UW Computer Security Research and Course Blog

Security software vendor F-Secure has recently reported the first known “scareware” scam targeting Mac users. The software known as MacSweeper (www.macsweeper.com) poses as legitimate security software that “discovers” numerous fake problems and threats, which can only be solved by purchasing their $40 product. A senior security specialist at F-Secure shared two ways he determined the illegitimacy of MacSweeper: running their provided scan showed vulnerabilities in Mac-specific folders even when run on Windows machines and the company’s “About Us” section was taken directly from Symantec Corp.’s website. The website itself however is very professionally done and it is difficult for casual users to notice its phony nature.

Scareware is not a new phenomenon; it has existed in the Windows realm in the form of such software as WinFixer and IEDefender for quite sometime, but it appears that the Mac is becoming a more attractive target for malicious social engineers as its user base has been steadily increasing in recent years. This was bound to eventually happen and there is little that could have been done beforehand to prevent the rise of this type of software. From an end-user perspective, Mac users must clearly be more wary of internet scams and trained in discerning illegitimate sites (just like Windows users; since these types of threats exploit vulnerabilities at a more human-relational level they supercede technological differences). Developers could help mitigate the threat of being deceived by making Mac browsers like Safari and Firefox use simple heuristics such as checking each website against a blacklist to warn users when they are visiting a potentially malicious site. Government authorities could help by prosecuting savvy swindlers working on the web and closing down these types of deceptive sites; however this is precisely where larger privacy issues come into play.

MacSweeper.com uses a Ukrainian domain name server and was registered by individuals using the PrivacyProtect (http://www.privacyprotect.org/) anonymizing service to hide their identity. These services have a legitimate function in protecting people’s identities (e.g. someone in a nation with restricted freedom of speech or religion, or a whistleblower, etc.), but also are easily abused by malicious individuals who wish to cover their tracks. The proper balance of privacy and security extends beyond the scope of this article, but suffice it to say that governments need to be able to identify and prosecute online criminals* so they can protect their citizens. The good news is that the PrivacyProtect service has an abuse reporting system for this very purpose.

While the urgency of addressing the scareware problem is unclear (since we do not know how many people are victimized by MacSweeper and similar software), we can expect that such trickery will only increase in the future and should therefore work to improve public training, browser software, and internet policy in the hope of deterring these social engineering attacks and other online criminal activity.

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=hardware&articleId=9057279&taxonomyId=12&intsrc=kc_top

* I realize I’m using strong language by saying ‘criminal’ (especially if it turned out that MacSweeper had a real product offering), however the false representations (of the condition of a users’ system) and scare tactics are clearly unethical. This would be a particularly appropriate term if MacSweeper installed a trojan (or some other malware) or abused customers’ credit card information (but I don’t have any evidence that it does either of these at this time). The idea of “scare tactics” also brings up ethical questions for any security company: are they exaggerating security issues to drum up more business or do they hold a genuine and appropriate level of concern?

SDG