Skip to main content

iOS 10.3 update stops Safari ransomware campaign in its tracks

Find out what new feature in iOS 10.3 addresses an aggressive scareware campaign that wreaked havoc with Safari Mobile in pursuit of a fee for unblocking it.

Apple has lately fine-tuned their iOS platform so that cybercrooks could no longer manipulate Safari Mobile to pull off aggressive browser locker attacks. The remarkable tweak that took effect in the brand new iOS 10.3 revolves around the way Safari processes certain JavaScript objects. A group of online ne’er-do-wells used to take advantage of this routine to gain control of the browser, return a rogue law enforcement page with a plausible-looking warning in it, and trigger a “Cannot Open Page” popup dialog. The URLs involved in this campaign included, or similar. Obviously, such a choice of domain names has some firm reasoning behind it – the criminals wanted to put additional pressure on victims by trying to convince them that the alerts actually came from the police.

Spoof police warning in Safari accompanied by a persistent popup dialog

The popup overlaying the site proper contains an OK button, but tapping it will only close the persistent dialog for a very short time, the malicious JavaScript code instantly generating a new one. Ultimately, victims find themselves in a vicious circle that won’t break until they follow the scammers’ demands. The phony lock site contains accusations of alleged cyber felonies, such as storing and distributing illegal pornography or copyright violation. Of course, this is all bluff, but it looks fairly persuasive.

The message also expresses a clear-cut demand, where the plagued user is instructed to submit a fine of $100 or £100 with iTunes pre-paid gift card. More specifically, they are supposed to send SMS with the corresponding iTunes code to a phone number indicated on the page. The more tech-savvy users were able to figure out that simply clearing cache in Safari (Settings – Safari – Clear History and Website Data) would do the trick. A lot of victims, however, end up thinking it’s all for real.

So, what Apple did in their new iOS 10.3 release is they patched a Safari security vulnerability that allowed such a defiant fraud to be deployed in the first place. By the way, this particular exploit was originally described on a Russian hacking site a while ago. The recent iOS update has changed the way Safari treats JavaScript-backed popup dialogs. These types of popups are now isolated to a single tab rather than the entire browser. Therefore, even if the perpetrating script happens to interrupt one’s web browsing session with the deceptive legal warning, closing the tab is enough to get rid of the problem. Be advised, though, that earlier iOS builds (pre-10.3) are still susceptible to this fraud, so be sure to run upgrade as soon as possible.


Was this article helpful? Please, rate this.

There are no comments yet.
Authentication required

You must log in to post a comment.

Log in