Safari Scareware Targets Porn Viewers

A flaw in the mobile Safari browser has been targeted by cybercriminals and used to extort money from people who have previously used their mobile device to access pornography or other illegal content. The Safari scareware stops the user from accessing the Internet on their device by loading a series of pop-up messages.

A popup is shown stating that Safari cannot open the requested page. Clicking OK to dismiss the message triggers another popup warning. Safari is then locked in an endless loop of popups that cannot be closed.

A message is shown in the background stating the device has been locked because the user has been identified as having viewed illegal web content. Some users have reported messages including Interpol banners, which are intended to make the user believe the lock has been put on their phone by law enforcement. The only way of regaining access to the device, according to the popups, is to pay a fine.

One of the domains used by the hackers is police-pay.com; however, few users would likely be tricked into thinking the browser lock was put in place by a police department as the fine had to be paid in the form of an iTunes gift card.

Other messages tell the user that police action will be taken if the payment is not made. The hackers claim they will send the user’s browsing history and installed files to the Metropolitan Police if the ransom is not paid.

This sort of Safari scareware is nothing new. In this case, the hackers loaded code onto a number of websites which targeted a flaw in the way the Safari browser handles JavaScript pop-up windows. The code targeted iOS versions 10.2 and earlier.

The Safari scareware campaign was discovered by Lookout, which passed details of the exploit on to Apple. Apple addressed the flaw in iOS version 10.3, blocking the attacks. Scareware attacks such as these are common.

Scareware is not the same as ransomware, although both are used to extort money. In the case of ransomware, the hacker obtains access to a device and installs file-encrypting malware. That malware then locks users’ files with powerful encryption. If a backup of the encrypted files is not maintained, the user faces loss of data if they do not pay the hackers for the key to decrypt their locked files.

Scareware may incorporate malware, although more commonly – as was the case with this Safari scareware campaign – it involves inserting malicious code on websites. The code is run when a user with a vulnerable browser visits an infected webpage. The thinking behind scareware is to scare the end user into paying the ransom demand to unlock their computer. In contrast to ransomware, which cannot be unlocked without the necessary decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowledge. In this instance, control of the phone could be regained by clearing the Safari cache of all cookies and data.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth focuses on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone