Support scammers who have been targeting Windows users for years and, more recently, users of Apple’s mobile devices and Android tablets and smartphones, have moved on to targeting desktop Macs more aggressively than ever before.
The basic set-up is the same: fraudsters seek to badger users into paying for useless remote diagnostic and cleanup services to fix problems that don't actually exist.
The only difference is that the lure has been baited differently, in an attempt to get users of Mac OS X computers – rather than Windows PCs or iPhones – on the hook.
Tech support scammers have targeted Mac users before in isolated cases, so the latest ruse isn't a first, but the mechanism this time around represents something of an evolution on previous tactics and techniques.
This time, scammers are impersonating Apple technicians by fraudulently duplicating a key aspect of legitimate support services. Apple offers a screen sharing service as part of its support centre that puts users in touch with a remote advisor. The sharing part of this service runs through the Apple website.
Crooks have registered a domain called ara-apple.com that closely resembles the legitimate Apple address (ara.apple.com), warns net security firm Malwarebytes. The hyphen is the whole trick: ara.apple.com is a subdomain under Apple's own apple.com, whereas ara-apple.com is a separate domain registered by whoever paid for it.
Pages at the bogus domain are carefully designed to scare people into thinking there is something wrong with their computer.
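The distinction between a real Apple subdomain and a hyphenated lookalike is easy to check mechanically. The following Python is an added example written for this article, not code from Malwarebytes or from the scam itself: it classifies a URL's hostname as under the genuine apex, on a blocklist, a brand lookalike, or unrelated. The blocklist here is a constructed placeholder containing only the domain named above (Malwarebytes publishes its own list), and the registrable-domain logic assumes a simple two-label suffix such as .com rather than consulting the Public Suffix List.

```python
from urllib.parse import urlsplit

# The genuine apex domain that legitimate Apple support hosts sit under.
LEGIT_APEX = "apple.com"

# Constructed sample blocklist for this example; the article names one domain.
# A real deployment would load a maintained list (e.g. Malwarebytes' page).
BLOCKLIST = {"ara-apple.com"}

# Digits and symbols scammers commonly swap in for letters of a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "|": "l"})


def hostname(url: str) -> str:
    """Lower-cased hostname from a URL; a bare hostname is accepted as well.

    urlsplit() discards any user@ prefix, so 'http://ara.apple.com@evil.example/'
    is correctly attributed to evil.example, not to Apple.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host (ara.apple.com -> apple.com).

    Assumption for this example: a one-label public suffix like .com or .net.
    Production code should use the Public Suffix List so that names such as
    example.co.uk are split correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:])


def is_under(host: str, apex: str) -> bool:
    """True only for the apex itself or a genuine subdomain of it."""
    return host == apex or host.endswith("." + apex)


def normalise(label: str) -> str:
    """Strip hyphens and undo common homoglyph swaps so 'ara-app1e' reads 'araapple'."""
    return label.translate(HOMOGLYPHS).replace("-", "")


def classify(url: str, apex: str = LEGIT_APEX, blocklist=BLOCKLIST) -> str:
    """Return 'legitimate', 'blocklisted', 'lookalike', 'unrelated' or 'invalid'."""
    host = hostname(url)
    if not host:
        return "invalid"
    # Genuine subdomains win first: ara.apple.com really is Apple's.
    if is_under(host, apex):
        return "legitimate"
    reg = registrable_domain(host)
    if host in blocklist or reg in blocklist:
        return "blocklisted"
    # Brand name appearing in any label (apple.com.evil.net, support-apple.com,
    # app1e.com) while not under the apex is the classic impersonation pattern.
    brand = apex.split(".")[0]
    if any(brand in normalise(label) for label in host.split(".")):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("https://ara.apple.com/", "ara-apple.com",
                   "https://support-apple.com/help", "apple.com.verify-account.net",
                   "app1e.com", "example.com"):
        print(f"{sample:40} {classify(sample)}")
```

The check order matters: a genuine subdomain is accepted before any lookalike heuristic runs, so the heuristic never produces false positives on Apple's own hosts, and the blocklist is consulted before the heuristic so a known-bad domain is reported as such even when it does not contain the brand name. Internationalised homoglyph domains (Cyrillic letters that render like Latin ones) are out of scope for this simple version; those need a confusables table rather than the small digit map used here.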
“Fraudsters will use all sorts of messages, audio warnings and other artefacts in order to social engineer marks into calling for assistance,” writes Jérôme Segura, a senior security researcher at Malwarebytes, in a blog post.
The dodgy domain is used for everything from linking to the remote-control programs the "technician" (actually the scammer) will use, to processing payments, Segura explains.
Malwarebytes has contacted both the registrar (GoDaddy) and hosting provider (Liquid Web) so that they can apply a ban-hammer to this particular fraudulent website. This still leaves the possibility of a reappearance of the same scam by a different gang, or by the same groups using a different site.
Segura offers some general pointers on how to avoid being taken in by this type of scam.
“As always, please be particularly suspicious of alarming pop-ups or websites that claim your computer may be infected,” Segura advises. “Remember that Apple would never use such methods to have you call them or would never call you directly either.”
This advice is expanded on Malwarebytes' tech support scams help and resource page, which also features a list of blacklisted domains.
The advice is mostly aimed at Windows users, who remain the main targets of this growing class of malfeasance, but also includes pointers relevant to a wider range of technology users. ®