Industry Intel

Unexpected Side Effects: How COVID-19 Affected our Click Habits

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click? That’s what we wanted...

Key Considerations When Selecting a Web Classification Vendor

Since launching our web classification service in 2006, we’ve seen tremendous interest in our threat and web classification services, along with an evolution of the types and sizes of cybersecurity vendors and service providers looking to integrate this type of...

4 Ways MSPs Can Fine-Tune Their Cybersecurity Go-To-Market Strategy

Today’s work-from-home environment has created an abundance of opportunities for offering new cybersecurity services in addition to your existing business. With cyberattacks increasing in frequency and sophistication, business owners and managers need protection now...

Ransomware: The Bread and Butter of Cybercriminals

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have? Substitute your digital...

FBI says to just pay the ransom

We all know cryptolocker and we all know the toll it’s taken on many individuals and companies. While the original cryptolocker has been shut down since FBI operation Tovar it has not stalled the many variants of encrypting ransomware from becoming a plague to the user (looking at you cryptowall). The “business model” just isn’t going away and is only seeing improvements as time goes on.

Recently in a blog post it was suggested by the FBI to just pay the ransom. With encryption being so sophisticated and the key never stored on the machine I can honestly say that I agree. If you really need the data that was encrypted and your current backup solution doesn’t suffice for the data you’ve lost there is literally nothing you can do to get that data back other than pay the ransom. It’s a sad state of affairs, but this is where we’re at – proactive backup solutions beforehand or bust. Sure there are tools like Shadow explorer that will work if you’re hit with something that’s not killing the Volume Shadow Service (VSS), but that is an elementary error and most encrypting ransomware campaigns are packing the best payloads that make no mistakes. If you have no recent air gap backup or cloud syncing backup that lets you keep old copies, you really have no options other than starting from scratch again and “sticking it to the hackers” but really only individual consumers have the financial freedom to make that choice. Most scenarios where I know victims paid the ransom are because it was a huge hit to their businesses productivity.

For example, let’s say a small business that works as a reseller ships out thousands of products a day and their label printing machine was hit with cryptowall. They aren’t able to print any of the custom saved labels that use on a daily basis and it’s catastrophic to their business for a couple days. The $300 – $500 ransom really is nothing in comparative to the thousands of orders that they couldn’t ship until they get those shipping labels. Most of the time they spend deciding if they should pay isn’t because it’s too much money, or they “shouldn’t support terrorists” but the concern that they wouldn’t get their files back and would be effectively scammed again. In the end, after failed searches for backups and having this huge await shipment line, they just decide it’s worth it to risk throwing the money away and pay the ransom. They get their files back pretty quickly and now can resume shipping.

Most stories are similar to this and when I’ve asked them how paying the ransom went they’ve said that if they knew it would be that easy to get their files back, they would have paid sooner. This is where we are at – criminals putting a gun to our files and demanding payment. It’s worked great the past couple years since it started and it’s only getting better; I see no end sight to this.

Looking forward is even more troubling since once the bad guys start figuring out who can afford more of ransom is when things start getting real hairy. Sure $500 is nothing to resume business as usual, but what if it was a $50k ransom? There would be entirely different discussions internally before deciding to pay.

Mobile Malware – A problem or not?

Recently I was asked to give my thoughts on mobile malware. I was asked this in relation to a number of reports released earlier in the year that were in my view misinterpreted.  At the time many experts claimed mobile malware had been a much-exaggerated threat, based on such a large proportion of unwanted mobile apps/programs were seen to be adware.

Personally, I think it’s better to discuss mobile threats, mobile threats are more than just mobile malware.  Many legitimate Apps have been seen over the last few years to be open to serious data leakage and only recently we have seen the discovery of Android’s “Stagefright” vulnerability – pegged as the “worst Android bug to date”.  Receiving a simple MMS message with crafted exploit code, and without any interact from the victim, a hacker is able to do anything from stealing private communications to possible taking control of the device itself.

Read more:

In September, we saw “XcodeGhost”, this highlights the Apple App Store isn’t immune to serving up compromised apps.  The Xcode development tools are used by iOS app makers.  The original package was copied, modified, and then re-distributed for download.  Apps built using the modified version were injected with malicious code, then published to the App Store.

