Over the weekend, I got an e-mail from an AppleCare support rep, who was responding to my recent reports of Mac malware being found in the wild. At least one prominent voice in the Mac community dismisses these reports as “crying wolf.” The view from inside an Apple call center says it’s for real:
I can tell you for a fact, many, many people are falling for this attack. Our call volume here at AppleCare is 4-5x higher than normal and [the overwhelming majority] of our calls are about this Mac Defender and its aliases. Many frustrated Mac users think their Mac is impervious to viruses and think this is a real warning from Apple. I really wish I could say not many people will fall for this, but in this last week, we have had nothing but Mac Defender and similar calls.
I contacted this person and arranged an interview. I’ve edited our conversation to remove any details that might identify this individual or the call center location, but otherwise this is a verbatim transcript.
Update: In the Talkback comments, some people express skepticism about these conclusions. Be sure to read my follow-up: Crying wolf? Apple support forums confirm malware explosion. It includes direct quotes from Apple customers caught up by this attack.
EB: Until this latest round of fake AV software started, what was a typical week like for you?
AC: There’s usually about 600 or so of us spread around 14 centers for CPU support. Before this started happening, we had 7-12 minutes between calls generally. Now we're lucky to have any time between calls.
We started getting a trickle of calls a couple weeks ago. However, this last week over 50% of our calls have been about it. In two days last week I personally took 60 calls that referred to Mac Defender.
EB: Do you have a support database that you share for cases like this?
AC: What do you mean? As in articles for new issues we're running into?
EB: Yes, there must have been a point where you noticed that a lot of people were dealing with this Mac Defender thing and that it wasn't just your calls.
AC: We have a team of people who go through all case notes and find new issues that are popping up a lot and send notices to all of AppleCare. Our notice for Mac Defender is that we're not supposed to help customers remove malware from their computer.
AC: That's about what I said when I read it. The reason for the rule, they say, is that even though Mac Defender is easy to remove, we can't set the expectation to customers that we will be able to remove all malware in the future. That’s what antivirus is for.
EB: I would imagine most of the people who are calling are fairly panic-stricken.
AC: Well, I'm sure you're aware of what Mac Defender pops up on your screen if you don't buy it. Last call I got before the weekend was a mother screaming at her kids to get out of the room because she didn't want them seeing the images. So, panicking, yes, I'd say that would be the situation usually. I had a teacher call about Mac Defender last week.
EB: So you are supposed to tell them that the Terms of Service don't allow you to help them remove it, and they should ... what?
AC: Well, in the agreement for AppleCare, it does state we don't help with malware. However, just because we're told we're not to help people get rid of it, most of us do.
EB: Taking a little risk there? I assume your calls are randomly monitored and you could get a warning if someone decides to be a hardass.
AC: Indeed we are monitored, but I can't personally justify telling a father who’s freaking out about what his 6-year-old daughter just saw that I can’t help him out. Our on-floor managers and QA guys do their best to let it slide, but if they start getting pushed from higher-ups, we could face write-ups and even termination.
EB: Have any of the customers that you helped paid money to the Mac Defender pushers?
AC: My calls? No. However, the rep that works next to me has had a few people who have. It kept "denying their card" and asking them to put another in. One person ended up trying five different cards. I'm going to assume criminals now have ahold of the info.
EB: Ugh. Adding insult to injury.
AC: It's been quite a mess for us lately.
EB: Do you see any signs that it is easing at all, staying the same, accelerating?
AC: It started with one call a day two weeks ago, now it’s every other call. It’s getting worse. And quick.
EB: That doesn't bode well for the future.
AC: No, not at all. I've worked with computers for a while. Removing Mac Defender is easy, but if it ends up like malware for Windows, we're going to have a lot of unhappy customers, which is bad for the advisors. If our customers aren't happy, our pay goes down.
EB: When the bad guys find something that works, they tend to push on it and morph it into other variations.
AC: It’s going by a few names—Mac Defender, Apple Security, and a few less used name variants. So far the only difference is the names. As long as you don't give it your administrative password you're usually OK.
EB: So customers who get hit by this are installing it and giving their admin password?
EB: if they stop before that, nothing bad happens?
AC: Yes, the file will download but for it to install it requires the password. It tries to trick you into giving it by saying it's required to remove the infections.
EB: Ah yes, social engineering.
AC: Indeed, looks rather real, if you ignore the fact it pops up in your browser... but for most of us that know computers that’s a giveaway there.
EB: What sort of advice do you leave customers with after you've helped them with this issue?
AC: That even though they're using a Mac, they need antivirus/antimalware. We give them links to Norton, McAfee, and Sophos.
EB: It’s also important to be suspicious online.
AC: Indeed, a lot of it does seem to stem from hearing from the salesperson that there’s built-in antivirus, and they believe that’s what they're seeing when it comes up.
EB: Good luck dealing with this.
AC: Thanks, I'm sure it won't be long before we have a lot more of this, a lot harder to get rid of, too.