Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple's iOS 10.3 patches mobile Safari bug used in ransomware campaign

Nefarious actors using a mobile Safari exploit to extort iTunes gift cards from unwitting iOS device users will need to look elsewhere, as Apple patched the web browser flaw as part of Monday's iOS 10.3 update.

Using the vulnerability, which leveraged the way Safari handled JavaScript pop-up windows, ransomware scammers primarily targeted users viewing pornographic material, bootlegged music and other content, reports ArsTechnica.

In practice, the flaw present in iOS 10.2 allowed scammers to enact an endless loop of pop-ups, effectively locking users out of the browser. The pop-ups would continue — some incorporating threatening messages — until victims paid a "fee" in the form of an iTunes gift card code delivered to a phone number via text.

Explaining the scam, mobile security firm Lookout called the exploit "scareware," as social engineering was key to the method's success. Scammers would carry out attacks from domains like "pay-police[.]com" and others named to evoke legitimate law enforcement authorities.

Combined with customized web content published to owned domains, the goal was to elicit fear from targeted users. As seen in the example above, exploit code planted on certain websites would lead users to a landing page containing text claiming their device was locked "for illegal pornography."

The attack would revert to a never-ending loop of pop-ups reading "Cannot Open Page." Tapping "OK" would invoke yet another pop-up containing the same message.

"The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk," writes Lookout researchers Andrew Blaich and Jeremy Richards.

Lookout notes a cache reset, performed by navigating to Settings > Safari > Clear History and Website Data, would rectify the pop-up loop issue, but users not familiar with mobile Safari's inner workings were unlikely to discover the simple fix. Further, victims were perhaps unwilling to ask for help due to the content of pages where the attack code was embedded.

Lookout shared the details of the scareware campaign with Apple after discovering it last month. The iPhone maker subsequently patched the flaw by making JavaScript pop-ups a per-tab event, rather than app-wide.



9 Comments

john.b 16 Years · 2733 comments

This is not just fake ransomware, a lot of sketchy URL redirects use this same technique. The trick to breaking the JavaScript/popup loop is to put the iPhone/iPad in airplane mode, at that point you can kill the session and/or kill Safari via the task manager. 

🎄
sergioz 12 Years · 338 comments

john.b said:
This is not just fake ransomware, a lot of sketchy URL redirects use this same technique. The trick to breaking the JavaScript/popup loop is to put the iPhone/iPad in airplane mode, at that point you can kill the session and/or kill Safari via the task manager. 

Dude, what the heck are you smoking, what task manager? This article is about iOS 10.3 mobile Safari browser bug. Article instructs to clear history, please don't confuse people!

🎁
john.b 16 Years · 2733 comments

sergioz said:
Dude, what the heck are you smoking, what task manager? This article is about iOS 10.3 mobile Safari browser bug. Article instructs to clear history, please don't confuse people!

Sorry, "fast app switcher" or whatever it was that Steve said a phone shouldn't need.

❄️
macseeker 8 Years · 541 comments

john.b said:
This is not just fake ransomware, a lot of sketchy URL redirects use this same technique. The trick to breaking the JavaScript/popup loop is to put the iPhone/iPad in airplane mode, at that point you can kill the session and/or kill Safari via the task manager. 

There is no "Task Manager" in iOS. Also for the separate macOS, the same applies. What is "Task Manager" anyway? I've been using iOS since version 4 and Mac Classic since System Software version 6.0 and Mac OS X since 10.0 and I never saw "Task Manager."

coolfactor 20 Years · 2342 comments

macseeker said:
john.b said:
This is not just fake ransomware, a lot of sketchy URL redirects use this same technique. The trick to breaking the JavaScript/popup loop is to put the iPhone/iPad in airplane mode, at that point you can kill the session and/or kill Safari via the task manager. 
There is no "Task Manager" in iOS. Also for the separate macOS, the same applies. What is "Task Manager" anyway? I've been using iOS since version 4 and Mac Classic since System Software version 6.0 and Mac OS X since 10.0 and I never saw "Task Manager."

People that come from Windows may apply their own terminology. On Linux/UNIX/macOS/iOS, they are "processes" instead of "tasks", but at the end of the day, he's referring to the same thing — the fast-app switcher that lets you quit running apps.

Now, as for AppleInsider calling this a "bug", it was not. It was simply an exploit of the design of the application-modal alerts. Apple changed the design to avoid such exploits from hijacking the entire app.

 The iPhone maker subsequently patched the flaw by making JavaScript pop-ups a per-tab event, rather than app-wide.

The alerts functioned as they were designed, so there was no "bug" or "code flaw". But a "design flaw" in the larger scheme of things is not wrong, though. Apple changed the design to mitigate the behaviour.

Let's not spread FUD by over-generalizing terms, eh?