Troubleshooting some nasty Safari malware
Jason Snell’s sister ran into a pop-up asking her to call an 0800 number. Instead, she called the family support
“I need Apple advice,” my sister texted me recently. “I got a message that my computer is blocked due to an unexpected error. It gives me a number to call to fix it. Does that sound legit?”
No. It did not sound legit. What’s worse, the error message gave her an 0800 number to call, which she did, and the person on the other end of the line offered to share her screen and tried to sell her £200 in security software.
That was the point at which her instincts kicked in and she got off the call and asked me for help. The culprit in all this was a pop-up message in Safari, which read in part: “Your Apple Computer has been blocked. Mac iOS alert! System might be infected due to unexpected error! Your Browser might be hijacked or hacked.”
Ironically, this ‘warning’ message is a common form of malware itself. The problem is that the pop-up appeared every time my sister opened Safari, and it proved impossible to dismiss the pop-up and then access Safari settings before the pop-up reappeared. Her question was simple: how do I get access to Safari back and make sure this doesn’t happen again? It took a couple hours of trying to get the answer. If you or a family member of yours gets infected by this same approach, maybe I can save you some time and heartache.
The sure-fire solutions
I did a whole lot of web searching to come up with possible ways of fixing this. It seems impossible, but there’s no way to reset Safari’s settings from outside the web browser. I suggested we delete a bunch of its preference files, but that had no appreciable effect.
We did try a few things that, after the fact, I was told are the most standard ways to work around a malicious web page in Safari.
First: Try to launch Safari with the shift key held down. This should prevent Safari from opening the pages that were open the last time Safari was running. Unfortunately, it doesn’t prevent Safari from loading its home page.
Second: Load Safari, then Control-click on its icon in the Dock and choose Force Quit. Try this a couple of times and Safari may get the message that there’s something severely wrong on startup and instead start without loading anything. We tried to Force Quit numerous times and it had no apparent effect.
Third: Download Malwarebytes Anti-Malware for Mac (tinyurl.com/jf29qxx). I had this recommended to me by numerous people, including some Apple techs, and though my sister couldn’t download anything because Safari was the only web browser she had installed, I was able to download the app and transfer it to her via Messages. She installed and ran it, but no luck.
Fourth: Update to El Capitan or Sierra if you haven’t. This probably would’ve solved my sister’s problem, and was actually the next step I was going to try when I found what proved to be the solution. Apple added a lot more malware protection in the move from Yosemite to El Capitan, including fixes that stop many browser-based hijack methods. My sister was running Yosemite, unfortunately.
Depending on your particular infestation, any of these approaches may solve the problem. Unfortunately, they didn’t solve mine.
It wasn’t fun trying to troubleshoot my sister’s computer problems via Messages. What I wanted to do was control her screen and see if I could figure it out on my own. But for whatever reason, I couldn’t find any way to share screens directly within Messages. No combination of iMessage or AIM or Google Talk allowed me to get access to Messages’ screen-sharing features.
What ended up saving my bacon was TeamViewer (tinyurl.com/zya9oz5). It’s free, and I was able to send the lightweight QuickSupport app to my sister via Messages. She opened the app, gave me the ID code and password, and I was able to control her screen.
If you find yourself in a jam and need to control someone’s screen remotely, definitely check out TeamViewer. I was impressed with how quickly we got it set up and working, and it’s free for personal use. (Businesses pay a subscription fee to use the tool.)
In the end, common sense wins
Despite all of my attempts, a couple hours had passed and nothing had worked. Finally, I turned to a suggestion I’d seen in a couple of message threads about browser malware, one that I had dismissed as a last resort because it was something I couldn’t do myself, but would need to step my sister through via text message.
It was this: disconnect the computer from the Internet entirely. Unless you’ve got a hardwired Ethernet connection, this generally means turning off Wi-Fi. That’s it. If there’s no malware hosted locally, that pop-up can only be generated by loading a remote web page that’s set as the Safari home page. If you’re not on the internet, the web
TeamViewer was a big help, and easy to set up