Updating Apple iOS will protect you from this fake ransomware attack

Lookout researchers warned of a campaign involving fake ransomware attacks that attempt to extort money from users of mobile Safari. Victims are accused of accessing illegal pornography and the browser appears to be locked up unless a “ransom” is paid.

“Your device has been locked for illegal pornography,” the message stated on a site with security agency icons such as NSA and Interpol at the bottom of the page. An overlay pop-up warned that Safari “cannot open page” with “OK” underneath the message. However, the dialog would not go away no matter how many times the victim tapped “OK.”

Lookout said, “Each time he tapped ‘OK’ he would be prompted to tap ‘OK’ again, effectively putting the browser into an infinite loop of dialog prompts that prevented him from using the browser.”

A different message on police-pay[.]com instructed victims to pay a fine of 100 pounds—roughly $125—with an iTunes pre-paid card.

There were similar “ransomware” warnings accusing victims of accessing pirated music.

Scareware, not ransomware

But it wasn’t actually ransomware locking up Safari; it was scareware. Lookout researchers said,” The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk.”

The attackers were using JavaScript pop-ups to keep Safari in an endless loop until the ransom was paid. No data was actually encrypted. Lookout explained:

The attack code creates a popup window, which infinitely loops until the victim pays the money. The ransom is paid by sending, via SMS, an iTunes gift card code to a phone number displayed on the scam website. The pop-up window error dialog on newer versions of iOS is actually the result of Mobile Safari not being able to find a local URL lookup, so it fails, but keeps presenting the dialog message due to the infinite loop in the code.

When Apple released iOS 10.3 earlier this week, it closed the attack vector by changing how Safari handled pop-up dialogs. If you updated your OS and surf onto a pesky site using mobile Safari now, you can close that tab instead of the entire app being locked up.

Victims of the scareware campaign who use older mobile Safari versions could clear the cache to regain control of the browser. Lookout called it a “quick fix”—go to Settings > Safari > Clear History and Website Data.

“Once a person erases all web history and data, effectively starting Safari as a fresh app, the ransom campaign is defeated,” the company said.

Lookout reportedly discovered the attacks in the wild last month and shared the details with Apple.

The attack had previously been documented on a Russian website, Lookout said. The attackers purchased numerous domains to use in this campaign and the message displayed to victims was based on their country code identifier. Each message had a different email address to contact and appears to be part of a wider phishing campaign.

Lookout advised iOS users to update to version 10.3. Millions of users have already done so, and most articles are full of praise for Apple’s newest iOS update. For the geeky, Apple also published a new iOS security whitepaper (pdf).