Troubleshooting some nasty Safari malware

Jason Snell’s sister ran into a pop-up asking her to call an 0800 number. Instead, she called the family support

Macworld

“I need Apple advice,” my sister texted me recently. “I got a message that my computer is blocked due to an unexpected error. It gives me a number to call to fix it. Does that sound legit?”

No. It did not sound legit. What’s worse, the error message gave her an 0800 number to call, which she did, and the person on the other end of the line offered to share her screen and tried to sell her £200 in security software.

That was the point at which her instincts kicked in and she got off the call and asked me for help. The culprit in all this was a pop-up message in Safari, which read in part: “Your Apple Computer has been blocked. Mac iOS alert! System might be infected due to unexpected error! Your Browser might be hijacked or hacked.”

Ironically, this ‘warning’ message is a common form of malware itself. The problem is that the pop-up appeared every time my sister opened Safari, and it proved impossible to dismiss the pop-up and then access Safari settings before the pop-up reappeared. Her question was simple: how do I get access to Safari back and make sure this doesn’t happen again? It took a couple hours of trying to get the answer. If you or a family member of yours gets infected by this same approach, maybe I can save you some time and heartache.

The sure-fire solutions

The cause of the ‘infection’ seemed obvious to me right away: Safari was loading a web page that contained a JavaScript script that spawned the pop-up message. Because it loaded immediately, I had to assume that it had been set as Safari’s home page, so it loaded immediately on launch.

I did a whole lot of web searching to come up with possible ways of fixing this. It seems impossible, but there’s no way to reset Safari’s settings from outside the web browser. I suggested we delete a bunch of its preference files, but that had no appreciable effect.

We did try a few things that, after the fact, I was told are the most standard ways to work around a malicious web page in Safari.

First: Try to launch Safari with the shift key held down. This should prevent Safari from opening the pages that were open the last time Safari was running. Unfortunately, it doesn’t prevent Safari from loading its home page.

Second: Load Safari, then Control-click on its icon in the Dock and choose Force Quit. Try this a couple of times and Safari may get the message that there’s something severely wrong on startup and instead start without loading anything. We tried to Force Quit numerous times and it had no apparent effect.

Third: Download Malwarebytes Anti-Malware for Mac. I had this recommended to me by numerous people, including some Apple techs, and though my sister couldn’t download anything because Safari was the only web browser she had installed, I was able to download the app and transfer it to her via Messages. She installed and ran it, but no luck.

Fourth: Update to El Capitan or Sierra if you haven’t. This probably would’ve solved my sister’s problem, and was actually the next step I was going to try when I found what proved to be the solution. Apple added a lot more malware protection in the move from Yosemite to El Capitan, including fixes that stop many browser-based hijack methods. My sister was running Yosemite, unfortunately.

Depending on your particular infestation, any of these approaches may solve the problem. Unfortunately, they didn’t solve mine.


It wasn’t fun trying to troubleshoot my sister’s computer problems via Messages. What I wanted to do was control her screen and see if I could figure it out on my own. But for whatever reason, I couldn’t find any way to share screens directly within Messages. No combination of iMessage or AIM or Google Talk allowed me to get access to Messages’ screen-sharing features.

What ended up saving my bacon was TeamViewer. It’s free, and I was able to send the lightweight QuickSupport app to my sister via Messages. She opened the app, gave me the ID code and password, and I was able to control her screen.

If you find yourself in a jam and need to control someone’s screen remotely, definitely check out TeamViewer. I was impressed with how quickly we got it set up and working, and it’s free for personal use. (Businesses pay a subscription fee to use the tool.)

In the end, common sense wins

Despite all of my attempts, a couple hours had passed and nothing had worked. Finally, I turned to a suggestion I’d seen in a couple of message threads about browser malware, one that I had dismissed as a last resort because it was something I couldn’t do myself, but would need to step my sister through via text message.

It was this: disconnect the computer from the Internet entirely. Unless you’ve got a hardwired Ethernet connection, this generally means turning off Wi-Fi. That’s it. If there’s no malware hosted locally, that pop-up can only be generated by loading a remote web page that’s set as the Safari home page. If you’re not on the internet, the web

TeamViewer was a big help, and easy to set up
