- The Washington Times - Wednesday, March 29, 2017

An Apple bug being actively harnessed by cybercriminals to scam gullible iPhone users is addressed in a critical mobile operating system update rolled out Monday from Cupertino, security researchers said afterwards.

Apple’s latest iOS update adjusts the way JavaScript pop-ups are processed by the company’s mobile Safari browser, among other features, effectively patching a crude hack that had allowed scammers to conduct a so-called “scareware campaign,” according to Lookout, a San Francisco-based security firm credited with bringing the bug to Apple’s attention.

“The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be ‘locked’ out from using Safari unless they paid a fee — or knew they could simply clear Safari’s cache,” Lookout’s researchers wrote in a blog post published upon Monday’s iOS update.

Scammers typically exploited the bug in a manner that redirected mobile users to malicious domains designed to resemble those of legitimate law enforcement agencies, according to Lookout. Visitors are usually told upon landing that they’ve been caught accessing illegal content and must pay a fine in the form of an iTunes gift card, all the while an endless loop of pop-up boxes prevents victims from otherwise controlling their browser, the researchers said.

No malicious payloads were delivered in the campaign, meaning victims’ phones were never actually compromised. Instead, its “purpose is to scare the victim into paying to unlock the browser before he realizes he doesn’t have to pay the ransom to recover data or access the browser,” Lookout said.

It was not clear if the extortionists were financially successful in their endeavors or to what extent.

Lookout said it was made aware of the attack last month and reached out to Apple after discovering the root cause of the bug. It was one of 223 bugs affecting a slew of Apple products addressed in a wide-ranging update rolled out Monday, which also brought changes to Apple services including Siri, iTunes and Maps, according to ThreatPost, a blog maintained by Kaspersky Labs, a Russian cybersecurity firm.

Apple sold roughly 77 million iPhones during the last quarter of 2016, giving it the largest market share overall in terms of smartphones sold at 17.9 percent to Samsung’s 17.8 percent, according to a report published last month by Gartner. In terms of operating systems, about 18 percent of all phones sold that quarter shipped with iOS installed.

• Andrew Blake can be reached at ablake@washingtontimes.com.
