Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

OSX Users hit with ransomware websites posing as FBI Notices
Macrumors ^ | 7/16/2013

Posted on 07/16/2013 10:53:47 PM PDT by Swordmaker

Malwarebytes takes a look at a method cyber-criminals have begun using to target Mac users with "ransomware", hijacking the user's browser with a notice demanding payment of $300 in order to release control of the application. While similar malware has affected Windows systems for a number of years, Mac users have only rarely seen such efforts targeted at themselves.

The ransomware page is being pushed onto unsuspecting users browsing regular sites but in particular when searching for popular keywords.

Warnings appearing to be from the FBI tell the victim: “you have been viewing or distributing prohibited Pornographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.”

Rather than a sophisticated hijack of the actual browser software or an installation of a trojan, the ransomware is merely a simple webpage using JavaScript to load 150 iframes that require confirmation to be dismissed, with the authors hoping that users will give up long before they dismiss all of the dialog boxes and simply pay the ransom. As the report notes, a feature on OS X that reopens previously open windows after relaunching an app means that users generally can not simply close and reopen Safari in order to escape the ransomware.

The report details one method to escape the ransomware involving resetting Safari, but misses a far simpler tactic: Simply holding down the Shift key while relaunching Safari will prevent it from reopening windows and tabs from the previous session. Users can also completely disable the reopening feature across OS X from the General pane of System Preferences. Many OS X users may, however, be unfamiliar with such options and find themselves trapped by the ransomware webpage.

The report notes that the ransomware authors are targeting users based on popular search terms, with one example stumbled upon through an image search result for Taylor Swift on Bing.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple; mac; macmalware; malware; osx; ransomware
This is not truly malware but a hostile WEBPAGE. Just quit Safar, then hold the shift key while relaunching Safari.
1 posted on 07/16/2013 10:53:47 PM PDT by Swordmaker
[ Post Reply | Private Reply | View Replies]

To: Swordmaker; ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; ...
WARNING!!! OSX USERS!!! WARNING!!! There are now some RANSOME TAKING WEBPAGES that will attempt to extort $300 from you by holding your Safari browser hostage! Seriously. This is easily cleared. It is merely a JAVA script that requires you to dismiss a requester 150 times to make it go away! But the easy way is to quit, or force quit Safari if necessary, then hold the Shift key while relaunching Safari. . . And that page will not reload. Done. —PING!


Apple Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 07/16/2013 10:59:57 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

My daughter’s laptop caught this one....had to take it in to Best Buy to get it restored...system restore was possible but the malware (or whatever it’s called) kept it from taking the system restore back far enough.....think it put a false date for the malware install.


3 posted on 07/16/2013 11:03:16 PM PDT by TheErnFormerlyKnownAsBig (It is going to be Foot to Ass combat on election day....my foot and a Rat's ass.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Unpossible - everyone knows this cannot happen to a Mac.


4 posted on 07/16/2013 11:05:11 PM PDT by NonValueAdded (Unindicted Co-conspirators: The Mainstream Media)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Funny i see a thread on this the day after it happened to my wife’s desktop. She was searching glassware prices and got this on her windows desktop.

alt/ctl/delete, stop the browser, empty the cache folder completely, then restart the browser.


5 posted on 07/16/2013 11:09:24 PM PDT by Safrguns (PM me if you like to play Minecraft!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: TheErnFormerlyKnownAsBig

The bad guys who write the variants on this malware are good. Very good. It changes constantly. It gets harder to clean each time.

With the ecosystem of the Mac pretty much demanding that the only real remedy is the “restore” I wonder what will happen once most of the malware damages restore so it won’t work properly? People will be REALLY happy then. :) Guess what, just like Windows, but without the decades of experience making cleanup tools.


6 posted on 07/16/2013 11:10:18 PM PDT by Advil000
[ Post Reply | Private Reply | To 3 | View Replies]

To: Swordmaker

I had one of these pop up while viewing the Marlin firearms page, kind of lost the scare tactic of “viewing an unlawful porn site” when I was looking at firearms. I was using windows and all I did was reboot to safe mode, restore my system and viola! bad scary web page was gone for good. Pissed me off somewhat however and those guys better hope I never find out who they are.


7 posted on 07/16/2013 11:17:41 PM PDT by calex59
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

So, are they jumping all the iphone-users?


8 posted on 07/16/2013 11:24:02 PM PDT by Hardraade (http://junipersec.wordpress.com (Obama: the bearded lady of Muslim Brotherhood))
[ Post Reply | Private Reply | To 1 | View Replies]

To: Advil000

Some of these boys are good enough - and professional “AV” people, working at av companies.

We know this. And have delivered the proof (sources, bins and proof-of-origin) to the police. So far, no reaction.


9 posted on 07/16/2013 11:29:32 PM PDT by Hardraade (http://junipersec.wordpress.com (Obama: the bearded lady of Muslim Brotherhood))
[ Post Reply | Private Reply | To 6 | View Replies]

To: Swordmaker

I got this stuff a couple of times years ago but ìt came with a logo that mimicked the AVG logo and said my machine had 20,000 virii and I had to update my antivirus software by using my credit card to send, yes- $300, over a supposedly secure website the warning was trying to direct me to. I got rid of it myself and added Malwarebytes to my arsenal and it is the last virus or other malware to have troubled me.


10 posted on 07/16/2013 11:34:39 PM PDT by arthurus (Read Hazlitt's Economics In One Lesson ONLINE http://steshaw.org/econohttp://www.fee.org/library/det)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

this happens on Windows - usually its already too late


11 posted on 07/16/2013 11:34:46 PM PDT by GeronL
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Perhaps you should try an antivirus.


12 posted on 07/16/2013 11:36:07 PM PDT by JCBreckenridge ("we are pilgrims in an unholy land")
[ Post Reply | Private Reply | To 1 | View Replies]

To: Safrguns

I have seen it - Win - will not let user even open program manager


13 posted on 07/16/2013 11:36:56 PM PDT by GeronL
[ Post Reply | Private Reply | To 5 | View Replies]

To: GeronL

F8- fix-restore


14 posted on 07/16/2013 11:43:33 PM PDT by bunkerhill7 (("The Second Amendment has no limits on firepower"-NY State Senator Kathleen A. Marchione.))
[ Post Reply | Private Reply | To 11 | View Replies]

To: bunkerhill7

it did not seem to have safe mode - which threw me off


15 posted on 07/16/2013 11:47:52 PM PDT by GeronL
[ Post Reply | Private Reply | To 14 | View Replies]

To: NonValueAdded
Unpossible - everyone knows this cannot happen to a Mac.

It's not a virus or even a Trojan, just a nuisance WEBSITE script that won't go away until you respond to it 150 times. . . It would work on a Windows 8 machine too. But since they don't restore previous sessions automatically... They don't revert.

16 posted on 07/16/2013 11:49:32 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Advil000
With the ecosystem of the Mac pretty much demanding that the only real remedy is the “restore” I wonder what will happen once most of the malware damages restore so it won’t work properly? People will be REALLY happy then. :) Guess what, just like Windows, but without the decades of experience making cleanup tools.

No, you are wrong. The Mac ecosystem does not rely on the restore but on time machine. Much easier. This was NOT malware. Just a JAVE script trick. Easy to get out of and does not even require time machine, or anything but relaunching Safari. There was no "damage" and no malware can damage them system software on a Mac. It does not operate with the permissions like a Windows machine that allow that to happen.

17 posted on 07/16/2013 11:55:12 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Hardraade
So, are they jumping all the iphone-users?

Nope... Not possible. iPhone doesn't lock up with requesters or restore sessions in the same way. Easy reset too. Different handling of tabs and windows.

18 posted on 07/16/2013 11:58:18 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 8 | View Replies]

To: JCBreckenridge
Perhaps you should try an antivirus.

Read the article... It's NOT A VIRUS OR EVEN A TROJAN. It's a malicious website . . . It invokes a repetitious JAVA script, that's all, no virus checker can catch this. It's easily gotten out of with the proper knowledge of how to use your Safari browser.

19 posted on 07/17/2013 12:02:47 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Swordmaker

on Windows the same-looking thins is a virus


20 posted on 07/17/2013 12:08:40 AM PDT by GeronL
[ Post Reply | Private Reply | To 19 | View Replies]

To: Swordmaker

I thought macs didn’t get viruses. I guess that’s a myth.


21 posted on 07/17/2013 12:21:00 AM PDT by JCBreckenridge ("we are pilgrims in an unholy land")
[ Post Reply | Private Reply | To 19 | View Replies]

To: GeronL

Yes, it is... But they can’t get one into an OSX Mac.They’ve tried for fifteen years since OSX Server came out in 1998. Viruses have no viable vector, and the Trojans are being identified by the OS and the user is being warned against downloading them, so they faked their malware with this hokey WEBPAGE as a “quasi-Trojan”, using the JAVA scripting built into HTML coding, hoping to fool users into paying them to do something totally unnecessary. The user can either click the “Leave this Page” requester 150 times to dismiss the script, or much more easier, just quit the Safari browser and relaunch Safari holding down the Shift key to prevent reloading the tabs and pages he’d been visiting before. Voilá! Problem solved. No big deal.


22 posted on 07/17/2013 12:34:43 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 20 | View Replies]

To: Swordmaker

also no problem on my Linux


23 posted on 07/17/2013 12:49:12 AM PDT by GeronL
[ Post Reply | Private Reply | To 22 | View Replies]

To: JCBreckenridge
I thought macs didn’t get viruses. I guess that’s a myth.

And this IS NOT A VIRUS. it's not even truly Malware—it's not installed on the computer, downloaded to it, or even running on it—it's a maliciously designed website that uses a particularly long recurring requestor loop in a JAVA script to give the illusion that your browser has been locked. In a way, you might call it a Quasi-Trojan, but it fails to meet even the loose definition of a Trojan horse app. It's more of a snare, a trap, or perhaps a puzzle page.

Like all computers on which applications can be downloaded and installed, Macs ARE vulnerable to Trojan Horse Applications that claim to offer a benefit but also carry a malevolent payload. These use "Social Engineering" means to persuade the user to install the malware themselves. There are currently about forty known Trojans for Mac OSX in about seven families. Apple Mac OSX has a built-in system to identify these known trojans and any variants based on them. OSX warns the user if he attempts to download, install, or run one of these known or variant Trojans. Apple pushes updates as necessary. These Trojans are not considered "viruses" by definition.

A computer virus is malware that is self-replicating, self-transmitting, and self-installing. There have been about fifteen or sixteen attempts at creating a true OSX virus in the past twelve years. . . all have been abject failures for a simple reason: the lack of a viable vector in OSX that could be exploited to promulgate the infection, and the lack of a reliable method of guaranteed installation. One candidate used Blutooth as a vector to transmit his virus. However, it took two Macworld techs, and two Semantic security engineers SIX HOURS just to get it to copy itself from one Mac to another. . . And then, it wouldn't run because it hadn't installedh! Another was successful in copying itself to another Mac via WIFI as data, but was stymied because the data stacks on Macs are hardware non-executable memory locations and code cannot be executed in data stacks. FAIL!

So, Macs are pretty secure when it comes to malware, compared to the competition. . . And it's not because of obscurity. It's by design.

24 posted on 07/17/2013 1:06:53 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Swordmaker

“So, Macs are pretty secure when it comes to malware”

Apparently not secure enough.


25 posted on 07/17/2013 2:15:12 AM PDT by JCBreckenridge ("we are pilgrims in an unholy land")
[ Post Reply | Private Reply | To 24 | View Replies]

To: JCBreckenridge

(Sigh)

This is not a virus or a trojan. It does not install any software on your computer. It does not access any information on your computer. It’s a javascript that launches 150 windows. That’s all. It’s more social engineering than malware.


26 posted on 07/17/2013 3:50:44 AM PDT by ReignOfError
[ Post Reply | Private Reply | To 25 | View Replies]

To: JCBreckenridge
Apparently not secure enough.

Are you seriously comparing a web page with 150 popup windows to a Windows virus that causes permanent corruption to system files? I knew once I saw people talking about "restore" that we were dealing with dumb Windows users. This ransonware may prove there are dumb Mac users, but their dumbness doesn't result in system file alteration. It would be interesting to see the hit rate for such malware on Mac vs PC.

27 posted on 07/17/2013 4:00:00 AM PDT by palmer (Obama = Carter + affirmative action)
[ Post Reply | Private Reply | To 25 | View Replies]

To: Swordmaker; NonValueAdded
Unpossible - everyone knows this cannot happen to a Mac.
It's not a virus or even a Trojan, just a nuisance WEBSITE script that won't go away until you respond to it 150 times. . . It would work on a Windows 8 machine too. But since they don't restore previous sessions automatically... They don't revert.
A friend was just asking me about “malware,” which term she didn’t understand. As compared to a virus. I told her that malware was whatever anyone induces your computer to do that you don’t want it to do. So if you look at it that way, simply clicking on a link - it even happen to me on FR once - which had been contaminated with a porno picture would qualify as "induces your computer to do that you don’t want it to do."
On a related topic, I should probably to to the Apple Store and get the “genius” (their term for “tech” which is crafted to be polite to the customer by suggesting that you don’t have to be stupid to have difficulty with a computer) to explain to me some of the fool things I have been doing lately to cause my Mac to sometimes get the “slows.”

Probably just too many tabs open in Safari, or sumpn.


28 posted on 07/17/2013 4:55:33 AM PDT by conservatism_IS_compassion (“Liberalism” is a conspiracy against the public by wire-service journalism.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: conservatism_IS_compassion
On a related topic, I should probably to to the Apple Store and get the “genius” (their term for “tech” which is crafted to be polite to the customer by suggesting that you don’t have to be stupid to have difficulty with a computer) to explain to me some of the fool things I have been doing lately to cause my Mac to sometimes get the “slows.”/i>

Probably just too many tabs open in Safari, or sumpn.


