1 Million Macs Exposed to Malvertising Scam

A malvertising campaign has been targeting Macs since at least mid-January, with at least a million machines exposed, security firm Confiant said in a blog posting this week.

Credit: Apple/Dreamstime/Tom's Guide

(Image credit: Apple/Dreamstime/Tom's Guide)

The malicious ads lure users into updating their Adobe Flash players—but that update is really a downloader called Shlayer that opens up the Mac to even more malware. To evade malware screeners, the ads first load normally, but then draw in malicious content from a Firebase, a Google-hosted online data repository designed for mobile-app makers.

Unfortunately, not that many Mac antivirus brands recognized the Shlayer malware signature yet. As of this writing on Thursday afternoon (March 21), the corporate siblings Avast and AVG did, as did Avira and Bitdefender and their licensees (Emsisoft, F-Secure, GData and Qihoo 360), plus a couple of others. But dozens of other antimalware engines listed on the VirusTotal page for Shlayer's signature let the malware slip by.

Our advice would be to ignore any pop-up windows suggesting that you update Flash Player, especially if you're using Safari, which Shlayer seems to prefer. (Go to the official Flash update page at https://get.adobe.com/flashplayer/ instead.) Alternately, you could use an ad blocker.

MORE: Best Mac Antivirus Software

The million machines exposed weren't necessarily infected. Their users just all had a malicious ad load in a browser window. The user would still have to click on the ad, and then click again to authorize the installation of the Flash Player "update" to become infected. Malvertisers often get people to click through by creating a sense of urgency or titillation with messages like "Click here to see the nude videos criminals have of YOU!"

Antivirus products often look for signs of potentially malicious code in ads and other browser components, and make a judgment call on whether to block the object even if it contains no known malware signature.

Shlayer has been good at getting around that. When it first deployed in January, it buried malicious code directly in the images used in the ads so that the detection engines wouldn't "see" the code.

It's now changed tactics: Instead of hiding the malicious code in plain sight, Shlayer sucks it in from Firebase, a repository for mobile-app data that is generally trusted because it's a Google property. But if there's one thing we've learned from 20-odd years of user-generated content, it's that jerks tend to abuse trust by uploading nasty stuff to otherwise benign websites.

"The Firebase code looks very similar to typical vanilla ad tech," Confiant security researcher said in a company blog post. "The comparison is a great illustration of how in just a short amount of time the game has changed, and these days it's all about subtle payload delivery."

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Latest in Online Security
A person on a laptop converting a PDF to a DOC
FBI issues warning over free online file converters that infect your PC with malware
A hacker typing quickly on a keyboard
New MassJacker malware is hijacking digital wallets to steal large sums from users
A woman using her laptop securely with a cup of coffee in hand
5 common mistakes people make when shopping for antivirus software
Windows
240 million Windows 10 users are vulnerable to six different hacker exploits — protect yourself now
Victims of Identity Theft
FTC says Americans lost $12 billion to scams last year and these were the worst ones — here's how to stay safe
Apple iPhone 16 Plus Review.
Apple just released an emergency security update for a flaw used in an ‘extremely sophisticated attack’ — update your devices right now
Latest in News
3D printed model of alleged iPhone 17 Air design
iPhone 17 Air — these 5 big revelations have me excited for the first truly new iPhone in years
NYTimes Connections
NYT Connections today hints and answers — Tuesday, March 18 (#646)
Igor
The Roku Channel is streaming one of my favorite kids' movies for free
A person on a laptop converting a PDF to a DOC
FBI issues warning over free online file converters that infect your PC with malware
The Find my People feature
Android Find My can now track your friends and family — here's how to use it
Foldable iPhone concept image
Are you sitting down? Here’s what the foldable iPhone could cost