Scammers scare iPhone users into paying to unlock not-really-locked Safari

Apple fixed the bug Monday with iOS 10.3 update

Apple yesterday patched a bug in the iOS version of Safari that had been used by criminals to spook users into paying $125 or more because they assumed the browser was broken.

The flaw, fixed in Monday's iOS 10.3 update, had been reported to Apple a month ago by researchers at San Francisco-based mobile security firm Lookout.

"One of our users alerted us to this campaign, and said he had lost control of Safari on his iPhone," Andrew Blaich, a Lookout security researcher, said in a Tuesday interview. "He said, 'I can't use my browser anymore.'"

The criminal campaign, Blaich and two colleagues reported in a Monday post to Lookout's blog, exploited a bug in how Safari displayed JavaScript pop-ups. When the browser loaded a malicious site carrying the attack code, it went into an endless loop of dialogs that refused to close no matter how many times "OK" was tapped. The result: Safari was unusable.

At the same time, the attack displayed a message, purportedly from a law enforcement agency, demanding payment to unlock the browser; in at least one instance the pretext was simply that the user had navigated to a URL suggesting the site's content was pornographic. Payment was to be made by texting a £100 ($125) iTunes gift card code to a designated number.

Blaich stressed that the attack was as much scam as scare: To regain control of Safari, all one had to do was head to Settings, tap Safari, then Clear History and Website Data.

"This was a scareware attack, where [the attackers] were trying to get people to not think and just pay," said Blaich.

Scareware is a label applied to phony security software that claims a computer is heavily infected with malware. Such software nags users with pervasive pop-ups and fake alerts until they fork over the "registration" fee, sometimes in the hundreds of dollars.

Ransomware has largely replaced scareware as the go-to shakedown: ransomware compromises a computer, encrypts some or all of the contents of its local storage, then promises to hand over the key needed to decrypt them in return for a large payment.

What Lookout found was definitely not a ransomware attack against iOS. "The device was never compromised nor was its data exposed to the hackers," Blaich said. "You would have to compromise the device and encrypt the data [to conduct a ransomware attack]. The app sandbox prevented this from happening."

In iOS 10.3, Apple re-engineered Safari so that it handles JavaScript pop-ups on a per-tab basis. iOS 10.3 also patched 84 security vulnerabilities.
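The two mechanics the article describes, a page that re-opens a modal dialog every time the user dismisses one, and the per-tab handling of pop-ups that Apple moved to in iOS 10.3, can be modelled in a few lines. The following is an added example, not code from the article, from Lookout's post or from Apple; the `DialogPolicy` class, the tab identifiers and the budget of three dialogs are hypothetical, and the "user" simply taps OK on every dialog, which is the behaviour the scam counts on.

```javascript
// Added example, not from the original article or from Lookout.
// It models the "endless loop of dialogs" scareware pattern and a per-tab
// dialog budget, one way a browser or WebView embedder can keep a tab
// usable. DialogPolicy, the tab ids and the limit values are hypothetical.

class DialogPolicy {
  // limit: how many user-facing dialogs a single tab may open before the
  // rest are suppressed. State is kept per tab, so one spamming tab cannot
  // lock up dialogs in another tab.
  constructor(limit) {
    this.limit = limit;
    this.counts = new Map(); // tabId -> number of dialogs already shown
  }

  // Returns true if the dialog may be shown, false if it is suppressed.
  requestDialog(tabId) {
    const shown = this.counts.get(tabId) || 0;
    if (shown >= this.limit) return false;
    this.counts.set(tabId, shown + 1);
    return true;
  }

  // Models the remedy the article gives (Settings > Safari > Clear History
  // and Website Data): dropping the tab's state also resets its budget.
  reset(tabId) {
    this.counts.delete(tabId);
  }
}

// The victim: taps OK on every dialog that is shown.
function userTapsOk() {
  return true;
}

// Abusive page script: re-opens its "pay to unlock" dialog after every
// dismissal. maxRounds only bounds the simulation; the real page never stops.
function scarewarePage(policy, tabId, maxRounds) {
  let dialogsShown = 0;
  for (let round = 0; round < maxRounds; round++) {
    if (!policy.requestDialog(tabId)) {
      break; // dialog suppressed: the loop has nothing left to wait on
    }
    userTapsOk(); // each OK just triggers the next dialog
    dialogsShown++;
  }
  return dialogsShown;
}

// Run the same page once with no budget and once with a budget of three
// dialogs, then check that a second tab is unaffected by the first tab's spam.
function simulate() {
  const unbounded = new DialogPolicy(Infinity);
  const bounded = new DialogPolicy(3);
  const spamTab = "tab-1"; // hypothetical tab ids
  const otherTab = "tab-2";
  const withoutBudget = scarewarePage(unbounded, spamTab, 10000);
  const withBudget = scarewarePage(bounded, spamTab, 10000);
  const otherTabStillWorks = bounded.requestDialog(otherTab);
  return { withoutBudget, withBudget, otherTabStillWorks };
}

console.log(simulate());
```

Without a budget the page shows as many dialogs as the user is willing to tap through (all 10,000 simulated rounds here), which is the "browser is broken" effect the scammers relied on; with a per-tab budget the loop dies after three dialogs and the other tab can still open its own. The budget is a suppression policy, not a fix for the page's script: the malicious site is unchanged, the browser simply stops honouring its dialog requests.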

"[The hackers] hoped you would just react, want to cover it up, then pay and move on," Blaich said.


Scammers hobbled Safari with an endless loop of pop-ups, then tried to scare iPhone users into paying $125.
