Tech support scammers put Mac owners in crosshairs

Technical support scammers have begun targeting Mac owners, a security researcher said today, adding them to much larger pool of potential victims running Windows because Apple’s operating system has been relatively untouched by malware.

“These scams aren’t being done with cold calls, but by aggressive malvertising,” said Jerome Segura, a senior security researcher with San Jose, Calif.-based Malwarebytes. In some cases, Segura said, legitimate online ad networks are being abused by criminals.

[ ALSO ON CSO: The worst of the worst phishing scams ]

Mac owners who browse to what Segura called “lower-quality websites” may encounter attack code or scripts that hijack the browser to display scary, but bogus, warnings that their machine is at risk, then offer a telephone number to call for technical assistance.

Windows users have had to deal with technical support scams for years, with the most pernicious stemming from cold calls, often from massive call centers in India. During those unsolicited calls, the caller claims to be from Microsoft, and contends that the company has detected malware on the Windows PC or other problems.

The callers are not from Microsoft and the problems exist only in the minds of the scammers. But they bilk billions from U.S. residents annually by spooking consumers into paying for worthless software or support plans.

With the relatively small number of Macs in use compared to Windows-powered PCs — Web metrics company Net Applications pegged the former’s global user share at 7.7% for September, the latter at 90.5% — it’s no surprise that the scammers don’t cold call, pretend to be from Apple, or ask if the person on the line has a Mac. The odds would be against the crooks.

Instead, as Segura noted, the scams are perpetrated online, and rely on sufficiently scaring Mac owners to pick up the phone and dial.

Malwarebytes has seen campaigns where the malicious or compromised websites sniff the browser user agent, then push the victim toward different payloads depending on the result. If the browser is one that runs on Windows, the criminals serve up a multi-exploit toolkit; if it’s Safari, which runs only on OS X, they steer the victim to the tech support con.

Segura speculated that without an exploit ecosystem on OS X to rival that on Windows, hackers are simply doing their best to worm their way onto Macs or monetize Mac-owning victims.

The campaign that Malwarebytes analyzed was the first, said Segura, to surface with this level of sophistication. “Very professional,” said Segura, pointing to the fake website the scammer directs marks to.

That site, which uses a URL almost identical to the one Apple offers for legitimate technical support-to-end user screen sharing, resembles the real deal, and provides links to the remote access tools the scammer will use to infiltrate the Mac. The idea, of course, is to fool the user into believing that they’re dealing with Apple’s official technicians.

“The domain name is almost the same as the official [screen sharing] one from Apple,” Segura said.

“These are definitely a threat to Mac users,” Segura added. “Mac users just aren’t as aware of the threat out there [from support scams] as are Windows users.”

As of mid-day Thursday, the scammers’ website remained up, even though Malwarebytes said it had reached out to both the domain’s registrar, GoDaddy, and its hosting provider (Liquid Web), to point out the malicious intent.