Apple support to infected Mac users: "You cannot show the customer how to stop the process"

Filed Under: Apple, Featured, Malware

Mac Defender fake security popupsZDNet writer Ed Bott has posted the latest instructions to Apple tech support personnel regarding users calling in with active fake anti-virus "MacDefender" infections.

Bott says he acquired the documents by talking with two anonymous Apple support representatives about how Apple is coping with the first widespread attack against OS X users. According to his sources Apple has received an estimated 60,000 tech support calls related to the infections.

It has been encouraging that many Apple customers have been taking this attack seriously and taking preventative measures like installing our free anti-virus program for OS X.

Apple is apparently telling support reps to tell customers:

"Apple’s [sic] doesn’t recommend or guarantee any specific third part [sic] anti-virus protection over another. However I can suggest several third party virus protection programs that you may want to consider researching to find the best one for your needs."

But they still have their heads buried in the sand when it comes to assisting their customers. The memo, acquired from an outsourced support company, says:

Screenshot of leaked Apple memo

"Things you must never do according to the client [Apple]."

  • You cannot show the customer how to force quit Safari on a Mac Defender call

  • You cannot show the customer how to remove from the Login items.
  • You cannot show the customer how to stop the process of Mac Defender in their Activity Monitor.
  • You cannot refer the customer to ANY forums or discussions [sic] boards for resolution (this includes the forums)

Apple's famous PR savvy apparently doesn't apply to handling security incidents. It is genuinely tragic that such a large number of OS X users are falling victim to this scam, and Apple's response is less than helpful.

You could argue that Apple created this false sense of security through their marketing and advertisements suggesting Apple users are immune to security threats. Now that some of their flock are affected, it would be good of them to at least point people in the right direction.

Many journalists have asked me in the last few weeks whether this is being hyped by the anti-virus business. Are real people being impacted? Judge for yourself... Apple's reaction says more about the problem than I can possibly explain.

Regardless of platform we all need to be safe with the choices we make on our computing devices, whether we use tablets, Linux, Windows, OS X, or Android. When enough people let their guard down they are easy targets and criminals will take advantage of the lowest hanging fruit.

Until next time... Stay secure.

, , , , , , ,

You might like

35 Responses to Apple support to infected Mac users: "You cannot show the customer how to stop the process"

  1. Samantha · 1599 days ago

    Is Mackeeper a good application for apple as I received it today and download it... hope its nothing like Mac defender??

  2. Gary · 1598 days ago

    > You could argue that Apple created this false sense of security through their marketing and advertisements suggesting Apple users are immune to security threats.

    It's true that Apple have cited security in general and AV security in particular in their promotional material - and still do. However, it's hardly their main sales pitch, being pushed in the face of every prospective customer.

    It's journalists and bloggers who pull this "immunity" issue out every time they want to make their stories that little bit more dramatic. And AV journalists and bloggers in particular.

    Your video example is five years old - it was uploaded in 2006. I guess you had to go that far back to find anything which made your point as clearly as you imagine it to be.

    NB While disagreeing with your banging on the "Apple says safe from viruses" drum, I do agree with your point about Apple being able to take a better position in dealing with this matter. (I'm also a happy SophosAVforMac user at home, so thanks for that.)

    • Here's a more recent Apple "I'm a Mac, I'm a PC" advert from 2009 discussing malware.

      "PC" dresses up in a biohazard suit:

    • Bob · 1582 days ago

      " I guess you had to go that far back to find anything which made your point as clearly as you imagine it to be. "

      it is so incredibly painful to read such an arrogant comment. You are not a better person than everyone else because you use a mac, drink coffee at starbucks and own a hybrid. It is mind boggling to see a person act like they are better and smarter than everyone because of a product choice.

  3. JJJ · 1598 days ago

    It may not be viruses, but malware. Here's a review of Sophos' anti-virus software:

  4. @Anskiere · 1598 days ago

    I don't understand the reasoning in not showing customers how to force quit, remove login items, or stop a process.

    Any idea why they are going about it this way?

    • There's actually a very good reason for that: A great number of Windows installation repairs are necessitated by naive users being told how to do these kinds of things and then trashing something important because they think they've learned some powerful trick. You don't tell a naive end user how to do power-user things if they don't have the relevant experience and knowledge to know what to do with it -- that only makes matters worse.

