Apple released iOS 10.3 earlier today, and included in it were a host of new features. As usual, however, there are a number of under-the-hood changes as well. Ars Technica notes that iOS 10.3 fixes a Safari bug that allowed scammers to trick users into paying fees.
The report explains that the flaw allowed ransomware scammers to display popup windows in a seemingly endless cycle. The user would end up on an attacker-controlled website that posed as a law enforcement site, informing them that they had to pay a fine for some sort of illegal action. In most cases, Ars Technica says, the ransomware targeted users who were viewing pornography or attempting to illegally download music or other content.
Researchers from Lookout describe how the attackers trapped users and pressured them into paying the ransom fee. Essentially, the attackers prevented users from accessing any function of Safari until the ransom fee had been paid.
The scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying.
The flaw was first discovered when a user was led to the website pay-police dot com and thereby lost control of Safari. The screenshot above shows how the user ended up on the site and the endless cycle of popups that they experienced.
The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be “locked” out from using Safari unless they paid a fee — or knew they could simply clear Safari’s cache.
A detailed explanation of the issue can be read on the Lookout blog.