![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/09\/Macs-need-antivirus-600x300-1.png\")
<\/p>\n<\/p>\n
For more than a decade, I’ve been writing about malicious results in search engines. Poisoned search results<\/strong> may appear anywhere, even in Google, Bing, or other popular search engines.<\/p>\n Search results contain links to pages that appear to have valuable information. But not every link in the list is necessarily helpful.<\/p>\n In fact, search results can be worse than unhelpful\u2014they can also be unsafe. They may lead to malware, phishing sites, or other scams.<\/p>\n In this article:<\/p>\n Historically, Web-based malware campaigns targeting Mac users have often led to fake Flash Player pop-up warnings, which led to Trojan horse downloads claiming to be Flash updaters or installers.<\/p>\n This week, Kirk McElhearn (veteran Mac journalist, Intego writer, and fellow Intego Mac Podcast<\/a> host) texted me an interesting screenshot:<\/p>\n At first glance, one might be tempted to think that this is a legitimate page for an app available in the App Store. But upon closer inspection, some things don’t seem quite right\u2014at least to a savvy user.<\/p>\n The big, green “download” button with a down-facing arrow doesn’t look like something Apple would ever use. Where you’d expect to see an app icon, in this case there’s an outline of the Apple logo on a gray background. And the title of this “app” contains the word Torrent; you’d never find torrents or BitTorrent<\/a> client software in the App Store.<\/p>\n But it’s quite likely that the average Mac user would not immediately recognize those warning signs. And that’s exactly what the page is banking on.<\/a><\/p>\n If you click on the download button on a page like this, you may be redirected to Mac malware<\/strong> (for example, a Bundlore<\/a> variant disguising itself as an Adobe Flash Player installer, if you can believe that; Flash was discontinued in 2020<\/a>).<\/p>\n You might instead be redirected to a page designed to trick you into creating an account, thereby capturing your real e-mail address and a password. Given that many people reuse the same password on multiple sites, the site operators could potentially use this to hack into your e-mail, Facebook, or other accounts.<\/strong><\/a><\/p>\n If you think you may have unintentionally downloaded malware onto your computer, download a free trial of Intego’s Mac<\/a> or Windows<\/a> software and start a scan.<\/p>\n To avoid future infections, follow the tips below.<\/a><\/p>\n If you encounter a malicious site like the one described above, simply close the browser tab or page by pressing Command-W (\u2318W).<\/p>\n Whenever possible, download software directly through Apple’s App Store app, which comes preinstalled on your Mac, iPhone, or iPad. If a Mac app that you need isn’t available in the App Store, go directly to the software developer’s site to learn how to purchase or download it.<\/p>\n Be sure to use anti-malware protection software from a trusted developer, like Intego’s Mac Premium Bundle X9<\/a>\u00a0or Intego Antivirus for Windows<\/a>.<\/a><\/p>\n Intego VirusBarrier X9<\/a> detects this malware as OSX\/Bundlore.BEa<\/strong>. This malware family is also sometimes called Bnodlero.<\/p>\n Intego’s research team has encountered numerous examples of these malicious pages hosted on subdomains of weebly.com, a free Web page hosting site. Similar fake App Store pages may be found elsewhere on the Web as well.<\/p>\n We also observed multiple variations on this theme. Sometimes the fake App Store page claimed to offer Google Chrome<\/strong> (which, in reality, cannot be found in the Mac App Store). Aside from fake App Store pages, we also observed fake MediaFire download pages<\/strong>.<\/p>\n These fake download screens appeared after the weebly-hosted pages had begun to load. Upon closer inspection, we found that the weebly sites’ HTML code contained embedded JavaScript code that loaded an iframe (or inline frame). This has the effect of invisibly loading a page hosted on a malicious domain, embedded within the weebly site.<\/p>\n Advanced users may be interested to know that blocking JavaScript<\/strong> in your browser (using NoScript<\/a>, for example) may therefore in some cases prevent the fake App Store screen from loading. However, blocking JavaScript breaks most legitimate Web sites, too, so this technique is not recommended for most users.<\/p>\n Some of the malicious or compromised domains we observed included the following (WARNING: visiting these sites may lead to malware):<\/p>\n <\/a><\/p>\n To read some of our past research into search engine poisoning campaigns, you can check out:<\/p>\n You can also subscribe to our e-mail newsletter<\/strong><\/a> and keep an eye here on The Mac Security Blog<\/strong><\/a> for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Poisoned search results may appear anywhere, even in Google, Bing, or other search engines. If you click on a malicious search result, you may see a fake App Store page. Here is everything you need to know to stay safe.<\/p>\n","protected":false},"author":14,"featured_media":96203,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[86,4096],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\n\t\n\t\n\t\n\n
The latest scam: mimicking App Store pages<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/09\/fake-apple-app-store-page.jpg\")
<\/p>\nThe consequences of clicking<\/h3>\n
How can I check whether my Mac is infected?<\/h3>\n
What can I do to prevent infection?<\/h3>\n
Additional technical details<\/h3>\n
aleleim[.]info\r\nasasasasasa[.]vet\r\nasetar[.]info\r\nbasati[.]info\r\nbltlly[.]com\r\ncrophysi[.]ru\r\nehgum[.]xyz\r\neuletep[.]top\r\ngobitta[.]info\r\niminna[.]info\r\nnulnerk[.]top\r\noperaterefinedcompletelytheproduct[.]vip\r\norafukz[.]xvz\r\notucxiixa[.]xyz\r\nqaadxet[.]cfd\r\nsiiwafami[.]xyz\r\nvovantrafline[.]com\r\nxiolade[.]info<\/pre>\n
How can I learn more?<\/h3>\n
\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/04\/intego-podcast-artwork-400.jpg\")
<\/a>Each week on the Intego Mac Podcast<\/strong><\/a>, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast<\/strong><\/a> to make sure you don\u2019t miss any episodes.<\/p>\n![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Twitter-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Facebook-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/YouTube-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Pinterest-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/LinkedIn-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Instagram-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile.png\" "\\"Follow")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"