Apple's iOS 10.3 patches mobile Safari bug used in ransomware campaign

Posted:
in iPhone
Nefarious actors using a mobile Safari exploit to extort iTunes gift cards from unwitting iOS device users will need to look elsewhere, as Apple patched the web browser flaw as part of Monday's iOS 10.3 update.




Using the vulnerability, which leveraged the way Safari handled JavaScript pop-up windows, ransomware scammers primarily targeted users viewing pornographic material, bootlegged music and other content, reports ArsTechnica.

In practice, the flaw present in iOS 10.2 allowed scammers to enact an endless loop of pop-ups, effectively locking users out of the browser. The pop-ups would continue -- some incorporating threatening messages -- until victims paid a "fee" in the form of an iTunes gift card code delivered to a phone number via text.

Explaining the scam, mobile security firm Lookout called the exploit "scareware," as social engineering was key to the method's success. Scammers would carry out attacks from domains like "pay-police[.]com" and others named to evoke legitimate law enforcement authorities.

Combined with customized web content published to owned domains, the goal was to elicit fear from targeted users. As seen in the example above, exploit code planted on certain websites would lead users to a landing page containing text claiming their device was locked "for illegal pornography."

The attack would revert to a never-ending loop of pop-ups reading "Cannot Open Page." Tapping "OK" would invoke yet another pop-up containing the same message.

"The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk," writes Lookout researchers Andrew Blaich and Jeremy Richards.

Lookout notes a cache reset, performed by navigating to Settings > Safari > Clear History and Website Data, would rectify the pop-up loop issue, but users not familiar with mobile Safari's inner workings were unlikely to discover the simple fix. Further, victims were perhaps unwilling to ask for help due to the content of pages where the attack code was embedded.

Lookout shared the details of the scareware campaign with Apple after discovering it last month. The iPhone maker subsequently patched the flaw by making JavaScript pop-ups a per-tab event, rather than app-wide.

Comments

  • Reply 1 of 9
    john.bjohn.b Posts: 2,720member
    This is not just fake ransomware, a lot of sketchy URL redirects use this same technique. The trick to breaking the JavaScript/popup loop is to put the iPhone/iPad in airplane mode, at that point you can kill the session and/or kill Safari via the task manager. 
  • Reply 2 of 9
    sergiozsergioz Posts: 242member
    john.b said:
    This is not just fake ransomware, a lot of sketchy URL redirects use this same technique. The trick to breaking the JavaScript/popup loop is to put the iPhone/iPad in airplane mode, at that point you can kill the session and/or kill Safari via the task manager. 
    Dude, what the heck are you smoking, what task manager? This article is about iOS 10.3 mobile Safari browser bug. Article instructs to clear history, please don't confuse people!
  • Reply 3 of 9
    john.bjohn.b Posts: 2,720member
    sergioz said:
    Dude, what the heck are you smoking, what task manager? This article is about iOS 10.3 mobile Safari browser bug. Article instructs to clear history, please don't confuse people!
    Sorry, "fast app switcher" or whatever it was that Steve said a phone shouldn't need.
    edited March 2017
  • Reply 4 of 9
    macseekermacseeker Posts: 446member
    john.b said:
    This is not just fake ransomware, a lot of sketchy URL redirects use this same technique. The trick to breaking the JavaScript/popup loop is to put the iPhone/iPad in airplane mode, at that point you can kill the session and/or kill Safari via the task manager. 
    There is no "Task Manager" in iOS. Also for the separate macOS, the same applies. What is "Task Manager" anyway? I've been using iOS since version 4 and Mac Classic since System Software version 6.0 and Mac OS X since 10.0 and I never saw "Task Manager."
  • Reply 5 of 9
    coolfactorcoolfactor Posts: 1,505member
    macseeker said:
    john.b said:
    This is not just fake ransomware, a lot of sketchy URL redirects use this same technique. The trick to breaking the JavaScript/popup loop is to put the iPhone/iPad in airplane mode, at that point you can kill the session and/or kill Safari via the task manager. 
    There is no "Task Manager" in iOS. Also for the separate macOS, the same applies. What is "Task Manager" anyway? I've been using iOS since version 4 and Mac Classic since System Software version 6.0 and Mac OS X since 10.0 and I never saw "Task Manager."

