Tuesday, March 7, 2017

Defeating Tech Support Scams, Mac Edition

Mac users are falling prey to tech support scams in growing numbers. Because of this, they're being increasingly targeted. Why? The myth that Macs are impervious to malware, scammers and fraud.

Let's start with that word, "myth." Mac does, indeed, have a lot of safety features built into its operating system. However, contrary to popular belief, this is not the reason the bad guys left them alone for so long. There was one simple reason for that - market share. Criminals put their time and energy into the technology that gave them the most bang for the buck because Microsoft had and continues to hold the highest number of users. See, e.g. netmarketshare.com for current statistics.

Apple is still behind Microsoft in overall users, but the popularity of Apple products continues to increase for both home and enterprise (office) use. That rapid growth rate is what's put OS X and iOS in the crosshairs of the bad guys. The double whammy is that the Apple user population is unprepared. While Windows users have had years of experience and resources available to exercise caution, Mac users have grown accustomed to taking things at face value and simply trusting the platform. This works out well for tech support scammers, in particular. Like most people unaccustomed to thinking defensively, a lot of Mac users are easy to scare. How do I know it's a lot? Because of the growing number of scams and scammers.

The primary purpose of these "warnings" is to get you to call or click.

Calling gives live humans the opportunity to heighten the scare tactic as they walk you through installing a malicious back door. Yes, they really are in a call center - they get paid by the number of installs by the criminals who will then lease out your computer to other criminals or use it themselves to launch further scams.

The automated method of this scam involves scaring you into clicking on links, videos or ads that redirect you to these warnings, then clicking to download a "fix" that's really a back door, ransomware or a payment screen for a "fix" that essentially holds your web browser or computer hostage until you pay, click or call.

Defeating the scams is relatively simple. It starts with basic hygiene. Do you stay current with security updates for your operating system and apps? Do you run anti-malware in active mode? Do you regularly back up? If you said "yes" to all of these, move on to the next section. If you said "no" to any question, do it now, then move on to the next section.

Every computer needs to know where and how to find other computers. In order to do that, they each need to speak both human and machine. Humans type "cnn.com," a domain name, which the machine translates to its machine-readable, numeric equivalent, an IP address. This is a gross oversimplification of the Domain Name System, or DNS, but it gets us to the next step: your computer's hosts file.

A hosts file is a sort of cheat sheet that performs that domain name-to-IP address translation that can override DNS servers. Updates to the hosts file only govern the machine that the file is on, which is one of the reasons why it's not a popular protection. It's high maintenance. But for home users, who have only 1-3 computers to worry about, it's worth the hassle because it's effective (in my opinion, of course).

At the bottom of this post I've linked a text file that contains a long list of domain names preceded by the IP address This means that the domain names will translate to only, making the domain unreachable by any browser or application that uses the hosts file on that computer. Why does this matter? Because the way these malicious redirects work on the tech support popups is by silently telling your computer to go to these domains to launch the code that makes the popup happen (or look like a popup) in the first place. By editing your hosts file to make the domains unreachable, you stop the attack before it happens. All you need to do is copy and paste that list. I've pulled it together through multiple sources and vetted extensively. Is this absolutely all of the tech support scam domains? It's all the ones I know about as of this writing. It'll likely change but these have been around and active for a while. So, while no single update will ever protect you from everything (be wary of anything or anyone that tells you otherwise), it's a darned good start.

There are a couple of ways to edit your hosts file. The GUI method is a bit clunky. You open Finder, select Go from the menu bar, then Go To Folder to open a search window. Type /private/etc/hosts in the search window and a new Finder window opens with the hosts file highlighted. You need to drag the file out of this window and to your desktop in order to edit it. After you copy & paste the list below to the end of the file, you drag & drop the edited file to the Finder window for /private/etc to replace the old version with the updated version. You'll also need to flush the DNS cache of your computer.

A much easier method is the terminal. There's a text editor built into the operating system that's accessible by opening a terminal window and typing "sudo nano /private/etc/hosts" like this:

You should be asked for your password then you'll see the terminal window change as it drops you into the hosts file:

Now it's as easy as cut & paste:
1) Highlight the list linked below by pressing Command (the key next to the space bar) and the A key simultaneously. This keyboard shortcut means "highlight all content."
2) With the entire list highlighted, press Command and the C key simultaneously. This keyboard shortcut means "copy."
3) Go to the hosts file in your open terminal window, place the cursor below the last line in the file, and press Command and the V key simultaneously. This keyboard shortcut means "paste."

The hosts file will scroll as the paste completes. When it stops, press Control and the O keys simultaneously (that's the letter "O," not a zero) to save the update. You should now see something like this:

Press Control and the X keys simultaneously to exit the editor (nano will prompt you to save if anything changed since the last save). Restart your browser and you're done.

While not absolutely necessary, it's still a good idea to flush the DNS cache, which means forcing your computer to forget about recent domain name-to-IP-address resolutions. There are several ways to do this, depending on which version of OS X you're using. A good resource to find the correct command for your flavor is brought to us by the good people at OpenDNS here.
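For readers who'd rather script the hosts-file update than paste it by hand in nano, here is an added example (not from the original post or its linked list) that does the same job: it merges a block list into a hosts file, skipping any domain that is already present so the script can be re-run as the list changes, counts what was blocked, and offers a DNS cache flush for current macOS releases. The sink address 0.0.0.0, the placeholder domains under the reserved .invalid TLD, and all function names are assumptions for the demonstration; substitute the post's real list and its address.

```shell
#!/bin/sh
# Added example: idempotent hosts-file block-list merge for macOS.
# Assumed (not from the post): sink address 0.0.0.0, the .invalid placeholder
# domains below, and the function names. Run as: sh hosts_block.sh demo

SINK="${SINK:-0.0.0.0}"

# Constructed sample block list in "address domain" form, one entry per line.
SAMPLE_LIST="0.0.0.0 scam-support-popup.invalid
0.0.0.0 your-mac-is-infected.invalid
0.0.0.0 adware-redirector.invalid"

# hosts_has_domain HOSTS DOMAIN: exit 0 if DOMAIN already appears as a hostname
# field on a non-comment line of HOSTS, exit 1 otherwise.
hosts_has_domain() {
    awk -v d="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == d) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# merge_block_list HOSTS LISTFILE: append "SINK domain" for every domain in
# LISTFILE that HOSTS does not yet contain; print how many were appended.
# Re-running with the same list appends nothing, so the file never grows
# duplicate entries.
merge_block_list() {
    hosts="$1"; list="$2"; added=0
    # Marker comment so the block is easy to find (or remove) later.
    grep -q '^# BEGIN scam-block-list' "$hosts" 2>/dev/null || \
        printf '\n# BEGIN scam-block-list\n' >> "$hosts"
    while read -r addr domain rest; do
        case "$addr" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ -n "$domain" ] || continue                 # skip malformed lines
        if ! hosts_has_domain "$hosts" "$domain"; then
            printf '%s %s\n' "$SINK" "$domain" >> "$hosts"
            added=$((added + 1))
        fi
    done < "$list"
    echo "$added"
}

# count_blocked HOSTS: number of entries pointing at the sink address.
count_blocked() {
    grep -c "^$SINK[[:space:]]" "$1" || true
}

# flush_dns_cache: commands for macOS 10.10.4 and later; the post notes that
# older OS X versions need a different command, so check before relying on it.
flush_dns_cache() {
    [ "$(uname -s)" = "Darwin" ] || { echo "skip: not macOS" >&2; return 0; }
    sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder
}

# demo: exercise the functions on temporary copies rather than the live file.
demo() {
    tmp=$(mktemp -d)
    printf '127.0.0.1 localhost\n' > "$tmp/hosts"
    printf '%s\n' "$SAMPLE_LIST" > "$tmp/list"
    echo "first merge appended:  $(merge_block_list "$tmp/hosts" "$tmp/list")"
    echo "second merge appended: $(merge_block_list "$tmp/hosts" "$tmp/list")"
    echo "blocked entries:       $(count_blocked "$tmp/hosts")"
    cat "$tmp/hosts"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

To apply it for real, point `merge_block_list` at `/private/etc/hosts` under `sudo`, then call `flush_dns_cache`. On macOS you can confirm an entry took effect with `dscacheutil -q host -a name scam-support-popup.invalid`, which should report the sink address instead of a public one.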

Here's the hosts file update list. I've included adware and first-stage browser crash sites in addition to the tech support scam sites to round out your safer Internet experience.
