Bad news if you still believe Macs don’t get viruses (and, phishing still works)

Something that I really thought I wouldn’t be hearing by now is “I bought a Mac because Macs don’t get viruses”. Unfortunately, I’m still hearing it and, unfortunately, it’s still not true. That said, a recently discovered piece of malware targeting the Apple / Mac platform offers a good opportunity to highlight a few important things to remember.

  1. Macs do get viruses. This can’t be overstated enough. Viruses (malware, ransomware, etc.) are just applications / programs. Applications are typically specific to the platform (Windows, Apple / Mac, Linux, etc.) and cost time (and usually money) to develop, test and deploy. Apple / Mac has always been a very small player in the computer market (in 2009, less than 5% and, even now, typically less than 8%). In many cases, not writing viruses for the Apple / Mac platform is based on market share (and potential earnings), not because Macs can’t get viruses.

  2. Antivirus is behind the curve, by design. At a very high level, most antivirus software uses either signature based detection or heuristics or both. The signature based model requires that the antivirus company have a sample of the virus that they can use to create the signature (kindof like the flu vaccine). The signature, by design, has to be created after the virus. The heuristics model is a little better in that it looks for suspect activity (e.g., did you open a picture that’s now trying to open a connection to a shady website without your knowledge) but, again, the heuristics can be bypassed by delivering the virus in multiple stages (like this one does).

  3. Phishing works. In order to work, a virus has to have a “way in”. That way in can be an unpatched vulnerability in your operating system (Mac OSX, Windows, iOS, Android, Linux, Irix, HP/UX, etc.) or application software or a poor configuration (e.g., default credentials, overly lax permissions, etc.) OR it can be the human sitting at the console, controlling the computer. Vulnerabilities can be patched (Microsoft and Adobe release updates at least monthly, for example) and poor configurations can be difficult to find unless you already have access somewhere else. Attacking the human though is relatively easy and, depending on how well the bad guy crafts the attack (use fear, urgency or both, something like ‘your bank account has been compromised, click here’ or ‘something very expensive was ordered on your Amazon account, click here for details’ or ‘your boss wants you to do this or your fired, click here’), can completely circumvent any technical controls (antivirus warnings, invalid security warnings, etc.) that may be in place.


  1. Don’t believe the myth, Apple / Mac computers can (and do) get viruses. They’re less frequent than, say, Windows viruses, but they’re out there.
  2. There’s no silver bullet. Having antivirus is good but it should only be one of several layers in your security framework. Some others should be access control, patch management, etc.
  3. After you’ve applied all of the technical controls that are available, you still have a human being (in most cases) sitting at the console that’s a tempting target for an attacker. In the same way that it’s important to test your technical controls with things like vulnerability assessments and penetration testing to make sure that you’re not missing anything, it’s important to train and test your people as well. Help them understand what a legitimate email looks like to make it easier for them to spot a fake. Have clear policies in place for things like money transfers or passing sensitive information that requires a second factor (phone call, etc.) to verify before any action is taken. Then, test how well your people understand and implement those policies with simulated phishing engagements.

Misc / Erratta

Leave a Reply