Posted by David Harley on October 21, 2015.
Dan Goodin wrote yesterday for Ars Technica that “Support scams that plagued Windows users for years now target Mac customers”, complete with a Malwarebytes screenshot of a fake Safari alert. In fact, Malwarebytes has, for quite a while, been reporting the way in which support scammers have added pop-up alerts to their armoury, although I still see plenty of reports of the classic cold-call-from-‘Microsoft’ version of the scam. The advantages (to the scammer) of this evolution include:
However, Goodin’s story was based on a new article by Jérôme Segura about how “Tech Support Scammers Impersonate Apple Technicians”. Jérôme has shared lots of interesting information about this scam – he’s doing much more research on it nowadays than I am – but perhaps the most interesting aspect of this particular attack is that it relies on a classic phishing technique: the scam site is registered as ara-apple.com, obviously intended to masquerade as Apple’s real ara.apple.com support site. Jérôme says that Malwarebytes has contacted the registrar (GoDaddy) and hosting provider (Liquid Web). At the time of writing, however, the fake page is still accessible and presenting links to remote access utilities (TeamViewer and ISL Light Client), as well as the all-important links for processing your payments to the scammer.
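The hyphen-for-dot swap described above can be checked mechanically. The following Python sketch is an added example, not code from Malwarebytes or from this post: it classifies a URL's host against an allow-list and also covers the related trick of embedding the trusted name as a subdomain of another domain. The `TRUSTED_DOMAINS` list and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the organisation treats as genuine (illustrative list).
TRUSTED_DOMAINS = {"apple.com"}


def host_of(url):
    """Return the lower-cased hostname of a URL or bare host, or ''."""
    try:
        host = urlsplit(url if "//" in url else "//" + url).hostname
    except ValueError:  # e.g. malformed bracketed IPv6 literal
        return ""
    return (host or "").rstrip(".").lower()


def is_trusted(host):
    """True only if host is a trusted domain or a real subdomain of one.

    The match is made on a label boundary, so 'pineapple.com' does not
    count as part of 'apple.com'.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def embeds_trusted(host):
    """True if a trusted domain appears as leading labels of another domain,
    e.g. 'ara.apple.com.example.net'."""
    return any("." + d + "." in "." + host for d in TRUSTED_DOMAINS)


def classify(url):
    """Return 'trusted', 'lookalike', 'unrelated' or 'invalid'."""
    host = host_of(url)
    if not host:
        return "invalid"
    if is_trusted(host):
        return "trusted"
    # Undo the hyphen-for-dot swap: 'ara-apple.com' -> 'ara.apple.com'.
    dotted = host.replace("-", ".")
    if is_trusted(dotted) or embeds_trusted(dotted):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample inputs; example.net is a reserved documentation domain.
    for sample in ("https://ara.apple.com/", "ara-apple.com",
                   "http://ara.apple.com.example.net/x", "pineapple.com"):
        print(f"{sample:40} {classify(sample)}")
```

A check like this suits a mail or web proxy rule that raises an alert for review; it only recognises the two patterns shown and does not replace reputation feeds or registrar takedown requests.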
Malwarebytes maintains a useful support-scam-related resource page, and I maintain another at AVIEN, though mine is mostly summaries of and links to articles (by me and others). I’ve also published several papers on the topic at ESET (sorry for the plug, but that is where I do most of my writing!):