison" those results to push their sites higher on the list. When MacDefender first appeared, it was spread through sites that ranked high on Google Image searches, and those resulting from searches for information on Osama Bin Laden's death.
For another, don't install anything you haven't downloaded yourself.
If you browse with Safari, head to its Preferences screen, then uncheck the box marked "Open 'safe' files after downloading" at the bottom of the General tab: That keeps Safari from automatically opening the installation screen of MacDefender.
Only type in your account password when installing software you actually want and asked to be installed. If the account password dialog pops up and you don't know why, don't enter your password.
Speaking of accounts, the newest MacGuard scam doesn't require a password when you're running under an administrator account. You might want to switch to a standard account instead, which will prompt you for a password when MacGuard tries to install. Check out this Apple support document for how to set up a standard account in Snow Leopard.
Don't pay for security software you haven't asked for. Don't enter your credit card information in any prompt to register such software.
Consider adding an antivirus program to your Mac. Sophos gives one away free, and others, including F-Secure, Intego and Symantec, sell products that will block scareware and remove it if it's infected your machine.
Poisoned Google Image results steer victims to Mac scareware downloads. (Video: F-Secure.)
Is the Mac now in the same security boat as Windows PCs? Not by a long shot.
Windows remains the most popular target for hackers because it's the most popular platform on the planet. But the appearance of MacDefender marks a change in criminal tactics that you'd be foolish to ignore. Scammers are nothing if not copy-cats.
I want a crystal ball...what's next for Macs and malware? Assume that MacDefender is the first of a wave of scareware aimed at Macs. Any success by MacDefender's makers will likely be copied by other groups that already have experience shilling bogus security software to Windows users.
And there are certainly steps those criminals can take that will up their game, whether that's using unpatched browser or plug-in vulnerabilities to exploit a Mac -- and then silently plant scareware on the computer -- or relying on other long-practiced social engineering tactics, including spam that draws users to malicious sites or files attached to email messages that purport to be legitimate documents but are in actuality a scareware installer.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.