Until now, hackers have played with proof-of-concept malware against the Mac, but there have been no serious attempts to part users from their cash. But in the last months of 2007, Sophos says it has seen the first signs of cybercriminals targeting Mac users for financial gain.
The first attacks are the work of a crime ring known as the Zlob gang, who send out emails inviting people to look at a video clip. Recipients are told they need to download a special codec to view the clip, and in the process, they infect their machine with something like the OSX/RSPlug Trojan horse, which first appeared last November and which already has many variants.
Graham Cluley, senior technology consultant at Sophos, said that a combination of factors – from difficulties with Microsoft Vista to the "halo of the iPod and the hype around the iPhone" – had persuaded more users to move from PC to Mac. And although the Mac population is still small by comparison with Windows PCs, it is now becoming a worthwhile target for criminals, he said.
The Sophos findings reinforce a similar conclusion by F-Secure of Finland in December, which also noted the targeting of Mac users.
"Mac users have a chance to cut this threat off at the pass," said Cluley. "It is critical that they don't fall for these schemes. They won't get another opportunity like this to nip it in the bud. They need to realize the days of being immune are long gone."
The Sophos threat report for 2007 paints a worsening security picture where even the most innocent web surfing is fraught with danger. "We're seeing about 6000 new websites infected every day – that's about one every 14 seconds," said Cluley. "83% of those sites belong to innocent companies or individuals. Victims we've seen include anything from embassies and large commercial organisations, down to antique dealers and ice-cream manufacturers."
He said it was essential to have filtering software loaded that could scan websites in real time as they were accessed, rather than relying on a blacklist of known infections. "The whole thing is changing so fast, that any list will be out of date immediately." He also emphasised the need for companies to protect their web servers from infection.
Infections are by no means a Microsoft problem alone. Sophos research found that nearly half (48.7%) of all infected web servers were running Apache, while 40% ran Microsoft IIS.
The sharp rise in infection of legitimate sites is confirmed in the latest report from Websense Security Labs, which covers the second half of 2007. The report says that the number of legitimate websites with infected code has now overtaken the number of criminal sites. The most notorious example it cites dates back to last August when the United Nations' HIV/AIDS Asia Pacific portal became infected. That resulted in unprotected visitors to the site unwittingly downloading a Trojan and becoming part of a giant botnet.