Scary Mac Scam Freezes Screens, Tries to Rip You Off

UPDATED 3:00 p.m. EST with new information from security firm Intego.

Beware of where you go online when surfing the web using Apple's desktop Safari browser.

Credit: Racorn/ShutterstockCredit: Racorn/Shutterstock

A family of relatively new scam websites has surfaced that could cause your Mac's memory to be overloaded and your Mac to freeze, according to Jérôme Segura, a researcher at security firm Malwarebytes. Segura says that if you head over to a malicious site — called safari-get or safari-serverhost, with either .com or .net suffixes — then code embedded in the sites will force either your Mail application or iTunes to run amok on your machine.

The sites will analyze which version of macOS you're running, push the relevant denial-of-service attack to you, then try to get you to call a fake Apple tech-support number. Don't call it! These are scams, and a forced restart should take care of the problem. (UPDATE: It isn't that easy. See below.)

MORE: How to Protect Yourself From Tech Support Scams

If you're running OS X 10.10 Yosemite or earlier, the site will use legitimate prompt commands to gain access to your Mail application and try to compose an endless number of new Mail messages without ever sending them.

Before long, your Mac's memory will be flooded with Mail requests and you'll be left with nothing but a computer that has frozen and needs to be reset. Then a message will pop up stating that "Your Apple Device May Have Adware/Spyware Virus," telling you to call a fake Apple tech-support number.

If you're running macOS Sierra 10.12.2, then iTunes will open up and a similar message appears: "Warning!! Virus Detected!! Transferring Your Personal Data and Pictures." A different phony Apple tech-support number is listed. Neither system freeze should cause any permanent damage, as no real malware is infecting the machine.

Screen grab by Paul Wagenseil/Tom's Guide.Screen grab by Paul Wagenseil/Tom's Guide.

It's not clear which variant of the attack affects OS X 10.11 El Capitan, or older versions of Sierra. Segura clarified that the Mail exploit did work on OS X 10.8 Mountain Lion.

Luckily, avoiding the flaw is as simple as not going to these sites (or not using Safari as your default browser). However, unsuspecting victims might fall victim to the threat by clicking on a link they think is legitimate, only to be redirected to the malicious page. Good Mac antivirus software should block access to the malicious sites.

Email messages luring victims to the pages were said to be coming from the email addresses "dean.jones9875@gmail.com" and "amannn.2917@gmail.com." Remaining vigilant, then, and adhere to basic security principles is critical.

In a blog post, Malwarebytes said that a trend has developed in recent months of tech-support scammers using denial-of-service attacks to freeze your computers. This is just the latest in a long line. It's unclear at this point whether Apple might address the flaws and offer fixes in a future software update.

UPDATE: In a blog posting yesterday, Apple-centric security firm Intego revealed that it had tested the sites using Safari on different versions of OS X/macOs.

Intego found that the Mail exploit worked on OS X 10.9 Mavericks, 10.10 Yosemite, 10.11 El Capitan and earlier versions of macOS 10.12 Sierra.

Only macOS 10.12.1 Sierra and later were immune to the Mail exploit, in which case a message popped up stating that "This website has been blocked from automatically composing an email." Tweaking the web address in the browser address field brought up the iTunes exploit, which crashed iTunes instantly.

Intego found that Chrome froze when loading the malicious page, but that even though Mail was launched, the computer did not freeze. Firefox hiccuped a bit, then offered to stop the malicious script.

Getting out of the Mail rabbit hole isn't as easy as force-restarting your computer, however. You may have to manually clean out your Safari saved state and your Mail drafts. Intego has detailed instructions.

Tom's Guide tested one of the malicious sites in Chrome for Windows on Windows 7, and saw a few Microsoft Outlook compose-mail windows appear, then a flurry of half a dozen at once. The site also temporarily froze Chrome, but we were eventually able to close the active tab. Firefox on Windows 7 froze for a second, spawned a few Compose Mail windows, then offered to stop the script. We also noticed a couple of dozen pop-under dialogue boxes offering to open a link in iTunes.

Create a new thread in the MacBooks forum about this subject
3 comments
    Your comment
  • szpinner
    If SNOPES is to be believed, this MAC SAFARI screen freezes scam is not true. SNOPES does not list it at all. Your author may want to verify his information in case it's an example of ALT RIGHT truth.
    0
  • BadAsAl
    I have seen plenty of Mac's getting "frozen" and directing you to call XYZ for support. It's just a script that runs when you hit an infected website. 9/10 times a reboot fixes it. Or you can get out of it with a force quit on the browser. Always makes me smile when it is the Microsoft one.

    Never, ever, ever, call a number that pops up on your computer, no matter if you are on a Mac, PC, etc.
    0
  • donmega187
    haha, first of all snopes is NEVER to be believed. they're biased liberals. anyway perhaps you're joking, but in all seriousness there's a whole lot of stuff missing from snopes, and their inability to tackle something doesn't make it any truer or not.
    0