Protect Your Mac From Bad Guy Phishing

The kinds of assaults on your Mac from the Internet have changed. As Apple, and others, have shored up OS and browser security, the new preferred assault method is phishing. Apple can’t help you there. You need to know the techniques that will help you defend yourself from phishing attacks.

What is Phishing? Phishing is a message sent to you, on a website, in an e-mail or in a tweet, that exploits the human weaknesses of curiosity, greed, and inexperience in some combination. The message entices you to take some action — log on to what you think is your bank, click on a link, or download and run some software that turns out to be malware. At that point, the integrity of your computer and/or your privacy and security may be compromised.

Some phishing schemes bypass the normal protections provided by Mac OS X: the firewall and sandboxing. If your system isn’t completely up to date with security patches, visiting a malicious website could deliver a data payload that infects your Mac. Or, if you’re tricked into downloading and running malicious software, all bets are off. Mac OS X could be damaged for good and need reinstallation. Note also that phishing can trick you into doing something foolish at a website without necessarily infecting your Mac. You just cough up private info that you shouldn’t.

This howto covers strategies for preventing a successful phishing attack and also suggests some remedies if your Mac does get infected.

[Image: Internet Bad Guy]

I. Myths

First, to prepare yourself, you need a healthy, informed, rational approach to OS security. For example, just because the Mac is fairly immune from external Internet assaults on its Ethernet ports (the “port scan”) and Safari is being increasingly hardened, doesn’t mean you can’t accidentally fall for one of these phishing attacks. The bad guys love phishing because they trick the user into bypassing the usual protections thanks to the human traits mentioned above: curiosity, greed, naivete.

Some will tell you that a Mac doesn’t need virus protection, and that’s generally true. On the other hand, what you do need is software that can detect, by their signatures, whether other kinds of malware have been installed on your Mac.

Companies like Symantec maintain data centers (war rooms) where they assess on an hourly basis the most popular and dangerous malware. Signatures are identified, and your Mac’s security software is updated to look for these signatures and, if possible, eradicate the software. So let’s be level headed here: well written malware can always infect your Mac’s OS if you give it permission. And by permission, I mean a straight double-click install and/or a request for an admin password.

Pundits and amateurs will say that these security companies are crying wolf to scare you and then try to sell you their security software. Ignore the amateurs.

II. Prevention

Here are the five core techniques that will help you defend against phishing attacks. I make strong recommendations based on my experience, but there are certainly variations on a theme that I won’t have space to cover here.

1. A Layered E-mail Defense. Use a large, well-known e-mail service that uses blacklists and provides a first level of defense against spam. You can typically log on with your account info and manage security settings. Google mail and Earthlink are two that come to mind. MobileMe doesn’t do this.

Next, if you’re using a compatible e-mail client, like the Apple Mail app, or a host of others, use the terrific SpamSieve software. This combo will ensure that very little spam gets through to you, and that will help a lot. I have found SpamSieve to be preferable to Apple Mail’s junk mail filtering.

Finally, use e-mail rules to separate e-mails from people in your address book from those who aren’t. Anyone who gets through the gauntlet above but is not in your address book should still be treated with considerable skepticism.

[Figure: E-mail rules help you isolate strangers from friends]

2. Safe Handling Instructions. Once an e-mail does get through your layered defense, and it’s still not from a person you know personally, it could still be a threat. It might look as if it’s from your bank and ask you to go to a link, log on and validate your credentials. Or it could direct you to a website that secretly assesses the security of your browser and tries to exploit unpatched vulnerabilities. Or it could offer you free, trial software with a license key, sometimes even security software, that promises you some benefit or even protection. Or it could ask you to go to a website and enter some private information.

These are all danger signs. You didn’t ask for this e-mail, and you’re being made an offer that seems irresistible. It’s as if some guy in the grocery store approaches you and says, “Hey buddy. If you give me your car keys, I’ll go wash your car for you for free while you shop.”

You might even have to be careful if a friend sends you a forwarded e-mail for something they thought was a good deal or a cute link. Maybe they didn’t exercise the same judgment, and you shouldn’t assume that the links are safe just because they forwarded the e-mail. When in doubt, even if it promises the cutest kitten movies, ignore it. Idle time, something free or ridiculously cheap, and your curiosity are the red alerts you should be attentive to.

The Apple Mail app provides a mechanism to help you assess whether a link has been disguised. An HTML e-mail can display link text that looks innocent, “www.capitalone.com,” while the link itself actually points to “thebadguysinmoscow.ru.” To see the real link, hold your cursor over the link, WITHOUT CLICKING!, and wait for the yellow box to reveal the true destination. For example, here’s a bogus message I got that appeared to be from PayPal, but holding the cursor over the link shows that it would have taken me somewhere else indeed.

[Figure: Bogus PayPal message. Hover over the link to reveal the real URL.]
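The two checks above (rule 1: is the sender in your address book? and rule 2: does the visible link text name the same site the link really goes to?) are exactly what a mail client's hover box and rules do by hand. The following script is an added example, not code from the original article, Apple Mail or SpamSieve; it parses a constructed sample e-mail with Python's standard library, compares the sender against a constructed address book, and flags every anchor whose displayed host differs from the host in its `href`. The address book contents, the sample message and the `.invalid` domains are all made up for the demonstration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed address book: senders the reader already knows (assumption).
ADDRESS_BOOK = {"alice@example.com", "bob@example.net"}

# Constructed sample message: a bogus "PayPal" notice whose first link shows
# one domain as text but points somewhere else entirely in its href.
RAW_MESSAGE = b"""\
From: "PayPal Security" <service@paypal-example.invalid>
To: you@example.com
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details at
<a href="http://login.bad-guys.invalid/verify">www.paypal.com</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase host named by a URL or bare domain, or None if the
    value is not URL-like (e.g. link text such as "click here")."""
    value = value.strip()
    if not value or " " in value or "." not in value:
        return None
    if "://" not in value:
        value = "http://" + value  # bare "www.example.com/path" style text
    return urlparse(value).hostname


def analyze_message(raw, address_book=ADDRESS_BOOK):
    """Return a list of human-readable findings; an empty list means no flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["from"].addresses[0].addr_spec.lower() if msg["from"] else ""
    findings = []
    # Rule 1: a sender who is not in the address book is treated with skepticism.
    if sender not in address_book:
        findings.append(f"sender {sender} is not in your address book")
    # Rule 2: the host the reader sees must match the host the link goes to.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real, shown = host_of(href), host_of(text)
            if shown and real and shown != real:
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(RAW_MESSAGE):
        print("WARNING:", finding)
```

Run against the sample, the script reports the unknown sender and the one disguised link, while the second link (whose text and destination both name www.paypal.com) passes. A mail rule that routes flagged messages to a quarantine mailbox would be the equivalent of the address-book rule the article describes.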

The same goes for Twitter. I got a tweet once that said, “Like your iPad? I got mine free. Find out how I did it.” A URL followed. Needless to say, I didn’t click on the link. Also, odd formatting, poor grammar and misspellings are sure signs that the sender isn’t a native English speaker. Watch for that.

In summary, treat e-mail and all other social networks as communication between acquaintances. As soon as a stranger makes you an offer of any kind, delete the message. If it seems to be from someone you do business with, don’t use the phone number in the e-mail. Use your own address book records or Google/Bing to look up their contact info, and then ask them to verify the message. Banks will never ask you to go to a link/website and log on to fix some fabricated problem that sounds dubious.

3. Check for Patches Daily. In System Preferences -> Software Update, Apple graciously gives you the option to check for updates monthly. That isn’t nearly often enough, and I recommend daily.

[Figure: System Preferences -> Software Update]

You may hear about exploits found by security researchers, and it typically takes some time from when an exploit is discovered until a weaponized version shows up in the kits distributed to bad guys. Even so, criminals live on Internet time, and so should you. Let your Mac watch for updates daily and always apply them right away. The same goes for 3rd party software, say, Firefox if you use that as your browser.

4. Use Trusted Security Software. Get to know the respected and legitimate security software for the Mac. TMO and others publish reviews from time to time. These are products from Intego, McAfee, and Symantec. Don’t install security software that you’ve never heard of, haven’t read a review of, and that is introduced to you for the first time in an e-mail or a tweet.

[Figure: Example security software: VirusBarrier X6 from Intego]

Well-known and respected products are VirusBarrier X6 from Intego and Symantec (Norton) Internet Security for Mac. Don’t let the word “virus” in the name deceive you; the Intego product does a whole lot more to protect you.

As I mentioned above, these companies track all the current threats for Macs and PCs in so-called war rooms. They send out updated files, daily for PCs and weekly for Macs, that contain information about how to detect malware on your machine. In most cases, the security software will provide the ability to delete the malware.

These companies will also advise you in their news sections about major new threats or phony security software. For example, there is a bogus one going around now called Mac Defender. Mac Defender was introduced to users via phishing. (Here’s more info from TUAW.) Another good watering hole for Mac users to help stay on top of the news is SecureMac.com.

5. Watch Where You Walk. Finally, just be careful out there. Stick to legitimate websites and, if you do get led astray, watch for when you seem to be led down a deeper and darker alley on the Internet. When in doubt, stop, close the tab and walk away.

If you haven’t heard, pornography sites are often pre-loaded with special software kits designed to probe your browser for weaknesses and insert malicious code into your Mac. Stay away from them.

Browser plug-ins like “Web of Trust” (WOT) link to a worldwide web of users who have earmarked certain sites as dicey or dangerous. I have it installed and have found it useful.

Learn to recognize the appearance of warnings from your own security software. That way, if you see a weird popup that says something alarming, you’ll be able to tell that it’s a phony message. The classic example is the Windows popup ad from a decade ago that said: “Warning, your PC has been infected! Click here to clean your computer.” Of course, as soon as you clicked on it, software was downloaded that infected your PC.

This just touches the surface, but should get you started. There are lots of other articles that are helpful if you take a look around. Here’s one from just yesterday from Business Insider with some good advice.

III. Remedies

Let’s say you have some strange popups that entice you to go somewhere you shouldn’t. Or your Mac is acting strangely, slowing down, or starts to exhibit some of the symptoms described in this article. Or your security software puts up an alert. What can you do about it?

1. Security Software. If you have security software installed, let it try to deal with the problem. Don’t call AppleCare, and don’t pack up your Mac and take it to the local Apple store. You’re on your own here. Most of the time, the security software will be able to delete the malware. In the process of scanning your Mac, note that it may also pick up PC viruses that were inadvertently transmitted to you in an e-mail from Windows users. They generally can’t harm your Mac, but delete them too.

2. Restore from a Time Machine Backup. If you have wisely maintained Time Machine backups, you can go back in time, before you were infected, and restore your system to exactly how it was at a previous date. You’ll lose work you did since then, but it beats having to reinstall your whole OS. Instructions for how to do that have been published by Apple.

3. Reinstall the OS. The worst case scenario is that you’ll need to reformat your hard disk and reinstall Mac OS X from scratch. Then use the latest Combo Updater to bring you up to date. Of course, you’ll lose all your documents, settings, licenses, and installed software. Again, this is why you’ll want to have a backup of your entire user directory (directories if multiple users) even if it’s just a Finder copy to an external disk.

This last option can get complicated and time-consuming, and it risks all your data. More detail is outside the scope of this howto. I mention it only to create some angst so that you’ll take backups of any kind, including the easy to use Time Machine, more seriously.

Conclusion

You are your own system administrator. It does require a little bit of time and education to tune up your Mac and educate yourself for optimum security against phishing. Hopefully, this article will get you started with the essentials of staying safe on the Internet. But be aware that it just scratches the surface, and constant vigilance and learning are essential.