A Mac is not a fortress, but it’s remained resilient against the worst sorts of attacks that have plagued Windows over decades and Android over years. Ransomware and other malware routinely appears to target macOS users, but it typically requires something extra to move into play. We made a misstep in judgment, or we trust something is true that is not.
So that your columnist doesn’t appear to be looking down at mere mortals, I should note that I received a text message from DHL the other day about an upcoming package. I had, in fact, a package I was expecting from the UK, saw the link, and clicked it—and three-tenths of a second later hastily closed the browser tab that opened. My defenses were down, as I expected a DHL text.
A normal DHL text looks like this:
DHL Express 1234567890 from SENDER NAME. estimated Wed Jul 31. Manage delivery: https://delivery.dhl.com/US/adsfad Reply END to stop msgs
But the one I received said something like:
Hello, mate, your DHL package is attempting to deliver http://98098adfadfasd.alsdfjas.com/98adf098asf0adf9
The text shouldn’t have fooled me, but my normal skepticism was overridden expectation. So far as I know, this click wasn’t to a zero-day exploit that loaded—an unpatched bug used for high-value targets, typically—but to an ad. May I interest you in some fine beluga caviar, very cheap, or knock-off leather bags? Click here.
Anyway, it can happen to any of us, but we can prepare for the worst. Here’s how.
Make backups. Make backups. I’m a broken record, but it’s the single easiest and best thing you can do. With multiple backups, even if someone manages to corrupt your machine, infect it, or delete files, you will have some way to recover. Use the 3-2-1 strategy described in this previous column. Generally, have a local backup, have an offsite one you rotate through, and have a secure online archive.
Only run known software
The main conduit for malware on the Mac is software you download and install. Don’t click on links in email to download software. Don’t accept online recommendations for software from people and sites you don’t know. Google search results are polluted at the top with bad actors, unfortunately. If you limit software installations to that from the Mac App Store and from well-known developers, using downloads directly from their websites, you’ve eliminated most risk.
While macOS is so far resistent to self-installing malware, a category of apps called Potentially Unwanted Programs (PUPs) remains a burden. This is software that’s installed alongside a useful app because you might think it’s useful, and then it rewrites URLs in your browser or performs other activities that interrupt your computing (like a full-screen interstitial ad on your Mac!), but aren’t technically malware. Jason Snell wrote extensively about this PUP danger recently. Apple is increasingly blocking these apps from running, but they’re still in wide use, and I routinely receive email from users who can’t install an app or find their Safari homepage hijacked. Like Jason, I also don’t recommend the routine installation of anti-malware software, because it offers little protection against Mac users’ biggest risks. If you routinely exchange files with Windows or Android users, however, anti-virus software is helpful in stripping malware that you might pass on, like a carrier, to those users if they don’t have AV software in place.
Don’t bypass macOS app protection
Apple allows developers in its program to submit and have their apps digitally signed, which sets a bar a bit higher than software that isn’t. Most people engaged in active development of free and paid software pony up the money to be in the program and get signed for their users’ reassurance. When you have an app that makes you go through the extra steps to bypass this, think twice. (There are some very useful apps, generally free and updated through the goodness of volunteer programmers’ hearts, that aren’t signed. But you need to check the provenance very carefully on that small set of apps.)
Don’t click unknown URLs
Don’t be like me (see above) and click URLs that appear in messages or email unless you absolutely know the source of the message or email. I often type a known site’s URL in rather than click through to avoid being misled. Recently, the company where I rent a virtual private server (VPS) had a spate of fake emails not sent by them—but which looked shockingly legitimate—blanket the internet. I typed in their URL instead, and found the problem documented on their blog. (They hadn’t leaked any email addresses. It was just massive spam.)
What to do if you are attacked
If the worst happens, remember:
The best response is to wipe and restore from your most recent unaffected complete backup—typically one that’s offsite, but which may be a rollback on Time Machine. You can spend a lot of time playing whack-a-mole to eradicate a problem. A clean reversion is your best strategy.
Don’t blame yourself for being a victim of an attack. Hundreds of thousands, maybe millions of people around the world spend their days and nights trying to find your weakness. Blame them!
This Mac 911 article is in response to a question submitted by Macworld reader Rick.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to firstname.lastname@example.org including screen captures as appropriate, and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.