Mother's Day search terms lead to Mac rogue security software


Watch out folks! Our researchers at SophosLabs Canada alerted me this afternoon to the world's first JavaScript fake scanner trying to convince Mac users that their computers are infected by a virus.

This step is extra important on OS X as users will have to install the malware and enter in their administrative credentials for the privilege of infecting themselves.

Even worse, the attackers are poisoning search terms and images related to Mother's Day. Simply searching Google for seemingly innocent content to honor your mum could end up with a malware infection.

Fortunately you don't have to infect your own Mac to find out what the experience is like. We made this video so you can see it in action from the safety of whatever device you prefer to surf the internet from. Watch and enjoy:


When Mac users happen upon a poisoned search result, it will pop up a fake anti-virus scanner written in JavaScript that looks just like the OS X Finder application.

OS X fake anti-virus JavaScript popup

Windows users aren't left out... They get their own fake popup, which we have seen all too often.

Windows fake anti-virus JavaScript popup

Earlier this week I wrote that we were seeing Mac fake anti-virus software spreading in the wild in greater numbers than before. I also noted that the fake scanner used as a part of the social engineering to trick you into installing it looks like Windows XP.

I hope they weren't listening.

The criminals behind these attacks seem to be using Google's search auto-complete technology to determine the most popular search terms to poison.

You can see Google's automatic suggestions in the screenshot at right. We chose "Mothers day poems for kids" from the list and sure enough, some of the results lead to infections.

Sophos Anti-Virus for Mac Home Edition is free, so why not protect your Mac?


10 Responses to Mother's Day search terms lead to Mac rogue security software

  1. asima · 1272 days ago

    that happened to me last night. i was surfing the web, for a new background picture on my macbook, so i opened one of taylor swift and this thing came up stating i had viruses in my laptop. i was about to click remove all when i remembered i have never seen this layout on safari before and it was similar to the software that infected my desktop PC (i had to reboot that computer). i hadn't even clicked anything and i saw something was downloading. i quickly stopped the download. and deleted it from my system through finder. i then did a full scan of my laptop via the sophos anti-virus. i found that i had nothing, which was a relief :)

  2. Paddy · 1272 days ago

    Thanks for setting this up, Chester.

  3. Aleisha · 1272 days ago

    Is this happening only on the Safari browser?

  4. spookie · 1272 days ago

    Thanks for alerting us, but haven't we all become accustomed now to fake AV, and why in the world would ANYONE fall for this! The fact that Mac and Linux users don't normally run with root privileges means you have to volunteer to be infected in this way. Most of my Windows using friends still run on an admin account, even though they now use Vista or Win7, which don't default to this behavior, opening them up for a world of problems (most of which they call me to fix). If you DON'T allow install of this malware by entering your admin password, it has no way to install, and if you do allow install with an admin password, AV will NOT protect you, as far as I can tell. I still maintain that AV is extraneous on Mac and Linux. Good online behavior is far more important since all the AV on earth will not protect you from stupid.

  5. tcdowning · 1272 days ago

    Woohoo! Welcome to the fun Mac users!

  6. JLG · 1272 days ago

    Why in the world would anyone fall for this? Because they're stupid. Stupid people deserve to have to pay good money for otherwise unnecessary software (e.g. AV on Mac or Linux), so the rest of us won't have to waste our time trying to fix stupid.

  7. @spookie - the social engineering aspect of this coupled with the fact that many mac users mistakenly believe they are immune to viruses is why this is effective. If the user believes they have a virus and this software will help them, they won't think twice about authorizing the install with their admin password.

    I wrote a post about this as well, although I didn't mention the Mother's Day theme. Seems a lot of these malware sites are coming from ce.ms. My post is here if you're interested: http://www.snipe.net/2011/05/rogue-mac-antivirus/

  8. Fripp · 1269 days ago

    So far, it seems that many scams and fake stuff like this can only get through because people either do not read or do not speak English. Really. Practically every scam I've come across stands out because of the many horrible and obvious spelling, grammar and sentence construction mistakes. The first 'warning' in this scenario is a good example. If that doesn't ring your alarm bells, what will?

    For all their ingenuity and scripting skills, these scammers simply seem unable to find anyone with basic language skills. Suckers.

  9. Brad Burbank · 1266 days ago

    It infects windows based computers too. I found out the hard way. Thank god for antivirus/malware removal programs!

  10. Karri · 1263 days ago

    That is idiotic!! I watched 40 sec of the google search and I'm going ballistic ... if anyone proceeded to that point !!! They deserve to be infected!! People don't spend 2,000 dollars on a computer and remain so stupid!! LAME IDIOTS that would!!

    Mac Security is all you need .. all the AV software in the world can't fix STUPID!!

    Anyone with half a brain would stop and reset their browser as should also do on Windows!!


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.