JavaScript-Based Safari Ransomware Exploit Patched in iOS 10.3

[MacRumors]

iOS 10.3, released to the public this morning, fixes a bug that allowed scammers to attempt to extort money from iOS users through a JavaScript pop-up in Safari.

As explained by mobile security firm Lookout (via Ars Technica), the scammers targeted iOS users viewing pornographic material and abused JavaScript pop-ups to create an endless pop-up loop that essentially locked the browser if the user didn't know how to bypass it.

Using "scareware" messages and posing as law enforcement, the scammers used the pop-ups to extort money in the form of iTunes gift cards from the victim, promising to unlock the browser for a sum of money.

The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be "locked" out from using Safari unless they paid a fee -- or knew they could simply clear Safari's cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device.

The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money.

The endless pop-up issue could be fixed by clearing the Safari cache, but many users likely did not know they didn't need to shell out money to regain access to their browsers.

Pop-up scams are no longer possible with iOS 10.3, as Apple has changed the way pop-up dialogs work. Pop-ups are now per-tab and no longer take over the entire Safari app.

Article Link: JavaScript-Based Safari Ransomware Exploit Patched in iOS 10.3

 

[seanmcbay]

Great news. These pop-up loops are the worst thing and they don't belong in 2017. Now Apple needs to prevent Safari ads from automatically taking you to the App Store for some crappy IAP fest game.

 

[DBZmusicboy01]

And I hope Apple can STOP the automatic update downloads.
Sometimes I run out of storage and Apple still sends the signal to download the iOS update.

 

[cerote]

I haven't had one of those in a long time. But when I got it I knew to clear cache. I am sure there are many that did not know that.

 

[man3ster]

Finally, I can search for porn again.

 

[John.B]

The endless pop-up issue could be fixed by clearing the Safari cache, but many users likely did not know they didn't need to shell out money to regain access to their browsers.

Pop-up scams are no longer possible with iOS 10.3, as Apple has changed the way pop-up dialogs work. Pop-ups are now per-tab and no longer take over the entire Safari app.

The other approach to fix this was to put the phone in airplane mode (or turn off both Wi-Fi and cell data), then the session could be killed.

Good to hear this is fixed.

 

[coolfactor]

And I hope Apple can STOP the automatic update downloads.
Sometimes I run out of storage and Apple still sends the signal to download the iOS update.

There is a switch to stop app updates, but that doesn't include iOS itself? Unfortunate that Apple hasn't provided user control over that yet, but they do provide a way of deleting the downloaded update now.

https://www.igeeksblog.com/how-to-remove-software-update-download-from-iphone-ipad/

 

[JamesPDX]

Went to site, discovered that it was clickbait.

iOS 10.3, released to the public this morning, fixes a bug that allowed scammers to attempt to extort money from iOS users through a JavaScript pop-up in Safari.

As explained by mobile security firm Lookout (via Ars Technica), the scammers targeted iOS users viewing pornographic material and abused JavaScript pop-ups to create an endless pop-up loop that essentially locked the browser if the user didn't know how to bypass it.

Using "scareware" messages and posing as law enforcement, the scammers used the pop-ups to extort money in the form of iTunes gift cards from the victim, promising to unlock the browser for a sum of money.The endless pop-up issue could be fixed by clearing the Safari cache, but many users likely did not know they didn't need to shell out money to regain access to their browsers.

Pop-up scams are no longer possible with iOS 10.3, as Apple has changed the way pop-up dialogs work. Pop-ups are now per-tab and no longer take over the entire Safari app.

Article Link: JavaScript-Based Safari Ransomware Exploit Patched in iOS 10.3

 

[wikiverse]

There is a switch to stop app updates, but that doesn't include iOS itself? Unfortunate that Apple hasn't provided user control over that yet, but they do provide a way of deleting the downloaded update now.

https://www.igeeksblog.com/how-to-remove-software-update-download-from-iphone-ipad/

Except they force the download on you again as soon as you are connected to a Wifi Network, not only wasting space on your phone but wasting your download quotas on wifi - something extremely annoying and expensive if you live in a rural area, or are using hotel wifi. How about just having an opt-out option, or at least not immediately downloading it again if it is deleted.

 

[C DM]

And I hope Apple can STOP the automatic update downloads.
Sometimes I run out of storage and Apple still sends the signal to download the iOS update.

