Microsoft links fake Mac AV to Windows scareware gang

Similarities point to Russian group that's also responsible for one of 2010's most widespread security scams

Microsoft said this week that it has evidence of a link between the fake security software now plaguing Mac users and a hard-charging family of similar software on Windows.

Phony security software, labeled "rogueware" and "scareware" by experts, has long been a huge thorn in Windows' side. But earlier this month researchers announced the discovery of a Mac-specific scam that claims the machine is heavily infected.

Once installed, the software nags users with pervasive pop-ups and fake alerts until they fork over a fee to purchase the worthless program.

To get rid of the program's alerts -- and the occasional pornographic page that pops up in the browser, a new twist intended to make victims think their computers have been hijacked -- many Mac owners pay the $79.50 "registration fee" for the worthless program.

Mac users have reported being duped into downloading the fake software on Apple's support forums and increasing numbers to Mac-centric antivirus vendor Intego, which has identified at least three names for the same product: MacDefender, MacSecurity and MacProtector.

The bogus program is believed to be the first security software scam on the Mac.

On Tuesday, engineers who work for the Microsoft Malware Protection Center (MMPC) said that users who visit a Web page posing as a free online virus scanner get served either Mac or Windows scareware.

"This distribution component reads the client's [browser] user agent in order to discern the operating system, and then serves up a malicious application designed for that operating system," said Hamish O'Dea and Tareq Saade on the MMPC blog.

The site delivers scareware dubbed "Win32/Winwebsec," while Macs get "MacOS_X/FakeMacdef," O'Dea and Saade said, using Microsoft's labels for the OS-specific versions of the fake security software.

There's also evidence that the same cyber criminal, or gang of scammers, created both versions.

O'Dea and Saade cited several similarities in the code of the two phony security programs, including nearly-identical URLs as the destination for "phone home" transmissions, similar Web addresses for the purchase pages of the pair, and sharing the same payment gateway, the site where users enter their credit card information to buy the useless utilities.

For the latter, a filename change from "buy.php" to "mac.php" alters the gateway from the Windows to the Mac version.

Microsoft's engineers also suspect that the maker of both pieces of scareware is Russian.

"FakeMacdef contains most of its resources in a directory named "ru.lproj," as opposed to "en.lproj" ... this strengthens our suspicion that the developer may be Russian," O'Dea and Saade said.

Winwebsec, the designation of the Windows part of the duo, is a fast-climbing family of scareware, according to a recent Microsoft analysis of 2010's threat landscape.

In the tenth volume of its semi-annual security intelligence report -- which was released last week -- Microsoft said that its free malware cleaning tool had detected and deleted Winwebsec on over 600,000 Windows PCs in the fourth quarter of 2010.

Although it wasn't among the most prolific scareware variants for the entire year, Winwebsec was the third-most-common fake security family in the last three months of 2010, beat only by "FakeSpypro," which had double the number of infections than any other throughout the year, and "FakePAV," scareware that masquerade's as Microsoft's own Security Essentials software.

Microsoft tabulated scareware deletions from data provided by the Malicious Software Removal Tool, a free utility the company updates monthly and pushes to Windows users.

Microsoft's O'Dea and Saade told Mac users to invest in an antivirus program built for the Mac to keep FakeMacdef off their machines, or to remove it once there.

Several antivirus vendors prominent in the Windows market -- such as Symantec -- also sell Mac security software, while others, including Sophos and the Mac-only Intego, offer free or free trial antivirus programs.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingAppleMac OSMicrosoftSecurity Hardware and SoftwareIntegosoftwareoperating systems

More about AppleIntegoMacsMicrosoftMPCSophosSymantecTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts