OS X Ransomware via the Web Browser

16 July 2013

Today it was announced on MacRumors that there is a new threat to OS X users in the form of ransomware. In this threat, a user happens upon a website, usually through a search engine, and is greeted with what looks like an FBI web page warning that they have done something wrong.

You have been viewing or distributing prohibited Pornographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.

Instead of actually hijacking your web browser and locking it down, as seen over recent years on the Windows platform, this is a simple web page that loads 150 iFrames via JavaScript that require confirmation to be dismissed, in the hope that the user will give in and pay the $300.

The savvy computer user will greet this with suspicion, quickly Force Quit the browser and start again. However, less savvy and perhaps naïve users may be scared by it, which is the intent of the message.

What we need to remember and educate others on is that the FBI doesn't hijack browsers or anything of the sort. In today's message, it says you have been viewing pornographic material and whatnot. If that were the case and the FBI was really looking at your activity, they wouldn't send you a message over the Internet or email, and they wouldn't demand $300 and then look the other way. Instead, what they would do, if your activities were illegal, would be to get a warrant and kick in your door and arrest you.

Here are a few extensions for popular web browsers on both OS X and Windows which will help you guard against these threats that use JavaScript.

For Firefox there is NoScript, which is probably the most popular and widely used extension of its sort.

For Chrome there is ScriptNo, designed by the same person who helped write NoScript.

For Safari there is JavaScript Blocker.

There is a caveat on the extension for Safari that makes it not as effective as the other two for Firefox and Chrome.

*Unlike NoScript, this tool only blocks scripts when they are loaded from an external file or a data URI. What this means is that any scripts that are within the page itself can still run. Usually this is enough to remain safe on the web and block trackers, advertisers, etc. Unfortunately this is a limitation of the Safari extension design, not mine.
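To see what that limitation means for a given page, the following added example (not part of the original post or of any of the extensions mentioned) statically audits saved HTML and separates scripts a blocker limited to external files and data URIs would stop from script that lives in the page itself. Treating `on*` event-handler attributes as in-page script is an assumption of this example, and the sample page is constructed.

```python
from html.parser import HTMLParser

# Script types a browser executes; anything else (e.g. JSON data blocks) is inert.
JS_TYPES = {"", "module", "text/javascript", "application/javascript"}

class ScriptAudit(HTMLParser):
    """Count scripts by delivery method, inline handlers, and iframes."""

    def __init__(self):
        super().__init__()
        self.counts = dict(external=0, data_uri=0, inline=0, handlers=0, iframes=0)

    def handle_starttag(self, tag, attrs):
        # on* attributes (onload, onclick, ...) are script inside the page itself.
        self.counts["handlers"] += sum(
            1 for name, value in attrs
            if name.startswith("on") and len(name) > 2 and value)
        attrs = dict(attrs)
        if tag == "iframe":
            self.counts["iframes"] += 1
        elif tag == "script":
            if (attrs.get("type") or "").strip().lower() not in JS_TYPES:
                return  # not executable, ignore
            src = (attrs.get("src") or "").strip()
            if src.lower().startswith("data:"):
                self.counts["data_uri"] += 1
            elif src:
                self.counts["external"] += 1
            else:
                self.counts["inline"] += 1

def audit(html):
    """Return counts plus what a blocker limited to external files and data URIs
    stops ('blocked') versus what remains in the page ('still_runs')."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    c = parser.counts
    c["blocked"] = c["external"] + c["data_uri"]
    c["still_runs"] = c["inline"] + c["handlers"]
    return c

# Constructed sample page (not taken from the scam site).
SAMPLE = """<html><head>
<script src="https://cdn.example/lib.js"></script>
<script src="data:text/javascript,void 0"></script>
<script type="application/json">{"k": 1}</script>
<script>/* inline code, runs even with external scripts blocked */</script>
</head><body onload="init()">
<iframe src="about:blank"></iframe><iframe src="about:blank"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A static count does not see iframes that script inserts at run time, so on a page like the one described above the `still_runs` figure is the number to watch.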

Here is an MP3 URL for the Podcast episode ScriptNo on Security Now. It's a great listen for understanding how it works and the history of its development. Here is the transcript page of the podcast if you want to read about it.

Another good episode from Security Now is about ClickJacking, which is related to the JavaScript issues in browser security.
