Using “scareware” messages and posing as law enforcement, the scammers used the pop-ups to extort money in the form of iTunes gift cards from the victim, promising to unlock the browser for a sum of money.
The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be “locked” out from using Safari unless they paid a fee — or knew they could simply clear Safari’s cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device.
The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money.
The endless pop-up issue could be fixed by clearing the Safari cache, but many users likely did not know they didn’t need to shell out money to regain access to their browsers.
Pop-up scams are no longer possible with iOS 10.3, as Apple has changed the way pop-up dialogs work. Pop-ups are now per-tab and no longer take over the entire Safari app.
Discuss this article in our forums