Scary Mac Scam Freezes Screens, Tries to Rip You Off
Malwarebytes has discovered malicious websites that freeze your Mac and direct you to call phony Apple tech-support numbers.
UPDATED 3:00 p.m. EST with new information from security firm Intego.
Beware of where you go online when surfing the web using Apple's desktop Safari browser.
A family of relatively new scam websites has surfaced that could cause your Mac's memory to be overloaded and your Mac to freeze, according to Jérôme Segura, a researcher at security firm Malwarebytes. Segura says that if you head over to a malicious site — called safari-get or safari-serverhost, with either .com or .net suffixes — then code embedded in the sites will force either your Mail application or iTunes to run amok on your machine.
The sites will analyze which version of macOS you're running, push the relevant denial-of-service attack to you, then try to get you to call a fake Apple tech-support number. Don't call it! These are scams, and a forced restart should take care of the problem. (UPDATE: It isn't that easy. See below.)
MORE: How to Protect Yourself From Tech Support Scams
If you're running OS X 10.10 Yosemite or earlier, the site will use legitimate prompt commands to gain access to your Mail application and try to compose an endless number of new Mail messages without ever sending them.
Before long, your Mac's memory will be flooded with Mail requests and you'll be left with nothing but a computer that has frozen and needs to be reset. Then a message will pop up stating that "Your Apple Device May Have Adware/Spyware Virus," telling you to call a fake Apple tech-support number.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!
If you're running macOS Sierra 10.12.2, then iTunes will open up and a similar message appears: "Warning!! Virus Detected!! Transferring Your Personal Data and Pictures." A different phony Apple tech-support number is listed. Neither system freeze should cause any permanent damage, as no real malware is infecting the machine.
It's not clear which variant of the attack affects OS X 10.11 El Capitan, or older versions of Sierra. Segura clarified that the Mail exploit did work on OS X 10.8 Mountain Lion.
Luckily, avoiding the flaw is as simple as not going to these sites (or not using Safari as your default browser). However, unsuspecting victims might fall victim to the threat by clicking on a link they think is legitimate, only to be redirected to the malicious page. Good Mac antivirus software should block access to the malicious sites.
Email messages luring victims to the pages were said to be coming from the email addresses "dean.jones9875@gmail.com" and "amannn.2917@gmail.com." Remaining vigilant, then, and adhere to basic security principles is critical.
In a blog post, Malwarebytes said that a trend has developed in recent months of tech-support scammers using denial-of-service attacks to freeze your computers. This is just the latest in a long line. It's unclear at this point whether Apple might address the flaws and offer fixes in a future software update.
UPDATE: In a blog posting yesterday, Apple-centric security firm Intego revealed that it had tested the sites using Safari on different versions of OS X/macOs.
Intego found that the Mail exploit worked on OS X 10.9 Mavericks, 10.10 Yosemite, 10.11 El Capitan and earlier versions of macOS 10.12 Sierra.
Only macOS 10.12.1 Sierra and later were immune to the Mail exploit, in which case a message popped up stating that "This website has been blocked from automatically composing an email." Tweaking the web address in the browser address field brought up the iTunes exploit, which crashed iTunes instantly.
Intego found that Chrome froze when loading the malicious page, but that even though Mail was launched, the computer did not freeze. Firefox hiccuped a bit, then offered to stop the malicious script.
Getting out of the Mail rabbit hole isn't as easy as force-restarting your computer, however. You may have to manually clean out your Safari saved state and your Mail drafts. Intego has detailed instructions.
Tom's Guide tested one of the malicious sites in Chrome for Windows on Windows 7, and saw a few Microsoft Outlook compose-mail windows appear, then a flurry of half a dozen at once. The site also temporarily froze Chrome, but we were eventually able to close the active tab. Firefox on Windows 7 froze for a second, spawned a few Compose Mail windows, then offered to stop the script. We also noticed a couple of dozen pop-under dialogue boxes offering to open a link in iTunes.
Don Reisinger is CEO and founder of D2 Tech Agency. A communications strategist, consultant, and copywriter, Don has also written for many leading technology and business publications including CNET, Fortune Magazine, The New York Times, Forbes, Computerworld, Digital Trends, TechCrunch and Slashgear. He has also written for Tom's Guide for many years, contributing hundreds of articles on everything from phones to games to streaming and smart home.