Attackers Launched a Safari Scareware Campaign to Extort Users Watching Porn

Mar 27, 2017

With the release of iOS 10.3, Apple has today fixed a flaw that scammers were using to extort iOS users. Security researchers at Lookout explained in a blog post earlier today that scammers abused the way Safari displayed JavaScript pop-up dialogs, locking victims out of the browser. Victims wouldn’t be able to use the Safari browser until they paid the attackers money in the form of iTunes Gift Cards. The scammers also displayed threatening messages until they were paid, to coerce uninformed users into making the payment.

Safari bug exploited to extort iOS users – several other security flaws also resolved

Researchers from the mobile security provider explained how scammers planted the exploit code on multiple websites, causing an endless loop of windows to be displayed and preventing users from accessing the browser. The scammers usually targeted those browsing adult entertainment sites and other “controversial content.”


Lookout added that scammers registered domains such as police-pay.com to launch the attacks. The naming choices were apparently made to scare “users looking for certain types of material on the Internet into paying money,” researchers said. “Examples range from pornography to music-oriented websites.”

The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk.

To fix this endless loop of pop-ups, Apple is changing how Safari handles website pop-up windows, making them per-tab rather than having them take over the entire browser. Lookout said that while informed users could get rid of this mess by clearing the device cache, many users easily fell for the trick, especially since attackers posed as law enforcement, falsely claiming that the victim had to pay a fine to regain access to the browser.

Lookout reported this attack to Apple last month after discovering it in the wild. Apple has now released the fix with iOS 10.3, rolled out earlier today. Users can install the latest OS version to stay safe from this particular attack, along with a number of other security bugs. You can also go to Settings > Safari > Clear History and Website Data to get Safari back on iOS without paying anything.


“Once a person erases all web history and data, effectively starting Safari as a fresh app, the ransom campaign is defeated,” Lookout said.

Apple has also fixed several other security flaws, including a memory corruption issue in which processing a maliciously crafted image could have led to arbitrary code execution. Another issue in Safari could have enabled a local user to discover websites a user has visited in Private Browsing. Apple’s macOS Sierra has also received a whopping 127 security patches with version 10.12.4, which was also released today. For more details about today’s super-long security bulletin, visit Apple.
