A scareware attack is targeting Apple iPhone and iPad users, “locking” their browsers unless they pay a ransom.
According to a Lookout Inc. blog post, “the attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying.”
The irony, of course, is that this is not an actual ransomware campaign; it’s just cleverly disguised as one.
“A knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the iOS Settings—the attack doesn’t actually encrypt any data and hold it ransom,” Lookout noted. “Its purpose is to scare the victim into paying to unlock the browser before he realizes he doesn’t have to pay the ransom to recover data or access the browser.”
As such, the attack is contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, the firm said.
To find victims, the group behind this campaign purchased a large number of domains intended to catch users seeking controversial content on the internet, including pornography and some music-oriented sites. Each site would serve up a different message based on the country code identifier. Once a target is identified, the pop-up messages include an email address for the target to contact; the addresses appear to be country-specific and part of a wider phishing campaign.
Apple's iOS update yesterday addressed the issue, but users who have not yet updated their devices are still at risk. The computing giant closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app, according to Lookout.