Ever since Internet traffic became an extensively monetizable commodity, bad actors have focused on intercepting it for profit. Unsuspecting users' devices, computers and smartphones alike, are on the receiving end of this exploitation. Macs are in the same boat, and the scheme discussed here singles them out in particular.
When reporting such abuse, users often mention recurrent instances of visiting search.yahoo.com instead of their preferred search engine, such as Google, Bing, DuckDuckGo, or Ecosia. Unsurprisingly, this situation is typically blamed on an entity dubbed the Yahoo redirect virus. What is it – a classic virus, a dodgy browser extension, or something else? How does it infect and then affect a Mac? How hard is it to purge? Let’s get the lowdown on this.
So what kind of a culprit is it, anyway?
Strictly speaking, calling this parasite a virus is a misconception. It does not self-replicate across a system, nor does it inject its code into legitimate applications. Instead, it rewrites the web-surfing settings on a Mac so that the native Safari and third-party browsers, such as Google Chrome and Mozilla Firefox, return search results via Yahoo.
At first sight, since the browser is where the symptom shows, a malicious add-on looks like the obvious catalyst. Usually it is not. The unauthorized change of the victim's default settings happens because a harmful program has struck one layer below the browser, at the level of system preferences, which is why removing extensions alone does not make the redirects stop.
Specifically, the Yahoo redirect virus (we will keep the name despite the categorization discrepancy above) abuses the configuration profiles feature on a freshly compromised Mac to impose dubious browser behavior. This is the same mechanism an administrator uses to enforce policy on a corporate network, and browsers treat settings delivered this way as managed, so the user cannot simply switch them back. The pest installs its profile through the built-in macOS command-line tool for profile management (the `profiles` utility), which explains why the step goes unnoticed. The outcome is a foothold inside the system combined with the ability to modify various settings without permission.
Lesser-known facts about the Yahoo redirect Mac campaign
Once the infection has cropped up on a Mac and established a strong grip, it starts redirecting every single Internet search to Yahoo. In other words, when you enter a keyword in the browser's address bar, the results are returned via search.yahoo.com. The landing URL includes random-looking parameters plus the string "yhs", which stands for Yahoo Hosted Search, a partner program that pays for search traffic. This indicates that the malefactors have some sort of business relationship with this legitimate service, except that they abuse its terms by feeding it hijacked searches.
Not all victims notice another oddity that accompanies the rerouting loop: one or more interstitial sites visited along the way. The most-encountered examples are as follows:
The role of each domain on this list is to plug a fishy ad network into the long-running redirect scheme in question. These hops call the APIs of advertising services, so the traffic interception brings the crooks extra money from ads on top of their sketchy affiliate ties with Yahoo.
Easy to get infected, hard to clean up
This malware is distributed in a fairly vanilla way, namely via bundles that package a harmless application together with a dangerous one. The notorious fake Adobe Flash Player update pop-ups used to be the driving force of this propagation, but now that Flash is no longer supported, the criminals have switched to other popular free apps, such as YouTube video downloaders, file format converters, and various multimedia players.
If the user keeps the "express" installation option on, they are several clicks away from being hit. Getting rid of the threat is not that trivial, though. It takes more than finding a potentially unwanted program in the Applications folder and sending it to the Trash. The related process must be stopped, the rogue configuration profile removed, the LaunchAgents and LaunchDaemons folders cleaned of the entries that relaunch it, and the misconfigured browsers reset to their original condition. Do the first two steps before deleting files: a still-running agent will otherwise reinstate what you just removed. That said, it is best to avoid this redirect "virus" altogether by adhering to safe online practices, starting with the custom installation option that reveals what a bundle actually contains.
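As an added example (this is not code from the original article), the following Python script triages the two artifacts the cleanup above refers to: a configuration profile that forces browser search or homepage policy, and the launchd items under LaunchAgents/LaunchDaemons that keep the adware running. The browser preference domains and the Chrome policy names are real; the sample profile, the agent labels, the paths and the partner ID in the Yahoo URL are constructed, and the drop-location heuristic is an assumption about typical adware behaviour rather than a rule stated on the page.

```python
"""Triage helpers for the macOS search-redirect scheme described above: parse
a configuration profile (.mobileconfig) for forced browser search/homepage
policy, and flag launchd items (LaunchAgents/LaunchDaemons) that auto-start
from locations no legitimate installer uses. Stdlib only; every file name,
label and URL in the samples below is constructed."""
import plistlib
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# Preference domains the three browsers read managed policy from.
BROWSER_DOMAINS = {"com.google.Chrome": "Chrome", "com.apple.Safari": "Safari",
                   "org.mozilla.firefox": "Firefox"}
# Policy keys that decide where a search or a new window goes
# (Chrome enterprise policy names, plus the Safari/Firefox equivalents).
REDIRECT_POLICY_KEYS = {
    "DefaultSearchProviderEnabled", "DefaultSearchProviderName",
    "DefaultSearchProviderSearchURL", "HomepageLocation", "NewTabPageLocation",
    "RestoreOnStartupURLs", "ExtensionInstallForcelist",
    "HomePage", "Homepage", "SearchEngines",
}
# Assumed drop locations adware favours; a hidden directory anywhere is flagged too.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                       "/var/folders/", "/private/var/folders/", "/Users/Shared/")


def profile_policy_findings(profile: bytes) -> List[Tuple[str, str, object]]:
    """(browser, key, value) for every browser policy the profile would force.
    A home Mac that is not enrolled in MDM should yield []."""
    found = []
    for payload in plistlib.loads(profile).get("PayloadContent", []):
        browser = BROWSER_DOMAINS.get(payload.get("PayloadType", ""))
        if browser:
            for key in sorted(REDIRECT_POLICY_KEYS.intersection(payload)):
                found.append((browser, key, payload[key]))
    return found


def launch_item_finding(plist: bytes) -> Optional[str]:
    """Why a launchd item looks like adware persistence, or None. Only items
    that start by themselves (RunAtLoad or KeepAlive) are considered."""
    doc = plistlib.loads(plist)
    program = doc.get("Program") or (doc.get("ProgramArguments") or [""])[0]
    if not program or not (doc.get("RunAtLoad") or doc.get("KeepAlive")):
        return None
    if program.startswith(SUSPICIOUS_PREFIXES):
        return "auto-starts from a scratch or shared directory: " + program
    if any(part.startswith(".") for part in Path(program).parts[1:]):
        return "auto-starts from a hidden directory: " + program
    return None


def scan(roots) -> List[str]:
    """One report line per finding in the .mobileconfig/.plist files under roots."""
    report = []
    for root in map(Path, roots):
        for f in (root.rglob("*") if root.is_dir() else []):
            try:
                if f.suffix == ".mobileconfig":
                    for browser, key, value in profile_policy_findings(f.read_bytes()):
                        report.append(f"{f}: forces {browser} {key} = {value!r}")
                elif f.suffix == ".plist" and (reason := launch_item_finding(f.read_bytes())):
                    report.append(f"{f}: {reason}")
            except Exception as exc:  # unreadable file or malformed plist
                report.append(f"{f}: could not parse ({exc})")
    return report


# Constructed sample: a profile forcing Chrome's search provider and Safari's
# homepage, shaped like the ones adware installers drop (partner ID is fake).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadType</key><string>Configuration</string>
 <key>PayloadContent</key><array>
  <dict><key>PayloadType</key><string>com.google.Chrome</string>
   <key>DefaultSearchProviderEnabled</key><true/>
   <key>DefaultSearchProviderSearchURL</key>
   <string>https://search.yahoo.com/yhs/search?hspart=EXAMPLE&amp;p={searchTerms}</string></dict>
  <dict><key>PayloadType</key><string>com.apple.Safari</string>
   <key>HomePage</key><string>https://search.yahoo.com/</string></dict>
 </array></dict></plist>"""

# Constructed samples: a persistence agent hidden under Application Support,
# and a benign updater agent belonging to an app in /Applications.
SAMPLE_AGENT_BAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>Label</key><string>com.example.helper</string>
 <key>ProgramArguments</key><array>
  <string>/Library/Application Support/.helper/helper</string><string>-q</string></array>
 <key>RunAtLoad</key><true/></dict></plist>"""
SAMPLE_AGENT_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
 <key>RunAtLoad</key><true/></dict></plist>"""

if __name__ == "__main__":
    roots = sys.argv[1:] or [str(Path.home() / "Library/LaunchAgents"),
                             "/Library/LaunchAgents", "/Library/LaunchDaemons"]
    print("\n".join(scan(roots) or ["nothing flagged"]))
```

Run it on the affected Mac with no arguments to scan the three launchd folders, or pass the directories where the installer dropped its `.mobileconfig`. Profiles that are already installed live in a system store rather than on disk as files; list and remove them with the `profiles` utility (see `man profiles`) or from the Profiles pane of System Preferences. Every hit is a lead to check, not a verdict: a forced search provider on a home Mac is almost certainly the hijack, whereas an agent in an unusual location still deserves a look at what the binary is before it is deleted.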