Scareware targeting OS X (updated)

Johannes Ullrich has just reported some scareware which could trouble OS X users. This is detailed in his post in the SANS ISC InfoSec Forums.

Currently, you are at risk if you follow certain Facebook click-bait, including one for photos by EMGN (Sponsored), such as a pile of wood reflected in a puddle of water. A browser alert then appears, giving an odd web address and warning you that your Flash Player is out of date. If you click on the OK button (the only one offered), a seemingly legitimate Flash Player update is then downloaded.

The installer is signed with a legitimate developer certificate and therefore passes Gatekeeper’s protection; it is hoped that Apple will revoke that certificate very shortly in response to this report. Apple’s XProtect also did not detect anything amiss.

The scareware installed as a result does not appear to be malicious, but claims to scan your Mac for malware, offering you a chance to buy a cleaning tool.

Beware of Facebook click-bait, and let’s hope that Facebook and Apple take immediate action to stop this.

Thanks to Michael Mimoso at ThreatPost for this information.

Note: Patrick Wardle notes that as of 7 February 2016, Apple has revoked the developer certificate involved here. If you try to use this installer, Gatekeeper should now report this as an error, and refuse to install the scareware. Thank you, Patrick – and thank you, Apple.

There is no news on Facebook blocking such click-bait, though.