Slashdot Mirror


Scareware Signed With Apple Cert Targets OS X Machines (threatpost.com)

msm1267 writes: A unique scareware campaign targeting Mac OS X machines has been discovered, and it's likely the developer behind the malware has been at it a while since the installer that drops the scareware is signed with a legitimate Apple developer certificate.

"Sadly, this particular developer certificate (assigned to a Maksim Noskov) has been used for probably two years in similar attacks," said Johannes Ullrich, dean of research of the SANS Institute's Internet Storm Center, which on Thursday publicly disclosed the campaign. "So far, it apparently hasn't been revoked by Apple."

1 of 39 comments

  1. friend's computer hit by this, by lkcl · Score: 5, Interesting

    i have a friend who called me to say that their computer had had the default browser search settings changed to some adware. so i checked the instructions on how to remove it, only to find that the settings shown in the screen-shots *weren't there*. turns out that, from inspection of the timestamps on the filesystem, the phishing-malware had *replaced* legitimate system libraries, which enabled them to disguise the malware and prevent its own removal. it was necessary for us to go round some friends' houses, drop the macbook into single-user mode and copy over replacement files from an identical copy of macosx.

    now, this is the first time i've ever dealt with macosx viruses, but i was surprised that it was so easy for my non-technical friend to be fooled by a phishing attempt which scared her with the "you have 2,500 viruses do you want us to fix it?" tactic. as a purely software-libre end-user for the past 20 years, all i can say is, "welcome to the monoculture world, apple. your false sense of security myth is well and truly over, and you have a hell of a lot of catching up to do".
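The timestamp inspection lkcl describes can be turned into a repeatable check. The following is an added example, not code from the story or the comment: it records a baseline of mtime and SHA-256 for a directory of libraries and then reports files that were replaced, added, or replaced with the old mtime copied back. The directory tree, file names and contents are constructed here for illustration.

```python
"""Baseline-and-verify integrity check for a library directory."""
import hashlib
import os
import pathlib
import tempfile


def snapshot(root):
    """Record nanosecond mtime and SHA-256 of every regular file under root."""
    baseline = {}
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {
                "mtime_ns": path.stat().st_mtime_ns,
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            }
    return baseline


def verify(root, baseline):
    """Compare the current tree to the baseline; return sorted (path, finding) pairs."""
    current = snapshot(root)
    findings = []
    for rel, ref in baseline.items():
        cur = current.get(rel)
        if cur is None:
            findings.append((rel, "missing"))
        elif cur["sha256"] != ref["sha256"]:
            # A changed hash with an unchanged mtime means the timestamp was
            # deliberately restored after the replacement; flag it separately.
            same_mtime = cur["mtime_ns"] == ref["mtime_ns"]
            findings.append((rel, "modified, mtime preserved" if same_mtime else "modified"))
    for rel in current.keys() - baseline.keys():
        findings.append((rel, "added"))
    return sorted(findings)


def demo():
    """Constructed scenario: fake library tree, baseline, then three tamperings."""
    root = tempfile.mkdtemp()
    lib = pathlib.Path(root, "usr", "lib")
    lib.mkdir(parents=True)
    (lib / "libsystem.dylib").write_bytes(b"original library bytes")
    (lib / "libssl.dylib").write_bytes(b"original ssl bytes")
    baseline = snapshot(root)
    # 1) plain replacement written a minute later
    sysl = lib / "libsystem.dylib"
    later = sysl.stat().st_mtime_ns + 60 * 10**9
    sysl.write_bytes(b"replaced library bytes")
    os.utime(sysl, ns=(later, later))
    # 2) a new file dropped into the directory
    (lib / "libextra.dylib").write_bytes(b"dropped file")
    # 3) replacement with the original mtime copied back
    ssl = lib / "libssl.dylib"
    old = ssl.stat()
    ssl.write_bytes(b"replaced ssl bytes")
    os.utime(ssl, ns=(old.st_atime_ns, old.st_mtime_ns))
    return verify(root, baseline)
```

Running `demo()` returns findings for all three changes, including the one whose mtime was put back, which a timestamp-only inspection would miss.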