
Mac Tech Support Scam


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Technical support scams have been in operation for many years. They come in a number of guises and change regularly in order to remain a threat. A newly registered scam website targeting Mac users was identified towards the end of 2016.

Threat details

The malicious webpage checks the browser's User Agent string to determine which version of OS X the user’s computer is running, then delivers one of two Denial of Service attacks. The first variant contains code that continuously creates draft emails with the subject line: “Warning! Virus Detected! Immediately Call Apple Support (phone number)”. This forces older versions of Mac OS to run out of memory and freeze, which is intended to pressure users into calling the fake tech support number.

The second variant opens iTunes and displays a fake warning page that makes similar claims about a virus detection and displays a toll-free number to call Apple Support. If a user calls the phone number, attackers will gain control of the user’s PC.

The flaws appear to be partially fixed in Mac OS Sierra 10.12.2. Users running this version of Mac OS are not susceptible to the continuous creation of draft emails; however, the second attack can still launch iTunes without any prompt from the browser.


Remediation advice

For organisations to protect themselves from such a threat, the following actions should be considered:

  • Employees are appropriately educated to identify social engineering techniques and suspicious-looking websites.
  • Software is kept up to date.
  • Security patches are applied regularly.
  • All malware signatures are kept up to date.

Consider:

  • The use of an IDS or IPS to monitor irregular behaviour.
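
A sketch of the kind of behavioural rule an IDS or endpoint monitor could apply to the two variants described under Threat details, added here as an example and not taken from the NHS Digital alert: it flags a burst of mail drafts triggered from one web origin, and virus-warning text with a phone number handed to Mail or iTunes. The event tuple layout, thresholds, hostnames and phone number are constructed assumptions.

```python
import re
from collections import defaultdict, deque

WINDOW_S = 10.0   # assumed sliding window, in seconds
BURST_MIN = 5     # assumed number of drafts in the window that counts as a burst
SCARE = re.compile(r"virus\s+detected|call\s+apple\s+support", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def detect(events):
    """Map each suspicious web origin to the sorted reasons it was flagged."""
    recent = defaultdict(deque)   # origin -> timestamps of recent mail drafts
    alerts = defaultdict(set)
    for ts, origin, handler, text in sorted(events):
        if handler == "mail":
            window = recent[origin]
            window.append(ts)
            while ts - window[0] > WINDOW_S:   # drop drafts older than the window
                window.popleft()
            if len(window) >= BURST_MIN:
                alerts[origin].add("draft-burst")
        # Both variants show a virus warning together with a number to call.
        if handler in ("mail", "itunes") and SCARE.search(text) and PHONE.search(text):
            alerts[origin].add("scare-text-with-phone")
    return {origin: sorted(reasons) for origin, reasons in alerts.items()}

# Constructed sample telemetry: (epoch seconds, web origin, handler, text).
# The layout, hostnames and the 555-01xx phone number are made up for the example.
SUBJECT = "Warning! Virus Detected! Immediately Call Apple Support 1-800-555-0100"
EVENTS = (
    [(100.0, "https://intranet.example", "mail", "Lunch on Friday?"),
     (150.0, "https://music.example", "itunes", "Open album in iTunes")]
    + [(200.0 + i * 0.5, "https://scam-a.example", "mail", SUBJECT) for i in range(6)]
    + [(300.0, "https://scam-b.example", "itunes",
        "Virus detected. Call Apple Support toll-free 1-800-555-0100")]
)

if __name__ == "__main__":
    for origin, reasons in detect(EVENTS).items():
        print(origin, reasons)
```

The burst rule catches the draft-creation variant even when the subject text changes, while the text rule covers the single iTunes launch that a rate threshold would miss.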

Last edited: 17 February 2020 11:34 am