I Think My Mac Computer Just Got Held For Ransom

  • Posted by a hidden member.

    Sep 02, 2014 4:31 PM GMT
    I've been reading about stuff like this lately. I was doing a Yahoo! search, on a world history topic, (trust me, not porn). All of a sudden I got redirected to some site I couldn't recognize, containing a lengthy citation of international law and US Code that I had broken, with ominous references to the US FBI and to Interpol.

    It further said that my "PC" (I have a Mac) had been frozen because of this illegal usage, and my browser was under their control until I paid a fine, written as 300$ instead of $300. And a smaller window appeared with instructions how to send the money online. I'm not aware of any law agency that can assign a fine in this manner, and without the opportunity to dispute it. Nor had I been doing anything illegal.

    But they were right, I couldn't do anything with my Safari browser, not even close it. So I force quit it, but when I restarted it I got the same messages and lock-up. Same when I rebooted the entire computer.

    So I turned off my WiFi connection to the router, force quit Safari again, and rebooted once more. This time I didn't restart Safari but first ran a virus scan from the internal flash drive. It didn't find any problem files, no malware.

    When I restarted Safari this time it opened cleanly, but without an Internet connection which I had disabled, and without that mystery site reappearing in the browser URL line. Then I turned the WiFi back on, and Safari remained quiet. I selected one of my regular news sites, which connected normally without interference, and next RealJock to share this with you here.

    But very scary for a short time. You feel so helpless when you've lost control of your computer like that. But I was able to break its hold, and both my virus programs, with today's latest updates running, still report nothing permanent has been done to my computer. But of course that's no absolute guarantee, with the sophistication of today's hackers.
  • Posted by a hidden member.

    Sep 03, 2014 4:25 AM GMT
    People still use Safari?
  • Posted by a hidden member.

    Sep 03, 2014 4:55 AM GMT
    Does this look familiar?

    http://marcelbrown.com/2013/07/18/fbi-phishing-scam-affects-mac-users-how-to-bypass/

    It's not really malware (it's incapable of reaching beyond your current browser session), it's just using all of the convenience/security/safety features that the browser has for navigating important but poorly-designed sites (tax forms, banking, etc., which often don't recover well from being left unexpectedly - a familiar theme here on RJ now that I think of it) to convince the browser not to leave the page.

    Your strategy was quite clever - forcing the browser to start without a connection bypassed automatic session recovery -- but according to the article above you should be able to do the same thing in the future by just holding 'shift' while launching the browser. This is also a good reason to have a browser or two installed that you never use except to look up scams like this one.

    Gotta love the internet. And the sort of wasted time and talent that goes into designing HTML/JavaScript code to simulate malware.
  • Posted by a hidden member.

    Sep 03, 2014 12:29 PM GMT
    xrichx said
    People still use Safari?

    I love Safari. And it integrates beautifully with the rest of the Mac ecosystem.

    BTW, that article has an update:

    "This scam seems to affect Firefox, Chrome, and other browsers in addition to Safari." And they're susceptible to malware from this scam with Windows, whereas Safari on a Mac is not.
  • Posted by a hidden member.

    Sep 03, 2014 12:42 PM GMT
    yetanotherphil said
    Does this look familiar?

    http://marcelbrown.com/2013/07/18/fbi-phishing-scam-affects-mac-users-how-to-bypass/

    It's not really malware (it's incapable of reaching beyond your current browser session), it's just using all of the convenience/security/safety features that the browser has for navigating important but poorly-designed sites (tax forms, banking, etc., which often don't recover well from being left unexpectedly - a familiar theme here on RJ now that I think of it) to convince the browser not to leave the page.

    Your strategy was quite clever - forcing the browser to start without a connection bypassed automatic session recovery -- but according to the article above you should be able to do the same thing in the future by just holding 'shift' while launching the browser. This is also a good reason to have a browser or two installed that you never use except to look up scams like this one.

    That is precisely what was happening to my iMac, including the $300 demand. And as they say, I didn't know there were "only" 150 copies of that message I had to keep clearing. After I continued to fail at about 10 attempts to close the pop-up I abandoned that approach.

    Thanks also for the tip about the "Shift-relaunch". I didn't know that Safari trick. I'll try it next time, should this occur again.

    Yeah, I hoped maybe I could defeat the automatic session recovery if there was no connection, as I suspected it was a culprit in this. The article also describes why my anti-virus software said my Mac is clean - because it is. WHEW!!!!
  • Posted by a hidden member.

    Sep 03, 2014 4:27 PM GMT
    pazzy said
    don't know if i could be of much help because i had this happen to me a few times and it was like hell to get out. that's either malware, adware, or a trojan virus. had it before. you need a good virus program and would suggest that you don't mess with safari because of that. it's probably unsafe to use. firefox or internet explorer either. haven't had any problems with google chrome's web surf engine. not to say that it couldn't happen from using chrome. it would be best to have an adware and a reliable virus scanner. what virus scanner you use?

    Actually I'm spooked to say now, lest it assist the bad guys in another attack on me. But it is highly rated, and I purchase it, not freeware. Its virus definitions are the latest.

    That article says malware will not pass to Mac OS X through Safari with this kind of attack. But it can happen with Windows using other browsers.
  • kuroshiro

    Posts: 786

    Sep 03, 2014 4:36 PM GMT
    I can't help but laugh at the screenshot on that website article... it's so obviously a fake. Far too shiny to be a government page anyways
  • Posted by a hidden member.

    Sep 03, 2014 6:03 PM GMT
    xrichx said
    People still use Safari?


    But of course! Don't you?

    Important nota bene in the referenced article for Windoze users:

    marcelbrown.com/2013/07/18/fbi-phishing-scam-affects-mac-users-how-to-bypass/

    "...However, even if you do stumble upon it more than once, your Mac is not infected or compromised in any way. But as I mentioned earlier, if you are a Windows user and you run into this scam, you are infected with malware and you will need to have it professionally cleaned."
  • Posted by a hidden member.

    Sep 04, 2014 2:23 PM GMT
    kuroshiro said
    I can't help but laugh at the screenshot on that website article... it's so obviously a fake. Far too shiny to be a government page anyways

    And as I said in my OP, $300 was written as 300$. Lots of other more subtle errors, too.
  • Posted by a hidden member.

    Sep 04, 2014 2:30 PM GMT
    Well, it happened to me again. So I tried yetanotherphil's advice about relaunching Safari with the Shift key, after force quitting it, and it worked perfectly. Thanks!

    Which would further confirm which scam this is. But this could become disruptive in itself, since I don't wanna lose work I've been doing, and have to go back and replicate online searches I've done. Seems like these hackers get away with murder, and most never get caught. Especially those based in Eastern European and Asian countries.
  • Posted by a hidden member.

    Sep 09, 2014 4:35 AM GMT
    Art_Deco said
    Well, it happened to me again. So I tried yetanotherphil's advice about relaunching Safari with the Shift key, after force quitting it, and it worked perfectly. Thanks!

    Which would further confirm which scam this is. But this could become disruptive in itself, since I don't wanna lose work I've been doing, and have to go back and replicate online searches I've done. Seems like these hackers get away with murder, and most never get caught. Especially those based in Eastern European and Asian countries.


    Sorry I missed this; I was out of town and "AFK".

    I've had very good luck with adblock:

    https://getadblock.com/

    This doesn't disable the exploit, but it blacklists a lot of scummy sites that may be injecting it (intentionally or not) into more legitimate sites via ads (which almost never come from the site you're visiting these days).

    I haven't verified the information here, but aside from the dead "JavaScript Blacklist" link, the shortcuts may be useful:

    http://www.tuaw.com/2011/01/04/quickly-enable-or-disable-javascript-in-safari/

    If you can't figure out which sites are injecting this code, you may just need to enable JavaScript conservatively until you do (or Apple fixes Safari to disallow this garbage). I've had good luck using separate browsers for work and play; if you've got a few sites that you can't interrupt, you may want to visit them in one browser and do your random surfing in another. Chrome is fast and solid but with massive privacy issues, Firefox has tons of addons to help with stuff like this but can be slow and even crash if you push it too hard, and as you've seen Safari is well-integrated but lacking in security options once someone finally finds an exploit.

    EDIT: There's also Opera, which combines the worst features of Firefox and Safari so nobody even *wants* to hack it. I rather like it.

    Good luck...
  • Posted by a hidden member.

    Sep 09, 2014 4:52 AM GMT
    yetanotherphil said
    I've had very good luck with adblock...

    Good luck...

    I've been running AdBlock for a long time. It certainly hasn't prevented the scam I've been encountering. Nor did I think that was its purpose.
  • Posted by a hidden member.

    Sep 09, 2014 5:05 AM GMT
    Art_Deco said
    yetanotherphil said
    I've had very good luck with adblock...

    Good luck...

    I've been running AdBlock for a long time. It certainly hasn't prevented the scam I've been encountering.


    Damn. So much for that. I'm not using it at the moment, but I seem to recall that AdBlock has its own update system. Do you know if your lists are up to date?

    At any rate, it looks like the "Disable JavaScript" trick should re-enable the "Back" button. That should give you a much less destructive way out, though you'll probably still need to save any work and clear your session to be sure. Have you been able to narrow down which site(s) tend to trigger this event?