Mac Malware?
April 13, 2016 7:38 PM   Subscribe

My dad just called me in a panic. His iMac (running El Capital or Yosemite) gave him a scammy looking error message. Need some help figuring out what's going on and how to fix it.

I did some Googling and this is a common issue but I can't tell if it's actual malware or if he somehow got redirected to a scammy site. Here are photos he took and sent to me. I'm not sure of the exact sequence of events -- all I could get out of him was that he was trying to go to etsy.com, then he got this message and called me.

Any thoughts on what I should do? He has TeamViewer and Join.Me so I can log in to his machine if necessary.
posted by radioamy to Computers & Internet (19 answers total)
 
It looks like it's a scam web page. He can just close the Chrome web browser and everything should be ok. He may have to force quit the browser if the pop-up menu won't go away.
posted by praiseb at 7:46 PM on April 13, 2016 [5 favorites]


Tell him DO NOT call the number listed in that popup or give anyone access to his computer except you. He should be able to just force quit the browser without adverse consequences. If the site starts to load back up when he restarts Chrome, he should force quit again.
posted by limeonaire at 7:48 PM on April 13, 2016 [6 favorites]


Note how in the pictures he sent you, the scary looking error messages are both being displayed through Chrome. One is in the browser window and the other is a popup.

It's apparently a variation on a well-known phishing scam. He should quit Chrome--force quit if the popup won't go away--and that should take care of it.
posted by Kutsuwamushi at 7:55 PM on April 13, 2016 [2 favorites]


He said he had trouble shutting down Chrome and the computer. He restarted and is now having keyboard problems. Oy.

Fortunately he knew enough not to call the number! I have trained him well.
posted by radioamy at 8:04 PM on April 13, 2016 [1 favorite]


He's ok; the "keyboard problems" are his own nerves. Telling him that won't help, of course.

If your dad is anything like mine was, he'll need to feel like he's been proactive in solving the problem before he feels genuinely safe. So the thing to do is to coach him through the process of deleting some span of his browser history - in Chrome, that's in History -> Show Full History -> Clear Browsing Data... - for the last day or week.

After that he should be OK and feel like he's got some control over the situation, which matters a lot. Once he's done that, you can ask him not to revisit whatever site caused that fake warning to spring up. But, pro tip, don't ask what that site was.
posted by mhoye at 8:16 PM on April 13, 2016 [14 favorites]


mhoye - you're right, the keyboard problem was a low battery. Terrible timing!

Funny enough, the site was apparently Etsy. Or at least he thought he typed Etsy. Some story about some Italian street artist he met while walking to the post office. Retired life is weird.
posted by radioamy at 8:26 PM on April 13, 2016 [3 favorites]


One other nifty trick that works on safari, and probably chrome as well, is that if you hold down the shift key while re-opening the browser (after quitting or force quitting) it will prevent it from re-opening your previous tabs. This is useful if you can't get the scammy window to shut down or if it keeps causing your browser to freeze.

Also, as already mentioned, this is definitely A Thing. I had my parent contact me in a panic with a similar issue not too long ago. The give away in that case was it being in the browser window as well.
posted by litera scripta manet at 8:38 PM on April 13, 2016


Oh dang... I think I've seen that one before, or something pretty similar. I'm pretty tech saavy, so although the idea that I had something on my mac isn't impossible, it's probably less likely than your dad. Even so, I panicked a bit as well. I cant remember how I got rid of it, but I'm thinking it probably came from a less-than-reputable chrome extension.

Has your dad installed any extensions lately? Might want to go though his settings and remove all the things you don't recognize, just in case.
posted by cgg at 8:59 PM on April 13, 2016


Yeah, if you Google that number you'll see it's currently being used by one of the "your computer has a virus!!!1!" phishing scammers.

(For some reason I've never bothered looking in to, the only times I ever see those are the odd occasion I look at something on Etsy. And that's with running Ghostery & uBlock. I wonder if Etsy's security for links / externally-hosted images is a bit lax?)
posted by Pinback at 9:28 PM on April 13, 2016


Your father dodged a bullet this time. Instead of a simple phishing page, it could have been one of the ransomware sites that encrypt files on his computer and demand payment to get his computer back. There are versions of this in the wild targeting Macs.

You should definitely set him up with AdBlock/Ghostery/NoScript to limit his exposure.
posted by Thorzdad at 5:56 AM on April 14, 2016


Yeah, I've seen this several times, on Windows. A BSOD (Blue Screen of Death) basically means a complete Windows system failure and is not going to show up in a web browser, and never on a Mac. In Windows I just right click on my browser icon in the task bar and close it all. I think you can do similar from OSX, but I can't remember the exact method right now. In summary, it's just a dodgy website with a malicious script which is screwing with your browser and trying to get your dad to call that number.
posted by Diag at 6:07 AM on April 14, 2016 [1 favorite]


I think it's most likely that his Chrome installation has been compromised, not just the one web site. This malware support site identifies the problem as an adware Chrome extension. The instructions for removal there look like overkill to me, it's probably much easier to fix it by hand.

If the problem comes back, see if the same thing happens in Chrome in Incognito mode. You can open an incognito window with ⌘ + Shift + N, or via menus. That will load the page without extensions and cookies and stuff. Another thing to test is if the same popup happens in Safari. In either case if it shows up in Chrome but not incognito Chrome or Safari, then there's probably a malware extension loaded in Chrome.

It's pretty easy to remove extensions in Chrome. AFAIK the malware extensions aren't able to stop you from removing them.

(If this diagnosis is correct it may be worth having a chat with your dad about not installing any software that a web site tells him to. Particularly one with dodgy videos.)
posted by Nelson at 7:39 AM on April 14, 2016


I strongly recommend running a pass of the (free) Malwarebytes for Mac after even a slight brush with this stuff.
posted by churl at 9:54 AM on April 14, 2016


Hmm. I think the only Chrome extension he has running is Adblock.

I was able to do a Join.Me session and I followed Apple's rundown of how to search for and get rid of MacDefender and it didn't look like it was installed. I think I'll run Malwarebytes just to be safe, good idea churl.
posted by radioamy at 10:03 AM on April 14, 2016


Which AdBlock? There are several and some are a little shady, although none that I know of are outright malware. I prefer uBlock Origin these days FWIW.
posted by Nelson at 10:44 AM on April 14, 2016


Depending how tech savvy he is, or how involved you want to be, it may be useful to change his user account on the Mac to a non-administrative account. This means that in order for anything to install on the machine, you would have to log in with a different account. It makes things a bit more tedious for updates and the like, but can prevent things like him downloading and installing a compromised version of flash, for instance. This assumes he would be ok with you maintaining admin privileges. Here's a discussion on the subject. All that being said, that won't protect against what happened today, i.e. a scammy website trying to phish. But it will prevent other sorts of issues.
posted by bluloo at 10:46 AM on April 14, 2016


Seconding demoting his user account to non-admin to minimize future risk.
posted by Johnny Wallflower at 8:08 PM on April 14, 2016 [1 favorite]


Agreed! Note, too, that for the last few versions of Mac OS, even a non-admin account can install software from the Mac App Store (since it's vetted), so if he needs a program in a pinch he's probably still in good shape.
posted by churl at 7:35 PM on April 15, 2016


We had this at our house! Or the same kind of error message screen, saying to "Call technical support", with a phone number. It appeared on multiple devices, including Macs and PCs, and Android phones and iPhones, all connecting to our wi-fi. We eventually figured out it was a problem with the router/cable modem -- it had been compromised in a DNS hack.

Manually changing the DNS settings in the affected computer is a way to test -- you can change the DNS away from "use whatever the router assigns me" to one of Google's (configure your network settings to use the IP addresses 8.8.8.8 and 8.8.4.4 as your DNS servers). If that fixes it, then it was a DNS hack.

Then you can contact your ISP, tell them the problem, and they should be able to fix the hack from their end.

- - - -
Just for future searchers, this is the text of the message from the photos above. We had similar messages with "Microsoft technical support" on our PCs, too:
BSOD: DLLRegisterServer failed with th
MacOS Defender Error Status: 0X80072AFC
0x00008CE DLL_DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
Error Code 0xd800903w3 when starting Mac OS Defender
Mac OS Defender Time Out Error code 0xd800903w3.
Error Code 0xd800903w3 when trying to open Mac OS Defender

breach.pw says:
Mac OS detected suspicious activity on your computer
Please contact Technical Mac OS Support for immediate help:
(844) 311-5096 (toll-free)
Please contact Technical Support and have your Computer ID (1455) ready to resolve the issue.
Do Not open any additional internet browser to avoid data corruption on the registry of your operating system. Contact certified Mac OS technicians at
Toll-free Helpline (844) 311-5096
Do not shut down or restart the computer. Doing that may lead to data loss and possible failure of your operating system, causing a non-bootable situation resulting in complete data loss. Contact certified Mac OS support technicians immediately to resolve the issue at (844) 311-5096. Immediately contact Certified Mac OS technicians to rectify the issue.

posted by LobsterMitten at 11:00 AM on May 14, 2016


« Older Flower bouquet/arrangement delivery in San Diego —...   |   While my guitar gently weeps Newer »
This thread is closed to new comments.