Read more:

Mobile malware is a problem and is getting bigger with the ever increasing growth of the mobile market.  There is concern that enterprise decision makers may misinterpret such reports and may not take mobile security as seriously as they should.  Enterprises should be very concerned about mobile threats, this includes, mobile malware, mobile vulnerabilities and mobile data loss.

Mobile adware itself is a huge problem and needs to be addressed.  Adware can collect personal information from the device it’s installed on, often without consent, including many pieces of PPI.  Enterprises allowing such devices to connect to the private network should be seriously concerned, information is power, and company secrets are a secret for a reason.

The recent case of “Gunpoder” also highlights a new strategy malware writers are using.  The game emulator app looks and behaves like adware, all while stealing PPI from the infected Android device. Many AV companies classified this malicious app as adware and many users thinking that adware was ‘more annoying than dangerous’ allowed the app to run.

Read more:

Cyberattacks are more prolific than ever, and businesses are clearly struggling in the battle of keeping their employee and customer data safe.  Cybercriminals look for the simplest method to achieve their objective, if that’s through a mobile device and an uneducated user, then so be it. Mobile infiltration is often a precursor to further attacks.

Ignoring mobile malware and security, at any level, could have huge repercussions on a business’ reputation and customer loyalty as well as financially – it’s important not to leave the front door open.

So what can we do?

With all security implementations, striking the balance between mobile security and productivity is an on-going challenge. At present I would suggest it’s weighted towards productivity.  Productive employees are great, but at the same time the company’s assets have to be properly secured. Therefore the fight against mobile malware needs to be appropriately evaluated in terms of personnel and monetary resources.

Mobile security is just another problem that arrived on the doorstep of the security and/or IT team, and on many occasions without any extra budget allocation. Like with many facets of cybersecurity it only becomes a priority after the inadequate defences are breached and company stakeholders want answers.

Companies need a mobile security strategy. They also need to follow best practices and keep abreast of industry information and security bulletins.  Any strategy must consider corporate devices and BYODs. Organisations need to keep on top of patch management and understand what technologies best address their security needs, these may include centralised app management and app reputation technologies and in case of device loss – consider encryption and remote wiping.

Like with any device on a network, threat protection should be installed and kept up to date.  Webroot offers mobile security apps for both Android and iPhone. The corporate network can be protected further by directing mobile traffic through special gateways with customised firewalls and security controls.  Mobile devices should be configured to avoid unsecured wireless networks.

It goes without saying that devices need strong authentication and password controls.

Remember, mobile security and security in general is a continuous practice. It’s essential to implement a comprehensive mobile security strategy, then check how well training and policies are being interpreted and implemented with regular mobile security audits and tests.  Communication between the organisation and its employees is vital – the risks and potential consequences need to be understood by employees through continued user education.  At the same time organisations need to understand and respect the now slightly blurred boundary between business and personal.

Cybercriminals only need to find one hole in the defence, whereas security professionals have to secure all possible points of entry.  It’s a battle we may lose from time to time, but we have a responsibility to make it as hard as possible for our adversaries.

Why do we need National Cyber Security Awareness Month?

As the 12th annual National Cyber Security Awareness Month enters its final week, we’ll look at the future of technology and the potential vulnerabilities that come with it. As President Barack Obama has stated, “Cyber threats pose one of the gravest national security dangers the United States faces,” and that is why we all need to be mindful of the “smart world” we now live in. It is our shared responsibility to be aware of the importance of cyber-security as the number of Internet-connected devices around us increase. Surveys show that in 2014, 47% of adults in the United States had their personal information exposed by hackers.

Our phones, tablets, and personal computers are the most obvious devices that need protection, but what about the “Internet-Of-Things” devices? From vehicles to watches to kitchen appliances, more and more of our household objects are becoming “Smart” items, and each device stores and transmits private personal data. Health monitors, baby monitors, coffee makers, home environmental controls; whatever the device, if it connects to the internet, it can potentially be exploited by a determined hacker.

This is something that all device manufacturers need to keep in mind, since most consumers won’t usually have the ability to install security software on these devices themselves. But there are a few security tips that we should all keep in mind:

1. Protect your network. This means changing the default Administrator password on your router, using strong (WPA2) wireless network encryption, and changing your WiFi password occasionally. See our “Tips for Improving Router Security” blog post for more information.

