Gang targets Apple users with 'scareware'


Charles Arthur is the author of this post, which you can read in full here: original article

Program downloads itself on to Apple users' machines and then demands payments to 'remove infections'

An organised gang appears to be behind a "scareware" program known as Mac Defender that downloads itself on to Apple users' machines and demands payment to "remove infections".

The program, which exploits default settings in Apple's Safari and other browsers to download itself, can only run if the user allows it to be installed by providing their administrator name and password – but a significant number of users, possibly in the hundreds, have been affected.

Apple support staff have been notified of the problem and were told it is "under investigation", but are being warned not to confirm whether it is malware. Ed Bott at ZDNet has been passed a copy of the advice circulated to support staff and was told the number of calls about the problem has increased substantially.

Different versions of the program, variously known as Mac Defender, MacProtector and "Mac Security", have appeared online in the past fortnight. The Guardian has discovered it has been spread through advertising networks on newspapers including the Washington Post and by "poisoned" searches in Google Images.

Joel Esler of the Sourcefire Vulnerability Research Team, who has analysed the attack, told the Guardian that when users visit a page with an infected ad or link, the download – called "mac-antivirus.zip" – is started automatically by JavaScript. Because Apple's Safari defaults to a setting of "open files after download", the program – which contains an application package wrapped in a zip archive – is first unzipped and then triggers the installer program.

Users are then presented with a dialog asking for their administrator name and password so the installation can proceed. If they do, the program installs itself in the /Applications folder, adds itself to the user's login items, and places an item at the top right of the menu bar.

The program then autoruns when the user logs in, and periodically claims to be "scanning" the computer, and throws up demands for credit card details. These continue whether or not people enter valid details.

If the user has disabled the "open files after download" setting, the installation process will not be triggered.
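As an added example (not from the article), a small Python check that a Mac administrator could run to verify the two conditions described above: Safari still opening "safe" downloads automatically, and a scareware-named bundle present in /Applications or registered as a login item. The Safari preference key `AutoOpenSafeDownloads` and the login-items plist layout are assumptions about the 2011-era Mac OS X layout and are not stated in the article.

```python
#!/usr/bin/env python3
"""Defender-side check for the Mac Defender scareware pattern (added example)."""
import os
import plistlib

# Bundle names the article reports for the scareware, matched case-insensitively.
SCAREWARE_NAMES = ("macdefender", "mac defender", "macprotector", "mac security", "macsecurity")
# Assumption: Safari stores "Open 'safe' files after downloading" under this key;
# true (or an absent key) means the risky default is in effect.
SAFARI_PREFS = os.path.expanduser("~/Library/Preferences/com.apple.Safari.plist")
AUTO_OPEN_KEY = "AutoOpenSafeDownloads"
# Assumption: pre-10.10 login items live here under SessionItems/CustomListItems.
LOGIN_ITEMS = os.path.expanduser("~/Library/Preferences/com.apple.loginitems.plist")

def is_scareware_name(name):
    n = name.lower()
    if n.endswith(".app"):
        n = n[:-4]
    return any(n.startswith(s) for s in SCAREWARE_NAMES)

def auto_open_enabled(prefs):
    # Safari's default when the key is absent is "enabled", hence the True fallback.
    return bool(prefs.get(AUTO_OPEN_KEY, True))

def suspicious_apps(app_names):
    return sorted(n for n in app_names if is_scareware_name(n))

def suspicious_login_items(login_plist):
    items = login_plist.get("SessionItems", {}).get("CustomListItems", [])
    return sorted(i.get("Name", "") for i in items if is_scareware_name(i.get("Name", "")))

def assess(prefs, app_names, login_plist):
    """Return a list of findings; an empty list means none of the indicators is present."""
    findings = []
    if auto_open_enabled(prefs):
        findings.append("Safari opens 'safe' downloads automatically; set AutoOpenSafeDownloads to false")
    for a in suspicious_apps(app_names):
        findings.append("scareware-named bundle in /Applications: " + a)
    for item in suspicious_login_items(login_plist):
        findings.append("scareware-named login item: " + item)
    return findings

def load_plist(path):
    if not os.path.exists(path):
        return {}
    with open(path, "rb") as f:
        return plistlib.load(f)

if __name__ == "__main__":
    apps = os.listdir("/Applications") if os.path.isdir("/Applications") else []
    for line in assess(load_plist(SAFARI_PREFS), apps, load_plist(LOGIN_ITEMS)) or ["no findings"]:
        print(line)
```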

Esler, who has analysed the program, says the addresses to which the credit card details are sent differ between versions of the program: "One IP was in Arizona, another was in Romania," he said.

But he also said the program does not appear to be malicious beyond its aim of extracting credit card details. "It's what I call 'ransomware'. It 'acts' like it's infecting your machine, throwing a popup ad or porn site, to make you think you are infected. It asks you to buy this anti-malware solution called 'MacDefender' for the low price of '79.99'. When in reality, the software does nothing."

Such "social engineering" tricks to get users to download and install scareware are common on Windows – but their emergence on Apple's Mac platform indicates criminals have now spotted weaknesses in the default setup of Mac OS X that they can exploit.

The people behind the attacks have proved effective at covering their tracks. The Guardian contacted Atjeu hosting, which had unwittingly served one of the infected ads on the Washington Post, and was told there were no records of who had put it there.

"The owner of the server that this site was hosted on is a client of ours but they are a reseller and so they sell individual websites to end users and also to other resellers of web hosting," said the Atjeu administrator.

"We do not have records of the end users at all as that can often be three or four layers down from us. It appears, however, that what happened in this case was one account on the server was compromised and the hacker used that account to put the malicious site up so there would be no official records of any kind of who it actually was."

• Step-by-step instructions on how to remove the MacDefender and MacProtector programs are available at Fixkb.com.



guardian.co.uk © Guardian News & Media Limited 2011
