New MacGuard Phishing Attack Bypasses Mac OS X Password Requirement

A new MacDefender variant targeting Apple's (NSDQ:AAPL) Mac OS X platform can now circumvent the password requirement to install fake antivirus software onto victims' computers.
The latest version of the fake antivirus MacDefender, known as MacGuard, was first detected by researchers at Mac security firm Intego. Unlike other versions of MacDefender, MacGuard bypasses password requirements and installs automatically, without any user intervention.
Intego researchers first detected a fake antivirus attack with MacDefender targeting the Mac OS X platform on May 2. Like other fake antivirus schemes, known as scareware, the virus appeared on users' Macs via a pop-up or an infected link, offering a phony virus scan. The fake scan would inevitably claim to find a virus, and then would trick the user into submitting credit card numbers in exchange for bogus antivirus software.
Since it was first discovered earlier this month, alternately named versions of the MacDefender virus have emerged, such as MacProtector and MacSecurity. Up until now, the different versions have been the same application under different names.
However, the new MacGuard, which is spread via SEO poisoning attacks, functions slightly differently. Initially, the installation package, known as avSetup.pkg, is downloaded automatically when a user visits a malicious or infected site.
If Safari's "Open safe files after downloading" feature is checked, the payload will open Apple's Installer and the user will see a standard installation screen, Intego researchers said. If not, users could see a downloaded ZIP archive and feel inclined to double click, which would also launch the Mac OS Installer.
The package then installs a downloader, dubbed avRunner, which launches automatically while the installation package deletes itself from the user's Mac, essentially erasing its tracks.
"Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program," Intego researchers said in an advisory. "Since any user with an administrator's account -- the default if there is just one user on a Mac -- can install software in the Applications folder, a password is not needed."
The downloader then installs the new MacDefender version, MacGuard, which the avRunner application downloads from an IP address hidden in an image file.
Intego researchers say that users should be wary of Web pages that appear to be a Finder window.
"Leave the page, and quit your Web browser. If anything has downloaded, and the Installer application has opened, quit it right away; look in your Downloads folder for the file, then delete it," Intego said.
Apple issued an advisory earlier this week warning users of the MacDefender virus, saying that "In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants."
Security experts question how Apple will keep up with what appears to be a constant stream of MacDefender variants -- a tactic which emulates the myriad of fake antivirus attacks on the Windows platform.
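
The checks implied by the installation chain and Intego's advice above, as an added shell example (not Intego's or Apple's tooling): it looks in the Downloads and Applications folders for the file names reported in the article and reports Safari's "Open safe files after downloading" setting. The wildcard matching, the two directories searched and the `AutoOpenSafeDownloads` preference key are assumptions that do not come from the article.

```shell
#!/bin/sh
# Added example: artifact names (avSetup.pkg, avRunner, MacGuard) are from the
# article; wildcard suffixes and the searched directories are assumptions.

# List top-level entries of directory $1 whose names start with one of the
# reported artifact names (case-insensitive). Returns 0 only if one is found.
scan_dir() {
    [ -d "$1" ] || return 1
    hits=$(find "$1" -mindepth 1 -maxdepth 1 \( -iname 'avSetup*' \
        -o -iname 'avRunner*' -o -iname 'MacGuard*' \) 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Report Safari's "Open safe files after downloading" setting, read from the
# AutoOpenSafeDownloads preference: enabled, disabled or unknown.
# "unknown" covers a missing `defaults` tool and an unset or unreadable key.
safari_auto_open() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return 0; }
    case $(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Scan the current user's Downloads folder and /Applications, then summarise.
audit() {
    result=clean
    for dir in "${HOME:-.}/Downloads" /Applications; do
        if scan_dir "$dir"; then result=suspect; fi
    done
    echo "Safari auto-open: $(safari_auto_open)"
    echo "Result: $result"
}

audit
```

A "suspect" result only means a file or application with one of the reported names is present; the listed paths still need to be inspected before anything is deleted.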

