The mainstream technology press has claimed that there will be lots of viruses for the Macintosh “real soon now,” ever since OS X was released over a decade ago. Combined with the fact that there are a seemingly infinite number of viruses for Windows, it’s easy to see why Mac users would be somewhat paranoid about the possibility of malware.
While the legions of Mac viruses still haven’t appeared, there is a nasty out there that takes advantage of this paranoia. It isn’t a virus, a Trojan Horse, or any other sort of actual malware. Instead, it’s more like a phishing scam, using social engineering to get you to do something that the bad guys want you to do. It does it by scaring the willies out of you, and is becoming disturbingly common. Some call it “scareware” or “ransomware.”
What happens is that you visit a Web site and your browser appears to have been maliciously frozen. You’ll find that you can’t quit, nor can you navigate away from the page by clicking the Back button.
Next, a page or pop-up appears telling you any of a number of stories (often tailored to your location), perhaps that your Mac has a problem or has illegal material on it, or that your data has been encrypted by some malevolent entity.
Many of these pop-ups give a phone number to call, often claiming it’s for “tech support” or “the FBI.” If you call the phone number, the people you talk to will ask you to allow them to connect to your computer via remote control software. It’s likely that during this connection they will install spyware on your computer.
Alternatively, the pop-up may give instructions on how to send ransom money to the people who are responsible for causing your browser to freeze, along with a promise that they will unfreeze your browser and/or decrypt your data once they receive the ransom. (Although there are several pieces of malware for Windows — CryptoLocker and CryptoWall, notably — that actually do encrypt user data and decrypt it only after the user has paid a ransom in Bitcoin, none of these target Macs.)
First off, it’s important to know that if you encounter this scary situation, your Mac hasn’t really been infected with a virus or any other sort of malware and that your data hasn’t been harmed. You should never call the given phone number and you should especially never ever give the people at the given phone number remote control access to your Mac. Also, never pay any ransom requested. You can deal with this situation easily on your own, and it’s likely that if you give the bad guys remote control access to your Mac, they will do something nasty like infect it with spyware and/or steal valuable data.
To get out of the frozen page, force-quit your Web browser in one of two ways. Choose Force Quit from the Apple menu or press its shortcut, Command-Option-Escape. Or Control-Option-click on the Web browser’s icon in the Dock, and choose Force Quit.
You aren’t quite done yet. Many browsers can be set to reload the previously displayed Web pages when they next launch, which could put you right back where you started. To prevent this in Safari, press the Shift key before clicking the Safari icon in the Dock or double-clicking the Safari icon in the Applications folder. In Firefox, hold down Option to launch it in Safe Mode, and then click Refresh Firefox in the Firefox Safe Mode dialog. In Chrome, before you force-quit, click the hamburger button to the right of the address field, choose Settings, and in the On Startup section of the Settings page, select “Open the New Tab page.” (Or, if you want to get fancy, try this AppleScript trick for opening Chrome in Incognito mode.)
ScamZapper automatically identifies instances of scareware and prevents them from loading. If you encounter a particular example that isn’t in its database, ScamZapper has a feature called Troubleshoot Pop-up that takes you through a series of automated troubleshooting steps.
Google constantly pushes out updates to its warning list. As you would expect, Google continually scans its index for sites that might be compromised by malware, and uses statistical methods to identify potential phishing sites, but you can also report scareware sites manually. The company says that reported sites are checked, and if necessary, added to the list within 30 minutes.
Those manual reports are key. If users diligently report sites that contain scareware, it shouldn’t take long for any particular site to be neutralized. So, if you encounter a Web site that contains scareware, please report the site!
When reporting to Google, note that the Web address of the infected Web site isn’t the one that’s shown when your browser appears to be frozen. That’s a spoofed address. Instead, it’s the Web address of the Web site that you were trying to access just prior to encountering the scareware.
I hope that you now know enough not to be scared by scareware, and can thus both deny the bad guys any ill-gotten gains and help prevent others from encountering the same sites you hit.
[Randy B. Singer has been writing about the Macintosh for close to 30 years. He has several Web sites, the most popular of which is currently Mac OS X Routine Maintenance.]