{"id":60796,"date":"2017-01-05T15:56:35","date_gmt":"2017-01-05T23:56:35","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=60796"},"modified":"2017-01-06T09:20:13","modified_gmt":"2017-01-06T17:20:13","slug":"denial-of-service-attack-targets-mac-and-ios-users","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/denial-of-service-attack-targets-mac-and-ios-users\/","title":{"rendered":"Denial of Service Attack Targets Mac and iOS Users"},"content":{"rendered":"

\"Denial<\/p>\n

This week, 9to5Mac reported<\/a> on a tech support scam that caused a Denial of Service (DoS) attack on a Mac.\u00a0While this DoS was described\u00a0as an\u00a0attack caused by malware,\u00a0it appears to be a malicious script loaded by a web browser instead, in this case Safari.<\/p>\n

This DoS attack is not malware<\/a> in the traditional sense, because nothing is actually installed on the\u00a0affected system. What is\u00a0happening is that links to malicious site(s) that run this script are sent via email from email addresses dean.jones9875@gmail.com and amannn.2917@gmail.com. These email addresses are also recorded as registration info for the malicious domains. It is currently unknown if the emails contain a simple text link or an application that may change the browser\u2019s home page to the malicious site.<\/p>\n

Some of the websites that trigger the DoS are safari-get[.]com, safari-get[.]net, safari-serverhost[.]com and safari-serverhost[.]net. At the time of writing, all but the last domain\u00a0are inactive. There could, of course, be many other websites yet discovered that trigger the same behavior.<\/p>\n

With one of the known sites still active, Intego was\u00a0able to test the reported behavior, which we will detail below.<\/p>\n

Observed Behavior<\/h3>\n

The malicious site loads a script that opens the Mail application and drafts a new email with the subject \u201cWarning! Virus Detected! Immediately Call Apple Support,\u201d and a phone number that is most definitely not Apple\u2019s (it is known to be associated with similar scams). It doesn\u2019t just draft one of those emails, it drafts hundreds until your Mac runs out of memory and locks up.<\/p>\n

Attempts to quick or force quick Mail will\u00a0not work, instead, doing so causes\u00a0the browser script to open Mail\u00a0again and begin\u00a0drafting fresh emails. The browser must be closed first to stop the script, and then Mail can be closed. However, since Safari remembers the last page that was open when it was quit, the next time Safari is launched the fun starts all over again. Even if the Mail application is not configured, it keeps opening and asks to add an account.<\/p>\n

\"dos-result-apple-mail\"<\/p>\n

The behavior mentioned above was tested on OS X 10.9, 10.10, 10.11 and 10.12, and was observed on\u00a0all of them. Only macOS 10.12.1 and up (safari 10.0.1 and newer) appear to protect against this attack with Safari recognizing the attempts and warning the user.<\/p>\n

\"dos-result-10-12-1-and-up\"<\/p>\n

On the affected systems, Safari is the most vulnerable to this attack. Google Chrome loads the script and launches Mail, but once Mail is quit, Chrome does not re-open it. Chrome itself does freeze, though. Firefox briefly stalls when loading the website, and then offers to stop the malicious script.<\/p>\n

\"dos-result-firefox\"<\/p>\n

For Mac users who\u00a0are not running macOS 10.12.1 or newer, the use of Firefox is highly recommended as it is constantly updated even for older OS X versions, and it appears to protect from at least this particular attack. Upgrading to the latest macOS version\u00a0is of course preferred.<\/p>\n

The page checks for a specific version of the operating system\u00a0and loads a script accordingly. In our testing, on several versions of OS X, only the script that opened Mail was loaded\u2014but when Malwarebytes investigated<\/a>, they found another script that opened iTunes instead of Mail. We triggered this script by manually tweaking the web address. A different style webpage loads and iTunes is opened, which, in our testing on different OS X versions, crashed immediately.<\/p>\n

\"dos-result-apple-itunes\"<\/p>\n

Mitigation on a Mac<\/h3>\n

If this DoS attack has already hit you and you are currently looking at a locked up Mac, or are unable to open Safari without it hijacking your Mail again, there are some steps you can take to clear this up.<\/p>\n

    \n
  1. Force quit Safari first, then force quit Mail<\/strong>
    \nIf possible, force quit the applications in that order. Quitting Mail first will simply cause Safari to open it again.<\/li>\n
  2. Restart your Mac<\/strong>
    \nYour Mac is either very slow, as Mail used up most of its memory, or it’s frozen completely. A restart will free the memory and give you a smooth running Mac to work with. If the Mac is frozen, holding down the power button until it shuts off is your only option. If your Mac automatically starts Safari or you have it set to remember which applications were open before the restart, you may immediately be thrown back into the same behavior.
    \nAt this point your Mac still has enough free memory to function, so immediately pull up the Force Quit window by pressing the following keys:
    \n'Option-Command-Escape'<\/code>
    \nThen select Safari and force quit it, followed by Mail.<\/li>\n
  3. Reset Safari<\/strong>
    \nThe malicious site has to be cleared from Safari, but this can’t be done from inside Safari. Luckily, this can be easily done without losing your bookmarks or saved passwords. You’ll need to locate the folder that saves the last state Safari was in when it quit. This can be found in your user home folder<\/strong> > Library<\/strong> > Saved Application State<\/strong>. In that folder, delete the folder named “com.apple.Safari.savedState<\/strong>.” You can now start Safari and it should open with your default home page. The malicious link will be saved in Safari’s history, so make sure to erase it there as well.<\/li>\n
  4. Clear Mail<\/strong>
    \nThere’s a good chance that Mail was kind enough to save all those drafts for you, and they will pop up again when you start the app. To clear all those drafts out you’ll have to manually delete them from your hard drive. (This is also a good time to make sure your backup is current!) Go to your user home folder<\/strong> > Library<\/strong> > Mail<\/strong> > V2<\/strong> (V3 or V4 depending on your version of OS X). In that folder you will see several folders that are named after your email accounts, starting with “IMAP” or “POP.” Check each of those folders to see if they contain a “Drafts.mbox<\/strong>” folder. Open the drafts folder and inside will be another folder with a long name, such as “A1344DBE-5B24-4398-8320-E78F80208689<\/strong>,” or something similar. Inside that folder is Data<\/strong> > Messages<\/strong>.
    \nThe messages are numbered, so using     QuickLook<\/a> (don’t double-click them as this will open the Mail app) you’ll have to check them all to see if it’s one of the virus warning drafts or a draft you had saved yourself. If you’re lucky, there are a few dozen or less. If you’re not so lucky, there may be hundreds. Of course, if you know there were no drafts you saved, you can just clear out the entire “Messages<\/strong>” folder and empty the Trash. Ironically, the drafts are still there, they just no longer have a sender, subject or content. To prevent the actual draft windows from opening, there is one more file that needs to be deleted. This can be found in the same V2<\/strong> (V3 or V4) folder > MailData<\/strong>. Delete the file named “Envelope Index<\/strong>.”
    \nNow when you start Mail, you’ll be greeted with a “Mail Message Import” window. Scary as it sounds, all your email is still there, Mail just has no idea because\u00a0you’ve just deleted the index file. Mail will import all the mail, rebuild the index file and you are back in business.<\/li>\n<\/ol>\n

    Mitigation on iOS<\/h3>\n

    On iOS 8, 9 and the current 10, loading the malicious website also results in a new Mail message being drafted\u2014but only one draft is created.<\/p>\n

    \"dos-result-apple-ipad-ios-9\"<\/p>\n

    This single draft can be cancelled and deleted, but a new one will pop up straight away. Therefore, you will need to clear Safari history and website data. To clear Safari on the iOS device, it has to be reset, which can be done by going to Settings<\/strong> > Safari<\/strong> > Clear History and Website Data<\/strong>.<\/p>\n

    Loading the script that calls iTunes on the Mac has no effect on iOS, instead it\u00a0just shows the webpage without opening any other app.<\/p>\n

    \"dos-result-apple-ipad-ios-9-1\"<\/p>\n

    While not malware in the traditional sense, this DoS\u00a0shows there are multiple ways to attack a Mac or iOS user. In this case, not a lot of effort was put into the scripting that triggered Mail or iTunes. The authors could have made the emails actually send to various different addresses, acting as a spammer on their behalf, for example. Still there are many, many users who\u00a0may actually contact the phone number presented on their screen and pay the scammers for “support.” This\u00a0makes\u00a0these scams so successful they are likely not going anywhere anytime soon.<\/p>\n

    Be vigilant when you receive email from someone you don’t know, especially when an email contains links or buttons. On the Mac, hover your cursor over the link to see what site it will really send you to. On iOS devices, just press and hold on a link to see a pop-up with the real URL in it.\u00a0And remember: If you don’t trust it, delete it.<\/p>\n","protected":false},"excerpt":{"rendered":"

    This week, 9to5Mac reported on a tech support scam that caused a Denial of Service (DoS) attack on a Mac.\u00a0While this DoS was described\u00a0as an\u00a0attack caused by malware,\u00a0it appears to be a malicious script loaded by a web browser instead, in this case Safari. This DoS attack is not malware in the traditional sense, because […]<\/p>\n","protected":false},"author":79,"featured_media":60898,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190,5],"tags":[2746,69,174,115],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n