Scary Internet Scam Becoming Disturbingly Common
The mainstream technology press has claimed that there will be lots of viruses for the Macintosh “real soon now,” ever since OS X was released over a decade ago. Combined with the fact that there are a seemingly infinite number of viruses for Windows, it’s easy to see why Mac users would be somewhat paranoid about the possibility of malware.
While the legions of Mac viruses still haven’t appeared, there is a nasty out there that takes advantage of this paranoia. It isn’t a virus, a Trojan Horse, or any other sort of actual malware. Instead, it’s more like a phishing scam, using social engineering to get you to do something that the bad guys want you to do. It does it by scaring the willies out of you, and is becoming disturbingly common. Some call it “scareware” or “ransomware.”
What happens is that you visit a Web site and seemingly have your browser maliciously frozen. You’ll find that you can’t quit, nor can you navigate away from the page by clicking the Back button.
Next, a page or pop-up appears telling you any of a number of stories (often tailored to your location), perhaps that your Mac has a problem or has illegal material on it, or that your data has been encrypted by some malevolent entity.
Many of these pop-ups give a phone number to call, often claiming it’s for “tech support” or “the FBI.” If you call the phone number, the people you talk to will ask you to allow them to connect to your computer via remote control software. It’s likely that during this connection they will install spyware on your computer.
Alternatively, the pop-up may give instructions on how to send ransom money to the people who are responsible for causing your browser to freeze, along with a promise that they will unfreeze your browser and/or decrypt your data once they receive the ransom. (Although there are several pieces of malware for Windows — CryptoLocker and CryptoWall, notably — that actually do encrypt user data and decrypt it only after the user has paid a ransom in Bitcoin, none of these target Macs.)
First off, it’s important to know that if you encounter this scary situation, your Mac hasn’t really been infected with a virus or any other sort of malware and that your data hasn’t been harmed. You should never call the given phone number and you should especially never ever give the people at the given phone number remote control access to your Mac. Also, never pay any ransom requested. You can deal with this situation easily on your own, and it’s likely that if you give the bad guys remote control access to your Mac, they will do something nasty like infect it with spyware and/or steal valuable data.
If these dire-sounding warnings aren’t the work of malware, what are they? What’s actually happening is that a Web site — possibly an entirely innocent Web site that has been hacked, or that is displaying ads from a compromised ad network — has been infected with a bit of JavaScript. That JavaScript prevents you from quitting the browser or using the Back button, and displays the page or dialog you see — it’s not all that different from a pop-up advertisement, and by itself doesn’t do anything actually harmful. It’s just a phishing scam in that the bad guys are trying to use social engineering (scaring you) to get you to do something foolish (call the phone number in order to take advantage of you, or get you to send them money). Hence the “scareware” and “ransomware” names — I’ll stick to calling it all scareware from now on.
Luckily, it’s simple to escape from this scareware JavaScript trap. The easiest thing to do is to force-quit your Web browser. There are two main ways of doing this:
- Choose Force Quit from the Apple menu or press its shortcut, Command-Option-Escape.
- Control-Option-click on the Web browser’s icon in the Dock, and choose Force Quit.
Unfortunately, I’ve found that scareware JavaScript often prevents the use of Command-Option-Escape, and the Apple menu sometimes isn’t accessible from within your trapped browser. Either use the second approach, or switch to any other app. You can then choose Force Quit from the Apple menu, select your browser in the Force Quit Applications dialog, and click the Force Quit button.
You aren’t quite done yet. Many browsers can be set to reload the previously displayed Web pages when they next launch, which could put you right back where you started. To prevent this in Safari, press the Shift key before clicking the Safari icon in the Dock or double-clicking the Safari icon in the Applications folder. In Firefox, hold down Option to launch it in Safe Mode, and then click Refresh Firefox in the Firefox Safe Mode dialog. In Chrome, before you force-quit, click the hamburger button to the right of the address field, choose Settings, and in the On Startup section of the Settings page, select “Open the New Tab page.” (Or, if you want to get fancy, try this AppleScript trick for opening Chrome in Incognito mode.)
So, you are probably wondering at this point if there is a way to avoid scareware proactively. You could theoretically turn off JavaScript, but since most modern Web sites rely on JavaScript, that’s not an acceptable solution. Since scareware isn’t malware or advertising, anti-virus software won’t help, nor will ad-blocking utilities. However, there is an extension that will block it for Safari: the free ScamZapper.
ScamZapper automatically identifies instances of scareware and prevents them from loading. If you encounter a particular example that isn’t in its database, ScamZapper has a feature called Troubleshoot Pop-up that takes you through a series of automated troubleshooting steps.
More generally, the real solution to the scareware problem has to come from Web browser makers. Luckily, they are working on it. Recent updates to Safari are supposed to prevent impossible-to-dismiss JavaScript alerts (see “Safari 8.0.7, 7.1.7, and 6.2.7,” 30 June 2015). Even better, Google has developed Safe Browsing technology that puts up a warning when you attempt to visit Web sites that are known to be infected with scareware JavaScript, phishing sites, and sites that host other malicious content. Safe Browsing is in Google Chrome, as you’d expect, but it’s also a public API that Apple and Mozilla have built into Safari and Firefox.
Google constantly pushes out updates to their warning list. As you would expect, Google continually scans its index for sites that might be compromised by malware, and uses statistical methods to identify potential phishing sites, but you can also report scareware sites manually. The company says that reported sites are checked, and if necessary, added to the list within 30 minutes.
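As an added illustration of the public API mentioned above (this is not code from the article), here is a small Python client for Google’s Safe Browsing Lookup API v4, which is the current form of the service Chrome, Safari, and Firefox draw on. It builds the `threatMatches:find` request for one URL and interprets the reply; scareware pages are reported under the `SOCIAL_ENGINEERING` threat type. The API key (assumed to come from the Google Cloud console via the `SAFE_BROWSING_API_KEY` environment variable), the client name, and the sample response are all assumptions or constructed values, so the parsing can be exercised without a network connection.

```python
"""Check a single URL against Google's Safe Browsing Lookup API (v4).

Added example, not from the TidBITS article. Assumes an API key obtained
from the Google Cloud console and supplied in SAFE_BROWSING_API_KEY.
The SAMPLE_MATCH_RESPONSE below is constructed to mirror the documented
response shape so parsing can be tested offline.
"""
import json
import os
import urllib.request

LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"


def build_lookup_request(url, client_id="scareware-check", client_version="0.1"):
    """Build the JSON body for a threatMatches:find request for one URL.

    SOCIAL_ENGINEERING covers phishing and deceptive pages, which is where
    scareware sites are listed; MALWARE and UNWANTED_SOFTWARE are included
    so a poisoned ad host is caught too.
    """
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": url}],
        },
    }


def parse_lookup_response(body):
    """Return the sorted list of matched threat types; [] means the URL is clean.

    The API answers an empty JSON object ({}) when nothing is listed.
    """
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    return sorted({match["threatType"] for match in data.get("matches", [])})


def lookup(url, api_key, timeout=10):
    """POST the request to Google and return the matched threat types."""
    request = urllib.request.Request(
        "{}?key={}".format(LOOKUP_URL, api_key),
        data=json.dumps(build_lookup_request(url)).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return parse_lookup_response(response.read())


# Constructed sample reply (not real data) in the documented response shape.
SAMPLE_MATCH_RESPONSE = json.dumps({
    "matches": [{
        "threatType": "SOCIAL_ENGINEERING",
        "platformType": "ANY_PLATFORM",
        "threatEntryType": "URL",
        "threat": {"url": "http://scareware.example/high-risk"},
        "cacheDuration": "300s",
    }]
})


if __name__ == "__main__":
    target = "http://scareware.example/high-risk"  # placeholder URL
    api_key = os.environ.get("SAFE_BROWSING_API_KEY")
    if api_key:
        print(target, "->", lookup(target, api_key) or "no match")
    else:
        # Offline demonstration using the constructed response above.
        print("offline demo:", parse_lookup_response(SAMPLE_MATCH_RESPONSE))
```

Without a key the script only runs the offline parse; with one it performs a single live lookup. The Lookup API sends the full URL to Google, so it suits a help desk or reporting workflow rather than a privacy-preserving browser integration, which is what the hashed Update API exists for.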
Those manual reports are key. If users diligently report sites that contain scareware, it shouldn’t take long for any particular site to be neutralized. So, if you encounter a Web site that contains scareware, please report the site!
When reporting to Google, note that the Web address of the infected Web site isn’t the one that’s shown when your browser appears to be frozen. That’s a spoofed address. Instead, it’s the Web address of the Web site that you were trying to access just prior to encountering the scareware.
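Since the address shown in the frozen browser is spoofed, the page worth reporting has to be recovered from history. The following Python script is an added example (not from the article) that reads a Safari-style history database and returns the URL visited immediately before the first visit to the scareware host. Safari keeps its history in `~/Library/Safari/History.db`; the two tables and columns used here (`history_items.url`, `history_visits.history_item`, `visit_time`, `title`) and the Cocoa epoch for `visit_time` are the subset of that schema this script assumes, and the in-memory history it builds is constructed so the logic runs offline.

```python
"""Recover the page you were really on before a scareware page loaded.

Added example, not from the article. Assumes the Safari History.db layout
in which history_visits rows reference history_items by id and visit_time
is seconds since 2001-01-01 (Cocoa epoch). A constructed in-memory copy
stands in for the real file.
"""
import sqlite3
import sys
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Only the columns this script needs; the real database has more.
SCHEMA = """
CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT NOT NULL, visit_count INTEGER);
CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER NOT NULL,
                             visit_time REAL NOT NULL, title TEXT);
"""


def cocoa_to_datetime(seconds):
    """Convert a Safari visit_time (Cocoa epoch seconds) to a UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def visits_in_order(conn):
    """Return (visit_time, url, title) for every visit, oldest first."""
    return list(conn.execute(
        "SELECT v.visit_time, i.url, v.title FROM history_visits v "
        "JOIN history_items i ON i.id = v.history_item ORDER BY v.visit_time"
    ))


def page_before(conn, scareware_host):
    """URL visited right before the first visit to scareware_host, or None.

    That earlier page (often a legitimate site serving a poisoned ad) is the
    one to report; the address displayed by the trapped browser is spoofed.
    Subdomains of scareware_host count as the same host.
    """
    previous = None
    for _visit_time, url, _title in visits_in_order(conn):
        host = urlsplit(url).hostname or ""
        if host == scareware_host or host.endswith("." + scareware_host):
            return previous
        previous = url
    return None


def build_sample_history():
    """Constructed history: a search, a recipe site, then the scareware page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    items = [
        (1, "https://search.example/?q=apple+pie"),
        (2, "https://recipes.example/apple-pie"),
        (3, "http://popup.scareware.example/high-risk"),  # placeholder host
    ]
    conn.executemany("INSERT INTO history_items VALUES (?, ?, 1)", items)
    base = (datetime(2015, 7, 1, 12, 0, tzinfo=timezone.utc) - COCOA_EPOCH).total_seconds()
    visits = [
        (1, 1, base, "apple pie - search"),
        (2, 2, base + 20, "Apple Pie Recipe"),
        (3, 3, base + 25, "WARNING: Your Mac is infected"),
        (4, 3, base + 90, "WARNING: Your Mac is infected"),  # reloaded on relaunch
    ]
    conn.executemany("INSERT INTO history_visits VALUES (?, ?, ?, ?)", visits)
    return conn


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 find_referrer.py /path/to/History.db scareware-host
        conn = sqlite3.connect("file:{}?mode=ro".format(sys.argv[1]), uri=True)
        host = sys.argv[2]
    else:
        conn, host = build_sample_history(), "scareware.example"
    print("report this page:", page_before(conn, host))
```

Run it against a copy of `History.db` rather than the live file, since Safari holds the database open; the constructed history shows that the URL to report is the recipe site, not the scareware page that keeps reloading.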
I hope that you now know enough not to be scared by scareware, and can thus both deny the bad guys any ill-gotten gains and help prevent others from encountering the same sites you hit.
[Randy B. Singer has been writing about the Macintosh for close to 30 years. He has several Web sites, the most popular of which is currently Mac OS X Routine Maintenance.]
Also, use OpenDNS' DNS Servers and filtering service to protect you from bad web sites. Check it out, it's free for individuals! https://www.opendns.com
Wait? Isn't the real problem that browsers even allow this to happen? Closing the tab should close these dialogs; if they are being kept up at a system modal level, then shame on the browser makers. Let's fix this right, not just the symptoms.
Yeah, it's a tension, since the JavaScript that makes these pages hard or impossible to close isn't unreasonable to support, so the browsers need to special-case the kind of behaviors that can be used maliciously, as the latest Safari apparently has.
Thanks for your writeup, Randy! Two of my clients, including one of my parents, have already become engaged in this nefarious scheme. Fortunately, I got them out before they paid gobs of money for services not needed.
It's worth noting that Apple's recent release of Safari 8.0.7, 7.1.7, and 6.2.7 address part of this: the part with the Javascript alerts you can't effectively dismiss.
Yes, though I'd like to test that in a real-world situation before I'd assume that it would help in all cases.
Thank you, Randy. As always, you provide invaluable information and help. I'm saving the "what to do" elements of this post, just in case.
So, apparently, one way to proactively deal with scareware is to update to OS X 10.10.4 (the latest version of Yosemite) which includes the latest version of Safari!
https://support.apple.com/en-us/HT204928
There was a recent update for Safari for Mt. Lion and Mavericks, but Apple hasn't indicated that that version includes the patch:
https://support.apple.com/en-us/HT204950
I'm told that scareware also exists for the iPhone/iPod-touch.
Martin Pickering has created a Web page about this:
http://www.glodark.com/iPhone_scam.htm
The scare I got was from a company called LiveTechnician, who called and told me Google's firewall had expired and I was at risk because I had a gmail account. I gave over control of my screen, the guy ran a permissions repair, Clean my Mac, but nothing else I could see. But he did charge me $199.99 to help me sleep at night. Plus an international charge showed up on my credit card statement. So they're not even here. He did take me to Wikipedia to show me Koobface, a worm getting in thru social media, to convince me that I needed to pay him. I feel pretty foolish, what's done is done. But it was scareware, alright!
No, when someone calls *you* on the phone, that's a different type of social exploit.
http://www.consumer.ftc.gov/articles/0346-tech-support-scams
If you have allowed someone remote control access to your computer, I'd wipe it clean and restore it from an older backup. You don't know what sort of spyware they might have installed on your computer, what financial information they have stolen, what passwords they have, etc..
I was just about to ask a question about this. My daughter fell hook, line, and sinker for one of these scammers, all the way to giving them access to her laptop for about 15 minutes before she freaked, called me, and shut her laptop down upon my instruction. Now I'm wondering what I need to do to get the laptop back to a point where it can be used without worry; is wiping clean and restoring really the only way to go? Should I be worrying about possible repercussions upon the other computers on our house network as well?
Unless you know how to look for and uninstall complex spyware, wiping and restoring is probably the best way to go. But you also have to worry about what financial information the bad guys now have access to (such as your credit card information if they had access to that) and any passwords you have to various services. Basically, if you give the bad guys remote control access to your computer, they have access to anything on it, they can do anything that you could do, and they can install anything that they want to. That's why you should never let anyone have remote control access to your computer unless you are really, really sure who they are and you trust them completely.
Okay, thanks for the help, I'll wipe and restore and hope that a certain teenager has learned her lesson….
It wouldn't hurt if you set her up with Time Machine so you could restore rather than delete the system.
The link to the FTC page above seems to be incorrect.
I think it should be:
http://www.consumer.ftc.gov/articles/0346-tech-support-scams
Yes, sorry - our commenting system munged it at some point. Fixed now.
Great article, Randy. Thanks for going into so much detail and explaining the fixes and WHY they work.
Yeah, happened to me a few days ago (site: mac-pops.com/high-risk03; no idea how I got there, may have accidentally clicked a link).
I suspected it was a scam, because I couldn't close the window; even upon force-quitting Safari the frozen page came up again.
Here is an alternative solution I found: disconnect your internet connection and restart Safari, then you can close the window.
Since I realized it was a scam I DID call the guys and gave them a shitstorm not quotable here (obviously without giving them access to my computer or any payments).
Since there is a phone number I wonder if you could report them to the police?
> Since there is a phone number I wonder if you could report them to the police?
You could try. I'd bet that the perpetrators aren't resident in this country, though.
Yes, but it may be possible to swiftly block those phone numbers :)
Randy, nice article. I've got friends who have seen this kind of thing. Question... you recommend Scamzapper, however it only seems to work with Safari. What about other browsers like Firefox?
For now, there are no other solutions that are specifically tailored to deal with scareware that I know of, other than those mentioned in the article. If you use a browser other than Safari, you might try an ad-blocking utility and see if that works.
I've been using ScamZapper for a while. It seems to do the job, but it's a minor hassle that the Safari extension cannot update itself. So I periodically get an email with a download link of the latest version, and away I go.
I've only turned over control of my computer twice, once to Apple to resolve an issue I was having, and the other to Filemaker after I called them with an issue I was having. I would trust both of them or a legitimate business software supplier, but never anyone else.
I've heard from a couple users who say that they can't get rid of the pop-up page by force-quitting their Macintosh. Some research shows that this is because the problem is being caused by a browser extension. 8-(
Adware Medic didn't fix the problem either.
This article explains how to uninstall the extension:
http://malwaretips.com/blogs/remove-tech-support-scam-popups/
Scroll way down to:
Remove Tech Support Scam pop-up ads from Apple Mac OS X
A client gave away the keys to the kingdom along with his credit card number.
This web page is directed at users of iPhones:
fixpc99.com/ggn/ios/index.(take this part out)html
I've added the brackets and content so people won't click on the link. It "hung" Safari when I clicked on the link on my Mac. I include this info because iPhones were mentioned in Randy's article.
I found the above link when I Googled the number:
800-881-3179
These are folks that scammed my client. I called them and it appears they have an Indian accent, I could also hear children in the background. When challenged, they hung up on me. The Google search for the above number comes up with multiple businesses. When I asked what company it was, he replied "Aspire Tech Support". Chase says there has been no posting to my client's credit card, yet.
Since the above article was published, there has been an instance of actual ransomware (malicious software that encrypts your data and holds it hostage) that can infect a Macintosh in the wild. KeRanger was the first and only such beast, and it was only distributed on illegal file sharing services. Apple has since sent out an automatic patch to block it on OS X. See:
https://blog.malwarebytes.org/cybercrime/2016/03/first-mac-ransomware-spotted/
If you update to Safari 9.1 for OS X 10.9.5 Mavericks, 10.10.5 Yosemite, and all versions of 10.11 El Capitan via Software Update, malicious JavaScript is precluded from trapping you on a particular Web page. In other words, it keeps scareware from making it appear that your browser is frozen.
See:
http://tidbits.com/article/16360
My parents just caught by this scam, gave them $1600 over a period of 6 months (before they told me!) In the latest interaction my father gave them the admin password for their machine and they logged in remotely and did God-knows-what. I'm on the other side of the world, so I've sent them to a local Mac repairs place to have the machine wiped and rebuilt from time machine. For reference, the blurb from their 'invoice' is:
Company Name - Aspire IT Services
Merchant Name - Centro Bill
Email Id - [email protected]
Technician Number :- 1-866-391-6166 /1-844-307-3399
Customer Service & Billing Inquiry - 1-844-307-3377
We may be able to get some money back via the credit card, but the identity theft is most concerning.