Mac Defender — The phishing scam that rocked Apple

Apple’s biggest selling point for its Macs has always been the perceived imperviousness to “malware”. The fact that what some regard as the world’s first virus, “Elk Cloner”, was a Mac virus seems to have exited people’s minds.

However, in the last couple of weeks reports of what may come to be seen as the first widespread piece of Mac malware have been filtering through.

Mac Defender, discovered at the start of this month by antivirus firm Intego, is a phishing scam that targets Mac OS X users through Safari with the aim of gaining personal data (such as credit card numbers) but has also been reported to cause other issues. In a security memo, Intego explains how Mac Defender works:

“…MAC Defender, which targets Mac users via SEO poisoning attacks (websites set up to take advantage of search engine optimisation tricks to get malicious sites to appear at the top of search results). When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a website that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file.”

When Mac Defender was discovered Intego classified its risk as, “Low; in the wild, but not very widespread for now”.

However, it has spread since then. The latest estimates claim it has affected between 60 000 and 120 000 Mac OS X users. A quick search of Apple Support forums showed a slew of complaints about the mystery virus.

Furthermore, veteran ZDNet journalist Ed Bott — speaking with an anonymous AppleCare call-center rep — reported that by last week the volume of calls was “4-5x times higher [than usual]“, with more than 50% of the calls about Mac Defender.

The most damning aspect of the interview was not only the initial response from Mac enthusiasts that reports on Mac Defender were instances of “crying wolf“, but rather that Apple itself was actively looking to keep the whole affair a secret.

According to Bott’s source, Apple’s official stance was to not help customers remove the malware from their computers. Also, in an alleged official document — also obtained by Bott from another call-center rep source — setting out the policy regarding calls about Mac Defender under the heading “Things you must never do according to the client” [the client being Apple] it was written:

“You cannot show the customer how to force quit Safari

You cannot show the customer how to remove from the Login items

You cannot show the customer how to stop the process of Mac Defender in their activity monitor

You cannot refer the customer to any forums or discussion boards for resolution (this includes the Apple.com forums)”

But Apple has finally gotten the message.

In a support document it released this week, it noted the existence of Mac Defender, saying: “A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender ‘anti-virus’ software to solve the issue.”

Apple also stated that a Mac OS X software update would be released which would automatically find and remove Mac Defender malware and its known variants along with detailed instructions on how to remove it for those not willing to wait.

While Apple’s alleged early lack of regard for its customers was certainly confusing, it can be understood.

Mac’s history, or lack thereof, with regard to malware has something that the company and its legion of fans — which studies have recently proven has a religious-like belief in Apple — have always prided themselves on.

However, in a strange twist of fate, there is an odd sense of pride Apple can take from this very savvy attack on its customers. Phishers and malware developers in general will always seek to reach a large number of potential victims — and as such Windows has always been the target. That Macs are now also being targeted is a sure sign — if any more were needed — that the company is a serious player.