Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > News > Mac News > New 'ransom' malware exploits JavaScript flaw to plague OS X users

New 'ransom' malware exploits JavaScript flaw to plague OS X users
Thread Tools
MacNN Staff
Join Date: Jul 2012
Status: Offline
Reply With Quote
Jul 16, 2013, 01:49 AM
 
A new bit of "ransomware" that has long been a plague to Windows users has been "ported" to work on Mac browsers, taking advantage of a flaw in JavaScript (not to be confused with Java) to prevent it from being easily dismissed or gotten rid of. The exploit takes advantage of the "restore from crash" to keep bothering the user, and scares them into thinking they must surrender payment information in order to "unlock" their browser and use it normally again, often under threat of persecution. There is a relatively easy fix, though inconvenient.

The ransomware page can be landed on or pushed to users who are using alternative search sites to look for certain kinds of keywords having to do with pirated software or pornography. The page appears to be from the US Federal Bureau of Investigation and claims that the user has been viewing or distributing illegal software or pornography, and that in order to "unlock" the computer they are obligated to pay a release fee of $300, using a fake URL that starts with "fbi.gov" to fool unsuspecting users.

Closing the window or dismissing the warning creates another pop-up that also cannot be closed without re-spawning. Quitting or force-quitting the browser will return the user to the same page with the cycle beginning again. The code will actually allow the user to quit after 150 or so prompts, but few users are willing to go that far and are not aware that the JavaScript snippet will ever quit.

Users can escape the scam by choosing to reset their browser. In Safari the command is located in the application menu and choosing all aspects of the reset. The action does not remove bookmarks but does clear out saved name and passwords as well as resetting any Top Sites that have been saved.

Apple has built-in malware protection software in Snow Leopard and later systems that was recently updated, but it's not yet known if it will successfully block this particular malware yet. Assuming it does not yet block the scam, the company is likely to update XProtect to avoid the problem in the near future. The hack does not yet appear to work on mobile browsers.


     
Senior User
Join Date: Apr 2001
Location: Victoria, Australia
Status: Offline
Reply With Quote
Jul 16, 2013, 02:11 AM
 
Hold down the "Shift" key when you launch Safari, and it won't reload pages. No need to reset the browser.
     
Dedicated MacNNer
Join Date: Jul 2009
Status: Offline
Reply With Quote
Jul 16, 2013, 02:37 AM
 
Also: in Safari, at least, you can clear the page contents using a bookmarklet which will erase the document contents using "document.write" and then you can close the window without any hassle at all. (At least, I checked the URL they gave and it worked.) MacNN's comment system may eat this, but my bookmarklet was:

javascript:%20void(function(){document.write('%3Ch tml%3E%3Chead%3E%3Ctitle%3E%2D%2D%20Page%20has%20b een%20erased%20%2D%2D%3C%2Ftitle%3E%3C%2Fhead%3E%3 Cbody%20style%3D%22margin%3A0in%3Bpadding%3A25%25% 3B%22%3E%3Ch1%20style%3D%22size%3Axx%2Dlarge%3Btex t%2Dalign%3Acenter%3Bcolor%3Ared%3Bmargin%3A25%25% 3Bfont%2Dweight%3Abold%3B%22%3EThis%20page%20was%2 0erased%20using%20a%20bookmarklet%2E%3C%2Fh1%3E%3C p%20style%3D%22text%2Dalign%3Acenter%3B%22%3EThis% 20page%20has%20had%20its%20content%20replaced%20wi th%20this%20message%2E%20If%20you%20want%20the%20c ontent%20back%2C%20you%20will%20need%20to%20reload %20the%20page%2E%3C%2Fp%3E%3C%2Fbody%3E%3C%2Fhtml% 3E');}())
     
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Status: Offline
Reply With Quote
Jul 16, 2013, 03:05 AM
 
Good tips, guys, but I think you're missing the point. Nerds like us (and typical MacNN readers) aren't going to be troubled with this. It's the people who don't know these sorts of things that are the most vulnerable. Luckily, Apple is probably already on top of this (or soon will be) and the anti-malware companies a lot of non-power users rely on will likely update definitions in no time as well, so we're hopeful that this problem doesn't get much traction in the Mac community.
Charles Martin
MacNN Editor
     
Dedicated MacNNer
Join Date: Jul 2009
Status: Offline
Reply With Quote
Jul 16, 2013, 04:14 AM
 
@chas_m:

Actually, finding a painless and simple way out of this is a useful thing. Even if you aren't likely to trigger it yourself, you may well be called on to fix it for someone else at some point, and knowing how to do that would be useful.
     
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Online
Reply With Quote
Jul 16, 2013, 08:26 AM
 
Originally Posted by chas_m View Post
Good tips, guys, but I think you're missing the point. Nerds like us (and typical MacNN readers) aren't going to be troubled with this. It's the people who don't know these sorts of things that are the most vulnerable. Luckily, Apple is probably already on top of this (or soon will be) and the anti-malware companies a lot of non-power users rely on will likely update definitions in no time as well, so we're hopeful that this problem doesn't get much traction in the Mac community.
The point of the comment was that the article mentions a baby-and-bathwater solution that is just as unlikely to occur to a non-techie user, while simply holding shift is a usually completely painless and much simpler alternative.
     
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Status: Offline
Reply With Quote
Jul 16, 2013, 06:05 PM
 
Point taken. Thanks, guys.
Charles Martin
MacNN Editor
     
Fresh-Faced Recruit
Join Date: Jul 2013
Status: Offline
Reply With Quote
Jul 18, 2013, 11:52 AM
 
Malware and ransomware are often a result of software piracy. Don't participate and don't allow corporations to get away with this crime – report software piracy to the BSA: http://nopiracy.net/13YiULF
     
Fresh-Faced Recruit
Join Date: Aug 2001
Location: Cincinnati, Ohio
Status: Offline
Reply With Quote
Jul 18, 2013, 03:59 PM
 
I'll be making all kinds of cash "fixing" this issue
     
Dedicated MacNNer
Join Date: Jul 2009
Status: Offline
Reply With Quote
Jul 18, 2013, 04:44 PM
 
Oh, or you can bring the window to the front of Safari and then run this AppleScript:

tell application "Safari"
tell document of window 1 to do JavaScript "document.write('');"
end tell
     
   
Thread Tools
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Top
Privacy Policy
All times are GMT -4. The time now is 01:06 PM.
All contents of these forums © 1995-2015 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2015, Jelsoft Enterprises Ltd., Content Relevant URLs by vBSEO 3.3.2