Tag Archives: OS X

KeRanger OS X ransomware campaign

[Updated 7th March 2016:

According to a ComputerWorld story (and confirmed elsewhere), Apple has revoked the certificate used to sign the compromised version of the BitTorrent client Transmission and has updated XProtect.]

Palo Alto reported on March 6th that New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer: they believe this to be ‘the first fully functional ransomware seen on the OS X platform.’ At any rate, it looks like a capable piece of malware. According to fortune.com, Palo Alto plans ‘to release a blog advising Mac users on ways to check to see if they were infected with the virus and steps they can take to protect against it harming their data’.

Info also added to the Mac Virus blog and the AVIEN ransomware resource page. More info as the story develops, if time allows.


Pop-up Support Scams and iOS

[My colleague Josep Albors, knowing of my interest in support scams, recently contacted me about the spate of support scam alert messages reported by some users of iOS devices, the idea being to persuade the victim to ring a scammer ‘helpline’ by making them believe that they’re talking to a legitimate helpdesk about a real problem. Here’s a summary of the Spanish-language blog he wrote following our conversation. This article will be added shortly to the tech support scam information resources on this blog.]

Telephone scams that masquerade as support services have been with us for years. In fact, our colleague at ESET, David Harley, is an expert on the subject and has written about it at length on the WeLiveSecurity blog.

Over the years, criminals have honed their techniques, trying to increase the number of victims drawn into this deception. Today we will discuss one of the most recent cases of support scams, mainly targeting users of iPhone and iPad devices.

ALERT

This time the criminals have changed their approach and are no longer cold-calling their victims passing themselves off as support service staff trying to help victims solve non-existent problems on their computers (at a price, of course). In this instance, they are looking for users to call them after seeing some troubling ‘alerts’ on their devices intended to make them think that something is wrong with their system.

In the last week or two several users (mainly in the US and UK) have reported seeing an alert window in the Safari browser on their iPhones and iPads. Our colleague David Harley addressed this specific issue in his blog about threats to Mac and iOS.

Victims see a screen popup that indicates that the system has crashed because of a third party application and advises them to call a phone number for an immediate solution.

The peculiarity of this popup is that, however many times you press the OK button, the message keeps reappearing in the browser, even if you close the browser and open it again.

Fortunately, it’s possible to restart the browser and close the offending tab before it finishes loading (or take the more drastic step of clearing all browser history) so as to remove this annoying message. The scammers’ aim is to make victims believe that there really is a problem so that they will make the phone call, at which point the scammers will ask for money to fix the non-existent problem.

Here’s the format of a typical message of this type:

[URL of scam site]
Due to a 3rd party application in your phone,
iOS is crashed Contact Support
for Immediate Fix.
[US toll-free number]
[OK]

Other variants claim that clicking OK will send a bug report to Apple and state explicitly that the ‘support line’ number is Apple’s.

DETECTION OF THIS THREAT

It is easy to fall into such traps when the default browser (Safari in this case) does not recognise this kind of deception and does not block malicious sites as some other browsers do.

If you try to access a malicious web site with Chrome or Firefox from a desktop computer, you will see a warning that you have been targeted by a phishing attack and access to the malicious web page will be blocked.

Some security solutions will also detect this website as a potential phishing threat if you access it from your browser on a desktop system, or indeed on an Android device.
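As an added example (not code from ESET, Josep Albors or David Harley), here is a small Python heuristic that scores dialog text against the pop-up template quoted above: a crash or infection claim, an instruction to contact ‘support’, urgency wording, a US toll-free number and, in some variants, a claim to be Apple. The sample strings are constructed for the example and the phone numbers are placeholders.

```python
import re

# Constructed samples modelled on the message format quoted in the post.
# The phone numbers are placeholders, not real scam numbers.
SCAM_POPUP = (
    "Due to a 3rd party application in your phone,\n"
    "iOS is crashed Contact Support\n"
    "for Immediate Fix.\n"
    "1-800-555-0199\n"
)
APPLE_VARIANT = (
    "Click OK to send a bug report to Apple.\n"
    "Call Apple Support now at 1-888-555-0142."
)
BENIGN_POPUP = "Your session will expire in 5 minutes. Click OK to stay signed in."

# Each check is one signal; the more of them a popup hits, the more it looks
# like the support-scam template rather than an ordinary site dialog.
CHECKS = [
    ("crash or infection claim",
     re.compile(r"\b(is crashed|has crashed|may be infected|infected|virus|malware)\b", re.I)),
    ("tells the user to contact 'support'",
     re.compile(r"\b(contact|call)\b.{0,40}\b(support|helpline|technician|apple)\b", re.I | re.S)),
    ("urgency wording",
     re.compile(r"\b(immediate(ly)?|urgent(ly)?|right now|now)\b", re.I)),
    ("US toll-free number",
     re.compile(r"\b1?[-. ]?\(?8(00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("claims to be Apple",
     re.compile(r"\bapple\b", re.I)),
]

def scam_score(text):
    """Return (score, reasons): one point per signal that matches the text."""
    reasons = [name for name, pattern in CHECKS if pattern.search(text)]
    return len(reasons), reasons

def looks_like_support_scam(text, threshold=3):
    """True when enough signals co-occur; any single one is common in benign dialogs."""
    return scam_score(text)[0] >= threshold

if __name__ == "__main__":
    for sample in (SCAM_POPUP, APPLE_VARIANT, BENIGN_POPUP):
        print(looks_like_support_scam(sample), scam_score(sample)[1])
```

The threshold is deliberately above one because a genuine site dialog may legitimately mention ‘support’ or a phone number; it is the combination of signals that marks the scam template.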

CONCLUSIONS

David Harley comments:

There are a couple of interesting aspects of this variation on the support scam: one is that it’s a further indication of a trend away from cold-calling and towards luring potential victims into calling the scammer. In the past it’s also been done by seeding social media sites with testimonials, or fake support sites using scraped content and dubious generic advice, as Martijn Grooten and I discussed in a blog some years ago.

There have also been many reports recently of tech support services advertised in the US where calling gets you into a conversation with someone using very similar, misleading sales techniques as those we associate with the classic cold callers from Indian call centres: see, for instance, http://www.welivesecurity.com/2015/06/03/confessions-support-scammer/. Tellingly, one of the ‘confessions’ I quoted there made the point that:

Basically we had “marketers” who would put pop ups on people computers saying that they may be infected with a virus and giving them a number to call.

The advantage of seeding the internet with fake pop-ups is that the technique has the potential to work across almost any platform, depending on how secure the browser technology is. (For instance, similar attacks have been reported on OS X/Safari very recently.)

The third interesting point – though it actually follows on from the second – is that when people call you to describe their problems, you don’t have to invent over-used gambits like the Windows-specific CLSID and Event Viewer tricks to convince them that they have a problem. So again, it’s platform non-specific.

It seems clear that criminals continue to incorporate new techniques to ensnare new victims. As far as telephone scams specific to fake support are concerned, the claims we see are more-or-less complete fiction, but we will watch with interest to see what further innovations they come up with.

Josep Albors

New Mac Malware Resource

Well, actually, it’s an old one. It’s at the Mac Virus site I kicked back into life a few months ago, primarily as a blog site.

However, I’ve been under some pressure to restore some of the features of the old Mac Virus site. While I’ll be restoring some (more) of the pre-OSX stuff for its historical interest, I don’t see that as a big priority right now. But as I’ve been talking quite a lot about Mac threats in the past month or two (see http://macviruscom.wordpress.com/2010/05/13/apple-security-snapshots-from-1997-and-2010/ for example), there’s been curiosity about what we’ve been seeing in the way of OS X malware.

Enter (stage left, with a fanfare of trumpets) the Mac Virus “Apple Malware Descriptions” Page at http://macviruscom.wordpress.com/apple-malware-descriptions/. Right now it consists of two descriptions of Mac scareware from 2008, so it’s at a very early stage of development. (It just happens to be those two descriptions because someone asked me about them yesterday.)

Isn’t this stuff available elsewhere, I hear you ask? Of course it is. The point about these descriptions is that unlike most vendor descriptions, they point to various other sources of (reasonably dependable) information, as well as including a little personal commentary. It’s a first cut at attempting to answer the question “if there’s so much Mac malware around, where is it?”

More later…

David Harley CITP FBCS CISSP
AVIEN Chief Operations Officer
Mac Virus Administrator
ESET Research Fellow and Director of Malware Intelligence

Also blogging at:
http://www.eset.com/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com
http://amtso.wordpress.com/

Mac Whacks Back

It sometimes seems like I’ve spent the last twenty years trying to persuade Mac users that using a system named after a fruit doesn’t mean that there are no snakes in Eden or that angels will protect you from all harm.

Not, perhaps, completely in vain, but apparently many of the old Mac evangelist mindsets continue to prevail, irrespective of the true nature of the threatscape. (Macs don’t get viruses, Trojans don’t matter, there are no Mac vulnerabilities and if there were they’d be fixed immediately, social engineering is irrelevant, Microsoft Bad/Apple Good, blah….) There is a polite but nonetheless naive article that more than hints at this mindset here:

http://www.makemineamac.info/2009/10/dont-bug-me-why-macs-are-still-virus.html

Thanks, however, to Kurt Wismer for reassuring me that Mac security is not just my own personal crusade:

http://anti-virus-rants.blogspot.com/2009/12/why-mac-fanatics-still-believe-theyre.html

I have a feeling I’m not done with this issue. And just to be clear: for most of those 20 years I was working for customers, not for vendors…

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

NOD32 beta test versions

As we all know, there is no Mac or Linux malware, there never has been, and there never could be. If there were, no Mac or Linux user would fall for it, and if they did it would be their own fault. Microsoft-loving antivirus companies are simply looking for excuses to line their pockets.

(Guys, this is called irony!)

There you go. Now I’ve said it for you, there’s no need to clutter this page and my mailbox with fanboi comments and hatemail.

However, in case you’re gullible enough to believe that ESET, like other security companies, really believes that Mac and Linux users sometimes need anti-malware protection, we now have public beta test versions of our scanner available for OS X and for Linux desktops.

http://beta.eset.com/linux
http://beta.eset.com/macosx 

Declaration of interest: yes, I do currently work for ESET. And I am that gullible.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET
