Mac Scareware – UPDATED
I hate to even mention the two words together – Mac scareware. Something about it makes me feel dirty. Inevitably, it was going to happen. Here’s how to spot the bogus “application” and not get sucked into the scam.
First things first, this didn’t pop up while visiting some seedy site. My wife was on Travelocity looking at hotel rooms for an upcoming trip. I wasn’t looking over her shoulder to see what she clicked on, but that’s beside the point. A site like Travelocity should not be serving up links to anything like this. It just goes to show that you have to be on your toes any time you’re on the Internet.
Warning Signs
Let’s start looking at the components of this screenshot and why it should be throwing red flags in your head (besides the fact that I told you it should). Take a look at the top menu bar across the screen. In the upper left hand corner, notice we’re still in Firefox, not MacDefender or whatever this “app” is supposed to look like. There is no anti-virus app or program out there that will launch itself inside of your web browser. Fortunately, on a Mac, you can see which application has your focus by checking the upper left hand corner of the screen to tip you off to things like this. Also notice that the top of the Firefox window still says Mozilla Firefox instead of a title given to this web page. If the crook behind this site had changed the title, it would be reflected here and not show Mozilla Firefox. The address bar and the other navigation and search options are still there too, which should tip you off that something’s up.
In our version of this scareware, the file didn’t download automatically. I’m not sure if that’s Firefox helping us out or if the page is designed to wait until you click on something on the page. The download window popped up when I tried to move the “Apple security alert” window for better positioning of things for this screenshot. At this point, I hit cancel since I didn’t try to download anything. This should be another red flag to you. If you don’t request a file to be downloaded from a web site, definitely don’t give the file permission to download. More importantly than that, if an installer launches without you attempting to install anything, quit the installer. Be smart about what you’re giving permission to on your Mac.
Another item to look at is the left-hand column of the main window. It looks very similar to the items you would see in a Finder window. But even here there are a few items that should look odd to you. Under the Places header, notice the wording next to the Home folder (to the right of the little house icon). It says computer, instead of your account’s short name (unless you gave yourself the name “computer”). If your full account name was John Doe, your short name would default to johndoe, and while you could change this to something else (say, computer in this instance), most people aren’t that odd. Interesting to note, they do show Dropbox in the sidebar. If you’re not using Dropbox, it wouldn’t be in your sidebar. The same could be said for the work folder shown above the Dropbox folder. That folder would have had to have been placed there manually by you.
The most telling sign that this is a scam is located in the bottom gray section of the web page. Notice in bright, glowing red it says it found eleven viruses. That is physically impossible on a Mac running the OS X operating system. Since OS X was initially released in March of 2001, there has not been one virus for the Mac OS X operating system. Not one. In 10+ years. Let that sink in for a bit. For a Mac to be infected with eleven viruses is an impossibility that I can’t even begin to explain the odds of. There’s a reason why people say there are no Mac viruses – because there aren’t. And this isn’t a virus, either. A virus, by definition, has the ability to infect a computer, then replicate itself and infect other computers through a common flaw in a piece of software. What we’re seeing here is a malicious web site trying to pass off a scam.
So it’s a scam, now what?
The easiest thing to do is quit your Internet browser and try to avoid wherever you just were. If you were on a valid site (like we were with Travelocity) you may want to report the issue to that site’s webmaster or customer service department. When explaining what happened, try to be as thorough as possible as it will help them in tracking down what went wrong and where. Reporting the issue may not help you directly, but you’ll be helping the next visitor and every one after that.
What if I’m infected?
Now, I can’t speak for what happens if you do download and install the application. I wasn’t about to do that to myself. I’ve heard from reports that the application will ask for your credit card to “purchase” the full version of the security software, run a “clean up,” then tell you everything is fine on your Mac. You now have bigger things to worry about since you just gave your credit card number away to somebody on the Internet.
Security firms are reporting this to be a rather innocuous application that just wants your credit card number. Removal is rather easy.
1. Restart your Mac in Safe Mode (http://support.apple.com/kb/HT1455).
2. Browse to your Applications folder. Find MacDefender.app (the name may change, so if you don’t find an application named that, have a look at the rest of your apps and find the security app) and throw it in the Trash.
3. Head to your Downloads folder (or whatever folder you may have designated as the location for Internet downloads) and trash the installer as well.
4. Empty the trash so you don’t tempt yourself to reinstall the app.
5. Reboot your Mac and let it start up normally.
6. Launch Safari (or your Internet browser of choice, but these instructions will be for Safari).
7. In the menu bar at the top of the screen, click on the word Safari and choose “Reset Safari…” from the list.
8. Select all items available in the window and click “Reset”.
9. Smack yourself.
OK, step 9 isn’t really necessary, but you may feel like wanting to after falling for this scam.
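If you would rather check from Terminal before digging through folders, here is a report-only sketch of the lookups in steps 2 and 3. It is an added example, not part of the original post or anything from Apple; the function names, the installer file extensions and the idea that the installer's file name contains the app name are assumptions.

```shell
#!/bin/sh
# Report-only helper for steps 2 and 3: it lists candidates and never moves
# or deletes anything. Names are matched case-insensitively as substrings,
# because the application name may change between versions of the scam.

# find_suspects DIR NAME...
# Prints every .app bundle or installer-type file directly inside DIR whose
# file name contains one of the NAMEs.
# Assumption: the installer arrives as a .pkg, .mpkg, .dmg or .zip file.
find_suspects() {
    dir=$1
    shift
    [ -d "$dir" ] || return 0          # a missing folder simply yields nothing
    for name in "$@"; do
        find "$dir" -maxdepth 1 \( \
               -iname "*${name}*.app"  -o -iname "*${name}*.pkg" \
            -o -iname "*${name}*.mpkg" -o -iname "*${name}*.dmg" \
            -o -iname "*${name}*.zip" \) -print
    done | sort -u                      # one line per hit, even if two names match
}

# scan_mac HOME_DIR NAME...
# Checks the system Applications folder and HOME_DIR/Downloads.
# If your browser saves downloads elsewhere, call find_suspects on that folder.
scan_mac() {
    home=$1
    shift
    find_suspects /Applications "$@"
    find_suspects "$home/Downloads" "$@"
}

# Default run: look for the one name mentioned in this post, plus any extra
# names given on the command line.
scan_mac "$HOME" MacDefender "$@"
```

Anything it prints is a candidate for the Trash in steps 2 and 3; an empty result only means nothing matched the names you gave it.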
Now that you’ve seen what this version of this scareware looks like (and it’s bound to change to try to throw people off), you should have a better idea as to how to handle this situation. As always, if you have further questions or concerns, please contact me.
– Update –
Apple has addressed the issue and is planning to release a software update in the near future that will detect and automatically remove the application. Apple has also published their official information and removal page, http://support.apple.com/kb/ht4650.

Thank you Steve. Duly noted
Howdy! I just wish to give an enormous thumbs up for the nice info you could have here on this post. I will probably be coming again to your blog for more soon.
I’m developing a website site and I was thinking of changing the template. Yours looks pretty nice! You could visit my web site and tell me your viewpoint!