Page provides phone number victims can call for “help”

Jan 15, 2015 10:02 GMT

Tech support scammers have started to take aim at Mac users, and in one of the latest attempts observed by security researchers, they leverage the “Mac Defender” malware scare to trick users into calling a fake help desk center.

Well-known in the Apple community, Mac Defender is a fake antivirus program that infects the system with malware designed to steal sensitive information such as card data. It was first detected in 2011 and it can be encountered under different names (Mac Protector, Mac Security).

Console logs used to point to alleged infection

Mac Defender was delivered to unsuspecting users through web pages claiming that the computer was infected and could be cleaned by installing the fake security product.

In the recent tech support scam discovered by Jerome Segura of antivirus company Malwarebytes, the crooks created a web page falsely alerting Mac owners that traces of Mac Defender have been detected on their computer.

A phone number is provided for the alleged victims to call and learn the steps needed for making the machine safe again. Obviously, crooks, who are generally based overseas, wait at the other end for the phone to ring.

It is unclear how exactly they try to swindle the potential victim into handing over money, but most of the time, they ask for remote desktop control permission and pull up the logs in the Console, telling users that some of the reports suggest malware infection.

If the victim falls for the social engineering trick and wants the alleged problems gone, they have to pay for the repairs.

Sometimes details unmasking the fraud slip through

The same method is used against Windows users, where Event Viewer is one of the system components chosen by the crooks to fool their victims into believing their machine is infected.

The pages promoting the scam are distributed via advertising campaigns on different websites and forums.

Most often, the campaigns set no parameters for selecting the users the pages are displayed to based on the operating system used for browsing. As such, the pages are shown even to users of other platforms, revealing their true nature.

In the most fortunate cases, though, the crooks may do a shabby job and mix things up, presenting details that fit other operating systems.

For instance, in an attempt to target Android users, they recycled content from a Windows tech support scam and presented Internet Explorer as one of the symptoms indicating that the device was not working properly.