by Luis Chapetti & Dave Michmerhuizen – Security Researchers
When these pages pop up on Macintosh computers, it’s immediately obvious that something isn’t right.
Last quarter, Apple set a new record (3.47 million sold in the quarter) with a growth rate of 33% over the prior year’s quarter. Apple has about 10% of the computer market in the United States, and that doesn’t even include iPads.
Drive-by download sites now serve up this page if they detect access from a MacOS computer while Windows users still see a Windows style page. The example above is called “Apple Security Center” but similar templates have been seen named MacDefender.
The initial infection vector is poisoned entries in Google search results. We’ve talked extensively about poisoned search results and this represents another example of where otherwise normal Web sites are compromised and made to serve up bogus pages that are well ranked by Google. When one of these links is clicked, the compromised Web site detects a visit from Google search results and sends the visitor to a server that presents the fake antivirus. The recent change in Google content ranking has not stymied these attacks – the malicious link we tested was on page 1 of our search results:
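The redirect chain described above (a compromised site that answers normally to direct visitors but bounces search-referred visitors to a fake-antivirus host) leaves a recognisable pattern in web proxy logs. The following Python script is an added example, not code from Barracuda Labs or from this post; it runs over constructed proxy records in a simple JSON-lines format (one object per request, with the Referer, User-Agent and any Location header the proxy saw) and flags two indicators: search-referred redirects to a different host, and pages that serve a 200 to direct visitors while redirecting search-referred ones. The host names, log format and search-engine list are all assumptions made for the example.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample records (not real log data). One compromised page on
# blog.example.test redirects search-referred Mac and Windows visitors to a
# fake-AV host; the other records are ordinary traffic included for contrast.
SAMPLE_LOG = """
{"ts":"2011-05-02T10:00:01Z","client":"10.0.0.5","host":"blog.example.test","path":"/recipes/banana-bread","status":200,"referer":"","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24","location":""}
{"ts":"2011-05-02T10:00:09Z","client":"10.0.0.7","host":"blog.example.test","path":"/recipes/banana-bread","status":302,"referer":"http://www.google.com/search?q=banana+bread","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24","location":"http://fakeav-landing.test/scan.php?id=2"}
{"ts":"2011-05-02T10:00:10Z","client":"10.0.0.7","host":"fakeav-landing.test","path":"/scan.php","status":200,"referer":"http://blog.example.test/recipes/banana-bread","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24","location":""}
{"ts":"2011-05-02T10:01:12Z","client":"10.0.0.9","host":"blog.example.test","path":"/recipes/banana-bread","status":302,"referer":"http://www.bing.com/search?q=banana+bread","user_agent":"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24","location":"http://fakeav-landing.test/scan.php?id=3"}
{"ts":"2011-05-02T10:02:00Z","client":"10.0.0.11","host":"shop.example.test","path":"/cart","status":302,"referer":"http://shop.example.test/items/42","user_agent":"Mozilla/5.0 (Windows NT 6.1)","location":"https://shop.example.test/login"}
{"ts":"2011-05-02T10:03:00Z","client":"10.0.0.13","host":"news.example.test","path":"/story/1","status":302,"referer":"http://www.google.com/search?q=story","user_agent":"Mozilla/5.0 (Windows NT 6.1)","location":"http://news.example.test/story/1/"}
"""

# Assumed list of search-engine domains whose referrals the attack keys on.
SEARCH_ENGINE_DOMAINS = ("google.com", "bing.com", "yahoo.com")


def parse_log(text):
    """Parse JSON-lines proxy records into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _host(url):
    """Host part of a URL, or '' for an empty or malformed value."""
    return urlparse(url).hostname or ""


def is_search_referred(rec):
    """True if the request's Referer points at one of the search engines above."""
    h = _host(rec["referer"])
    return any(h == d or h.endswith("." + d) for d in SEARCH_ENGINE_DOMAINS)


def platform_of(user_agent):
    """Rough OS classification from the User-Agent string."""
    if "Macintosh" in user_agent:
        return "mac"
    if "Windows" in user_agent:
        return "windows"
    return "other"


def offsite_search_redirects(records):
    """Count (page, target host) pairs where a search-referred visit was
    redirected to a host other than the one that was requested."""
    hits = Counter()
    for r in records:
        if 300 <= r["status"] < 400 and is_search_referred(r):
            target = _host(r["location"])
            if target and target != r["host"]:
                hits[(r["host"] + r["path"], target)] += 1
    return dict(hits)


def cloaked_pages(records):
    """Pages that answer 200 to direct visitors but redirect search-referred ones:
    the behaviour of a compromised site that cloaks its injected redirect."""
    by_page = defaultdict(lambda: {"direct_ok": 0, "search_redirect": 0})
    for r in records:
        key = r["host"] + r["path"]
        if is_search_referred(r):
            if 300 <= r["status"] < 400:
                by_page[key]["search_redirect"] += 1
        elif r["status"] == 200:
            by_page[key]["direct_ok"] += 1
    return sorted(k for k, c in by_page.items() if c["direct_ok"] and c["search_redirect"])


def victims_by_platform(records, target_host):
    """Break down search-referred redirects to target_host by visitor OS, to see
    whether Mac users are being sent there alongside Windows users."""
    counts = Counter()
    for r in records:
        if (300 <= r["status"] < 400 and is_search_referred(r)
                and _host(r["location"]) == target_host):
            counts[platform_of(r["user_agent"])] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (page, target), n in offsite_search_redirects(recs).items():
        print(f"search-referred redirect: {page} -> {target} ({n}x)")
    for page in cloaked_pages(recs):
        print(f"cloaked page (200 direct / 3xx from search): {page}")
    print("victims by platform:", victims_by_platform(recs, "fakeav-landing.test"))
```

The two indicators are deliberately separate: the off-site redirect finds the fake-AV host to block, while the cloaking check finds the compromised legitimate site, which is the one its owner needs to be told about. A redirect that stays on the same host (the news.example.test trailing-slash case) or that is not search-referred (the shop cart) is ignored by both.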
Past Search Engine Optimization campaigns targeted very popular search terms such as celebrity sightings or breaking news events. The poisoned links mentioned in this post are more likely to show up in the results for more mundane search terms so as to attract less attention, but they’re still getting plenty of traffic.
This is turning out to be a big problem for Apple. It has been conventional wisdom for years that one of the simplest Internet security solutions is to “just buy a Mac” and stop worrying. Now that the most common drive-by attack vectors are serving up Mac-targeted malware, unwary Mac users are being exposed to the harsh world that Windows users have dealt with for years, and are going to have to learn the same lessons. Don’t believe everything that pops up on your screen, and don’t run any software unless you know where it came from and what it will do.
Barracuda Networks’ Barracuda Web Filters and the Barracuda Web Security Flex stop the download of this threat.