March 27, 2017
Mobile Safari Scareware Campaign Thwarted
However, a knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom. Its purpose is to scare the victim into paying to unlock the browser before he realizes he doesn’t have to pay the ransom to recover data or access the browser.
Lookout found this attack in the wild last month, along with several related websites used in the campaign, discovered the root cause, and shared the details with Apple. As part of the iOS 10.3 patch released today, Apple closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app. We are publishing these details about the campaign upon the release of iOS 10.3.
An attack like this highlights the importance of ensuring your mobile device, or your employees’ mobile devices, are running up-to-date software. Left unpatched, bugs like this can unnecessarily alarm people and impact productivity.
This attack was initially reported to Lookout’s Support desk by one of our users running iOS 10.2. The user reported that he had lost control of Safari after visiting a website and was no longer able to use the browser. The user provided a screenshot (below) showing a ransomware message from pay-police[.]com, with an overlaid “Cannot Open Page” dialog from Safari. Each time he tapped “OK” he would be prompted to tap “OK” again, effectively putting the browser into an infinite loop of dialog prompts that prevented him from using the browser.
Abuse of pop-ups in Mobile Safari
The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be “locked” out from using Safari unless they paid a fee — or knew they could simply clear Safari’s cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device.
The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money. Examples range from pornography to music-oriented websites.
The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk.
The attack, based on its code, seems to have been developed for older versions of iOS, such as iOS 8. However, the abuse of pop-ups in Mobile Safari was still possible until iOS 10.3. An endless loop of pop-ups effectively locks up the browser, which prevents the victim from using Safari, unless she resets the browser’s cache. iOS 10.3 doesn’t lock the entire browser up with these pop-ups, rather it runs on a per-tab basis so that if one tab is misbehaving, the user can close it out and/or move to another one.
Before the iOS 10.3 fix was available, the victim could regain access without paying any money. Lookout determined the best course of immediate action for the user who initially reported it was to clear the Safari cache to regain control of the browser. (Settings > Safari > Clear History and Website Data) Once a person erases all web history and data, effectively starting Safari as a fresh app, the ransom campaign is defeated.
Preventing the attack
Individuals are strongly encouraged to protect their iOS devices against this attack and take advantage of a number of other security patches that Apple made available in iOS 10.3. See https://support.apple.com/en-us/HT207617 for details. Lookout users will be prompted to update their operating system to 10.3 if they have not already done so.
Investigation into the campaign
“saved from url=(0070)http://apple-ios-front.gq/29300000/index.php?DATARE=Vylet%3A30_15%3A29”
“'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4'”
The code on this page also runs the following script before executing the obfuscated code:
Each site would serve up a different message based on the country code identifier. The sites, presumably, are used to target users visiting from different parts of the world. Each message has a separate email address for the target to contact, which appear to be country-specific and part of a wider phishing campaign.
The phishing domains and email addresses for each payload:
- U.S.: us.html networksafetydept@usa[.]com
- Ireland: ie.html justicedept@irelandmail[.]com
- UK: gb.html cybercrimegov@europe[.]com
- Australia: au.html federaljustice@australiamail[.]com
- New Zealand: nz.html cybercrimegov@post[.]com
Lookout researchers continue to monitor this and other related campaigns, as well as work with platform providers to address security concerns as they arise.