    People that come from Windows may apply their own terminology. On Linux/UNIX/macOS/iOS, they are "processes" instead of "tasks", but at the end of the day, he's referring to the same thing — the fast-app switcher that lets you quit running apps.

    Now, as for AppleInsider calling this a "bug", it was not. It was simply an exploit of the design of the application-modal alerts. Apple changed the design to avoid such exploits from hijacking the entire app.

     The iPhone maker subsequently patched the flaw by making JavaScript pop-ups a per-tab event, rather than app-wide.

    The alerts functioned as they were designed, so there was no "bug" or "code flaw". But a "design flaw" in the larger scheme of things is not wrong, though. Apple changed the design to mitigate the behaviour.

    Let's not spread FUD by over-generalizing terms, eh?
    gatorguysmiffy31bloggerblogjbishop1039
  • Reply 6 of 9
    SoliSoli Posts: 9,190member
    coolfactor said:
    the fast-app switcher that lets you quit running apps.
    Kinda-sorta. The Fast App Switcher (FAS) simply lists apps in descending order in which they were last opened. They may or may not still be actively running a process, and may not even be taking up any RAM, but they are still listed in the order in which they were last used.

    We can even test this by loading a few apps that have a nice long startup screen. Large games, for example. Load them, then activate FAS to see them in the order in which they were last active, then restart your iDevice. After it restarts you can load FAS again to see those app still listed and in the same order before the restart, but if you click one you'll now get the initial load screen because it wasn't preloaded into RAM with the reboot.
    edited March 2017 chia
  • Reply 7 of 9
    netroxnetrox Posts: 758member
    I was threatened for watching a midget porn.

    Anyway I ignored the warnings and just double clicked home button and slid safari off. Went to safari settings and turned off JavaScript and went back to safari and it totally disabled it. 
    lostkiwi
  • Reply 8 of 9
    john.bjohn.b Posts: 2,720member
    Soli said:
    coolfactor said:
    the fast-app switcher that lets you quit running apps.
    Kinda-sorta. The Fast App Switcher (FAS) simply lists apps in descending order in which they were last opened. They may or may not still be actively running a process, and may not even be taking up any RAM, but they are still listed in the order in which they were last used.

    We can even test this by loading a few apps that have a nice long startup screen. Large games, for example. Load them, then activate FAS to see them in the order in which they were last active, then restart your iDevice. After it restarts you can load FAS again to see those app still listed and in the same order before the restart, but if you click one you'll now get the initial load screen because it wasn't preloaded into RAM with the reboot.

    Yes, I got the vernacular wrong. "A rose by any other name… "

    And yet, it's the only way to kill an app running as a background process or an app that insists on  reloading data when it restarts (like the JavaScript scareware from the article). However you want to sugar coat, that's a task manager (and something Steve said no smartphone should need.)
  • Reply 9 of 9
    SoliSoli Posts: 9,190member
    john.b said:
    Soli said:
    coolfactor said:
    the fast-app switcher that lets you quit running apps.
    Kinda-sorta. The Fast App Switcher (FAS) simply lists apps in descending order in which they were last opened. They may or may not still be actively running a process, and may not even be taking up any RAM, but they are still listed in the order in which they were last used.

    We can even test this by loading a few apps that have a nice long startup screen. Large games, for example. Load them, then activate FAS to see them in the order in which they were last active, then restart your iDevice. After it restarts you can load FAS again to see those app still listed and in the same order before the restart, but if you click one you'll now get the initial load screen because it wasn't preloaded into RAM with the reboot.
    Yes, I got the vernacular wrong. "A rose by any other name… "

    And yet, it's the only way to kill an app running as a background process or an app that insists on  reloading data when it restarts (like the JavaScript scareware from the article). However you want to sugar coat, that's a task manager (and something Steve said no smartphone should need.)
    Sure, no denying that short of restarting the device, it's the only way to kill an app that may be acting funky, but I think it doesn't do the average person any good to think of it as a "Task Manager" when it's effectively just showing recent apps without any indication of whether they're using any background processing or being held in RAM.

    To put it another way, I know plenty of people that will constantly clear out their FAS because they believe it works just like Windows Task Manager so they think they're saying themselves battery life (when they're likely hurting it from having to constantly relaunch frequently used apps), and are just wasting their time since most apps, most of the time, are doing what they should and performing as efficiently as possible under Apple's strict and excellent guidelines for using background processes after the app is no longer on screen.
Sign In or Register to comment.