Check out "Memory Clean" from the App Store. If you have multiple tabs open (I keep a bunch of related topics open in tabs on multiple pages) for a couple of days, you will have a great deal of RAM space inactive and fragmented. It is a small menu app that just does what it does by freeing up that memory. Install it and click. It may take about a minute to free up the memory and your browser speed will improve.

Another option is to set your preferences to reopen your last browser session. Quit Safari and restart. Finally, it sometimes helps just to do a restart your computer with your preferences set to reopen your previous Apps and pages.

Hope that helps.

I prefer Memory Clean over Free Memory.
29 posted on 07/17/2013 5:18:07 AM PDT by PA Engineer (Liberate America from the Occupation Media.)
[ Post Reply | Private Reply | To 28 | View Replies]

To: JCBreckenridge

I run OSX, which is basically unix. You cannot damage the unix OS without the root password. That is why unix systems are not very susceptible to viruses. Now Safari OTH, an application running on OSX can be hacked. But that has nothing to do with the underlying OSX.


30 posted on 07/17/2013 5:33:45 AM PDT by central_va (I won't be reconstructed and I do not give a damn.)
[ Post Reply | Private Reply | To 25 | View Replies]

To: JCBreckenridge
Apparently not secure enough.

Show me anything that is "secure enough."

31 posted on 07/17/2013 1:53:11 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 25 | View Replies]

To: conservatism_IS_compassion

How many icons do you have on your desktop? That is one thing that will slow down an OSX Mac. Too many and it can slow things significantly. Keep them to just Aliases of folders elsewhere on your hard drive and the problem will go away.

Also, leave your Mac on overnight. The Mac’s UNIX system does housekeeping tasks such as that memory recovery that PAengineer mentioned and defragging and optimizing of the hard drives when the system has been idle for a period. . . but if you turn it off instead of just letting it go to sleep, these never get done. Leave it turned on.


32 posted on 07/17/2013 1:59:51 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 28 | View Replies]

To: JCBreckenridge
Apparently not secure enough.

By-the-way, you are STILL misunderstanding this. This is not at all about security. Nothing was breeched with this illusion. Nobody's computer was violated. Nothing was stolen. People MAY have been tricked into GIVING these people $300, freely, because they believed they had to, to get their computers back into working condition, but that was ALL ILLUSION, a trick.

The web browser was just forced into opening 150 sub-windows on the screen, one on top of the other, each demanding to be closed, before the main screen could be closed, or before the user could move to another tab or window. JAVA has that ability built into it to make sure that transactions are fully completed and not left hanging or secure data is not left where it can be mined. These miscreants have merely used it for no good. Combine that with Apple's reloading of previous browser sessions on opening of the browser, and you have a nightmare to get out of it.

There is a simple way, if the user knows it. Most do not, so I posted that solution on FreeRepublic.

33 posted on 07/17/2013 2:08:42 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 25 | View Replies]

To: Swordmaker

Thanks


34 posted on 07/17/2013 5:21:43 PM PDT by conservatism_IS_compassion (“Liberalism” is a conspiracy against the public by wire-service journalism.)
[ Post Reply | Private Reply | To 32 | View Replies]

To: Swordmaker

Anyone who isn’t running NoScript and only selectively enabling JS as needed is a fool, these days...more proof here.


35 posted on 07/17/2013 7:24:36 PM PDT by Fire_on_High (RIP City of Heroes and Paragon Studios, victim of the Obamaconomy.)
[ Post Reply | Private Reply | To 24 | View Replies]

To: TheErnFormerlyKnownAsBig

Your daughter’s laptop wasn’t a Mac, was it? Best Buy folks are incredibly ignorant of computer repair - and Macs - LOL...

But to get back to the original post - this isn’t really malware. It is simply a web page opening a bunch of windows via javascript (a big vector for all sorts of computer issues these days). But no computer “catches” this.

Now - there are trojans that show similar behavior - maybe that is what your daughter’s laptop was infected with (assuming again it is not a Mac - which there still isn’t a major threat for).


36 posted on 07/18/2013 9:43:54 PM PDT by TheBattman (Isn't the lesser evil... still evil?)
[ Post Reply | Private Reply | To 3 | View Replies]

To: GeronL

hitmanpro worked for me when nothing else would

had to use a thumbdrive from another computer and start in boot mode


37 posted on 09/01/2013 3:51:18 PM PDT by TurboZamboni (Marx smelled bad & lived with his parents most his life.)
[ Post Reply | Private Reply | To 13 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson