“Typosquatters are targeting Apple computer users with malware in a recent campaign that snares clumsy web surfers who mistakenly type .om instead of .com when surfing the web,” Tom Spring reports for ThreatPost.
“According to Endgame security researchers, the top level domain for Middle Eastern country Oman (.om) is being exploited by typosquatters who have registered more than 300 domain names with the .om suffix for U.S. companies and services such as Citibank, Dell, Macys and Gmail. Endgame made the discovery last week and reports that several groups are behind the typosquatter campaigns,” Spring reports. “Mac OS X users are being singled out in this typosquatting campaign with malware. According to Endgame, when a Mac user stumbles on one of the typosquatters’ webpages a fake Adobe Flash update pops up and attempts to trick users to install the advertising component called Genieo.”
“Genieo, according to Endgame, is a ‘common OS X malware / adware variant’ that ‘typically infiltrates the user’s system by posing as an Adobe Flash update,’” Spring reports. “Once on the targeted computer, Endgame said, Genieo drops an OS X DMG container. ‘Genieo then entrenches itself on the host by installing itself as an extension on various supported browsers (Chrome, Firefox, Safari),’ wrote Mark Dufresne, director of malware research and threat intelligence for security software company Endgame, in a company blog post. Windows PC users who visit one of the typosquatter sites are redirected to an ad network where they are peppered with online ads.”
Read more in the full article here.
MacDailyNews Take: Let’s be careful (and precise) out there.
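The campaign described above works because dropping the “c” from “.com” lands on a real, registrable ccTLD. The following is an added example, not code from ThreatPost, Endgame or MacDailyNews: a small Python script that generates the single-character TLD-deletion variants of a set of brand domains (it generalizes the article’s .om case to .cm and .co, which are also real TLDs) and scans constructed proxy log lines for hosts that resolve to one of those variants. The brand domains (citibank.com, dell.com, macys.com, gmail.com) are assumed canonical names for the companies the article lists; the log format and the log lines are constructed for the example.

```python
"""Flag proxy traffic to TLD-typo variants of known brand domains.

Added example. Brand domains are assumed canonical names for the
companies named in the article; the log lines below are constructed.
"""
from urllib.parse import urlsplit

# Assumed canonical domains for the brands the article names.
BRAND_DOMAINS = {"citibank.com", "dell.com", "macys.com", "gmail.com"}

# Constructed squid-style log lines: timestamp, client, method, url, status.
SAMPLE_LOG = """\
1457653200.123 10.0.0.5 GET http://www.citibank.om/ 200
1457653201.456 10.0.0.7 GET https://www.citibank.com/login 200
1457653202.789 10.0.0.9 GET http://macys.om/sale 302
1457653203.012 10.0.0.5 GET http://gmail.co/ 200
1457653204.345 10.0.0.8 GET http://example.om/ 200
"""


def tld_deletion_variants(domain):
    """Return every domain obtained by deleting one character from the TLD.

    'citibank.com' -> {'citibank.om', 'citibank.cm', 'citibank.co'}.
    Deleting a letter of the TLD is the typo class the article describes;
    other typosquat classes (transposition, homoglyphs) are out of scope.
    """
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i in range(len(tld)):
        shorter = tld[:i] + tld[i + 1:]
        if shorter:
            variants.add(f"{name}.{shorter}")
    return variants


def build_lookup(brands):
    """Map each typo variant back to the brand domain it impersonates."""
    lookup = {}
    for brand in brands:
        for variant in tld_deletion_variants(brand):
            lookup[variant] = brand.lower()
    return lookup


def registrable_domain(host):
    """Assume the registrable domain is the last two labels.

    This ignores the public-suffix list (e.g. co.uk); good enough for
    brand.com-style names, which is all this example targets.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_from_url(url):
    """Extract the hostname; tolerate bare hosts without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def classify_host(host, lookup):
    """Return the impersonated brand domain, or None if the host is clean."""
    return lookup.get(registrable_domain(host))


def scan_log(log_text, lookup):
    """Return (client, host, brand) for every request to a typo variant."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        _ts, client, _method, url = parts[:4]
        host = host_from_url(url)
        brand = classify_host(host, lookup)
        if brand:
            hits.append((client, host, brand))
    return hits


if __name__ == "__main__":
    table = build_lookup(BRAND_DOMAINS)
    for client, host, brand in scan_log(SAMPLE_LOG, table):
        print(f"{client} -> {host} (typo of {brand})")
```

Two caveats a practitioner would add before using this in anger: some brands legitimately own a .co or .cm variant, so seed the lookup from the brand’s actual registrations and exclude those, and the same variant list is what a brand would feed to a DNS or WHOIS check to see which of its typo domains are already registered by someone else, which is the blocking the commenters below ask about.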
Many of us have dispensed with Flash altogether and don’t miss it, but if you do use Flash, whatever you do, you must never ever click on a link to update it. The only place where you can safely update it is directly from Adobe’s site and you must type in the address manually so that you can be sure that you really are going to the genuine site.
Thanks for the advice. I usually make sure the path is correct but agree it is safer to go to the site directly.
What I find shocking is that the affected companies do not go out of their way to block the Oman sites.
Or perhaps have ISPs keep an official list to block.
And turn off “open disk images” in Safari preferences. Can’t believe that is still enabled by default.
So why can’t the domain holder squash these things?
Adware is now the #1 form of malware infection on Macs. This epidemic started a couple years ago and Genieo is possibly the #1 perpetrator. They hide behind a variety of different adware names, all ‘legal’ and detrimental to anyone infected. A wide variety of websites package up this adware within their software installers. Just about ANY software download site is now dangerous in this respect, including venerable MacUpdate.com. That’s sad. (The workaround for MacUpdate, which they kindly provide, is to log into the website. Then you would get screwed with their adware installer).
Thomas Reed, of ‘The Safe Mac’ website fame, has been studying Mac malware for years and helping out victims of infection. He was the first to come up with a well written and useful free adware detection and removal tool. It was called AdwareMedic. That software has since been bought by Malwarebytes and they hired Thomas to direct its future development. It is now called Malwarebytes Anti-Malware and is STILL FREE. It detects and removes ALL the current malware. Highly recommended:
Malwarebytes Anti-Malware for Mac
Thomas and I belong to a fun gestalt eList of people who work with Mac security. He’s an incredible asset.
BTW: One Mac software download site that does NOT foist adware is:
MajorGeeks
I know the guys who run it as they’re local to me. It’s not the most comprehensive listing of Mac software, and I occasionally berate them for ‘going on vacation’ whereby they abandon the Mac list for a number of days. Otherwise, they are also highly recommended.
At the community centre where I work, it takes over an hour for Malwarebytes to scan the PCs. On the Macs it takes under 10 seconds!
Fortunately, we now have far more Macs than PCs. Saves a fortune in support costs and by my estimation, has already saved close to £700 a year in electricity costs.
I don’t think Malwarebytes Anti-Malware for Mac is licensed for business use (they have a link for Business, and then says “Stay tuned” or something).
Agreed. Never download from any of these sites:
macupdate.com
download.com
softonic.com
Every single downloadable item has been purposely injected with adware and/or other malware. And the webmasters of those sites do not care — I suspect they get paid by the malware developers for hosting this rubbish.
My impression as I watched MacUpdate testing their ‘MacUpdate Installer’ was that they were working with some sort of marketing organization or consultant, learning how to use the ‘installer’ software and experimenting with applying it to various ‘downloads’. My friend Thomas Reed complained to them about applying the ‘installer’ to Firefox and they relented. I believe that is still the case. But MacUpdate then proceeded to test it with other downloads.
So far, I haven’t found MacUpdate foisting anything seriously malevolent (unlike download.com and softonic!) or attempting to fake out / socially engineer victims. But what it’s attempting to install includes adware nonetheless.
Again, if you log into MacUpdate, they’re not going to shove their ‘installer’ at you. If you do happen to get stuck with their installer, STOP installation immediately to be safest. Then go get the ACTUAL installer of what you want from the developer’s website instead.
Thanks to autocomplete, I rarely have to type “.com” anymore.
——RM