Fake Tech Support Scam Targets Macs

The phony tech support scam is an all-too-common danger of surfing around in cyberspace, but such scams mainly target PCs. Now a new iteration on the form has cropped up to menace Mac users, with a malvertising-driven attack vector.

Blue Coat researcher Chris Larsen has found three scam domains (macsupports.info, macworldservices1.com and macsecurityalerts.co), which, when visited, offer pop-up warnings about “dangerous viruses,” supposed malware and unauthorized access. Typically, the sites use JavaScript to “lock” the browser, borrowing a classic ransomware tactic meant to freak out the victim and spur them to action. Individuals are then encouraged to call a number to have a technician guide them through the malware removal process (for a fee, of course).

“The really interesting part… is that it came with an extensive audio warning,” said Larsen in a blog post. “A nice computer-synthesized female voice came over my speakers, saying ‘Please call the number provided as soon as possible. You will be guided for [sic] the removal of the adware-spyware-virus on your computer...’”

Plenty of fake PC tech support campaigns find their victims through cold-calling. However, these scams are evolving to become more like watering-hole techniques, by showing malicious ads for the supposed tech support.

“This type of scam campaign combines fake warning pages (hearkening back to the classic fake antivirus attacks of years past) with the more modern fake tech support phone scam,” he explained. “In this way, rather than cold-calling for victims, they can induce the victims to call them—and anyone calling in is likely to be already convinced that they do indeed have a virus problem.”

Larsen postulates that this tactic is especially beneficial for criminals looking to attract Mac users to the sites, since cold-calling would be an untargeted, labor-intensive process given how few Mac machines there are in the world relative to PCs.

“I've never heard about cold-callers targeting Mac users. In fact, you can normally get them to hang up and go away if you tell them you run Mac or Linux,” he said. “But this new version of the scam, where the victims are scared into calling in, allows the criminal to pre-screen his victims by OS—if he detects that you're using a Mac, he can route you to one of these sites, instead of a Windows-themed site.”

Even better, criminals could simply use the legitimate ad ecosystem to determine the OS of the victim, and only serve the Mac-themed ads to Mac users.

This is primarily a US-directed campaign, but Larsen noted that the page script references "future" campaigns (and phone numbers) for France, Australia, the UK, New Zealand and South Africa.

“Don't fall for these sorts of scams,” Larsen said. “More importantly (since you're not the type who would), please warn your family and friends about them!”
