Malware developers targeting MacKeeper settlement Web page

Following the recent announcement of the MacKeeper legal settlement, malware developers are creating routines that redirect people from the settlement site to nefarious Web pages that use JavaScript hacks to “lock” a browser. When this happens, you will see an alert window that has an OK button, but clicking the button just pops open another alert.

Often these alerts are formatted to appear official, contain details about security problems, and require that you call a provided number to free your system. Sometimes they may outright demand a ransom to fix your system. This is a common trap used by cybercriminals to convince people to hand over money, and is being used by interested parties to block access to the MacKeeper settlement options.

MacIssues reader J. Neill wrote in describing his experience: “I clicked one of the highlighted links ‘claim refund’ and it went directly to a virus thing…”

This problem happens only because you have malware on your Mac that is allowing this redirection to occur. A healthy Mac accessing a valid Web URL will not redirect to another location, so if this is occurring, it means your system is compromised. With some malware packages, the malware will “call home” and receive updates for what sites to affect, so an affected system may have been compromised a while ago, and all that interested parties have to do is update a URL list to have new URLs be redirected.

This approach is often taken when new malware removal techniques and tools are published online. Unfortunately it means that those who are in need of the information or tools located at the URLs will not be able to get them.

If this is happening to you, then you have several options. First, you can get out of the JavaScript trap by following the instructions I outlined here, which in essence is to force-quit your browser and then open it while holding the Shift key to prevent prior windows from opening. When fixed, you can use another system (such as an iPhone or iPad) to access the settlement site and get the information you need.

Finally, download Thomas Reed’s AdwareMedic program (now a part of Malwarebytes’ Mac offerings) and use it to check your Mac for known adware and malware. Follow the instructions to remove any detected malware, to prevent your browser from redirecting to other nefarious Web sites in the future.

5 thoughts on “Malware developers targeting MacKeeper settlement Web page”

  1. B. Jefferson Le Blanc

    Irony of ironies. MacKeeper’s settlement site is hacked. Malware hacking malware. I wouldn’t be surprised if the MacKeeper developers created the exploit to discourage people cashing in on the settlement. It’s not like they have an ethical bone in their bodies. The best result of the settlement would be if legitimate web sites stopped accepting ads for MacKeeper. Sadly, many of the sites that show those ads are run by people hardly more ethical than the folks at Zeobit.

  2. DigitalMan

    I noticed that the MacIssues article page had several “InfoLinks” links, in addition to the “real” link to the settlement.

    I clicked one of the InfoLinks links and was taken to one of those fake alert-leads-to-alert-leads-to-another-alert-etc pages.

    I’ve got those InfoLinks links appearing, only on the MacIssues site, on two different computers. No other signs that I might have malware. If MacIssues is using InfoLinks for revenue, that’s too bad… those links are virtually useless and are easily misused to direct people to malware.

    So… MacIssues… maybe the settlement site isn’t hacked? Maybe people are just clicking bad links on your page?

    Is anyone else seeing those InfoLinks links on the page (on Safari 8.0.7, the links appear as dotted lines rather than solid lines, distinguishing them from actual links)? Or is it just me?

  3. Derek Currie

    Apple attempted to block Javascripts (ECMAscripts) that take over Safari with the most recent update. Since that update, I’ve run into pages that have attempted the deceitful trickery and found I only needed to close that tab on the browser, no force quit etc. required. I’m wondering if people using old versions of Safari are experiencing this hack. As of this morning, anyway, it appears that hack has been removed from the Yencha v. ZeoBIT page.

    BTW: In my explorations on the net, I’ve found that Kromtech (aka ZeoBIT) has started using new tactics to push MacKeeper and has also renamed parts of MacKeeper as separate “Removal” tools for Mac. I found two such tools and associated pages when I searched the net via Google for “How To Remove …”, fill in a Mac application name. All of the pages associated with these renamed tools have deliberately hidden owners, preventing any living thing from discovering that they’re actually Kromtech. They did this via what is potentially an illegal strategy in the USA: Using a WHOIS anonymizer service out of the country of Panama. The contortions these deceitful people go through are amazing. As usual, I consider this company a detriment to the Mac community and wish them gone.

  4. Novy, Dr. Robert A.

    I use an iMac, with OS X Yosemite & 4 GB RAM from mid-2011. One thing that bugs me is its noise-making fan. [Constant, WHIRR.]

    I feel that this may be a dose of Planned Obsolescence. The Chinese who made my iMac learned-well from Americans, yes? (Bah!)

