Skip to comments.OSX Users hit with ransomware websites posing as FBI Notices
Posted on 07/16/2013 10:53:47 PM PDT by Swordmaker
Malwarebytes takes a look at a method cyber-criminals have begun using to target Mac users with "ransomware", hijacking the user's browser with a notice demanding payment of $300 in order to release control of the application. While similar malware has affected Windows systems for a number of years, Mac users have only rarely seen such efforts targeted at themselves.
The ransomware page is being pushed onto unsuspecting users browsing regular sites but in particular when searching for popular keywords.
Warnings appearing to be from the FBI tell the victim: you have been viewing or distributing prohibited Pornographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.
The report details one method to escape the ransomware involving resetting Safari, but misses a far simpler tactic: Simply holding down the Shift key while relaunching Safari will prevent it from reopening windows and tabs from the previous session. Users can also completely disable the reopening feature across OS X from the General pane of System Preferences. Many OS X users may, however, be unfamiliar with such options and find themselves trapped by the ransomware webpage.
The report notes that the ransomware authors are targeting users based on popular search terms, with one example stumbled upon through an image search result for Taylor Swift on Bing.
If you want on or off the Mac Ping List, Freepmail me.
My daughter’s laptop caught this one....had to take it in to Best Buy to get it restored...system restore was possible but the malware (or whatever it’s called) kept it from taking the system restore back far enough.....think it put a false date for the malware install.
Unpossible - everyone knows this cannot happen to a Mac.
Funny i see a thread on this the day after it happened to my wife’s desktop. She was searching glassware prices and got this on her windows desktop.
alt/ctl/delete, stop the browser, empty the cache folder completely, then restart the browser.
The bad guys who write the variants on this malware are good. Very good. It changes constantly. It gets harder to clean each time.
With the ecosystem of the Mac pretty much demanding that the only real remedy is the “restore” I wonder what will happen once most of the malware damages restore so it won’t work properly? People will be REALLY happy then. :) Guess what, just like Windows, but without the decades of experience making cleanup tools.
I had one of these pop up while viewing the Marlin firearms page, kind of lost the scare tactic of “viewing an unlawful porn site” when I was looking at firearms. I was using windows and all I did was reboot to safe mode, restore my system and viola! bad scary web page was gone for good. Pissed me off somewhat however and those guys better hope I never find out who they are.
So, are they jumping all the iphone-users?
Some of these boys are good enough - and professional “AV” people, working at av companies.
We know this. And have delivered the proof (sources, bins and proof-of-origin) to the police. So far, no reaction.
I got this stuff a couple of times years ago but ìt came with a logo that mimicked the AVG logo and said my machine had 20,000 virii and I had to update my antivirus software by using my credit card to send, yes- $300, over a supposedly secure website the warning was trying to direct me to. I got rid of it myself and added Malwarebytes to my arsenal and it is the last virus or other malware to have troubled me.
this happens on Windows - usually its already too late
Perhaps you should try an antivirus.
I have seen it - Win - will not let user even open program manager
it did not seem to have safe mode - which threw me off
It's not a virus or even a Trojan, just a nuisance WEBSITE script that won't go away until you respond to it 150 times. . . It would work on a Windows 8 machine too. But since they don't restore previous sessions automatically... They don't revert.
No, you are wrong. The Mac ecosystem does not rely on the restore but on time machine. Much easier. This was NOT malware. Just a JAVE script trick. Easy to get out of and does not even require time machine, or anything but relaunching Safari. There was no "damage" and no malware can damage them system software on a Mac. It does not operate with the permissions like a Windows machine that allow that to happen.
Nope... Not possible. iPhone doesn't lock up with requesters or restore sessions in the same way. Easy reset too. Different handling of tabs and windows.
Read the article... It's NOT A VIRUS OR EVEN A TROJAN. It's a malicious website . . . It invokes a repetitious JAVA script, that's all, no virus checker can catch this. It's easily gotten out of with the proper knowledge of how to use your Safari browser.
on Windows the same-looking thins is a virus
I thought macs didn’t get viruses. I guess that’s a myth.
Yes, it is... But they can’t get one into an OSX Mac.They’ve tried for fifteen years since OSX Server came out in 1998. Viruses have no viable vector, and the Trojans are being identified by the OS and the user is being warned against downloading them, so they faked their malware with this hokey WEBPAGE as a “quasi-Trojan”, using the JAVA scripting built into HTML coding, hoping to fool users into paying them to do something totally unnecessary. The user can either click the “Leave this Page” requester 150 times to dismiss the script, or much more easier, just quit the Safari browser and relaunch Safari holding down the Shift key to prevent reloading the tabs and pages he’d been visiting before. Voilá! Problem solved. No big deal.
also no problem on my Linux
And this IS NOT A VIRUS. it's not even truly Malwareit's not installed on the computer, downloaded to it, or even running on itit's a maliciously designed website that uses a particularly long recurring requestor loop in a JAVA script to give the illusion that your browser has been locked. In a way, you might call it a Quasi-Trojan, but it fails to meet even the loose definition of a Trojan horse app. It's more of a snare, a trap, or perhaps a puzzle page.
