“Your Mac is infected!” How scareware works and how to get rid of it

Ray Fernandez

Sep 4, 20237 min read

"Your Mac is infected!" How scareware works and how to get rid of it: Header image

Have you ever been browsing the internet when suddenly a pop-up came out of nowhere telling you in bold that your computer was “infected”? Or have you ever come across a site that triggered an “automatic virus scan,” assuring you that it has detected dozens of pieces of malware in your computer? If so, welcome to the world of scareware.

What is scareware? Everything you need to know

Scareware is not malware, spyware, or a virus, but it is potentially an open door to all of them. It is a technique used by cybercriminals and black hat hackers to trick you into taking an action you should not take.

By creating sophisticated pop-ups, notifications, well-crafted emails and messages, and even simulating antivirus operations, criminals try to trick users into clicking a link, buying a fake antivirus, or downloading malware. In this way, it is similar to phishing; both approaches use social engineering that preys on human behavior.

The main goal of scareware is to infuse fear into users by falsely claiming that a computer, phone, or device is infected with malware, or stating that a device is locked, slow-downed, or damaged. Those who fall for this scam click on the pop-up and open the door for real malware and harm to come into their lives.

Clicking on a link or downloading a file from fake scareware messages can undoubtedly have serious consequences — these range from ransomware to identity or financial theft, browser hijackers, adware, and more. Scareware can be integrated into malicious sites that hackers design to rank high in organic search results. It can also spread through email, social media, and messaging apps. Criminals may also make scareware phone calls, impersonating security experts.

Who created scareware?

Scareware evolved in the early 2000s from malvertising, a form of malware distribution done through online advertising. The culprit behind the first scareware program remains unknown, but the first famous scareware attack came in 2006, when Microsoft and the Washington state attorney general filed a joint lawsuit against the software vendor Secure Computer, alleging that it peddled Spyware Cleaner to Microsoft users that was actually scareware.

By 2009, the trend was already defined and well-established. By 2010, it had affected millions of users. Despite the efficiency of modern pop-up blockers, it is still a popular technique among cybercriminal organizations. And while some scareware can affect Mac and PC users alike, others are developed to work on specific operating systems.

Examples of scareware on Mac

In 2010, the Minneapolis Star Tribune newspaper served Best Western ads, which directed readers to malicious sites that ended up infecting their computers with malware. This was one of the first large scareware campaigns to unfold from pop-up ads. Users were told that their devices had been infected, and the scareware then tried to convince them to download an antivirus that cost $49.95. The campaign ended up with the attackers’ arrest, but they still managed to make off with $250,000 by scaring users. This type of campaign, integrated into websites, can affect both PC and Mac users.

The first scareware specifically coded to target Mac users, and still famous today, is the Mac Defender case. Also known as Mac Protector, Mac Shield, and Mac Security, this scam first appeared in early 2011, when Mac users were redirected to fake websites that informed them that their computers were infected with a virus, offering an antivirus as the solution.

The main goal of Mac Defender was not to sell a fake antivirus but to obtain credit card information from users to use fraudulently. The extent of the campaign was so big that in 2011, Apple released a security software update to find and remove Mac Defender from computers.

Another infamous Mac-specific scareware was ChronoPay. In 2009, ChronoPay, a Russian online payment processor, targeted Mac users with scareware to trick them into buying fake antivirus software. Investigations later revealed that ChronoPay was a significant player in the fake antivirus and scareware global market.

How scareware works

As previously mentioned, scareware works by instilling fear into users by presenting an urgent and grave problem and later “selling” the solution. There are several techniques for scareware. These include ad pop-ups, push notifications, and phishing.

Pop-up scareware notifications usually look like trusted antivirus software that you have installed on your computer. This makes it difficult for users to discern whether they are getting a notification from their security solution or something foreign. Plus, the close button in these pop-up notifications is usually well hidden.

Scareware push notifications mimic trusted sources, such as Google, but do not appear to have originated from a website. Hackers can code these notifications to look like they are scanning for viruses when they are not, often using countdowns as an additional method of creating a sense of urgency.

Finally, scareware can reach you through emails or messages on social media. These direct messages may try to convince you that your computer has malware, viruses, or other serious threats. They may also be drafted to direct you to a site that triggers scareware notifications or pop-ups. 

How scareware spreads

Cybercriminals are very good at creating websites and managing them to ensure that they rank high in search engines. The techniques they use to rank these sites can bypass Google, Firefox, Safari, and any other browsers’ algorithms. Scareware mainly spreads by being integrated into these sites. 

Cybercriminals have also perfected the technique of drafting persuasive emails and social media messages. They can send millions of emails in one day, spamming users worldwide with their scareware campaigns.

Finally, while scareware phone calls were common years ago and not as much today, hackers still use this method. Phone calls can be very convincing and can be much more personal than an email or website. They can also be a more effective way to scare people into taking action.

How to tell a scareware pop-up from a legitimate antivirus

There are several clear signs that you can look for to differentiate a fake, malicious pop-up or push notification from real antimalware. 

These include: 

  • The close button (x) is hidden or is very hard to find or click.
  • A visible close button (x) is placed in the ad but only to direct users to a malicious site when clicked.
  • When the pop-up is closed, it repeatedly reopens.
  • The message of the pop-up is over the top. Remember, real antivirus software will not seek to scare you.
  • You are asked to download a file or click on a link, and you get multiple pop-ups.
  • The pop-up looks like nothing you have seen before.
  • There are misspellings or logos that do not look accurate.
  • There is a countdown on the pop-up. Legitimate sites do not run countdowns.

How to stop scareware pop-ups on your Mac or iPhone

You can do several things to stop this threat and keep your Mac, iPhone, or iPad safe.

These include:

  • Keep your device updated.
  • If you get a pop-up, close the browser window. Do not click on the pop-up’s close button.
  • Avoid browsing sites that look suspicious.
  • Don’t click links from sources you do not know, and don’t download files from unverified sites or people.
  • Keep your browser updated and set to a high level of privacy and security.
  • Use a trusted pop-up blocker.
  • Use trusted search engines and browsers only.
  • Make sure your firewall is active and updated.
  • Run regular antimalware scans.

How to get rid of scareware on your Mac

Although you can remove any unwanted app from your Mac manually simply by trashing it, scareware can affect your computer configuration. It can also create temporary and registry files and is good at hiding.

CleanMyMac X has a Malware Removal module, powered by Moonlock Engine. It detects malware and can help you remove scareware from your Mac.

To remove scareware with CleanMyMac X:

  1. Open CleanMyMac X.
  2. Choose Malware Removal from the sidebar.
  3. Press Scan.
  4. When the results of the scan appear, check all checkboxes and click Remove.
The Malware Removal module in CleanMyMac X, powered by Moonlock Engine

CleanMyMac X can also give you more details and information on the type of malware it found during the scan. To get this information, click on each category of malware that the scan found.

Additionally, with CleanMyMac X, you can turn on a malware monitor. 

To enable the malware monitor:

  1. Open CleanMyMac X.
  2. Go to Menu by clicking the iMac icon in the menu bar.
  3. Hit the gear icon in the bottom right corner and select Preferences.
  4. Click on the Protection tab.
  5. Now check the boxes to enable the malware monitor and background scan.
  6. Close Preferences.

CleanMyMac X will now run in the background and monitor malware activity, alerting you if any action is necessary.

How to remove scareware from your iPhone

There are several processes you can utilize to remove scareware from your iPhone. The first step you will want to take is to delete any unwanted apps from the App Library.

To delete unwanted apps on your iPhone:

  1. Go to the App Library and tap the search field to open the list. 
  2. Search for any app that is suspicious or that you did not intend to download.
  3. Touch and hold the questionable app icon, then tap on the Delete App (trash can icon).
  4. Tap Delete again to confirm.

You will now want to restart your iPhone and update your system’s software. Additionally, you should clear your browser data.

To clear data in Safari:

  1. Open Settings.
  2. Select Safari.
  3. Select Clear History and Website Data.
  4. Tap Clear History and Data. 

If you still have a problem after doing all this, you can restore your phone to a previous backup.

To restore a previous backup of your iPhone:

  1. Go to Settings and tap General.
  2. Scroll to the bottom and select Transfer or Reset iPhone.
  3. Choose Erase All Content and Settings.
  4. Select Erase Now or Backup Then Erase.
  5. When the Apps & Data screen appears, select Restore from iCloud Backup.
  6. Sign in to iCloud and select the backup you’d like to use.

You may want to consider installing a professional, trusted iPhone antimalware tool that will run scans to remove anything that might damage your phone.

Scareware is one of the oldest tricks in the hacker’s book, and it can be more convincing than you might think. Overall, always keep updates set to automatic, avoid interacting with strange messages, websites, or links, and never download unverified files or attachments. And if you ever see a scary pop-up or notification message, think twice before clicking it.

Ray Fernandez Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.