This article originally appeared in TidBITS on 2015-07-07 at 12:00 p.m.

Scary Internet Scam Becoming Disturbingly Common

by Randy B. Singer

The mainstream technology press has claimed that there will be lots of viruses for the Macintosh “real soon now,” ever since OS X was released over a decade ago. Combined with the fact that there are a seemingly infinite number of viruses for Windows, it’s easy to see why Mac users would be somewhat paranoid about the possibility of malware.

While the legions of Mac viruses still haven’t appeared, there is a nasty out there that takes advantage of this paranoia. It isn’t a virus, a Trojan Horse, or any other sort of actual malware. Instead, it’s more like a phishing scam, using social engineering to get you to do something that the bad guys want you to do. It does it by scaring the willies out of you, and is becoming disturbingly common. Some call it “scareware” or “ransomware.”

What happens is that you visit a Web site and seemingly have your browser maliciously frozen. You’ll find that you can’t quit, nor can you navigate away from the page by clicking the Back button.

Next, a page or pop-up appears telling you any of a number of stories (often tailored to your location), perhaps that your Mac has a problem or has illegal material on it, or that your data has been encrypted by some malevolent entity.

Many of these pop-ups give a phone number to call, often claiming it’s for “tech support” or “the FBI.” If you call the phone number, the people you talk to will ask you to allow them to connect to your computer via remote control software. It’s likely that during this connection they will install spyware on your computer.


Alternatively, the pop-up may give instructions on how to send ransom money to the people who are responsible for causing your browser to freeze, along with a promise that they will unfreeze your browser and/or decrypt your data once they receive the ransom. (Although there are several pieces of malware for Windows — CryptoLocker and CryptoWall, notably — that actually do encrypt user data and decrypt it only after the user has paid a ransom in Bitcoin, none of these target Macs.)


First off, it’s important to know that if you encounter this scary situation, your Mac hasn’t really been infected with a virus or any other sort of malware and that your data hasn’t been harmed. You should never call the given phone number and you should especially never ever give the people at the given phone number remote control access to your Mac. Also, never pay any ransom requested. You can deal with this situation easily on your own, and it’s likely that if you give the bad guys remote control access to your Mac, they will do something nasty like infect it with spyware and/or steal valuable data.

If these dire-sounding warnings aren’t the work of malware, what are they? What’s actually happening is that a Web site — possibly an entirely innocent Web site that has been hacked, or that is displaying ads from a compromised ad network — has been infected with a bit of JavaScript. That JavaScript prevents you from quitting the browser or using the Back button, and displays the page or dialog you see — it’s not all that different from a pop-up advertisement, and by itself doesn’t do anything actually harmful. It’s just a phishing scam in that the bad guys are trying to use social engineering (scaring you) to get you to do something foolish (call the phone number in order to take advantage of you, or get you to send them money). Hence the “scareware” and “ransomware” names — I’ll stick to calling it all scareware from now on.

Luckily, it’s simple to escape from this scareware JavaScript trap. The easiest thing to do is to force-quit your Web browser. There are two main ways of doing this:

Unfortunately, I’ve found that scareware JavaScript often prevents the use of Command-Option-Escape, and the Apple menu sometimes isn’t accessible from within your trapped browser. Either use the second approach, or switch to any other app. You can then choose Force Quit from the Apple menu, select your browser in the Force Quit Applications dialog, and click the Force Quit button.


You aren’t quite done yet. Many browsers can be set to reload the previously displayed Web pages when they next launch, which could put you right back where you started. To prevent this in Safari, press the Shift key before clicking the Safari icon in the Dock or double-clicking the Safari icon in the Applications folder. In Firefox, hold down Option to launch it in Safe Mode, and then click Refresh Firefox in the Firefox Safe Mode dialog. In Chrome, before you force-quit, click the hamburger button to the right of the address field, choose Settings, and in the On Startup section of the Settings page, select “Open the New Tab page.” (Or, if you want to get fancy, try this AppleScript trick [4] for opening Chrome in Incognito mode).

So, you are probably wondering at this point if there is a way to avoid scareware proactively. You could theoretically turn off JavaScript, but since most modern Web sites rely on JavaScript, that’s not an acceptable solution. Since scareware isn’t malware or advertising, anti-virus software won’t help, nor will ad-blocking utilities. However, there is an extension that will block it for Safari: the free ScamZapper [5].

ScamZapper automatically identifies instances of scareware and prevents them from loading. If you encounter a particular example that isn’t in its database, ScamZapper has a feature called Troubleshoot Pop-up that takes you through a series of automated troubleshooting steps.

More generally, the real solution to the scareware problem has to come from Web browser makers. Luckily, they are working on it. Recent updates to Safari are supposed to prevent impossible-to-dismiss JavaScript alerts (see “Safari 8.0.7, 7.1.7, and 6.2.7 [6],” 30 June 2015). Even better, Google has developed Safe Browsing [7] technology that puts up a warning when you attempt to visit Web sites that are known to be infected with scareware JavaScript, phishing sites, and sites that host other malicious content. Safe Browsing is in Google Chrome, as you’d expect, but it’s also a public API that Apple and Mozilla have built into Safari [8] and Firefox [9].

Google constantly pushes out updates to their warning list. As you would expect, Google continually scans its index for sites that might be compromised by malware, and uses statistical methods to identify potential phishing sites, but you can also report scareware sites manually. The company says that reported sites are checked, and if necessary, added to the list within 30 minutes [10].
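To show what the browser actually does with that warning list, here is an added Python sketch (not code from the article, from Google, or from any browser) of the client-side Safe Browsing check: the browser expands a URL into the host/path expressions the Safe Browsing spec defines, hashes each one, and compares 4-byte SHA-256 prefixes against a locally synced list before confirming a hit against the full hash. The flagged host `scareware.example` and the tiny prefix list are constructed so the example runs offline, and full URL canonicalization is simplified.

```python
import hashlib
from urllib.parse import urlsplit


def _unique(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def url_expressions(url):
    """Host/path combinations a Safe Browsing client hashes for one URL
    (simplified: IP hosts and percent-decoding are left out)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    labels = host.split(".")
    # exact host, plus up to four suffixes built from its last five labels,
    # never descending to the bare top-level domain
    hosts = _unique([host] + [".".join(labels[i:])
                              for i in range(max(len(labels) - 5, 0), len(labels) - 1)])
    dirs = path.split("/")[1:-1]
    # exact path with and without its query, then up to four directory
    # prefixes starting from the root ("/", "/1/", "/1/2/", ...)
    paths = [path + "?" + parts.query if parts.query else path, path]
    paths += ["/" + "".join(d + "/" for d in dirs[:i])
              for i in range(0, min(len(dirs), 3) + 1)]
    return [h + p for h in hosts for p in _unique(paths)]


def check_url(url, prefix_db, full_hashes):
    """Local prefix match first; a hit only counts once the full hash is
    confirmed (a real client fetches full hashes for the prefix from Google)."""
    for expr in url_expressions(url):
        digest = hashlib.sha256(expr.encode()).digest()
        if digest[:4] in prefix_db and digest in full_hashes:
            return expr
    return None


# Constructed sample list: one flagged host expression standing in for a
# synced threat list; a real client downloads prefixes from Google.
FLAGGED = "scareware.example/"
FULL_HASHES = {hashlib.sha256(FLAGGED.encode()).digest()}
PREFIX_DB = {h[:4] for h in FULL_HASHES}

if __name__ == "__main__":
    for u in ("http://ads.scareware.example/landing/page.html?x=1", "https://tidbits.com/"):
        print(u, "->", check_url(u, PREFIX_DB, FULL_HASHES))
```

Because the match is on the URL the browser actually loaded, the lookup is unaffected by the spoofed address the scareware page displays in the address bar.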

Those manual reports are key. If users diligently report sites that contain scareware, it shouldn’t take long for any particular site to be neutralized. So, if you encounter a Web site that contains scareware, please report the site [11]!

When reporting to Google, note that the Web address of the infected Web site isn’t the one that’s shown when your browser appears to be frozen. That’s a spoofed address. Instead, it’s the Web address of the Web site that you were trying to access just prior to encountering the scareware.

I hope that you now know enough not to be scared by scareware, and can thus both deny the bad guys any ill-gotten gains and help prevent others from encountering the same sites you hit.

[Randy B. Singer has been writing about the Macintosh for close to 30 years. He has several Web sites, the most popular of which is currently Mac OS X Routine Maintenance [12].]