2. Protect the devices you can. Whether you use a PC, Mac, or Android device, you will need an antivirus application to protect you against malware. If your network is breached, having devices that are well protected will sometimes deter a hacker who is looking for easy targets. Webroot provides this defense with cloud-based malware detection that automatically stays up to date.

3. Don’t be an early-adopter. When a cool new device comes out, it’s tempting to be among the first to have it… but the first versions of any “smart” products are the most prone to security flaws. By waiting until a second generation device or a first software update for the device, you may reduce your risk of using an insecure product.

While the technology of the future becomes increasingly Internet-connected, it is our shared responsibility to remain vigilant about security and ensure that it is incorporated at every point of access.

For more information about this month’s themes and events, see the Official Department of Homeland Security National Cyber Security Awareness Month page.

What is a computer virus?

It is a long-standing joke that if you do a web search on any medical symptom, it will always lead to a web diagnosis of cancer. In the same manner, searching for any computer problem will always lead you to conclude that you have a nasty computer virus. Chances are you have never had, and never will have a computer virus, as this handy Venn diagram from demonstrates:

Now perhaps I’m being a bit nit-picky about the connotation of the term “virus” but there is quite a bit of misinformation and FUD (Fear, Uncertainty and Doubt) out there when it comes to computer viruses. Wikipedia defines a computer virus as “a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive.” The key here is that a virus spreads via various methods of replication – infecting other files. The vast majority of malware does not do this, and a virus is not going to change your home page, display pop-up ads, or install a toolbar as adware or Potentially Unwanted Applications (PUAs) may do. Your printer issues are not being caused by a virus either.

If you search for the name of any browser redirect, toolbar, pop-up ad, or any number of other computer problems you will almost always end up on a web page that claims the issue is due to a virus. These pages are rarely from reputable security vendors, and are often security blogs that feature prominent advertising for various legitimate and not-so-legitimate security software. The term “virus” is used to make you think the problem is far worse than it actually is in hopes that you will purchase the advertised security programs. These tactics are similar to those used by Rogue Security Software and tech support scams.

If you are searching for more information on a computer problem, pay attention to the sites that come up in the results, and to the terminology used. If the term “virus” comes up, chances are that the result is not from a trusted security company or computer support forum. There are several general computer support forums out there which offer excellent free support for general computing issues. For issues related to specific programs or hardware, most companies have their own support forums these days, and in many cases someone else has experienced the same issue that you are having.

Are antivirus testing scores a true reflection of our Mac product efficacy? You decide…

In a world full of new malware and various types of cyber threats continuing to pop up on a daily basis, the average consumer has reached a point where a good antivirus security solution is an absolute must; even when dealing with so called “immune” operating systems like Mac OSX. However with so many antivirus products to choose from for the Mac, how is the average consumer supposed to make sound decisions about which product will give them the best protection and the greatest peace of mind?

These days, most consumers in the market for a new product simply jump on Google and look for general product reviews; however with so many mixed results, and an array of product features to choose from and compare, the antivirus playing field can quickly become very confusing and overwhelming. As an alternative, another source of information that consumers turn to for data about antivirus solutions are third party antivirus (AV) testing companies. For years these companies have performed baseline comparative tests on many of the most popular AV products in an effort to test the product’s malware detection and remediation capabilities, as well as looking at how machine performance is affected by the product being installed and run on the user’s machine. In recent years they have also started to do testing for AV products being developed for the Mac OSX platform. The results of these tests are typically published with an overall bottom-line score for each product being tested, which is based on the product’s overall malware/virus detection percentage.

As a result, the average consumer looking at these tests will use some type of previous brand recognition or family/friend influence, in conjunction with the AV testing scores, in order to make a swift decision on the “best” antivirus software for their needs. It is easy for the human psyche to say, “Oh this product scored 100%, so it must be good.” The issue with this type of decision making process is that unfortunately the assumption is made that all AV products are created equal, and that the Mac AV testing platform and testing methodology creates a true simulation of real world execution and installation of the malware being tested. This could not be further from the truth.

In order to test the true efficacy of an antivirus product, AV testing companies should actually be installing the malware and executing the viruses in question, in order to see how the antivirus product handles an actual simulation of an end-user infection. Unfortunately, the reality of the situation is that AV testing companies generally do not use “real world” simulations of malware executions and installs when testing Mac AV products. Instead they perform their tests using a method called “zoo testing,” which involves putting hundreds of malicious file samples into a folder and then putting that folder somewhere on the testing PC before running their test. Often these files do not even reside inside of the full Mac bundles necessary for execution or have even had their executable bit stripped from the binary, in effect making them benign to any system. The issue here is that none of the malware is actually executed or installed on the testing machine, nor does it constitute any kind of real threat to the system. In addition, this type of approach is often easily “gamed” by AV companies that are simply looking to do well on the test.

Without getting too technical, in recent years advancing technologies in the antivirus industry have continued to make leaps and bounds in terms of the detection and remediation methods and backend systems that are being used to detect malicious activity and protect end users from security breaches on their machines. Webroot has been a pioneer in implementing technologies that are forward-thinking, adaptive and have brought our product efficacy to unprecedented levels. Unfortunately, in order to actually be correctly tested on the effectiveness of these newer methods and technologies, it requires AV testing companies to install real infections, rather than a zoo of files that can’t even be executed. AV testing companies have been reluctant to adapt their Mac testing methodologies to changing technologies and approaches. So, what does this say about the validity of AV test scores? Does this approach make AV testing results a useful tool for sound consumer decision making when deciding on a Mac security solution?

AV testing has been a big concern for many companies over the years. We all want our products to perform at a high level and carry a positive market leading reputation. For many AV companies this has been true to the extent that they focus their primary client development efforts towards malware detection for AV tests, rather than real life infections. Isn’t this approach a detriment to the effectiveness of the product for the end-user? Here at Webroot, due to known issues in the AV testing climate, we have shifted priorities in order to drive our efforts and innovation into developing the best security products and customer experience that we can attain. We believe that our excellent standard for real world efficacy, in addition to the many value added features that are built into our products, bring the greatest value to our customer base.

10 Tips for Improving Your Home Router Security

With the recent news of router vulnerabilities, we thought it would be an excellent time to provide a few tips for improving your home router security. While nothing is hack-proof in the world we live in, you can take many steps to deter attackers from targeting you. I have arranged this from easy to do, to increasingly technical.

Simple steps to secure your home router

  • Create a unique login. Most routers use a default login username such as “admin”, and a password that is usually just “password”. Be sure to change the login information (username and password) to something unique to you. Please note that this is different than your WiFi name and password.
  • Create a username and password for your connection (WiFi). Consider changing it from the default to something that is not personally identifiable. Ideally, you DO NOT want your the manufacturer (Netgear. Linksys, etc.) or address as your WiFi name. Choosing WPA2 over WPA or WEP is also advisable. A long passphrase as your password that contains more than 20 characters is important here. REMINDER: you can disable the SSID broadcast so that only users that know your network name can connect. If you plan on having guests, create an entirely different Guest network. It is never advisable to give the credentials to your main connection.
  • Avoid using WiFi Protected Setup (WPS). WPS is a nice convenience, but it leaves your WiFi network vulnerable. Malicious actors can use this to attempt connection with a PIN, possibly leaving you open to brute-force attacks.
  • Keep router firmware up-to-date. Unlike your computer, your router doesn’t send reminders for new updates. It will be up to you to make sure you’re logging into your router regularly to check for updates.


Don't Get Hacked

More complex security tips

  • Disable Remote Administrative Access. In addition, consider disabling administrative access over Wi-Fi. An Admin should only be connecting via a wired Ethernet connection.
  • Change the default IP ranges. Almost every router has an IP resembling and changing this can help prevent Cross-Site Request Forgery (CSRF) attacks.
  • Restrict access via MAC addresses. Your router gives you the capability to specify exactly what devices you want to connect so that others are not permitted. You can usually identify the address of the specific device in the Admin Console of the router.
  • Change from the standard 2.4-GHz band, to the 5-GHz band. If the devices you use are compatible, it is generally advisable to make this change. Taking this step will decrease the range of the signal and could stop a potential attacker that is farther away from your router from discovering it.
  • Disable Telnet, PING, UPNP, SSH, and HNAP. You can close them entirely, but I generally advise putting them into what is referred to as “Stealth” mode. This stops your router from responding to external communications.
  • Log out! This does not just apply to routers, though. You should log out of any website, utility, or console when you are done using it.

