Scammers have reportedly leveraged a recently patched flaw in iOS devices to scare users with fake pop-ups that suggest federal authorities have locked down their phones due to illegal activity.
Scammers have reportedly leveraged a recently patched flaw in iOS devices to scare users with fake pop-ups that suggest federal authorities have locked down their phones due to illegal activity.

Apple on Monday released security updates for multiple products, and in the process also reconfigured iOS to address a pop-up issue that scammers were abusing to lock users out of their Safari mobile browsers in an attempt to extort money.

According to mobile security company Lookout, its research team reported the pop-up problem last month, after discovering that the Safari browser executed JavaScript-based pop-up dialogs on iOS devices in such a way that could render a device inoperable, if maliciously exploited. 

Indeed, online scammers have been using this exploit to trick users into thinking law enforcement agencies such as Interpol have locked their devices due to supposedly illicit activity. Victims receive a threatening message purportedly from these agencies demanding that they pay a fine in the form of an iTunes gift card code sent via SMS, Lookout explained in a company blog post. In at least one published example, a message warned that failure to comply would result in the delivery of digital evidence to London's Metropolitan Police.

Lookout first learned of the scam after a client complained of visiting a website and subsequently receiving a ransom message from pay-police[.]com, along with an overlaid "Cannot Open Page" pop-up from Safari. Clicking "OK" on the dialog did nothing other than to present the same prompt over and over in a loop.

In its blog post, the security company explained that the group behind this campaign "purchased a large number of domains that try to catch users [who] are seeking controversial content on the Internet" such as pornography or music downloads. Upon visitation, these websites download the malicious JavaScript code that launches the unceasing pop-ups and fools victims into thinking they've been caught committing a illegal act.

"Users should be aware of these types of tactics that are designed to scare the user into making a payment they normally would not," said Andrew Blaich, security researcher at Lookout, in an email interview with SC Media. "The user is never in any real harm with regards to this attack, as no data is being stolen and the device is not being broken into." 

Apple closed the attack vector, Lookout noted, by updating iOS so that Safari pop-up dialogs are now limited to individual tabs, rather than being able to take over the entire app. That way, if a pop-up loop has locked down one particular tab, the user can simply close it out and open a new one.

Even before Apple's fix, scam victims could have avoided paying the ransom simply by clearing the Safari browser's cache. But this is not an obvious solution to all users.

Because this was a software reconfiguration as opposed to a bug repair, Apple did not associate the fix with a CVE, nor did it list the fix among its software updates, according to Lookout. SC Media has reached out to Apple for comment.

"A user that is informed of attacks like this can realize they have the power to make it go away if they think through the message and try resetting apps like their browser to see if the messaging continues," said Blaich. "The user should also be careful about the sites they visit on the Internet, as while this attack was relatively benign in nature, other attacks that look to break into the device could have much different results."

Apple's latest batch of updates addressed the following products: macOS Server (three fixes); tvOS 10.2 (39 fixes); watchOS 3.2 (31 fixes); iOS 10.3 (65 fixes); macOS Sierra, El Capitan and Yosemite (65 fixes); Safari 10.1 (24 fixes); and iWork for Mac and ioS (one fix).

Cisco's Talos division also released research addressing one of Apple's newly patched vulnerabilities. Officially designated CVE-2017-2485, the flaw was a use-after-free vulnerability in the X.509 certificate validation functionality of Apple macOS and iOS, which, if exploited, could have resulted in remote code execution. 

"This vulnerability manifests due to improper handling of X.509v3 certificate extensions fields," the company explained in a Monday blog post. A specially crafted X.509 certificate delivered via malicious files, websites or mail servers "could trigger this vulnerability and potentially result in remote code execution on the affected system," the post continued.

Talos and Apple specifically credited Talos researcher Aleksandar Nikolic with discovering the bug.

- Users should be aware of these types of tactics that are designed to scare the user into making a payment they normally would not. The user is never in any real harm with regards to this attack as no data is being stolen and the device is not being broken into. A user that is informed of attacks like this can realize they have the power to make it go away if they think through the message and try reseting apps like their browser to see if the messaging continues. The user should also be careful about the sites they visit on the internet as while this attack was relatively benign in nature other attacks that look to break into the device could have much different results.