
An overview of malvertising on the Mac

Most people associate malvertising with malware and the Windows platform. Indeed, the vast majority of (and most damaging) attacks that happen thanks to malicious ads target Windows users via exploit kits. But other systems are not immune to malvertising, at least in other forms.

Case in point, rogue advertisers have plans for Mac users as well. We see a lot of malvertising campaigns that leverage social engineering to install malware or PUPs, or to defraud you via tech support scams. In this post, we take a look at some of the most prevalent malvertising types you might come across by showing some recently captured examples.

The User Agent string

Ad networks determine if you are running Microsoft Windows or Mac OS X by checking your browser’s user agent string (UA). Every time you visit a website, your browser performs a GET request to the remote server and sends out your system’s user agent and other details such as the site you came from (referer):

[Screenshot: GET request headers]

This data is collected to aggregate stats on visitors, or to adjust the site’s settings to match your display (e.g. if you are using your iPhone, you may have noticed the ‘mobile version’ of the full sites you normally get on your desktop computer).

Based on this piece of information (and others like your country, given away by your IP address), you will (or should anyway) see adverts that are tailored to you. Online crooks devise “campaigns” that will target those various populations. If you are a Windows user, they might want to redirect you to an exploit kit to infect your PC. On a Mac? Then, a tech support scam or scareware page will be most effective.

This doesn’t mean that Macs are more secure by default, but rather that cyber criminals mostly target Microsoft Windows users because they are the lowest-hanging fruit worth investing effort in. It also shows that there is no need to create sophisticated attacks exploiting advanced vulnerabilities in order to succeed in ripping off innocent victims with deceptive tactics.
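The targeting decision described above starts with two request headers. As an added example (not a capture from the original post), the following Python parses a constructed GET request, pulls out the User-Agent and Referer, and returns the coarse platform bucket a campaign would key on. The sample request and the platform patterns are assumptions for this illustration; the ordering matters because an iPhone user agent also contains the words "Mac OS X".

```python
"""Infer the platform bucket an ad network derives from an HTTP request.

Added example: parses a constructed HTTP/1.1 GET request (not real traffic),
extracts User-Agent and Referer, and classifies the platform the way a
targeting decision would.
"""
import re

# Constructed sample request modelled on what a Safari/Mac browser sends.
SAMPLE_REQUEST = (
    "GET /ads/serve?id=1234 HTTP/1.1\r\n"
    "Host: ads.example.test\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) "
    "AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7\r\n"
    "Referer: http://www.example.test/article\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers dict).

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


# Order is significant: iOS user agents contain "like Mac OS X", and Android
# user agents contain "Linux", so the more specific patterns come first.
_PLATFORM_PATTERNS = [
    ("ios", re.compile(r"\b(iPhone|iPad|iPod)\b")),
    ("android", re.compile(r"\bAndroid\b")),
    ("windows", re.compile(r"\bWindows NT\b")),
    ("mac", re.compile(r"\bMacintosh\b|\bMac OS X\b")),
    ("linux", re.compile(r"\bLinux\b")),
]


def classify_platform(user_agent):
    """Return the coarse platform bucket for a User-Agent string, or 'unknown'."""
    for name, pattern in _PLATFORM_PATTERNS:
        if pattern.search(user_agent):
            return name
    return "unknown"


def profile_request(raw):
    """Return the fields a targeting decision rests on: platform and referer."""
    _line, headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    return {
        "platform": classify_platform(ua),
        "user_agent": ua,
        "referer": headers.get("referer", ""),
    }


if __name__ == "__main__":
    print(profile_request(SAMPLE_REQUEST))
```

Running the block on the sample request classifies it as "mac" with the article URL as referer; feeding it a Windows or iPhone user agent changes only the platform field, which is exactly the split the crooks' campaigns branch on.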

Get-rich-quick schemes and other surveys

While this may not be considered malvertising in the strict sense of the term (not to mention the fact that it does not only affect Mac users), these “offers” are aggressively pushed by unscrupulous ad networks and disrupt the browsing experience with screen hijacks. We see anything from lottery and work-from-home scams to bogus surveys and other too-good-to-be-true freebies. iPhone users have been targeted with similar surveys before.

[Screenshot: lottery “congratulations” page]

Traffic:

[Screenshot: traffic capture]

IOCs:

  • 23-lot-s.com
  • 78.140.190.106

Tech support scams

Tech support scammers have long been targeting Mac users and exploiting their assumed sense of security. These fake websites impersonate Apple and use various JavaScript tricks to prevent closing the page naturally, leading many frustrated users to call the toll-free number for assistance. Scammers, mostly operating out of India, then scare their victims into paying hundreds of dollars for worthless service.

[Screenshot: tech support scam page]

Traffic:

[Screenshot: traffic capture]

IOCs:

  • advancepcsupportsreviews.online
  • 107.180.50.210

Fake Flash Player (and other software) updates

This is one of the most common techniques used to push adware and even malware onto Mac users. Masquerading as updates for Flash Player or video codecs, these pages are well designed and pushy. In some cases, the installer will automatically download itself onto your computer.

These campaigns work particularly well on adult or video streaming websites because they can lure users into downloading the application in order to watch the content they are looking for. You should stay away from such “programs” and only download them from their official repositories, since these lookalikes are bundled with junk that will slow down your Mac or, worse, install spyware or malware on it.
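The IOC lists above and the fake-update pattern just described are the two things a defender can look for in proxy logs. The following Python is an added example, not tooling from the original post: it parses a handful of constructed log lines, flags any request to one of the post's indicator domains or IPs, and flags any Mac installer (.dmg/.pkg) fetched from a host outside a small allowlist of vendor domains. The log format, the allowlist and the sample hosts under .test are assumptions made for this example; the indicator values themselves are quoted from the IOC lists in this post.

```python
"""Sweep proxy logs for the indicators listed in this post.

Added example (not from the original post). Two checks per log line:
  1. the request host or destination IP matches an IOC from the post;
  2. a Mac installer (.dmg/.pkg) was served from a non-allowlisted host,
     the fake Flash Player / codec update pattern.
"""
import re
from urllib.parse import urlsplit

# Indicators quoted from the IOC lists in this post.
IOC_DOMAINS = {"23-lot-s.com", "advancepcsupportsreviews.online"}
IOC_IPS = {"78.140.190.106", "107.180.50.210"}

# Assumed allowlist of hosts from which a Mac installer download is expected.
INSTALLER_ALLOWLIST = {"swcdn.apple.com", "fpdownload.adobe.com"}

# Assumed log format: client_ip dest_ip method url "user-agent" "referer"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" "(?P<referer>[^"]*)"$'
)

# Constructed sample lines; hosts under .test and the installer paths are fictional.
SAMPLE_LOG = [
    '10.0.0.5 203.0.113.10 GET http://news.example.test/article "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11)" "-"',
    '10.0.0.5 78.140.190.106 GET http://23-lot-s.com/congrats.php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11)" "http://news.example.test/article"',
    '10.0.0.7 107.180.50.210 GET http://advancepcsupportsreviews.online/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11)" "-"',
    '10.0.0.9 198.51.100.20 GET http://player-update.example.test/FlashPlayer.dmg "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11)" "http://stream.example.test/"',
    '10.0.0.9 198.51.100.21 GET http://fpdownload.adobe.com/PLACEHOLDER/install.dmg "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11)" "-"',
]


def parse_line(line):
    """Parse one log line into a dict of fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def host_matches_ioc(host):
    """True when host is an IOC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def check_line(entry):
    """Return a list of alert strings for one parsed log entry."""
    alerts = []
    parts = urlsplit(entry["url"])
    host = parts.hostname or ""
    if host_matches_ioc(host):
        alerts.append(f"ioc-domain:{host}")
    if entry["dest"] in IOC_IPS:
        alerts.append(f"ioc-ip:{entry['dest']}")
    # Mac installer fetched from somewhere other than an expected vendor host.
    if parts.path.lower().endswith((".dmg", ".pkg")) and host not in INSTALLER_ALLOWLIST:
        alerts.append(f"unexpected-installer:{host}")
    return alerts


def sweep(lines):
    """Return {client_ip: [alerts...]} for every client that raised at least one alert."""
    findings = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        alerts = check_line(entry)
        if alerts:
            findings.setdefault(entry["client"], []).extend(alerts)
    return findings


if __name__ == "__main__":
    for client, alerts in sweep(SAMPLE_LOG).items():
        print(client, alerts)
```

On the sample lines, 10.0.0.5 and 10.0.0.7 are flagged on both the domain and the IP indicators, and 10.0.0.9 is flagged only for the installer pulled from the fake update host; the download from the allowlisted vendor host raises nothing. Subdomain matching is deliberate, since the same campaign infrastructure tends to rotate hostnames under one registered domain.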

[Screenshot: fake Flash Player update page]

Traffic:

[Screenshot: traffic capture]

IOCs:

Scareware

Some of the worst malvertising campaigns push scareware pages insinuating that your Mac is severely damaged or infected and urging you to download a program to fix it. Windows users were familiar with these highly despicable techniques ten years ago (RogueAV or FakeAV). They are typically the work of greedy affiliates trying to drive as many leads as they can in order to collect large commissions off various PUPs.

[Screenshot: fake infection warning page]

Traffic:

[Screenshot: traffic capture]

IOCs:

The OS X platform is not exempt from malvertising, and less savvy Mac users are likely to fall for the various social engineering tricks thrown at them. Half the battle is knowing what’s out there and being very careful with any software updates pushed via websites, no matter how alarming or legitimate-looking they are.

If you think you may have downloaded an application but aren’t sure if it is safe or not, feel free to run our Anti-Malware for Mac.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher