Mother’s Day search terms lead to Mac rogue security software

Watch out folks! Our researchers at SophosLabs Canada alerted me this afternoon to the world’s first JavaScript fake scanner trying to convince Mac users that their computers are infected by a virus.

This step is extra important on OS X as users will have to install the malware and enter in their administrative credentials for the privilege of infecting themselves.

Even worse, the attackers are poisoning search terms and images related to Mother’s Day. Simply searching Google for seemingly innocent content to honor your mum could end up with a malware infection.

Fortunately you don’t have to infect your own Mac to find out what the experience is like. We made this video so you can see it in action from the safety of whatever device you prefer to surf the internet from. Watch and enjoy:

When Mac users happen upon a poisoned search result, it will pop up a fake anti-virus scanner written in JavaScript that looks just like the OS X Finder application.

OS X fake anti-virus JavaScript popup

Windows users aren’t left out… They get their own fake popup, which we have seen all too often.

Windows fake anti-virus JavaScript popup

Early this week I wrote that we were seeing Mac fake anti-virus software spreading in the wild in greater numbers than before. I also noted that the fake scanner used as a part of the social engineering to trick you into installing it looks like Windows XP.

I hope they weren’t listening.

The criminals behind these attacks seem to be using Google’s search auto-complete technology to determine the most popular search terms to poison.

You can see Google automatic suggestions in the screenshot at right. We chose “Mothers day poems for kids” from the list and sure enough, some of the results lead to infections.

Sophos Anti-Virus for Mac Home Edition is free, so why not protect your Mac?

Mac fake anti-virus attack gets dirty to ensnare victims

The latest variants of the new Mac malware we have been tracking have an interesting payload that many people may not have realised yet.

It’s well documented that the fake anti-virus attacks attempt to trick you into believing that you have security problems on your Mac, and that you need to hand over your credit card details to buy a version which will clean up your computer.

However, when we left an infected Mac running for a while unattended earlier today in our labs, we found that it would periodically open instances of the web browser and point them to various websites.

Saucy website

As you can see, the website isn’t necessarily the kind that you might want regularly popping up on your screen – especially if you don’t have an understanding wife or boss.

A quick look inside the code of the attacks, which Sophos is detecting as OSX/FakeAV-A, reveals a list of possible websites that you may find your computer visiting without your permission:

List of saucy website URLs hidden inside fake anti-virus

My guess is that the malware attackers are doing this as a further incentive for you to purchase the so-called “fix”. It’s just another clever piece of social engineering which might make you rush into handing over your credit cards, in the belief that your Mac has been compromised.

Don’t forget, the bad guys will use every dirty trick in the book to get their hands on your money.

Sophos customers should be protected, but if you have a Mac at home and want to defend yourself you can download our free anti-virus. It’s automatically updated to protect against the latest threats.

Download Sophos Anti-Virus for Mac Home Edition

Sophos to acquire Astaro – some reactions

Earlier today Sophos announced its plan to acquire Astaro, a world-leader in internet security appliances.

You can read the official announcement and FAQs for yourself, and learn more about Astaro and its products on the Astaro website.

It’s an exciting time for Sophos, but rather than me bore you to tears about it, I thought I’d share some links where you can see what other people have to say about it.

Here’s some of the coverage which has appeared since the deal was announced:

“Sophos buys security appliance firm Astaro”, John Leyden, The Register.

“Sophos moves beyond the endpoint with Astaro buy”, Alan Shimel, Ashimmy blog.

“Sophos buys into unified threat management with Astaro purchase”, Phil Muncaster, V3.

“Sophos has acquired network specialist Astaro”, The H.

“Sophos gobbles up UTM outfit Astaro”, Doug Woodburn, CRN.

“Sophos to acquire Astaro in network security push”, Andrew R Hickey, CRN.

“Sophos announces intention to acquire Astaro”, Dan Raywood, SC Magazine.

“Sophos acquires internet security appliance maker Astaro”, Robin Wauters, Techcrunch.

And some comments from the Twittersphere:

Firstly, security blogger Mike Rothman:

Mike Rothman

Here's our take on #Sophos / #Astaro. We like the deal. Sophos Wishes Upon A-star-o.

IDC analyst Eric Domage:


Sophos acquires Astaro. Birth of a little Giant. Good news for Flag lovers + "IT Security made simple " lovers like me !

and some other chaps:

Gagandeep S Sapra

#Sophos to Acquire #Astaro a great product in the making …. 🙂

Steve Werby

@ I wonder if the acquisition was less for the tools and customers and more for the "talent" (slang for @'s beard).

If you’re not familiar with Jack Daniel, you should be. He’s the community development manager at Astaro, and very active in the information security world.

Aside from co-founding and organising the Security B-Sides events, Jack also finds time to write his Uncommon Sense Security blog, contribute to the Astaro security blog, and grow a mighty fine beard.

We’re delighted to have Jack and the rest of the talented staff at Astaro joining the Sophos family.

Mac fake anti-virus attack adopts new disguise

New versions of the latest malware to hit Mac OS X users have come to light, following the discovery earlier this week of fake anti-virus attacks being spread by SEO poisoning.

Fake anti-virus (also known as scareware) is commonly encountered on Windows, of course, but until now has been rarely encountered on the Apple Mac platform.

The new variants, seen by SophosLabs, are calling themselves “Mac Security” rather than their previous disguise of pretending to be “MacDefender” (which, incidentally, is the name of a genuine security product for the Mac – adding to the confusion).

Mac Security fake anti-virus

When I ran the fake anti-virus on a test machine it claimed that a number of innocent files, including Mozilla Firefox, were infected by viruses and told me I would have to register the program in order to clean up the “infections”.

The fake anti-virus tells you that you need to pay money to get a version which cleans up malware.

It’s precisely these kinds of scare tactics which are regularly used by Windows-based fake anti-virus attacks to hoodwink innocent users into handing over their credit card details. Clearly whoever is responsible for this latest spate of attacks believes that there are rich pickings to be made from Mac users too.

Sophos detects the latest variants as OSX/FakeAV-DOE, and as we continue to encounter more waves of this attack we will enhance our detection to protect Mac users.

If you’re not a Sophos customer, but have a Mac at home, you can protect your Mac right now if you download our free anti-virus. It’s automatically updated to protect against the latest threats.


Oh, and did I mention that our free Mac anti-virus product recently won a rather prestigious award? 😉