The iOS security bug that was used by cybercriminals to blackmail users into paying a ransom fee to unlock their Mobile Safari browsers has been fixed by Apple.
This week, the company released an update – iOS10.3, that changes the way Safari deals with JavaScript pop-up ads. The update puts an end to the attack vector which enabled crooks to use pop-ups to lock users out of their browsers.
This problem is now solved but, on Monday, Lookout security experts released a research, explaining how exactly the threat actors used the handling of pop-up tabs to scam victims into paying a fee. According to the Lookout researchers, this campaign was targeting mostly controversial or pirate web pages visitors and pornography watchers.
The hackers were targeting users who were visiting particular websites and bombarded them with an array of pop-ups, thus preventing them from using their Safari browsers. Safari displayed a “Cannot Open Page” alert message and each time a user clicked the “OK” button, they were forced to click it again. This effectively created a never-ending loop of dialog prompts.
Aside from this message, the victims received notifications that their devices “have been locked” and they had to “pay 100 pounds with an iTunes pre-paid card” in order to regain access to Safari.
Relying on the victims’ fear, the crooks registered domains with names like “police-pay.com” in an attempt to trick them into believing that the pirate/adult material they were looking for has been detected by the police and, as a result, they have to pay a fine and they have been locked out of their browsers.
“The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device.” – the researchers noted.
All these hackers relied on the victims` fear as, in order to solve this problem, all the users had to do is clearing the Safari cache via the iOS settings. There was absolutely no need for a fee to be paid as the attack didn’t actually lock users out of Safari nor did it encrypt any data stored on the device.
As we already stated, Apple was informed of the issue and the flaw was patched in iOS10.3. The company changed the way Safari handles pop-ups by forcing them to open in tabs instead of taking over the entire browser app which, in turn, closed the security loophole.