These router security tips should help protect your WiFi data from cybercriminals desiring to hinder your online activities.

Tech Support Scams Continue

We’re regularly asked about phone calls from “Microsoft” claiming that your computer is infected, and whether or not it is a scam – it is. Sometimes it’s a call from another “tech support” company, or a warning message on your screen. The truth is that Microsoft and other companies will not contact you to tell you that you have a computer problem through a phone call, email, or a pop-up warning message.

These scams are nothing new. We blogged about this previously in April of 2013 and a lot has changed in the malware world since then, but these scams continue. That we’re bringing these scams up again tells you one thing though – people continue to fall for them – don’t let yourself become a victim of one of these scammers.

If you’re contacted by one of these scammers, hang up, don’t click that link, and don’t call that number. Usually they’ll try to get them to let you access your computer remotely – don’t let them, and certainly don’t give them any personal information or a credit card number.

As long as you don’t let them log on to your computer remotely or download and install any software because of these scams you probably don’t have anything to worry about. These scammers don’t typically install malware on your computer; the scam is to get you to pay for tech support that you don’t actually need.

More information can be found on scams using the Microsoft name at the following links:

Dow Jones Data Breach

In a letter to customers sent today, Dow Jones & Co has revealed that its services were breached, possibly exposing the credit and debit card information of customers. Reportedly only impacting “fewer than 3,500 individuals,” the information provided shows that the unauthorized accesses took place between August 2012 and July 2015.

“In today’s world – where literally anyone connected to the Internet is vulnerable – it’s no longer just a question of spending, it’s a question of processes and skills. Following the Dow Jones breach, I’m heartened that the CEO has publically said that no company is immune to cyberattacks. Solely recognizing that all organizations need comprehensive security solutions is the first step to reducing the onslaught of breaches we’ve witnessed over the last few years,” said Grayson Milbourne, Security Intelligence Director of Webroot.

“As large company breaches have revealed, security isn’t always a question of budget but also a question of skills and background checks. The name of the game is to find out what is going on in an environment and reduce the risk. Overall, there is a clear trend of attacks that aim to compromise companies who store vast amounts of user data. These businesses need to prepare for continued attacks by updating their security policies and systems to be on high alert.”

While Dow Jones & Co is reporting the information has been possibly compromised, they are also reporting that no evidence is pointing toward the information actually being used in authorized manners.

Avoid Unwanted Applications

Has your home page changed? Are you getting pop-up ads that are “Provided by” some company you’ve never heard of? Are your search results coming from a different search engine? Welcome to the world of Potentially Unwanted Applications (PUAs.) While they can be annoying, PUAs are easily avoided.

The easiest way to avoid PUAs is to only install programs from their official download sites. Third-party download sites continue to be one of the main sources for PUAs. If you search for software downloads, chances are you will end up on a third-party site rather than an official download page and end up inadvertently installing PUAs.

When installing software, always pay attention to the install process – don’t just click “next” until the install is complete. Most installers allow you to opt-out of installing optional software, but they don’t always make it easy. Pay attention to any available install options, and always choose a custom install when possible. Watch for “skip” or “decline” buttons that will allow you to not install bundled applications. Look for check boxes that ask you if you want to install additional applications of change your home page or search settings. If you follow these suggestions it will help you to avoid installing PUAs.

Phishing Attacks and Lessons Learned

Phishing attacks have been a prevalent, and often quite successful method of obtaining sensitive data from unsuspecting victims for quite a few years now. These attacks are extremely common through email and usually only require the user to click on a link contained within, and enter the information requested. Due to the simplicity of obtaining potentially valuable data from users, many companies have been instituting security training  for these types of attacks by using phishing tests to determine their employees’ ability to discern a real email from a possible phish.

With the latest breach coming from the United States’ Office of Personnel Management, the question remains of what could have been done to prevent such a high-security organization from making a simple mistake that could be catastrophic? The answer seems to be increasing the amount of security training that is taking place within these organizations, in regards to phishing attacks and basic online security.

Unfortunately, many users continue to fail these types of tests, while still holding high-level security clearance. This is likely due to the lack of reprisal for the user, aside from more security training sessions, which allows the poor behaviour to carry on. Paul Beckman, CISO for the Department of Homeland Security, has a different idea about consequences for these individuals, who are often senior managers or other C-level employees. He states, “Someone who fails every single phishing campaign in the world should not be holding a TS SCI with the federal government”, and suggests that these employees should have their security clearance removed until such time that they can prove to be responsible with extremely sensitive information.

Beckman said he hopes to move forward with the discussion of cracking down on repeat offenders, but it will all take more time and getting more CISOs on board. Meanwhile, these types of attacks are becoming more personal and thus, more difficult to prevent against.

With other companies able to learn lessons based off the circumstances surround the OPM hack though, we hope too see a continued shift towards education and understanding from the largest corporations down to the standard internet user. Maintaining awareness and understanding of the threats on the internet, especially effective ones such as phishing, is the first step in moving towards safer browsing habits.

History of Mac Malware

The subject that fan boys of each side love to argue about.  Mac malware.  The fact is that malware for Mac is real and it continues to grow as a problem.  In 2012 Apple removed the statements “It doesn’t get PC viruses” and “A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.”  I would like to shed light on the malware from beginning to now in hopes that it will bring an understanding of why security is needed on all operating systems, including your Mac.

macmalware11982 – The first threat that occurred was the Elk Cloner (this however did not actually affect the Mac) which would cause the Apple II to boot up with a poem:

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes, it’s Cloner!

It will stick to you like glue
It will modify RAM too
Send in the Cloner!


There were a few different malware families that came out but being as they are using an operating system that is not really used I won’t go into great detail.  In 1987 nVIR virus began to infect Macintosh computers.  In 1988 HyperCard viruses started to gain traction. HyperCard was software created by Apple to execute scripts immediately on opening.  MDef was discovered in 1990.  MDef infected application and system files on the Mac.  In 1995 Microsoft released a virus that would infect both PC and Mac users via Microsoft Word called Concept.  In 1996 Laroux, the first Excel macro virus was found but didn’t actually do anything to Macs until Excel ’98 was released.  In 1998 Both AutoStart 9805 and Sevendust were discovered.

2004-Present – This brings us into the modern operating system we all know and love OS X. Also the time frame where threats are created that can still affect systems in use today.

2004 – Renepo was found. It had the ability to disable a system firewall, and it would try to copy itself to /System/Library/StartupItems.

macmalware22004– Amphimix a program which is also a MP3 file. When launched it displays a dialog box which reads “Yep, this is an application. (So what is your iTunes playing now?)” It then loads itself into iTunes as an MP3 file called “Wild Laugh”, playing four seconds laughter.


macmalware32006 – Leap is widely considered to be the original Mac Trojan. Leap used iChat to spread itself; forwarding itself as a latestpics.tgz file to the contacts on the machine. Inside the Gzipped Tar File (.tgz) was an executable file masked as a JPEG. When executed, it infected all Cocoa applications.

2006 – Inqtana was the second worm for Mac OSX. The worm propagated through a vulnerability in unpatched OSX systems.

2008 was a big year for Mac malware… Apple published an advisory to use antivirus software. They removed the statement from its website after being up for about two weeks.

2008 – BadBunny is a multi-platform worm written in several scripting languages and distributed as an OpenOffice document containing a macro.  It spreads itself by dropping script files that affect the behavior of popular IRC (Internet Relay Chat) programs, causing it to send the worm to other users.

2008 – RSPlug is a Trojan that changed DNS to send users to malicious servers. It originally spread as a video codec that was downloaded from various porn websites.

2008 – AppleScript.THT tries to disable security software, steal user’s passwords, turn on file sharing, take screenshots of the desktop, and take a photo of the user via the built-in camera.  The malware exploits a vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.

macmalware42008 – MacSweeper, Mac’s first ‘rogue’ application (a fake antivirus misleading users by reporting infections that doesn’t exists). When the infected user tried to remove the “infections”, MacSweeper asked to provide credit card details and pay $39.99 for a “lifetime subscription serial key.”

I won’t lie, before I got into threat research, I ended up with this on my Mac…

2008 – Hovdy tried to install itself to /Library/Caches. It disabled syslog/system updates, stole password hashes, open ports in the firewall, disabled security software, installed LogKext keylogger and started web server, VNC, and SSH. It also tried to get root access by way of ARDAgent vulnerability.

2009 – Iservice was discovered in a pirated version of iWork ’09. It copied itself to /usr/bin/iWorkServices and tried to execute a HTTP request. Updated variants were later found in a pirated versions of many high use programs.

August 28, 2009 – Apple released an anti-malware tool called XProtect,at release it could protect a Mac against only two threats (RSPlug and Iservice).

2010 – HEllRTS (aka HellRaiser) is a Trojan that allows control of a computer by a remote user. The remote user has the ability to transfer files, pop up chat messages, display pictures, and even restart or shut down the infected machine.

2010 – Boonana, a Trojan that spread via social media and email disguised as a video. It runs as a Java applet, which downloads its installer to the machine.  After installed it starts running in the background and communicating with a variety of servers such as command and control servers.

2011 – MacDefender, another rogue like MacSweeper that installs itself into the /Application folder and wants you to pay them for the “infections” to be removed from your mac.

macmalware52011/2012 – Flashback was disguised as a Flash player download and targets a Java vulnerability on Mac OS X. The system is infected after the user is redirected to a compromised bogus site, where JavaScript code causes an applet containing an exploit to load. The Flashback malware was the largest attack to date, hitting more than 600,000 Mac computers.

2013 – Lamadai, a backdoor Trojan, targeted NGOs (Non-Government Organizations) and exploited a Java vulnerability to drop further malware code.

2013 – Hackback spied on victims and was designed to take a list of certain file types, find all files matching those types, compress them into a zip located in /tmp/ and upload them to a remote server.

2014 – LaoShu went viral via spam emails posing as a notification from FedEx. It contacts a remote server sending system information, files, and screenshots. It is important to note that it is signed with a valid Apple developer ID certificate.

2014 – CoinThief is designed to steal Bitcoins from infected machines, and is disguised as legitimate apps.  The source code was on Github for a while under an app named StealthBit.


It’s worth mentioning that these have been the main threats seen on the Mac and not all of them.  There are many smaller variants and proof of concepts that are not listed.  Also, that I didn’t include any adware variants such as Genieo or VSearch on here, but I did write about in my last blog.  Even after seeing all of these there will still be those that refuse to believe that their mac is vulnerable to attack, but trust me it will only get worse from here.  Apple is increasing their market share and with that comes an opportunity for malware writers to make more money.

The most difficult question in computer security

Whenever I think of security awareness, there is one question that haunts me: How do we educate the not-so-technically inclined about security? It seems like a simple enough question, we know the basic tips and tricks, it’s second nature to many of us. Keeping Windows fully patched and up to date pretty much takes care of itself with the proper settings in Windows Update. Many other applications check for updates regularly by default. Running antivirus software should be a no-brainer and if you run a cloud-based AV solution like Webroot SecureAnywhere you don’t even need to worry about updates.

Then you try to explain how to identify a suspicious email to that friend or family member that always comes to you for computer support. You came prepared with sample emails complete with circles and arrows and highlighted text. You explain how to  check email headers, hover over links to check where they actually go, and look for obvious spelling and grammatical errors. To the non-techie this can seem like a bunch of techno-babble that they will not remember.

The technical approach is simply not going to work on some people. Yo can suggest treating any email that they were not expecting to receive, is from an unknown sender, and contains a link or an attachment as suspicious. This can work, but has it’s own issues. People order products over the internet all the time. Order and shipment confirmation emails are something people expect, so when someone receives a fake email claiming to be from a shipping company it can be quite effective. These emails may be obviously suspicious to you, but you said to be suspicious of emails that they were not expecting, remember? It tends to just get more complicated from there. We want to educate and help develop healthy suspicions, not distrust and paranoia.

So how do we explain how to identify a suspicious email in simple terms that even the less technical people can understand? This is a question that we need to continue to ask ourselves, and we each need to do our part in educating others on security issues.

As a note, tomorrow begins National Cyber Security Awareness Month and with that, we will be posting regular security tips to keep you and your family safe while online.