AppleCare worker admits Mac malware is rampant

A media storm is heading in Apple's direction as details of a covert interview with an Apple employee are revealed.

ZDNet has published a report which not only exposes the level of current malware attacks on what has always been considered to be one of the safest platforms available, but also reveals how Apple staff face disciplinary action or even dismissal if they go beyond Cupertino's official diktats on malware removal.

As we reported last week, a new variant on a common social engineering trojan is currently targeting Mac users by dropping false anti-virus alerts into malicious web pages. The malware requires the user to execute several clicks and even enter the root account password for the machine before it can do any real damage, but it may trick unwitting users into exposing credit card and other personal details by offering to sell bogus AV software masquerading as the genuine Mac Defender application.

Despite the level of user interaction needed to allow the malware to do its dirty work, one AppleCare insider has told ZDNet that the tricksters are making an impact.

"Many, many people are falling for this attack," the call centre worker told ZDNet. "Our call volume here at AppleCare is 4-5x higher than normal and [most] of our calls are about this Mac Defender and its aliases. Many frustrated Mac users think their Mac is impervious to viruses and think this is a real warning from Apple. I really wish I could say not many people will fall for this, but in this last week, we have had nothing but Mac Defender and similar calls."

The report goes on to publish a full transcript of a further conversation the author had with the same Apple employee who says he (gender assigned at random by us) is one of 600 workers taking calls in 14 centres for CPU support, taking as many as 30 calls a day on the subject of Mac Defender infections.

It's an unbelievably big number, but we're sure we won't be the last news outlet to suggest that applying some tabloid maths to those numbers extrapolates out to 90,000 calls a day. The mole also says that call centre workers who would typically have 7-12 minutes between calls are now on the phone constantly.

Perhaps the most damning revelation of the whole exposé, however, is the allegation that Apple policy dictates that AppleCare staff aren't allowed to help people remove the Mac Defender infection, even though it is a simple and painless process.

"Our notice for Mac Defender is that we’re not supposed to help customers remove malware from their computer," the insider said.

Let's just run that one by you again. Apple's policy, for people who have PAID for an AppleCare support package, is for staff not to help them remove a known and documented strain of malware from their computers.

"The reason for the rule, they say, is that even though Mac Defender is easy to remove, we can’t set the expectation to customers that we will be able to remove all malware in the future. That’s what antivirus is for," the worker said.

Now we all know the poo-storm that ensued when Apple blamed its own customers for holding their handsets 'the wrong way' during the whole Antenna-gate saga. The whole thing blew over eventually but Apple's reputation was permanently damaged, even among hard-core Macolytes.

There's bound to be another backlash about the malware policy, which has admittedly only come to light because hapless users aren't following the most basic of security measures, and despite the fact that Apple workers are doing all they can to bypass the policy under threat of disciplinary action.

"Just because we’re told we’re not to help people get rid of it, most of us do. We are monitored, but I can’t personally justify telling a father who’s freaking out about what his six-year-old daughter just saw that I can’t help him out. Our on-floor managers and QA guys do their best to let it slide, but if they start getting pushed from higher-ups, we could face write-ups and even termination."

The anonymous worker also told how users who had been tricked into buying the bogus software (which, when installed, actually infects the Mac for the first time in the whole process) were having several credit cards declined when they tried to carry out the transaction, meaning that the scammers are gathering multiple sets of credit card details from each user.

Apple has revelled in its reputation as the most secure operating system out there for many years, in the main relying on a single factor for its continuing ability to dodge malware bullets.

Security by obscurity meant that most money-making scams - which rely on a few ill-informed people from a vast pool of users falling into what might seem to thinq_ readers like an obvious trap - would never work to a large enough degree to make it financially worthwhile. Why pick on a small group of tech savvy Mac users when there are vast herds of PC cattle just waiting to be picked off?

Unfortunately for Apple, it has become a victim of its own success. The halo effect surrounding the iPod, iPhone and iPad has pushed the Mac out of the hands of Hoxton-dwelling media types with £100 haircuts and into the mainstream.

Apple's ease-of-use for technophobes is creating a generation of users who wouldn't know a hard drive from a handbag, but these same users are going to need some extra hand-holding when it comes to sophisticated social engineering like the Mac Defender trojan.

Perhaps it's time Apple admitted that its walled garden is coming under assault, and that the next iteration of OSX, which is being designed to replicate the simplicity of the iOS user interface, should have its own anti-virus protection built in?

Whatever the Cupertino company decides to do, telling its customers that they have to clean up their own mess quite simply isn't good enough for a company which constantly tops customer service polls.

We've asked Apple to comment on the matter, but don't expect a reply. What we do expect is for the backlash to this unfortunate mess to be brutal enough to force a press briefing in the next few days, and when that happens we'll keep you posted.