Mac fake anti-virus attack gets dirty to ensnare victims

Filed Under: Apple, Malware

The latest variants of the new Mac malware we have been tracking has an interesting payload that many people may not have realised yet.

It's well documented that the fake anti-virus attacks attempt to trick you into believing that you have security problems on your Mac, and that you need to hand over your credit card details to buy a version which will clean-up your computer.

Mac fake anti-virus alert

However, when we left an infected Mac running for a while unattended earlier today in our labs, we found that it would periodically open instances of the web browser and point them to various websites.

Saucy website

As you can see, the website isn't necessarily the kind that you might want regularly popping up on your screen - especially if you don't have an understanding wife or boss.

A quick look inside the code of the attacks, which Sophos is detecting as OSX/FakeAV-A, reveals a list of possible websites that you may find your computer visiting without your permission:

List of saucy website URLs hidden inside fake anti-virus

My guess is that the malware attackers are doing this as a further incentive for you to purchase the so-called "fix". It's just another clever piece of social engineering which might make you rush into handing over your credit cards, in the belief that your Mac has been compromised.

Don't forget, the bad guys will use every dirty trick in the book to get their hands on your money.

Sophos customers should be protected, but if you have a Mac at home and want to defend yourself you can download our free anti-virus. It's automatically updated to protect against the latest threats.

DownloadFree Anti-Virus for Mac
Download Sophos Anti-Virus for Mac Home Edition

, , , , , ,

You might like

9 Responses to Mac fake anti-virus attack gets dirty to ensnare victims

  1. Just this morning Sophos caught another virus when I opened my Safari Browser. (I usually use Firefox) Thank You All for your hard work and dedication.

  2. This is what I call naked security ;)

    Protecting against naked ladies :)

  3. Judy · 1576 days ago

    I got this virus last nite, ran the Sophos free app, scanned my imac...but it says it has to be removed manually and I dont understand how to do all the steps. Should i take my imac to the Apple store since i have Apple care?

    • Frank · 1575 days ago

      I have the same problem as of last night. Hope someone can help

  4. 1MacGeek · 1572 days ago

    Just use the Quarantine Window as a file pathway guide, and navigate to the file Sophos says must be removed manually. Either drag that file to the trash, or right-click and use the Move to Trash item from the sub-menu. Remember to empty the trash when you are done.

    ***WARNING*** The method below will delete files you may not want deleted. Use with caution and at your own risk. No warranty is expressed or implied.

    Alternatively, you can go to the Sophos preferences, set the "When a threat is found" setting to Clean up threat. A sub-menu will appear below it called "If cleanup fails", then set this to Delete threat. Sophos should now do the work for you. Just rescan your drive and Sophos will wipe out the threats automatically. Also you may want to use these settings in the On-access Scanning section under Options.

    I can't imagine why one wouldn't want to just delete this threat when it hits one's Mac, but the world takes all kinds. :-)

  5. bob · 1562 days ago

    Show me ONE single SYMPTOM from a "virus" or "malware" on OSX *WITHOUT* the user running an installer, and inputting their admin password. You won't be able to find any. Their hasn't been a single SYMPTOM from any of these "threats" EVER on OSX. Anyone can install a program to f**k up their computer - duh! I can also willingly shoot myself in the foot! Should I walk around with bullet proof shoes to prevent myself from shooting myself in the foot? I know, I know ... I'm getting really philosophical here. But isn't philosophy what this issue is really about? People *think* their are threats to Macs, however the only threats have been things that would be considered a comical self inflicting wound. Again, show me ONE symptom that has appeared on OSX without the user going through a full blown installer.

    What did the MacDefender program even do to the OS? NOTHING! OOOHHHH NOOO it put a startup item in my startup items list!!!! OMG!?!!?! Ok lemme start this serious virus removal by removing the startup item! OK done...that was friggin hard!!!

    If I really gave a rats behind about some self inflicted wound that I did to myself such as MacDefender, all I would have to do is boot off my Leopard disk and run an "Archive and install" which would leave my user folder and applications intact while completely rebuilding the OS. All better, and without any noticeable change! Too bad rebuilding your computer on Windows isn't as easy as that! Poor Windows users =[ . So let it be known that even in the case of the laughable "Macapolipse", all the Mac users will need to do is boot off the OSX Boot DVD and run an "Archive and install". Sounds scary!

    Their aren't any current threats to OSX other then the user's stupidity. I don't like to resort to insults, but when people act like these lame-duck attacks are anything Mac users should be worried about - it's insulting to the truth. As I said before, when ONE person can show ONE symptom from an attack without running an installer and entering your admin password - then I'll give two s**ts about what these ignorant fear mongering n00bs say about Macs.

  6. It's surprising that Apple would allow something to compromise the credit cards of their users. I thought Macs were supposed to be more secure than PCs?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley