
Once again: Why you shouldn't blindly install things on your Mac

A new group of bad people (the Internet is filled with them) has found a way to prey on unsuspecting folks who are typo prone. As someone who habitually doesn't pay attention when banging on the keys, I took notice.

It seems that people who accidentally misspell a URL and end it with .om instead of .com are being redirected to sites that exist only to serve malware. Sites many of us visit every day have been spoofed, including Citibank, Dell, Macy's and Gmail. Our testing hasn't reproduced the issue on the listed sites, but it's always better to be safe than sorry.

According to Endgame:

Our discovery of the malicious netflix.om led us to focus our research on typosquatting via registrations of domains using alternate TLDs. As of March 9, there are 1247 TLDs on the Internet according to the Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit organization responsible for handling the overall Internet namespace. This includes commonly seen TLDs like .com, .org, and .gov that are familiar to most Internet users. There are 251 ccTLDs representing nearly every country on Earth (many countries may have more than one ccTLD). Beyond this, since 2013, ICANN began approving hundreds of new TLDs such as .guru, .tech, .florist, and many more. This is a huge set of alternate TLDs which could be abused. The most interesting set of TLDs for typosquatters are those that are likely to be mistyped. We have seen some research on typosquatting of .co and .cm, the ccTLDs for Colombia and Cameroon, respectively. Similarly, as we discovered with the Netflix example, the ccTLD assigned to the country of Oman, .om, is a prime candidate. Simply drop the "c" in ".com" and you're there. An alternative method we also considered is flipping the "c" and the ".". For example, "google.com" becomes "googlec.om".
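The two typo patterns Endgame describes (dropping a character from the TLD, and swapping the dot with a neighbouring letter) are easy to enumerate for the domains you care about, which turns them into something a defender can watch for. The script below is an added example, not code from Endgame or from this article: it builds the look-alike hosts for a constructed list of monitored domains and flags any request to them in constructed proxy log lines. The log format, the domain list and the sample lines are all assumptions; a legitimate ccTLD such as .co can also match, so hits are candidates for review rather than verdicts.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed list of domains a defender wants to watch for look-alikes.
# Assumption: the reader substitutes their own organisation's domains.
MONITORED_DOMAINS = ["netflix.com", "google.com", "citibank.com"]


def dropped_char_variants(domain: str) -> Set[str]:
    """Drop one character from the TLD: 'netflix.com' -> netflix.om / .cm / .co."""
    label, tld = domain.rsplit(".", 1)
    return {f"{label}.{tld[:i] + tld[i + 1:]}" for i in range(len(tld))}


def dot_transposition_variants(domain: str) -> Set[str]:
    """Swap the dot with a neighbouring character: 'google.com' -> googlec.om / googl.ecom."""
    label, tld = domain.rsplit(".", 1)
    return {f"{label}{tld[0]}.{tld[1:]}", f"{label[:-1]}.{label[-1]}{tld}"}


def typosquat_candidates(domains: Iterable[str]) -> Dict[str, str]:
    """Map each look-alike host back to the legitimate domain it imitates."""
    candidates: Dict[str, str] = {}
    for legit in domains:
        for variant in dropped_char_variants(legit) | dot_transposition_variants(legit):
            if variant != legit:
                candidates[variant] = legit
    return candidates


# Constructed proxy log format: "<timestamp> <client> <method> <url> <status>".
URL_HOST = re.compile(r"https?://([^/:\s]+)")


def scan_proxy_log(lines: Iterable[str], domains: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (requested_host, imitated_domain) for each request to a look-alike host."""
    candidates = typosquat_candidates(domains)
    hits: List[Tuple[str, str]] = []
    for line in lines:
        match = URL_HOST.search(line)
        if not match:
            continue
        host = match.group(1).lower().rstrip(".")
        # A look-alike may be served from a subdomain (www.netflix.om), so walk the suffixes.
        parts = host.split(".")
        for i in range(len(parts) - 1):
            suffix = ".".join(parts[i:])
            if suffix in candidates:
                hits.append((host, candidates[suffix]))
                break
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2016-03-10T12:00:01Z 10.0.0.5 GET http://netflix.com/browse 200",
    "2016-03-10T12:00:07Z 10.0.0.5 GET http://netflix.om/ 200",
    "2016-03-10T12:01:15Z 10.0.0.9 GET http://www.googlec.om/ 200",
    "2016-03-10T12:02:40Z 10.0.0.9 GET https://citibank.co/login 200",
    "2016-03-10T12:03:02Z 10.0.0.5 GET http://example.org/ 200",
]

if __name__ == "__main__":
    for host, legit in scan_proxy_log(SAMPLE_LOG, MONITORED_DOMAINS):
        print(f"look-alike {host} (imitates {legit})")
```

Running the script against the sample lines reports netflix.om, www.googlec.om and citibank.co while leaving the genuine netflix.com request alone. In practice the same candidate list can also be fed to a DNS sinkhole or a proxy block list, so a mistyped address never reaches the fake "Flash update" page in the first place.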

People who land on a typosquatted page are faced with a pop-up suggesting they install an update to Adobe Flash; what actually gets installed is OS X malware known as Genieo, which "entrenches itself on the host by installing itself as an extension on various supported browsers (Chrome, Firefox, and Safari)."

We want to send out a heads-up and also remind everyone to never install any software you didn't specifically ask for.

Stay safe.

I'm an RHCE and Electrical Engineer who loves gadgets of all kinds. You'll find my writings across Mobile Nations and you can hit me on Twitter if you want to say hey.

20 Comments
  • Natural Selection at work on the Internet. The stupid and naive are eaten alive.
  • Your comment really goes with your avatar. Well, not entirely. While Larry was a Stooge, he was never arrogant.
  • It seems like not installing Adobe Flash at all solves a lot of problems.
  • +1 Sent from the iMore App
  • "A new group of bad people (the Internet is filled with them) have found a way to prey on unsuspecting folks who are typo prone" I'm Type O Negative. Sent from the iMore App
  • No need to be sO Negative about it ;)
  • Oh wow! These guys are just preying on any and everyone they can.
    Thanks for this story and awareness!
  • How to stop it? Because the pop up can't be avoided. It forces you to click something Sent from the iMore App
  • Force Quit the browser you're using Sent from the iMore App
  • We all need to be really vigilant at all times and practice safe computing.
  • And websites, even if the name is misspelt, can be very hard to spot as fake, since no one looks in the URL bar... If it's an Apple web page, it *must be*... Probably not... Check the URL before you click (usually displayed by hovering over the link in the bottom left corner of the browser window). Easy to miss, because it's not big enough to notice, and by the time you do, it can be too late. Many of these "fake" pages can self install without any user.
  • There is a good feature in all browsers that can prevent people misspelling their web address: it's called... bookmarks! If these people use more this "fantastic" feature, less attack like this would happen. And, of course, all said about security: do not install, NEVER, software from dubious source, always suspect email attachments, links and whatever (above all, if it comes in unsolicited mail - AKA spam), keep all your software up to date, even in Mac, if in doubt, use security software - doesn't hurt.
  • Bookmarks are helpful, not as a replacement.
  • I don't think it's worth it to bookmark everything though. If I bookmarked every single page, the bookmarks would be overwhelming. So I only bookmark what might be hard to remember, in spelling and other ways.
  • I don't have Flash installed on my computer. On the rare occasion that I need it for a website, I load said site in Chrome, which has its own version of flash that's sandboxed from the rest of the computer.
  • or just run Firefox with Sandboxie (Windows only)
  • Gawd **** it! Something new I have to tell my elderly parent. This is really going to make her not want to do anything on the net any more Sent from the iMore App
  • I have my parents set as a standard user.. You can let 'em browse anything they like.. Nothing can be installed as a standard user on Windows.. same for Mac
  • One solution would be to switch to iOS full-time Sent from the iMore App
  • True. I may try that one of these days, see how long I last before the Mac cravings set in.