Like all computers on which applications can be downloaded and installed, Macs ARE vulnerable to Trojan Horse Applications that claim to offer a benefit but also carry a malevolent payload. These use "Social Engineering" means to persuade the user to install the malware themselves. There are currently about forty known Trojans for Mac OSX in about seven families. Apple Mac OSX has a built-in system to identify these known trojans and any variants based on them. OSX warns the user if he attempts to download, install, or run one of these known or variant Trojans. Apple pushes updates as necessary. These Trojans are not considered "viruses" by definition.
A computer virus is malware that is self-replicating, self-transmitting, and self-installing. There have been about fifteen or sixteen attempts at creating a true OSX virus in the past twelve years. . . all have been abject failures for a simple reason: the lack of a viable vector in OSX that could be exploited to promulgate the infection, and the lack of a reliable method of guaranteed installation. One candidate used Blutooth as a vector to transmit his virus. However, it took two Macworld techs, and two Semantic security engineers SIX HOURS just to get it to copy itself from one Mac to another. . . And then, it wouldn't run because it hadn't installedh! Another was successful in copying itself to another Mac via WIFI as data, but was stymied because the data stacks on Macs are hardware non-executable memory locations and code cannot be executed in data stacks. FAIL!
So, Macs are pretty secure when it comes to malware, compared to the competition. . . And it's not because of obscurity. It's by design.
“So, Macs are pretty secure when it comes to malware”
Apparently not secure enough.
Are you seriously comparing a web page with 150 popup windows to a Windows virus that causes permanent corruption to system files? I knew once I saw people talking about "restore" that we were dealing with dumb Windows users. This ransonware may prove there are dumb Mac users, but their dumbness doesn't result in system file alteration. It would be interesting to see the hit rate for such malware on Mac vs PC.
It's not a virus or even a Trojan, just a nuisance WEBSITE script that won't go away until you respond to it 150 times. . . It would work on a Windows 8 machine too. But since they don't restore previous sessions automatically... They don't revert.Unpossible - everyone knows this cannot happen to a Mac.
A friend was just asking me about malware, which term she didnt understand. As compared to a virus. I told her that malware was whatever anyone induces your computer to do that you dont want it to do. So if you look at it that way, simply clicking on a link - it even happen to me on FR once - which had been contaminated with a porno picture would qualify as "induces your computer to do that you dont want it to do."On a related topic, I should probably to to the Apple Store and get the genius (their term for tech which is crafted to be polite to the customer by suggesting that you dont have to be stupid to have difficulty with a computer) to explain to me some of the fool things I have been doing lately to cause my Mac to sometimes get the slows.
Probably just too many tabs open in Safari, or sumpn.
I run OSX, which is basically unix. You cannot damage the unix OS without the root password. That is why unix systems are not very susceptible to viruses. Now Safari OTH, an application running on OSX can be hacked. But that has nothing to do with the underlying OSX.
Show me anything that is "secure enough."
How many icons do you have on your desktop? That is one thing that will slow down an OSX Mac. Too many and it can slow things significantly. Keep them to just Aliases of folders elsewhere on your hard drive and the problem will go away.
Also, leave your Mac on overnight. The Mac’s UNIX system does housekeeping tasks such as that memory recovery that PAengineer mentioned and defragging and optimizing of the hard drives when the system has been idle for a period. . . but if you turn it off instead of just letting it go to sleep, these never get done. Leave it turned on.
By-the-way, you are STILL misunderstanding this. This is not at all about security. Nothing was breeched with this illusion. Nobody's computer was violated. Nothing was stolen. People MAY have been tricked into GIVING these people $300, freely, because they believed they had to, to get their computers back into working condition, but that was ALL ILLUSION, a trick.
The web browser was just forced into opening 150 sub-windows on the screen, one on top of the other, each demanding to be closed, before the main screen could be closed, or before the user could move to another tab or window. JAVA has that ability built into it to make sure that transactions are fully completed and not left hanging or secure data is not left where it can be mined. These miscreants have merely used it for no good. Combine that with Apple's reloading of previous browser sessions on opening of the browser, and you have a nightmare to get out of it.
There is a simple way, if the user knows it. Most do not, so I posted that solution on FreeRepublic.
Anyone who isn’t running NoScript and only selectively enabling JS as needed is a fool, these days...more proof here.
Your daughter’s laptop wasn’t a Mac, was it? Best Buy folks are incredibly ignorant of computer repair - and Macs - LOL...
Now - there are trojans that show similar behavior - maybe that is what your daughter’s laptop was infected with (assuming again it is not a Mac - which there still isn’t a major threat for).
hitmanpro worked for me when nothing else would
had to use a thumbdrive from another computer and start in boot mode
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.