Except they force the download on you again as soon as you are connected to a Wifi Network, not only wasting space on your phone but wasting your download quotas on wifi - something extremely annoying and expensive if you live in a rural area, or are using hotel wifi. How about just having an opt-out option, or at least not immediately downloading it again if it is deleted.

Install a tvOS profile and it will prevent downloads of updates.

 

[PortableLover]

Had to workaround this before but thanks apple. Great asked for this a while back!

 

[44267547]

Nice adjustment. The advertisements on Safari are still an issue that divert someone back to the App Store.

 

[alexgowers]

The thing about scammers, even if they only catch one person and it's not profitable they'll still do it. That people actively do google analytics spamming goes to show that they will do even the most stupid things just to make a few bucks. I think it's all on apple to stop these scams and also refund anyone duped by them, because they've allowed a third party to effectively break the device and allow the scam to work.

The worst ones are redirects, especially to the App Store. I hope to see apple clamp down on these areas too.

 

[zzLZHzz]

And I hope Apple can STOP the automatic update downloads.
Sometimes I run out of storage and Apple still sends the signal to download the iOS update.

as a developers, i hope they will continue with the automatic update.

the moment user have a choice in that, people will never update their OS and it just goes downhill from there.

 

[C DM]

as a developers, i hope they will continue with the automatic update.

the moment user have a choice in that, people will never update their OS and it just goes downhill from there.

Users have choices with all kinds of things and many still update, be it Windows or Macs or anything else. It's certainly not as drastic as being too much one way or another. Having automatic downloads (they are automatic updates, just downloads of updates) with the option in settings to disable those like there are options for automatic app updates and the like isn't likely to change that much for most.

 

[zzLZHzz]

Users have choices with all kinds of things and many still update, be it Windows or Macs or anything else. It's certainly not as drastic as being too much one way or another. Having automatic downloads (they are automatic updates, just downloads of updates) with the option in settings to disable those like there are options for automatic app updates and the like isn't likely to change that much for most.

Look at windows 8 and windows 10. The update for windows 10 are pushed much more aggressive than windows 8.

I had personally notice the different between the rate of updates.

I wouldn't deny the inconvenient that it bring when a update is forced.

that being said, if there is insufficient space, an available update should be notified to the user but not instantly downloading it. i doubt it could download if there is insufficient space available.

 

[recoil80]

Good news! My relatives run into that several times, and I always had to instruct them how to recover

 

[576316]

Great news. These pop-up loops are the worst thing and they don't belong in 2017. Now Apple needs to prevent Safari ads from automatically taking you to the App Store for some crappy IAP fest game.

I thought they claimed to have fixed that a couple iOS generations ago? I seem to remember hearing in a keynote when they were like, "In iOS [n], websites cannot auto direct you to the App Store." But we still have the problem...

 

[Michaelgtrusa]

Glad to hear this has been nailed.

 

[ApfelKuchen]

I think it's all on apple to stop these scams and also refund anyone duped by them, because they've allowed a third party to effectively break the device and allow the scam to work.

"Allowed" how? Did they give the scammers instructions on how to "break" the device?

Good luck suing the makers of door locks or plate glass for "allowing" a burglar to pick the lock or break a window. Good luck suing the police for "allowing" the break-in. Good luck suing the telephone company for "allowing" a scammer to place a call, or the city for "allowing" a scammer to ring your doorbell. Failing to provide 100% safety is not the same as "allowing" a crime to occur.

The creators of these browser scams find weaknesses in the software. The developers of browsers plug the weaknesses. That's the same cat-and-mouse game you find anywhere there's crime.

Browsers are a particularly good target because, among other things, browsers are expected to correctly display web pages, regardless of who created that web page. Open Internet, and all that. You want a guarantee of 100% safety? Don't use the Internet.

I love the diversity around here. Some people complain that Apple's software allowed a scam to occur. Apple (presumably) attends to their needs by issuing software updates to combat the scams. Others are all up in arms, "How dare Apple force these updates upon us!"

 

[flyinmac]

It's nice to have Apple fix something before I had even heard it was a problem. Nice change.

 

[sudo1996]

JavaScript popups are still a problem? Geez.

 

[wxman2003]

Nothing worse than porn being interrupted by popups, unless they are in my pants.

 

[InfoTime]

This is not ransomware.

At least not in my IT circle of colleagues. Ransomware encrypts your files and holds them for ransom and the only way to get them decrypted is by paying the ransom (or restore from a backup).

I don't consider something that jams up a program or app and is easily defeated to be ransomware.

 

[Macneck]

Thank you, Apple. Appreciated!