Macs are being increasingly torpedoed by malware that causes all searches to return Bing instead of Google or another preferred service.

Although this frenzy may look like a plot masterminded by a search provider to outstrip a hugely popular rival, this is an utter misconception. Bing itself and the malicious Mac app that forces hits to it are unrelated things, except that a high-profile cybercrime gang has added the legit service to their intricate scheme on a whim. The only reason why Google might switch to Bing on a Mac computer all of a sudden is that a strain of malware settled down in the system and subdued the victim’s default browser. Safari, Google Chrome, and Mozilla Firefox are the most-targeted Internet navigation apps in this regard. It’s not because they are less secure than the alternatives – it’s because they dominate the niche of browsers used on Macs.

Google switches to Bing due to Mac malware interference

The hijack manifests itself in the same way regardless of the browser that got hit. Every time the user enters search terms in the address bar, they end up on Bing.com although Google is their search engine of choice defined in the browser preferences. This predicament assumes some common sense once you dive into the route of the noxious redirect. Before hitting Bing, the browser resolves several interim URLs. The list of these dubious domains is as follows:

  • searchmarquis.com
  • searchbaron.com
  • searchitnow.info
  • searchsnow.com
  • mybrowser-search.com
  • api.lisumanagerine.club
  • search.surfharvest.xyz
  • hut.brdtxhea.xyz.
Safari forwarded to Bing via searchbaron.com

These URLs appear in the URL and status bar for only a split second, but they play a decisive role in the Bing rerouting campaign. They fit the context of a sketchy scheme involving application programming interfaces (APIs) that bridge the gap between malicious actors and traffic monetization services hidden in plain sight. In other words, each redirect creates a tiny portion of rogue web traffic that mimics user-initiated activity and thereby generates revenue for the malware authors.

Why is Bing the landing page? It’s just because the criminals are trying to lace their campaign with something people trust. Visiting Bing certainly appears to be a more benign occurrence than hitting one of the sites listed above that the user has never heard of. By and large, the search engine is simply a smokescreen that obfuscates a crafty money-making hoax.

A serious problem with the Bing redirect taking over a browser on a Mac machine is that it’s impossible to revert to the right preferences by manually specifying them. Moreover, the browser settings may look correct and need no modifications at all. The pivot of the attack is obscured deep down the system configuration. Once inside a Mac, the malware quietly adds what’s called a configuration profile via the Terminal command-line utility. This profile enforces an unwanted policy that starts managing the behavior of web browsers without the victim’s permission.

With that said, if Google automatically switches to Bing on your Mac, you should look for the culprit that brought your browser under control behind your back. For a start, purge the administrative profile by heading to System Preferences > Profiles. Then, vanquish the malicious application’s file traces manually or using an effective automatic cleaner. Finally, rid your default browser of the impact by clearing caches, cookies, and data stored by websites. To avoid such issues down the road, think twice before downloading and installing apps off of unofficial software marketplaces.