
Mac scareware makers adopt Windows tactics


As the cat-and-mouse game between scareware authors targeting Mac OS X computers and Apple Inc. intensifies, cybercrooks may now be taking a cue from their counterparts writing scareware for computers running Microsoft's Windows.

Computer security firm Sophos said the malware authors now regularly change the look and feel of their products and use legitimate-sounding brand names.

"More Mac scareware appeared overnight, with the cybercrooks following the same sort of strategy which has worked so well on Windows: regularly change the look and feel of the fake anti-virus software; use legitimate-sounding brand names (or steal genuine product names); stick to a price-point between $50 and $100; keep the fear factor high; but keep the core programming very similar so development costs are negligible," Sophos Asia-Pacific head of technology Paul Ducklin said in a blog post.

One of the first "major" scareware programs for Macs, MacDefender, appeared in May and fooled users into thinking their machines were infected and into installing the program. The users were made to pay for the scareware, with Ducklin noting many victims may not even realize they had been duped.

Apple has since issued security patches that will detect the scareware, although the scareware authors upped the ante by coming up with a more potent version of their scareware.

Now, Ducklin said, the latest OS X scareware variants come from the MacDefender stable, though they identify themselves during startup as Mac Shield.

"Once activated, the software pretends to look through your files, pretends to find malware, and invites you to clean up. But the cleanup isn't free - you're required to register. Registration means payment. The minimum you can get away with is $59.95. But for just $40 more, you can get a lifetime software licence and lifetime support," he said.

Yet, he said, the software is "completely fraudulent," and its "lifetime" ends tomorrow when the crooks move on to the next bogus brand name.

Ducklin issued anti-scareware tips for Apple users:

  • If you use Safari, turn OFF the open "safe" files after downloading option. This stops files such as the ZIP-based installers favoured by scareware authors from running automatically if you accidentally click their links.
  • Don't rely on Apple's built-in XProtect malware detector. It only detects viruses using basic techniques, and under a limited set of conditions. For example, malware on a USB key would go unnoticed, as would malware already on your Mac. And it only updates once in 24 hours, which probably isn't enough any more.
  • Install genuine anti-virus software. Ironically, the Apple App Store is a bad place to look - any anti-virus sold via the App Store is required by Apple's rules to exclude the kernel-based filtering component (known as a real-time or on-access scanner) needed for reliable virus prevention.
  • Religiously refuse any anti-malware software which offers a free scan but forces you to pay for cleanup. Reputable brands don't do this - an anti-virus evaluation should let you try out detection and disinfection before you buy.
— TJD, GMA News