According to The Mac Security Blog, published by Mac security firm Intego, a new fake anti-virus affecting the Mac OS X has been found in the wild, although the company said it appears as if attacks are limited at this point.
The fake anti-virus, MAC Defender, is being delivered via infected websites that are taking advantage of black hat search engine optimization (SEO) techniques that drive malicious sites up search lists in relation to popular search terms.
A major tip-off that this is a scam, Infosecurity notes, is the fake “Windows” screen that pops up within the Safari browser when users visit an infected domain. Following this, Intego said, the user’s Mac downloads a zip file, which may or may not be automatically unzipped depending on the browser settings.
“Strangely when surfing to the compromised URLs you are first prompted with a JavaScript-based fake scanner that appears to show an infected Windows XP computer, even when surfing from a Mac”, commented Chet Wisniewski, a senior security advisor at IT security firm Sophos, in a recent security blog post.
A typical Mac installation process ensues, and prompts the user to provide the administrator password before installing the rouge anti-virus.
With a recent spate of events dominating the news, such as the royal wedding or the death of Osama Bin Laden, SEO attacks were to be expected. How this SEO attack differs, however, is in its use of Mac OS targets and the Safari browser, which have historically remained relatively unscathed from malicious SEO manipulation.
The unique nature of this attack was not lost on Wisniewski: “From rather innocuous terms related to global warming, to hot topics like Osama bin Laden's death, users are being hit with fake anti-virus programs, this time delivering payloads to users of Apple's Mac OS X”.
Kapersky Labs, meanwhile, highlighted that one of its researchers warned last April that rogue anti-virus malware may have been “in the works” when examining some su domains responsible for delivering fake AV.
“Not only Windows users are a target of bad guys that want to distribute rogueware”, said Kaspersky research expert Fabio Assolini in a recent security blog posting. “Now they are also attacking Mac users using the same and old blackhat SEO techniques, poisoning search results in popular search engines.”
Assolini said the company’s researchers came across the rogue Best Mac Antivirus and MACDefender when conducting research on malware associated with Osama Bin Laden's recent death during a raid conducted by US forces. He added that both fake anti-virus applications were “specific to Mac OS X”.