Demystifying the Yahoo Search redirect virus on Mac

Widespread Mac malware redirects to Yahoo SearchIt has been years since Yahoo became a piece of cybercriminals’ traffic monetization puzzle, but this is still a scheme whose gist seems murky.

Mixing malware campaigns with reputable services is the norm in today’s computer threat landscape. Not only is this tactic a way to make an attack look quasi-legitimate, but it may also be interpreted as collusion all the involved parties benefit from. At this point, it isn’t entirely clear which motivation is behind the spread of the Yahoo Search redirect virus in the macOS environment. The only sure-shot takeaway from its shenanigans is that its operators’ appetite comes with eating, as the traffic-hijacking wave has grown into a serious issue.

The threat manifests itself as follows: after installing a malware-laden application, a Mac user keeps going to search.yahoo.com whenever they enter search requests in the URL area of Safari, Google Chrome, or Mozilla Firefox. On a side note, the baddie supports all these browsers to the same extent, with some infection reports relating to Opera as well.

Let’s follow the trail of breadcrumbs

In plain words, the victim’s default web browser starts ignoring their real search preferences all of a sudden. Whereas Yahoo Search is an eye-catching central element of this forwarding ruse, the incursion doesn’t make much sense unless you read between the lines. Every redirect commences with a dubious website that sends off the Internet traffic to a series of monetization networks before it gets to the landing page. This trickery happens almost inconspicuously, with the in-between URLs appearing in the status bar of the hijacked browser for only a split second. Here is a list of some of these domains so that you can get the big picture:

  • feed.chunckapp.com
  • search.safefinder.com
  • search.anysearchmanager.com
  • searchmine.net
  • search.chill-tab.com
  • search.landslidesearch.com
  • search.searchpulse.net
  • search.tapufind.com

Since these pages are intertwined with Application Programming Interfaces (APIs) of advertising frameworks, crooks rake in profits by parasitizing all infected Macs. Meanwhile, the stratagem looks like a simple tweak of browser settings, where Yahoo Search substitutes Google or another search engine of the user’s choice.

Mac malware that pulls the strings

The attack sets off due to the activity of malicious code that has most likely trespassed on the Mac via a bundling hoax. In most cases, it is an application with a tilted magnifying glass icon and a weird name consisting of two loosely related words. A few examples are StandardBoost, SkilledControl, IdeaShared, ActiveOrigin, and FlexibleSector. Once inside the computer, the unwanted program installs a new extension on web browsers, enrolls itself in Login Items, and creates a device profile without permission.

To address the issue, the victim has to find and uninstall this app along with the Launch Daemons, Launch Agents, and other auxiliary components it has added. The fix should also include a good deal of tidying up at the browser level. The main prerequisite for avoiding such attacks further on is to stay away from software installers that promote extra items shoulder-to-shoulder with something seemingly harmless.

Tags: , , , , ,

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>