Apple squashes Safari bug scammers used in scareware campaign
With the release of iOS 10.3, Apple has fixed a Safari bug that scammers were exploiting. The bug allowed a pop-up to render the browser unusable, making users believe they had to pay to use it again.
According to security firm Lookout, which found the bug and reported it to Apple, the scammers showed the pop-ups on various types of websites, from porn sites to music sites. Those sites opened a pop-up that could not be closed, even after repeatedly clicking ‘OK’. This made it appear as if the Safari browser was no longer usable. Behind the pop-up, the scareware displayed a message demanding payment in the form of an iTunes gift card to use the ‘blocked’ device again.
Lookout writes that the bug was related to Safari’s handling of pop-ups. Apple’s fix ensures that pop-ups no longer take over the entire app but are only shown per tab. The JavaScript code the scammers used had already been used in a previous campaign. The criminals used a variety of domains to display the pop-ups to users viewing “controversial content”.
This qualifies as scareware because in reality the device is not blocked at all. It gives the impression that the pop-ups keep appearing in an endless loop, but the problem can be resolved by clearing the Safari cache. According to Lookout, no code was used to escape Safari’s sandbox. The fix is included in iOS 10.3, an update that Apple released Monday evening.
Image via Lookout