Mother’s Day search terms lead to Mac rogue security software

Mac fake anti-virus JS

Watch out folks! Our researchers at SophosLabs Canada alerted me this afternoon to the world’s first JavaScript fake scanner trying to convince Mac users that their computers are infected by a virus.

This step is extra important on OS X as users will have to install the malware and enter in their administrative credentials for the privilege of infecting themselves.

Even worse, the attackers are poisoning search terms and images related to Mother’s Day. Simply searching Google for seemingly innocent content to honor your mum could end up with a malware infection.

Fortunately you don’t have to infect your own Mac to find out what the experience is like. We made this video so you can see it in action from the safety of whatever device you prefer to surf the internet from. Watch and enjoy:


When Mac users happen upon a poisoned search result, it will pop up a fake anti-virus scanner written in JavaScript that looks just like the OS X Finder application.

OS X fake anti-virus JavaScript popup

Windows users aren’t left out… They get their own fake popup, which we have seen all too often.

Windows fake anti-virus JavaScript popup

Earlier this week I wrote that we were seeing Mac fake anti-virus software spreading in the wild in greater numbers than before. I also noted that the fake scanner used as a part of the social engineering to trick you into installing it looks like Windows XP.

I hope they weren’t listening.

The criminals behind these attacks seem to be using Google’s search auto-complete technology to determine the most popular search terms to poison.

Google search for Mother's Day poems for kids

You can see Google automatic suggestions in the screenshot at right. We chose “Mothers day poems for kids” from the list and sure enough, some of the results lead to infections.

Sophos Anti-Virus for Mac Home Edition is free, so why not protect your Mac?

Mac users hit with fake anti-virus when using Google image search

A massive SEO poisoning attack has hit Google, targeting Windows and Mac users alike. From rather innocuous terms related to global warming, to hot topics like Osama bin Laden’s death, users are being hit with fake anti-virus programs, this time delivering payloads to users of Apple’s Mac OS X.

JavaScript Fake AV scanner

Strangely, when surfing to the compromised URLs you are first prompted with a JavaScript-based fake scanner that appears to show an infected Windows XP computer, even when surfing from a Mac.

When you click or close the fake scanner page you are prompted to download a .zip file onto your Mac with a filename like “BestMacAntivirus2011.mpkg.zip”.

Some of the downloads are a package installer that installs the fake software; others simply contain a ready-to-run Mac application.

Fake AV for Mac installer/download
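For defenders triaging such a download, the following added example (not code from the original article or from Sophos) lists a zip archive's entries without extracting it and reports whether it carries an installer package or a ready-to-run application bundle. The function names, the inner bundle names and the archive layouts are constructed for illustration; only the outer file name pattern comes from the article.

```python
import io
import zipfile

# Bundle suffixes OS X treats as installer packages or applications.
INSTALLER_SUFFIXES = (".mpkg", ".pkg")
APP_SUFFIX = ".app"


def classify_download(zip_bytes):
    """Return sorted (kind, bundle path) pairs found in a zip, read in memory."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("__MACOSX/"):  # resource-fork metadata folder
                continue
            parts = [p for p in name.split("/") if p]
            for depth, part in enumerate(parts):
                lower = part.lower()
                bundle = "/".join(parts[: depth + 1])
                if lower.endswith(INSTALLER_SUFFIXES):
                    findings.add(("installer", bundle))
                    break
                if lower.endswith(APP_SUFFIX):
                    # Count only bundles that actually hold an executable.
                    rest = parts[depth + 1:]
                    if rest[:2] == ["Contents", "MacOS"] and len(rest) > 2:
                        findings.add(("application", bundle))
                    break
    return sorted(findings)


def _make_zip(names):
    """Build a constructed in-memory zip with empty files at the given paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


# Constructed samples (assumed layouts, not the real payloads).
SAMPLE_INSTALLER = _make_zip(["BestMacAntivirus2011.mpkg/Contents/Info.plist",
                              "BestMacAntivirus2011.mpkg/Contents/Packages/a.pkg"])
SAMPLE_APP = _make_zip(["Example.app/Contents/Info.plist",
                        "Example.app/Contents/MacOS/Example"])
SAMPLE_BENIGN = _make_zip(["poems/mothers-day.txt"])

if __name__ == "__main__":
    for sample in (SAMPLE_INSTALLER, SAMPLE_APP, SAMPLE_BENIGN):
        print(classify_download(sample))
```

A download that arrives from a search result and classifies as either kind deserves a closer look before anyone opens it.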

In a social engineering trick similar to those we have seen in Windows fake scanners, it pretends to be a legitimate Mac anti-virus program called MacDefender.

The scanner doesn’t actually touch the hard disk while “scanning”, although on a Mac it can be hard to know without a hard disk light.

It pretends to find some very important things that may have been compromised, such as the Terminal application and the standard Unix utility test, also known to Unix shell programmers as [.

Mac fake scan results

Credit card at risk warning

It uses a lot of social engineering including redirecting your browser to rather offensive porn sites, although it does not appear they are doing this to make money, simply to imply that you are infected.

It also uses scare tactics like your credit card data being at risk. The reality is that your credit card is only at risk if you actually try to purchase the fake software.

Buy fake Mac AV

Sophos customers using the Sophos Web Security Appliance and Sophos Live protection are protected against these threats.

Mac users with Sophos Anti-Virus for Mac are protected by the identities OSX/FakeAVZp-B and OSX/FakeAV-DMP. Windows users are protected against the Windows version known as Mal/FakeAV-FS.

Are you a Mac user? Why not download our free anti-virus for Mac OS X?