FBI Ransomware Now Targeting Apple’s Mac OS X Users

FBI Ransomware Now Targeting Apple’s Mac OS X Users

0 3590

Note: this is a JavaScript attack which works on Apple Mac / OS X, this is not an Apple Mac Trojan (binary).

For years, Windows users have been plagued by ransomware demanding several hundred dollars to unlock their computers.

The bad guys know there is a growing market of Apple consumers who, for the most part, feel pretty safe about browsing the Internet on a Mac without the need for any security product.

Cyber-criminals, well known for not re-inventing the wheel, have ‘ported’ the latest ransomware to OS X, not by using some complicated exploit but rather leveraging the browser and its ‘restore from crash’ feature.

ransomware1

The ransomware page is being pushed onto unsuspecting users browsing regular sites but in particular when searching for popular keywords.

Warnings appearing to be from the FBI tell the victim: “you have been viewing or distributing prohibited p**nographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.

A quick look at the address bar shows an interesting URL: fbi.gov.id657546456-3999456674.k8381 . com, the bad guys are clearly trying to fool users.

If you choose to ignore the message (which you should), you cannot get rid of the page:

lock1

Repeated attempts to close the page will only lead to frustration as even the “Leave Page” browser trick does not work:

lock2

If you “force quit” the application, the same ransomware page will come back the next time to restart Safari because of the “restore from crash” feature which loads backs the last URL visited before the browser was quit unexpectedly. Talk about a vicious circle.

This is how it is done, by using some JavaScript code:

JS

The “infinite loop” (which really isn’t) is made possible by 150 iframes created dynamically by this JavaScript snippet:

loop

There is a way to get rid of it (without clicking on the prompt 150 times) and more importantly without paying the $300 ransom. Click on the Safari menu and then choose “Reset Safari”:

reset

Make sure all items are marked and hit the Reset button:

reset2

You can bet many people are going to fall for this scam and pay the ransom money, filling the bad guys’ pockets.

Whenever alarming messages are displayed, it is important to take the time to review them, call a friend or talk to someone about it.

The bad guys know how to use social engineering to entice victims as, for example, I was lead to this locked page by doing a search for Taylor Swift on Bing images.

The victim will feel they may have actually being doing something wrong and got caught and ashamed, will pay the “fine.”

This scam is unfortunately all too efficient and is not going away anytime soon.

SOURCE: Malwarebytes

I have over 25 years experience in Information Technology and Information Security. In the last 7 years, my focus has been on Information Security and Risk Management, with day to day responsibility for managing all aspects of Information and Technology Risk Management (Information Risk, Technology Risk, Business Continuity and Cyber Crime). Previous roles included Solutions Architecture, Security Engineering, Network Engineering, IT System administration of Unix, Linux and Windows infrastructure services, IT Quality Assurance and Software Testing, IT Development. Specialties include: + Risk Management (Assessment, Threat Mitigation and reporting) + Cyber-crime – Anti-malware (Trojans, MITB, MITM, Viruses, Spyware), Anti-phishing (Fraudulent websites and scams) + Information Security, Ethical Hacking /Penetration Testing, ISO 27001 + Fraud management + Development and Testing + Infrastructure services, IT Infrastructure Library (ITIL), + Business Continuity and Disaster Recovery.