Technical Support Scammers targets Apple users

Experts at MalwareBytes uncovered a new malvertising campaign operated by Technical Support Scammers that are targeting Apple Mac owners.

Scammers are prolific and ingenious guys, this time they are targeting Mac pretending to be operators of the Apple Technical support.

Technical support scammers are running aggressive malvertising also relying on legitimate ad networks.

“These scams aren’t being done with cold calls, but by aggressive malvertising,” said Jerome Segura, a senior security researcher from Malwarebytes. 

This last malvertising campaign is targeting Mac users who browse “lower-quality websites” used by Technical support scammers to host the attack code or malicious scripts that are able to exploit vulnerabilities in the browser to hijack the user’s traffic.

With this tactic technical support scammers are able to display the victims bogus warnings that their computer is at risk, and, of course, these messages propose a telephone number to call for support.

Experts at Malwarebytes noticed that websites controlled by crooks discriminate the browser user agent to serve the proper exploit depending on the victim’s OS.  If the browser is Safari, the scammers display victims the tech support message.

“This particular case shows that tech support scammers are resorting to more elaborate ways to social engineer their victims. Perhaps Apple users are even more at risk because they may be less experienced at dealing with these kinds of “errors”.”states a blog post published by Malwarebytes.

The experts highlighted the level of sophistication implemented by the technical support scammers for this campaign.

The technical support scammers behind the campaign use a website with a URL almost identical to the one used by Apple for the legitimate technical support (ara-apple.com instead ara.apple.com) that allows its customers to share the screen for remote assistance.

“The domain name is almost the same as the official [screen sharing] one from Apple,” Segura said.

“These are definitely a threat to Mac users,” Segura added. “Mac users just aren’t as aware of the threat out there [from support scams] as are Windows users.”

The researchers noticed that the fake domain was also used to process payments, but giving a look to the ‘Secure Payment’ page implemented by technical support scammers is possible to verify that the process uses the HTTP protocol instead HTTPs.

Experts reported the malicious campaign to both the registrar GoDaddy and hosting provider Liquid Web to allow the shut down of the bogus websites.

B always suspicious of alarming pop ups or websites that claim your computer may be infected!

Pierluigi Paganini

(Security Affairs – Technical support scammers, cybercrime)