      What you CAN tell them to do is hold the Shift key to disable most nonessential startup items, and use this clean boot to install reputable clean-up software.

      • Hmm... very good point. I never even thought of that, even though I work in the field.
        But you are right - I don't tell my users that kind of thing, either. I just never thought of it

      • jonny · 1097 days ago

        How incredibly patronising and disgustingly creepy.

        "You don't tell users how to disable a third-party startup application."

        Why not?

        "Why they could disable ANY third-party startup applications!"

        And what's the problem with that? Should they not have the right to determine which third-party (or indeed, any parties) apps are starting up on their computer? What damage could it possibly cause that would not be caused if they remained ignorant?


        Uh huh.


        "You don't tell users how to Force Close Safari."

        Why not?

        "Why they could then Force Close any application!"

        And what's the problem with that? What damage could that possibly cause that would not be caused otherwise?


        Uh huh.

        Anyone who asserts ignorance is in the benefit of another human being is guilty of a grotesque insult to Decency and is representative of the corruption that is the "mothering" cancer rotting its way through our species.

        Fix your filthy mind. You're a victim. Stop imagining you're being shrewd by [creating victims] via withholding information ("it's for the victim's benefit").

  5. Rich M. · 1598 days ago

    It doesn't matter which platform you use (MS, Apple, or Linux), there will always be a need to protect yourself and your systems since there are viruses & malware apps written for all of them running loose in the wild. Why is it Apple's fault if you get a virus on your computer? Is it MS's fault if your system gets infected? I run a Mac with Parallels and have been running AV software on both since day one.

  6. "Many journalists have asked me in the last few weeks whether this is being hyped by the anti-virus business."

    I'm an independant Network Admin working for a completely unrelated company. I have nothing to do with any AV company.

    I have rather a large base of home users that are friends and family, I freely and regularly support. They run a whole variety of OSs on many different devices and I am receiving a large amount of calls on both OSX and Windows machines that are infected with FakeAV.

    The number of calls for Windows computers does not exceed the number of OSX calls. They are roughly the same. I have also had to look at an iPad about 2 weeks ago with a similar infection.

    These applications are in the wild and innocent basic users are being infected simply because they dont know what not to do when alerted by a prompt.

  7. Baker · 1598 days ago

    I'm calling BS on this one. Apple even has how to do some of those things on their support site, so why would they tell their support staff not to tell people how to do those things? Furthermore, I know of NO ONE who has this and have yet to see anyone post anything about it on FB. Something like this would reach reliable media sources, no?

    • If you're on the support site, you're already more savvy than the typical phone caller.

      • spookie · 1574 days ago

        Anyone who can't even find the support site for their hardware/software really shouldn't be using a computer. Asking me ro run AV on my Mac to prevent someone's BlackBerry from spreading a Windows exploit is silly, and enables incompetent users. It's my job to protect my personal systems and the systems I support professionally. It is NOT my job to "help [those] poor fools who think Windows 7 is cool."

    • JonnyB · 1596 days ago

      Am I misreading, or did you allude to FB being a 'reliable media source'??

  8. Bruce · 1598 days ago

    "Those who do not learn from history are bound to repeat it."
    Think Word 95 and Concept, et al, in late 1995 or early 96. I was at an NCSA antivirus conference in Washington DC and Microsoft VPs came out talking about their support for security. It was revealed during their little bit that a memo had been issued that morning from Redmond telling 1st line support people that they were to hang up on anyone looking for support for removing Concept of if they identified themselves as working for an antivirus firm.

    • jonny · 1097 days ago

      Sounds awfully like the OS manufacturers believe they have a vested interest in ensuring the exploitability and vulnerability of their products.

      If this is true (and I don't see how anyone sane could argue a contrarian position), the next logical step is to assume the existence of the exploits is by design.

  9. Greemble · 1598 days ago

    "Linux, Windows, OS X, or Android"

    Just to be a pedant - Android is a Linux distro

    • Chester Wisniewski · 1598 days ago

      Yes, Linux, but not exactly GNU/Linux :) Point taken, but malware for Android typically has to be designed to exploit specific features of Android as an OS, not generically Linux. Similar to BSD being part of OS X, but still not equal.

      • spookie · 1574 days ago

        No, Android is not "exactly GNU/Linux" But if GNU/Linux is meant, one should SAY (or write) GNU/Linux. Android IS a Linux distro. And OSX is a BSD as well. What you mean by it not being "equal" to BSD is beyond me. GNU/Linuxes are on GNU licenses like the GPL, which are copyleft. They require that derivative works also be open source and code be contributed back to the community. Android is NOT on a copyleft license, and neither is OSX. Android is mostly on an Apache license, and that is also the preferred license for Android apps. Apache does NOT require that derivative works be open or that code be contributed. OSX is on a closed commercial license, which is allowed for derivative works by the BSD license, which, like Apache, does not require derivative works to either be open or contribute code back to the community. That different licensing structures have been used does not make Android not really a Linux nor OSX not really a UNIX.

        I use OSX Leopard, OSX Snow Leopard, Ubuntu Linux, Puppy Linux, #! Linux, Windows XP (SP3) and Windows7 on my personal laptops, and iOS and Android (Froyo, Gingerbread and Honeycomb) on my tablets/handhelds/mobile phones, so I have some experience with various operating systems despite my professional life being primarily supporting Windows systems. I don't think cyber-criminals care WHICH vulnerabilities they exploit, so long as it achieves their purposes. Android exploits don't "[have] to be designed to exploit specific features of Android as an OS, " but can be designed to exploit ANY feature of Android--those unique to it or those it shares with other Linuxes, GNU or otherwise. By their nature, UNIXs and UNIX-like OSs (like Linuxes) are a bit more difficult to exploit than Windows systems, because of better permissions structures and the lack of easily-exploitable components like ActiveX. I use resident AV on the WIndows systems I support, and use no resident AV on my personal systems, including Windows systems. In more than 20 years of computing I have never had a virus, on any OS, and never had any other malware but for tracking cookies, which are annoying but usually not harmful.

        Greemble is 100% correct. Android is a Linux, and naming it along with Windows, OSX and LInux, but NOT mentioning the other dominant tablet/handheld/mobile OS, iOS, implies that Android is in some way NOT a Linux but iOS IS part of OSX, which it is not. Mentioning OSX outside of UNIX (and BSD is a UNIX) is also not technically correct, but UNIX was not mentioned, nor was BSD.

  10. Chris · 1598 days ago

    ...They won't show how to force quit? What? Why not? That's an absolute basic skill that should be learned immediately. What in the world is their logic for that?

    • Jon W · 1597 days ago

      Can you really not imagine why this advice would be given to call-center support folks in the face of an emergent threat?

      a) the measures would only be known to / thought of by some percentage of call center folks, until the "official" resolution path is defined

      b) the measures were not (at the time of writing) known to address the entire threat - potentially leading to people thinking they were done fixing when in fact they were still compromised.

      c) the security design makes it possible for Apple to push a definitive and complete fix within a relatively short period of time, and in the meantime, the fact of a support call indicates that the user knows something is wrong, so the risk of additional compromise is low

    • spookie · 1574 days ago

      Apple support absolutely WILL tell you how to force quit an application, and they have such instructions on their support site as well as including that in their "switching" tutorials. The directive was in re: Mac Defender and it's variants ONLY. Their reasons for wanting to have an official support directive for this before giving customers this information certainly has precedent in the industry.

      • jonny · 1097 days ago

        Murder has always had precedent in life (at least, we must assume it always did otherwise the purpose of the story of Cain & Abel takes on an wholly nightmarish hue). My point being, what does "precedent" or "history" have to do with explanations of Reason or Motive or Logic....or Sanity?

        I'm yet to hear a sane or logical reason disclosed for lying to customers about how to limit their exposure to the malware which took advantage of an existing exploit in the Operating System.

        I'm yet to hear a sane or logical reason for why the story of Cain & Abel is read to children, either. I suspect the analogy is far better than one might imagine, at first blush.

  11. Pete Cooper · 1598 days ago

    Fix/patch coming soon:

  12. Amy · 1598 days ago

    I thought this was something that mac users downloaded and paid for. I can't believe that 60,000 users paid $100.00 for this scam.

    Anyway, Apple has specific instructions concerning this and how to remove it.

    • spookie · 1574 days ago

      I can't believe people get scammed in the Nigerian Banking scams either, but people are mostly stupid. Almost every computer I am asked to "fix" suffers from a PEBKAC or ID107 error.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at