Scammers scare iPhone users into paying to unlock not-really-locked Safari

Credit to Author: Gregg Keizer | Date: Tue, 28 Mar 2017 13:28:00 -0700

Apple yesterday patched a bug in the iOS version of Safari that had been used by criminals to spook users into paying $125 or more because they assumed the browser was broken.

The flaw, fixed in Monday’s iOS 10.3 update, had been reported to Apple a month ago by researchers at San Francisco-based mobile security firm Lookout.

“One of our users alerted us to this campaign, and said he had lost control of Safari on his iPhone,” Andrew Blaich, a Lookout security researcher, said in a Tuesday interview. “He said, ‘I can’t use my browser anymore.’”

The criminal campaign, Blaich and two colleagues reported in a Monday post to Lookout’s blog, exploited a bug in how Safari displayed JavaScript pop-ups. When the browser reached a malicious site implanted with the attack code, the browser went into an endless loop of dialogs that refused to close no matter how many times “OK” was tapped. The result: Safari was unusable.

At the same time, the attack showed a message, purportedly from a law enforcement agency, demanding payment to unlock the browser; the supposed offense, in one instance at least, was simply visiting a URL that suggested the site’s content was pornographic. Payment was to be made by texting a £100 ($125) iTunes gift card code to a designated number.

Blaich stressed that the attack was as much scam as scare: To regain control of Safari, all one had to do was head to Settings, tap Safari, then Clear History and Website Data.

“This was a scareware attack, where [the attackers] were trying to get people to not think and just pay,” said Blaich.

Scareware is a label applied to phony security software that claims a computer is heavily infected with malware. Such software nags users with pervasive pop-ups and fake alerts until they fork over the “registration” fee, sometimes in the hundreds of dollars.

Ransomware has largely replaced scareware as the go-to shakedown; ransomware compromises a computer, encrypts some or all of the contents of the local storage, then promises to hand over the decryption key in return for a large payment.

What Lookout found was definitely not a ransomware attack against iOS. “The device was never compromised nor was its data exposed to the hackers,” Blaich said. “You would have to compromise the device and encrypt the data [to conduct a ransomware attack]. The app sandbox prevented this from happening.”

In iOS 10.3, Apple re-engineered Safari so that it handles JavaScript pop-ups on a per-tab basis. iOS 10.3 also patched 84 security vulnerabilities.

“[The hackers] hoped you would just react, want to cover it up, then pay and move on,” Blaich said.

Scammers hobbled Safari with an endless loop of pop-ups, then tried to scare iPhone users into paying $125.
