Rogueware campaign targeting Mac users
Bad guys distributing rogueware are attacking Mac users using Blackhat SEO techniques and poisoning search results.
During our research about Osama Bin Laden’s death we saw the same malicious domains serving two rogueware applications specific to Mac OSX, called Best Mac Antivirus and MAC Defender.
When doing searches the user can be redirected to a malicious domain which checks for: browser agent (it must be Safari), the IP address (only US domains now) and the referrer (if it is Google or other search engine). After these checks the malicious page will show a fake scan screen:
Even though the page is showing a fake Windows screen, the file offered will be a .mpkg: the installer of the rogue application:
For the application to be installed, the user needs to input his root password.
This is the main window of the rogue application:
Author: Fabio Assolini, Kaspersky Lab Expert.