This week, 9to5Mac reported on a tech support scam that caused a Denial of Service (DoS) attack on a Mac. While this DoS was described as an attack caused by malware, it appears to be a malicious script loaded by a web browser instead, in this case Safari.
This DoS attack is not malware in the traditional sense, because nothing is actually installed on the affected system. What is happening is that links to malicious site(s) that run this script are sent via email from email addresses dean.jones9875@gmail.com and amannn.2917@gmail.com. These email addresses are also recorded as registration info for the malicious domains. It is currently unknown if the emails contain a simple text link or an application that may change the browser’s home page to the malicious site.
Some of the websites that trigger the DoS are safari-get[.]com, safari-get[.]net, safari-serverhost[.]com and safari-serverhost[.]net. At the time of writing, all but the last domain are inactive. There could, of course, be many other websites not yet discovered that trigger the same behavior.
With one of the known sites still active, Intego was able to test the reported behavior, which we will detail below.
The malicious site loads a script that opens the Mail application and drafts a new email with the subject “Warning! Virus Detected! Immediately Call Apple Support” and a phone number that is most definitely not Apple’s (it is known to be associated with similar scams). It doesn’t just draft one of those emails; it drafts hundreds, until your Mac runs out of memory and locks up.
Attempts to quit or force quit Mail will not work; doing so causes the browser script to open Mail again and begin drafting fresh emails. The browser must be closed first to stop the script, and only then can Mail be closed. However, since Safari remembers the last page that was open when it was quit, the next time Safari is launched the whole cycle starts all over again. Even if the Mail application is not configured, it keeps opening and asking to add an account.
The behavior mentioned above was tested on OS X 10.9, 10.10, 10.11 and 10.12, and was observed on all of them. Only macOS 10.12.1 and up (Safari 10.0.1 and newer) appear to protect against this attack, with Safari recognizing the repeated attempts and warning the user.
On the affected systems, Safari is the browser most affected by this attack. Google Chrome loads the script and launches Mail, but once Mail is quit, Chrome does not re-open it. Chrome itself does freeze, though. Firefox briefly stalls when loading the website, and then offers to stop the malicious script.
For Mac users who are not running macOS 10.12.1 or newer, the use of Firefox is highly recommended as it is constantly updated even for older OS X versions, and it appears to protect from at least this particular attack. Upgrading to the latest macOS version is of course preferred.
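Safari 10.0.1's defence, as described above, amounts to noticing repeated attempts to hand a URL to another application and asking the user before continuing. The following JavaScript is an added example written for this page, not code from the original article, from Intego or from Apple: a small per-origin throttle for external-scheme navigations, run against a constructed burst of mailto: navigations of the kind the scam page generates. It assumes the page opens Mail through mailto: links carrying a prefilled subject (the natural way for a web page with nothing installed to open Mail with a subject already filled in), and its scheme list, launch limit and time window are illustrative values, not Safari's.

```javascript
// Added example, not code from the original article or from Intego: a
// defensive throttle for navigations that hand a URL to an external
// application (mailto:, itms:, ...), modelled on the protection the article
// credits to Safari 10.0.1, which notices repeated launch attempts and asks
// the user. Assumptions: the page opens Mail through mailto: links with a
// prefilled subject, and the scheme list, limit and time window below are
// illustrative choices, not values from the article or from Safari.

// URL schemes that leave the browser and start another application.
const EXTERNAL_SCHEMES = new Set(["mailto", "itms", "itmss", "itms-apps", "macappstore"]);

// Subject the article reports in the drafted messages, used for the sample input.
const MALICIOUS_SUBJECT = "Warning! Virus Detected! Immediately Call Apple Support";

// Return the lower-cased scheme of a URL-like string, or null for relative URLs.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Split a mailto: URL into recipients and header fields (RFC 6068 layout:
// mailto:addr1,addr2?subject=...&body=...). Header names are lower-cased.
function parseMailto(url) {
  if (schemeOf(url) !== "mailto") return null;
  const rest = url.trim().slice("mailto:".length);
  const q = rest.indexOf("?");
  const addrPart = q === -1 ? rest : rest.slice(0, q);
  const query = q === -1 ? "" : rest.slice(q + 1);
  const to = addrPart.split(",").filter(Boolean).map(decodeURIComponent);
  const headers = {};
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    headers[decodeURIComponent(name).toLowerCase()] = decodeURIComponent(value);
  }
  return { to, headers };
}

// Per-origin rate limit on external launches. The first `maxLaunches` in any
// `windowMs` window are allowed (a real browser would surface them to the user
// as a confirmation, as the article describes Safari 10.0.1 doing); further
// attempts in the same window are blocked, which is what breaks the loop that
// reopens Mail every time it is quit.
class SchemeLaunchGuard {
  constructor({ maxLaunches = 1, windowMs = 10000 } = {}) {
    this.maxLaunches = maxLaunches;
    this.windowMs = windowMs;
    this.allowedAt = new Map(); // origin -> timestamps (ms) of allowed launches
    this.blockedCount = 0;
  }

  decide(origin, url, nowMs) {
    const scheme = schemeOf(url);
    if (scheme === null || !EXTERNAL_SCHEMES.has(scheme)) {
      return { action: "allow", reason: "ordinary web navigation" };
    }
    const recent = (this.allowedAt.get(origin) || []).filter(t => nowMs - t < this.windowMs);
    if (recent.length >= this.maxLaunches) {
      this.blockedCount += 1;
      this.allowedAt.set(origin, recent);
      return { action: "block", reason: `${scheme}: ${recent.length} launch(es) already allowed in the last ${this.windowMs} ms` };
    }
    recent.push(nowMs);
    this.allowedAt.set(origin, recent);
    return { action: "allow", reason: `${scheme}: launch permitted, confirm with the user` };
  }
}

// Constructed sample input: the burst of mailto: navigations a page like the
// one described would emit, a few milliseconds apart. Returns how many were
// allowed and how many blocked.
function simulateBurst(guard, count, origin = "http://malicious-site.example") {
  const url = "mailto:?subject=" + encodeURIComponent(MALICIOUS_SUBJECT);
  const tally = { allow: 0, block: 0 };
  for (let i = 0; i < count; i++) {
    tally[guard.decide(origin, url, 1000 + i * 5).action] += 1;
  }
  return tally;
}

const demoGuard = new SchemeLaunchGuard({ maxLaunches: 1, windowMs: 10000 });
console.log(parseMailto("mailto:?subject=" + encodeURIComponent(MALICIOUS_SUBJECT)).headers);
console.log(simulateBurst(demoGuard, 300)); // one draft gets through, 299 attempts are blocked
console.log(demoGuard.decide("http://malicious-site.example", "https://www.apple.com/", 3000).action);
```

Run it with node. The parse step shows that the “Warning! Virus Detected!” subject travels inside the URL itself, which is why nothing has to be installed on the Mac; the burst shows the first draft getting through while the remaining attempts are refused. Keying the limit on the page's origin rather than on the exact URL matters, because the scam page could vary the subject or recipient on every attempt.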
The page checks for a specific version of the operating system and loads a script accordingly. In our testing, on several versions of OS X, only the script that opened Mail was loaded; when Malwarebytes investigated, however, they found another script that opened iTunes instead of Mail. We triggered this script by manually tweaking the web address. A differently styled web page loads and iTunes is opened, which, in our testing on different OS X versions, crashed immediately.
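The version check the page performs before choosing a script is ordinary user-agent sniffing. The following JavaScript is an added example written for this page, not code from the article or from Intego: it parses the OS and browser version out of user-agent strings and turns the same check around, flagging the combination the article reports as affected (Safari older than 10.0.1 on the Mac) and annotating the others with the behaviour observed above. The user-agent strings are constructed from the documented Safari, Chrome and Firefox formats rather than captured from the scam pages, and since a user agent is client-controlled, this is an inventory aid (for a mail gateway or proxy log, say), not a security control.

```javascript
// Added example, not code from the original article or from Intego: extract the
// operating system and browser version from a user-agent string, the kind of
// check the article says the malicious page makes before choosing a script,
// and use it the other way round to flag browsers the article reports as
// affected. The user-agent strings are constructed from the documented Safari,
// Chrome and Firefox formats; the exposure rules encode only what the article
// states. A user agent is client-controlled, so this is an inventory aid, not
// a security boundary.

// Compare dotted version arrays; missing components count as 0. Returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Turn regex groups like ("10", "11", undefined) into [10, 11].
function versionFrom(match, first) {
  if (!match) return null;
  return match.slice(first, first + 3).filter(x => x !== undefined).map(Number);
}

function parseUA(ua) {
  // Safari on the Mac writes "Macintosh; Intel Mac OS X 10_11_6"; Firefox writes "10.11".
  const mac = /Macintosh;[^)]*Mac OS X (\d+)[_.](\d+)(?:[_.](\d+))?/.exec(ua);
  // Safari on iOS writes "iPhone; CPU iPhone OS 10_0_2" or "iPad; CPU OS 10_0_2".
  const ios = /\((?:iPhone|iPad|iPod(?: touch)?);[^)]*CPU (?:iPhone )?OS (\d+)[_.](\d+)(?:[_.](\d+))?/.exec(ua);
  // Safari proper carries a "Version/x.y.z" token; Chrome only borrows the "Safari/" token.
  const ver = /Version\/(\d+)\.(\d+)(?:\.(\d+))?/.exec(ua);
  const isSafari = /Safari\//.test(ua) && ver !== null && !/Chrome\/|CriOS\/|FxiOS\//.test(ua);

  let platform = "other", os = null;
  if (mac) { platform = "macOS"; os = versionFrom(mac, 1); }
  else if (ios) { platform = "iOS"; os = versionFrom(ios, 1); }

  let browser = "other";
  if (isSafari) browser = "Safari";
  else if (/Chrome\//.test(ua)) browser = "Chrome";
  else if (/Firefox\//.test(ua)) browser = "Firefox";

  return { platform, os, browser, browserVersion: isSafari ? versionFrom(ver, 1) : null };
}

// Apply the article's observations: on the Mac, Safari older than 10.0.1
// (the version shipped with macOS 10.12.1) reopens Mail until the browser is
// quit; Chrome launches Mail once and freezes; Firefox offers to stop the
// script; iOS creates a single draft.
function assessMailDoSExposure(ua) {
  const info = parseUA(ua);
  let exposed = false;
  let note = "not a platform or browser the article tested";
  if (info.platform === "iOS") {
    note = "one draft is created; clear Safari history and website data";
  } else if (info.platform === "macOS" && info.browser === "Safari") {
    exposed = compareVersions(info.browserVersion, [10, 0, 1]) < 0;
    note = exposed ? "Safari reopens Mail each time it is quit" : "Safari warns about the repeated launch attempts";
  } else if (info.platform === "macOS" && info.browser === "Chrome") {
    note = "Mail is launched once and the browser freezes, but Mail is not reopened";
  } else if (info.platform === "macOS" && info.browser === "Firefox") {
    note = "the browser stalls briefly, then offers to stop the script";
  }
  return { ...info, exposed, note };
}

// Constructed sample user-agent strings (not captured from the scam pages).
const SAMPLE_UAS = {
  elCapitanSafari: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7",
  sierraSafari: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14",
  iphoneSafari: "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A456 Safari/602.1",
  macChrome: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36",
  macFirefox: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:50.0) Gecko/20100101 Firefox/50.0",
};

for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
  const r = assessMailDoSExposure(ua);
  console.log(name, r.platform, r.os && r.os.join("."), r.browser, r.exposed ? "EXPOSED" : "ok", "-", r.note);
}
```

The Safari version, not the OS version, is what the exposure rule keys on, because the article ties the fix to Safari 10.0.1 and the same Safari build can run on more than one OS X release. Chrome's user agent is the classic trap here: it contains “Safari/” but no “Version/” token, which is the detail the parser uses to tell the two apart.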
If this DoS attack has already hit you and you are currently looking at a locked up Mac, or are unable to open Safari without it hijacking your Mail again, there are some steps you can take to clear this up.
Press Option-Command-Escape to open the Force Quit Applications window and force quit Safari first. With the browser gone, the script can no longer relaunch Mail, so Mail can then be quit as well.
On iOS 8, 9 and the current 10, loading the malicious website also results in a new Mail message being drafted—but only one draft is created.
This single draft can be cancelled and deleted, but a new one will pop up straight away. Therefore, you will need to clear Safari’s history and website data so that the page is not loaded again, which on an iOS device is done by going to Settings > Safari > Clear History and Website Data.
Loading the script that calls iTunes on the Mac has no effect on iOS, instead it just shows the webpage without opening any other app.
While not malware in the traditional sense, this DoS shows there are multiple ways to attack a Mac or iOS user. In this case, not a lot of effort was put into the scripting that triggered Mail or iTunes. The authors could, for example, have made the emails actually send to various addresses, turning the victim into a spammer on their behalf. Still, there are many, many users who may actually call the phone number presented on their screen and pay the scammers for “support.” That is what makes these scams so successful, and why they are likely not going anywhere anytime soon.
Be vigilant when you receive email from someone you don’t know, especially when an email contains links or buttons. On the Mac, hover your cursor over the link to see what site it will really send you to. On iOS devices, just press and hold on a link to see a pop-up with the real URL in it. And remember: If you don’t trust it, delete it.