FBI “Ransomware” Phishing Scam Affects Mac Users – How To Bypass

This is the fake FBI warning affecting some Mac users recently.

Update: This scam seems to affect Firefox, Chrome, and other browsers in addition to Safari.

There have been reports in the news over the last few days describing a “malware” or “ransomware” affecting Macintosh users that attempts to trick them into paying $300 by posing as an FBI warning. While the situation is real, the details are often being misreported.

First, let’s be clear that if you happen to see anything like this, whether on a Mac or a Windows PC, do not pay the $300! It is not from the FBI. It is simply a scam. The FBI would not fine you electronically for copyright violations or distributing illegal content.

Second, while the scam is real, the method of “attack” on Macintosh computers is not a “malware” or “ransomware” as is being described by the media. Rather, I classify it as a phishing scam. Do note that Windows computers have been targeted by variations of this scam for at least a year, and on the Windows platform the methods of attack are in fact true malware infections. However, on the Mac what the scammers are doing can best be described as a user interface trick with the Safari web browser. While quite alarming and annoying, the attack is not actually infecting any Macs.

When a Mac user running Safari stumbles upon a web site that is hosting the fake FBI warning, the web browser is forced to load up 150 “iframes” that all require a confirmation to dismiss. This unfortunately acts to lock up the Safari browser until the user clicks “Leave Page” 150 times. The user doesn’t know they must click 150 times and the scammers hope that the user gives up and pays the $300 instead. Even if the user Force Quits the Safari browser, by default Safari will always reload any web pages that were previously open. This of course reloads the fake FBI warning web site and indeed it seems that the Safari browser is hopelessly locked.

Fortunately, there is a very simple way to bypass this phishing scam. Oddly enough this simple method is not being widely reported at this time and instead most articles claim that you must “reset” your Safari browser, which has the side-effect of clearing out your history, Top Sites, and other settings you may want to keep. If you happen to stumble upon this fake FBI warning web site, instead of resetting Safari simply follow these 3 simple steps:

  1. Click on the Apple Menu in the upper-left corner of your screen and choose “Force Quit” from the menu. The Force Quit window opens.
  2. Make sure Safari is highlighted and click the Force Quit button. This should shut down Safari. Close the Force Quit window.
  3. Hold down a Shift key on your keyboard as you relaunch the Safari browser (usually by clicking the Safari icon on the Dock).

Holding down the Shift key while launching Safari forces the browser to not reload any previously open web sites, bypassing the fake FBI warning page. Again, this phishing scam is not a true infection of any Macintosh computers. Once you bypass the fake FBI warning web site, your Mac is completely safe to use. You do not need any anti-virus, firewall, or other security-type software on your Mac to clean or protect your Mac from this scam. You may choose to download and install an alternate web browser such as Chrome or Firefox if you wish to avoid this issue until Apple patches the Safari browser to prevent the method behind this scam from functioning. However, even if you do stumble upon it more than once, your Mac is not infected or compromised in any way. But as I mentioned earlier, if you are a Windows user and you run into this scam, you are infected with malware and you will need to have it professionally cleaned.
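For anyone talking a user through this from Terminal or over a remote session, here is a command-line equivalent of the three steps above. It is an added example, not part of the original article: the function names are made up for this sketch, and it assumes macOS with the stock `pgrep`, `pkill` and `open` tools, where `open -F` launches an app “fresh”, without restoring its previous windows.

```sh
#!/bin/sh
# Added example: Terminal equivalent of "Force Quit, then Shift-launch".
# Function names are hypothetical; pgrep, pkill and open are macOS tools.

# Succeeds while a process named exactly $1 is still running.
app_running() {
    pgrep -x "$1" >/dev/null 2>&1
}

# Steps 1-2: force quit $1 (SIGKILL, which is what Force Quit amounts to)
# and wait up to $2 seconds (default 10) for it to go away.
# Returns 1 if the process is still there after the timeout.
force_quit() {
    app=$1
    tries=${2:-10}
    app_running "$app" || return 0      # nothing to do
    pkill -KILL -x "$app" 2>/dev/null
    while app_running "$app"; do
        tries=$((tries - 1))
        [ "$tries" -le 0 ] && return 1
        sleep 1
    done
    return 0
}

# Step 3: relaunch without reopening the previous session.
# "open -F" discards the saved window state, which is the same effect as
# holding Shift while clicking the Dock icon. It is only attempted once
# the old process is really gone, otherwise the stuck window would stay.
relaunch_fresh() {
    app=${1:-Safari}
    force_quit "$app" || { echo "could not stop $app" >&2; return 1; }
    open -F -a "$app"
}

# Run as: sh relaunch.sh run [AppName]   (the file name is just an example)
if [ "${1:-}" = "run" ]; then
    relaunch_fresh "${2:-Safari}"
fi
```

Browsers that manage their own session restore, such as Chrome or Firefox, may still offer to restore tabs on relaunch; decline that prompt.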

Please let me know if you have any questions or concerns about this or any other technology security issue.

  • rhrrs2

    Great read!

  • http://marcelbrown.com/ Marcel Brown

    Thanks!

  • Marcel Vachon

    Fantastic read. Thanks Marcel!

  • http://marcelbrown.com/ Marcel Brown

    Your opinion is extremely valid since we share the same name!

  • Marcel Vachon

    And the same profession!

  • http://marcelbrown.com/ Marcel Brown

    That helps too!

  • Al Varnell

    Here’s an even easier way, courtesy of magmatic.com

    To prevent the loop from running and exiting the page

    Disable Javascript. DO NOT RESET SAFARI OR FORCE QUIT.
    Hit back in Safari.
    Enable Javascript.
    Reset History and Top Sites as a precaution.

  • http://marcelbrown.com/ Marcel Brown

    Excellent tip, Al! Thanks!

  • guest

    it happened in firefox on my mac – not just a safari issue.

  • Trey

    happened in chrome as well

  • joji

    This just happened to me so I forced quit and forced quit a few times and luckily SeaMonkey 2.19 asked me if I wanted to restore session which I hit “no.” I’m using that browser to add this message now.

  • William Willingston

    chrome users?????

  • Esha harmony

    This was very useful. This happened to me just a few moments ago on my iPad. I was browsing the web and I hadn’t noticed right away because of so many sites opening in other browsers on Safari. I was damn near scared to death when I read it; I had no idea. Although it said my PC was locked, I was able to exit out of the browser with ease. The only thing I am really worried about is if I have a virus or if the information on my iPad is now more vulnerable to hackers or exposed. Thank you.

  • http://marcelbrown.com/ Marcel Brown

    Apparently Chrome users are affected as well. But again, this isn’t really a “malware” so there’s not much to be worried about if you do get hit by it.

  • http://marcelbrown.com/ Marcel Brown

    Since the iPad (and iPhone) operate differently than a Mac, you may have been hit by the scam, but it couldn’t lock out your browser in the same way. Since this was not a real “malware”, you have nothing to worry about. Your iPad is still as secure as ever. Just close out that window and no more problem (not that there ever was).

  • Jake David

    Thanks for the information. Do you suggest getting any anti-virus or malware software on Mac OS X computers? I understand it is not needed for this but just as a precaution for future use?

  • http://marcelbrown.com/ Marcel Brown

    I use the analogy of a bullet-proof vest. If you live in a war-torn country, where bullets are flying around in everyday life, a bullet-proof vest is probably a very wise investment. If you live in peaceful neighborhood, sure a bullet-proof vest might save your life in the highly unlikely occurrence that someone shot at you. But otherwise it would be a heavy and uncomfortable inconvenience 99.9% of the time.

    Anti-virus programs by nature are very intrusive programs, mucking around deep inside the operating system in their mission to root out malware. However, this behavior increases the chances that something will go wrong and the anti-virus program itself will cause a problem.

    The likelihood of a Mac getting a true malware is so tiny, the odds are greater that an anti-virus program will cause you more trouble than a malware ever would. For this reason I don’t use anti-virus software on my or my family’s Macs. I don’t actively recommend other Mac users do either. But if someone feels that they should use anti-virus software on a Mac, I’m not going to argue much with them. If they feel the risk of using an anti-virus software is worth the tiny possibility of stopping a malware, that’s their prerogative.

    And just to answer the possible follow-up question, there is virtually NO risk of getting a malware on an iPhone or iPad, so don’t even bother worrying about it. As long as Apple controls the App Store and doesn’t allow third-party code to execute, this situation is not likely to change.

  • Tommy Chong

    Thanks! When I first encountered this problem, I used force quit instinctively. I knew the FBI would not demand payment of fines online. Some recommend deactivating Java, going a step back in the history and activating Java again. Both methods are equally simple and efficient. One more tip: If you can’t force quit just hold the power button and restart as you would in a system crash. A little drastic, but it works, and it won’t damage your computer either.

  • Al Varnell

    Just a couple of corrections. I believe you meant to say JavaScript, not Java, which is a totally unrelated technology to JS and not involved with this particular issue.

    And I’m sorry, but shutting down with the power button can most certainly damage the data on your computer in some cases. It should only be used as a last resort and you should thoroughly check things out after restarting. I speak from experience on this.

  • http://marcelbrown.com/ Marcel Brown

    Al is correct about shutting down with the power button. Computers don’t like having the power cut on them, because if the hard drive is in the middle of a read/write operation, the power getting cut can cause data or directory corruption. It should only be used as a last resort if the computer (Mac or PC) is locked up to the point that it can’t be shut down any other way.

  • Ben

    well if you look closely at the address, the address is not FBI, it has a “-” sign and another address… don’t give a fuck about this sign, it’s fake ;)

  • Joe Crespo

    Thank you for all of the helpful information. I actually got hit with this over the weekend and actually paid the ransom. Afterwards, I was able to return to use to find out this is a scam. Any suggestions on getting my money back or is it gone? Thanks.

  • http://marcelbrown.com/ Marcel Brown

    Wow, sorry to hear that. I would contact your lawyer and/or the police. Good luck. Let us know if you get your money back.

  • Gage Bubba Cordova

    that would have been awesome to know about 30 minutes ago just saying.

  • hverso

    Thanks for posting this! I just had this scam on my mac, I didn’t pay the fine and managed to get around it with the resetting but I was worried if my mac was infected..but thanks for clearing up that it wouldn’t be and for the other tip too!

  • http://marcelbrown.com/ Marcel Brown

    You’re welcome! Just curious, how did you find this article?

  • bee

    I stumbled upon this over the weekend also, my dumbass x’ed out of the page before reading the entire thing, I was so freaked out. I was worried that since I was using wifi on my iPhone, my iPhone information and everything could be compromised and hacked. I’ve lost sleep and haven’t eaten, I’m so scared. Particularly I had the idea that they could hack my Facebook or iCloud, take my information, and distribute disgusting illegal material to people I know, saying it’s from me, etc.
    This shit scared me.

  • Nono Ono

    Thanks a lot for this, Marcel. Just happened to me on the MBPr. I force quit Firefox, cleared the cache, “forgot” the site via the history. Found your article by Googling “supposed warning from FBI your computer is locked effect on Mac?”

  • http://marcelbrown.com/ Marcel Brown

    Yes, it is scary, but fear is their weapon. Be assured you are fine, especially your iPhone.

  • http://marcelbrown.com/ Marcel Brown

    You’re welcome! It’s interesting to know that this is still happening even 3 months later!

  • Marlin

    Marcel, have you encountered a situation where after a forced quit the computer will not turn back on? I have this problem currently and there is little information on the topic after the forced quit solution.

  • Al Varnell

    This would seem to be a bit off topic since the article only suggests to force quit Safari, not the computer (which is almost never a good idea). At any rate, I would guess that doing so damaged your OS X and it will need to be reinstalled. Procedures on how to do this vary, depending on what version of OS X you are using, so I recommend you go to the Apple Support Community Forums https://discussions.apple.com/index.jspa for any additional help with this.

  • Marlin

    Thank you for the prompt reply. So long to worry free Mac world but it was nice while it lasted. I appreciate the forum. Thank all of you for posting.

  • http://marcelbrown.com/ Marcel Brown

    If you did what Al thinks you did (force shut off the Mac), then it is very possible there is some hard drive corruption. The good news is that this is usually fairly simple to resolve with the right resources.

    The first question is what exactly did you do when you “forced quit”? Was it just force quitting Safari or did you shut off the computer by holding the power key down for 5 or more seconds?

    The second question is what is the Mac doing or not doing? Does it chime at startup? Do you see the gray Apple logo? Do you see a spinning logo under the Apple? Does it boot to a graphical screen? Does it crash? Does it light up when you turn it on? Does the Caps Lock key light up when you press it?

    Based on the answers to those questions I might have a better idea of what is going on.

    Once you resolve the core issue, then you will likely go back to a worry free Mac, so don’t despair!

  • Guest2

    Thank you! Just googled to find an answer and your article came up to save the day! I knew it was a scam but glad it’s not harming My mac, and yes this is still happening today, months later. Hope safari fixes this bug.

  • Al Varnell

    This isn’t really a Safari bug at all. If anything, it’s a bug in the infected web page that you visited. The same thing will happen with Firefox, Chrome or any other browser unless you install some sort of javascript blocking mechanism. I haven’t heard of any attempts by browser developers to prevent it, yet.

  • RabbleRabbleRabbleMe

    Not true that if you get it on a Windows machine you ARE infected. It just happened to me. I immediately disabled my internet connection. Shut down my computer and rebooted. When the browser (firefox) re-opened, the page could not connect to the internet so it failed to load. Cleared my history, checked the settings in Firefox to make sure no page had been set as a new homepage, scanned my PC with Hijack This, MS Security Essentials and Malware Bytes. No positives were returned from any of the scans. Restarted the PC again, enabled the internet connection and all is well. So just because you run across this, doesn’t mean you DEFINITELY ARE infected with malware.

  • http://marcelbrown.com/ Marcel Brown

    Good call. Although Windows users should still assume they are infected and scan their computer like you did to be certain.

  • filippo

    Hey Marcel,
    Do you happen to know if this could be happening in other countries under their respective local police?
    thanks

  • Al Varnell

    Yes, I’ve seen this exact thing being used in other countries, usually citing a national police force (e.g. Scotland Yard).

  • http://marcelbrown.com/ Marcel Brown

    I personally don’t know, but I wouldn’t be surprised if scammers are using the same technique in other countries.

  • Al Varnell

    From what I have read on the subject, it’s the same spammer using tailored pages for targeted countries. These are PC samples of ‘police-themed’ ransomware from various countries http://www.f-secure.com/en/web/labs_global/removal/removing-ransomware#aboutpolicethemedransomware

  • Guest

    Thank you so much! This just happened on chrome on my mac! It’s all sorted now thank goodness.

  • nazzx3sm

    i need help! my safari was affected by the virus and now it wont open completely! it says “it may be damaged or incomplete”

  • Al Varnell

    You should probably ask in a more appropriate place, such as the Apple Support Communities forums https://discussions.apple.com/index.jspa and describe your Mac, your OS X & Safari version along with the exact name of the malware you believe you’ve been infected by and describe what “it won’t open completely” means.

  • sportsguy

    This happened to me yesterday on my mac laptop through Chrome. I forced quit the computer, and restarted it. When google prompted me to restore tabs I said no and clicked the x. I then cleared the history and hit reset browser settings. Everything is working fine now on my laptop. Do I need to be concerned about the virus being still on my laptop. Also do these hijackers still have access to my webcam??? Appreciate your reply and help.

  • Al Varnell

    There was never any virus or other malware. It’s just a scam javascript and would not have involved your webcam.

  • http://marcelbrown.com/ Marcel Brown

    I think you have issues with your system, possibly drive corruption or something along those lines. It was not likely that your Safari was corrupted by a virus. It is possible if you shut down incorrectly that this caused a disk issue. Regardless, you should probably have your Mac looked at and given some TLC.

  • http://marcelbrown.com/ Marcel Brown

    Al is correct, there was never any virus or malware. The article you reference is almost certainly talking about a malware that affects Windows PCs, not Macs. I am not aware of any malware that can hijack a Mac’s webcam.

  • http://marcelbrown.com/ Marcel Brown

    You’re welcome!

  • sportsguy

    Thanks for your help. I appreciate the insight.

  • 115028

    My computer didn’t lock or anything but this FBI thing did appear on my screen. It was saying a lot of scary things like child porn, stealing files and music and then it wouldn’t let me leave the page. I was terrified because I was just trying to watch a movie that I didn’t want to pay Netflix for. I turned off my computer and rebooted it or set it to a certain time. The next day, I cleaned out the computer, it says normal now but I am still a little worried since I am only an average user and I am not great with computers. It didn’t lock me out when I turned it back on but I read horror stories about these scams. Should I be worried and go more steps?

  • Al Varnell

    No, if it’s back to normal then you should be good to go. None of those horror stories you’ve read were written about Macintosh computers or the problem Marcel has described.

  • http://marcelbrown.com/ Marcel Brown

    If you’re using a Mac, you’re almost certainly fine.

    If you are using a Windows computer, make sure your anti-virus software is functioning properly. It may not hurt to run an update and run a manual full scan on your system as a precaution. Obviously, if you see more signs of odd behavior, have it cleaned by a trustworthy professional.

  • Hunter

    This just happened to me in Google Chrome on my Mac and it considerably freaked me out but I only had to click leave page once and it closed. Thanks for the article about it being fake, I just wanted to be sure.

  • http://marcelbrown.com/ Marcel Brown

    You’re welcome!

  • Guest

    When it popped up on Chrome I just turned off my computer and when it came back on nothing really happened…should I be worried?

  • http://marcelbrown.com/ Marcel Brown

    Assuming you’re using a Mac, you don’t really have anything to worry about.

  • Ralph Harding

    I have seen this scam site on my Chromebook. When it first started popping up, I could just ignore it until I was ready to stop browsing. Lately, it has been tweaked to jump in front of any other window I happen to be browsing in. I have to close out the browser and then come back in.

  • alex

    this happened to me, but i only had to click leave page once and that was it. i was so surprised that it was that simple, which is why i went here. i closed out of safari several times and it was normal every time i opened it back up. so i restarted my computer to see if i really just bunny hopped over the FBI scam, and lo-and-behold i did. Thanks for clearing it up for me and my fellow mac-users.

  • http://marcelbrown.com/ Marcel Brown

    I believe updates to the various browsers by this point have rendered some of these scams inoperable. Of course many people still have older browsers that are vulnerable so they keep the scams going. You’re welcome!

  • Jimy459

    Hello – i got the FBI joke and it wasnt funny. Turned off my MacBook Pro and tried to reboot now the computer will not start -i cant boot into Safe Mode either. The progress bar appears and nothing happens until it turns off after 2minutes or so. It seems relatively easy to remove the FBI ‘virus’ but i cant even get to that point?! Any ideas? Just took the computer in and really dont want to pay more money. Thanks!

  • http://marcelbrown.com/ Marcel Brown

    How did you turn off your MacBook Pro? Did you shut it down normally, or did you hold down the power button to force it off?

    Not being able to boot has nothing to do with the FBI scam. It is not a virus nor can it affect the Mac in any way other than jamming up Safari for a while. However, if you forced off your Mac, that can cause directory corruption and possible boot issues.

  • Emily

    I just got this FBI scam on ipad, i just exited and I have no problems accessing anything now but is there something else I should do?

  • http://marcelbrown.com/ Marcel Brown

    No. There are no known malicious softwares that affect the iPhone or iPad so you are almost certainly safe.

  • Jay

    Hey marcel thanks I was really worried about this but by reading this article I just found out that it’s a fake. I got a different message from the one above but I basically said the same thing. The second smaller window appeared and I tried to quit many times. I then panicked and hit force quit. Seems like it worked and this article reassured that it was indeed a fake thanks soo much!! *wipes sweat off of forehead*

  • http://marcelbrown.com/ Marcel Brown

    You’re welcome, Jay!

  • John Carpenter

    If you have (if not, you should) sysinternals process explorer, just go to the browser in the list and kill the last entry page. That kills the ransomware thing and gives your browser back to you. Attempts to locate the thing with WHOIS have been unsuccessful, at least by me, that is.:)

  • http://marcelbrown.com/ Marcel Brown

    Sysinternals is a Windows utility, so it won’t do any good for a Mac. The rough equivalent on a Mac would be Activity Monitor, or just force quitting as is described in the article. However, this is a good tip for a Windows user in similar situations.

  • John Carpenter

    In the early days I was a Mac disciple. I got over it, mainly because of the lack of software. Windows may suck — according to Mac users — and it may provide really good targets for the bad guys, but at least readily available and adequate solutions exist to mitigate the bad stuff.
    Cheers, Brother.

  • John Carpenter

    Can you folks still start Mac with extensions turned off? Equivalent to Safe Mode for Windows. If so, you can then go about ridding yourselves of the crapware and reboot.

  • Al Varnell

    Vulnerabilities do not equal malicious software. Marcel is currently correct that there are no software threats that use these vulnerabilities to exploit an iOS device.

  • Al Varnell

    OS X does allow a safe mode restart that only loads absolutely essential software, but in general it does not make malware removal any easier. Most malware is installed at the user level, rather than rooting the OS. The Safari browser also allows the disabling of all extensions with a single button which does aid in troubleshooting, especially adware these days.

  • http://marcelbrown.com/ Marcel Brown

    You may want to look again, because Apple’s resurgence has certainly helped the Mac platform. That being said, with virtualization or multi-boot configurations, Macs can run all Windows software if necessary. So there is no disadvantage in software for a Mac anymore.

  • http://marcelbrown.com/ Marcel Brown

    Wow. Extensions off. That’s old school from Mac OS 9 and earlier! Good times.

  • John Carpenter

    Marcel, I made the transition back in 1991 or ’92. Quite happy with my choice. I do have students who have Macs, who use Windows emulators (Bootcamp, VirtualBox) because I hooked them up with it, also because of the software availability.
    Pretty much none of my friends in computer security use Mac. None of us are impressed by the “pretty factor,” and none of us are in the movie industry.

  • John Carpenter

    BTW, I love Sysinternals Suite. What a bunch of well documented and really useful tools.

  • http://marcelbrown.com/ Marcel Brown

    Given the history of the technology industry, which you appear to be involved in, I’m not surprised that you and your colleagues don’t use Macs. But don’t be so dismissive of Apple products as merely being “pretty”. They are extremely capable technology devices, especially considering how far they’ve come in the last 10 years or so, let alone since the 90′s.

  • John Carpenter

    Nobody’s “dissing” Mac, just not into ‘em anymore. (My best friend owns a fair share of stock in the company; he considers it his duty to also own MacBook.)

    Plenty of Macs in our Computer Science and IT Depts., purchased for them mostly by somebody else (young students’ parents pony up the money without much resistance); school (U of Hawaii) purchases them for many of the professional staff, (they are, after all, status items). Most of the guys in the trenches prefer Windows boxes of whatever make. They’re adequate to our task, and very affordable. We train Nat’l Guard Cyber — lots of those service people prefer Alienware boxes with tons of Ram, Lenovo ThinkPad, Dell, Asus, and hp. All of them provide more than adequate bang for the bucks they cost.

    Art Dept., Creative Media, Architecture Dept., those are where one finds the heaviest concentration of Mac machines on campus.

  • Felix Seici Jr.

    It just happened to me yesterday, it’s nice to know it’s fake.

  • http://marcelbrown.com/ Marcel Brown

    Wow, it’s amazing it’s still going on!

  • Rufio

    Happened to my friend today, It’s not stopping any time soon!

  • John Paulson

    I had this happen on Safari and found out how to clear it using Chrome. I have 4 browsers on my Mac. And in this case having more than one paid off as I was able to go to another one that was not hit and learn how to get out of this situation.

  • NightCore4Lifeee

    thxs a lot Marcel Brown u really helped me cuz this happen to me yesterday and i was freaking out and im using a mac thxs for telling me that this is fake i though my life was over thxs a lot man

  • Yeronic

    I just got this today but im still questioning if its fake or not, because its similar to the one you show in the picture but with very small differences in color and where your pin is. Is there a way i can be 100% sure its fake, like if i were to shut down my windows 8, would it load back up or not if it were real and one major fact that it makes me think its fake is that i can still access stuff like chrome after shutting down my laptop and turning it back on

  • Yeronic

    And also would i cant decide if its fake or not because it has my exact ip address but only says what country i live in and not what state or city

  • Yeronic

    Never mind i just re-read it again and it states “Illegal access has been initiated from your PC with ought your knowledge or consent, your PC may be infected by malware, ” Thank god to the incorrect spelling and comma where there should be a period or i would be staying up all night

  • Al Varnell

    > im still questioning if its fake or not

    If it were not fake then it would be something nobody else has seen and you would be the first Mac user to have actually had their hard drive encrypted. There is currently no known actual ransomware that can impact OS X.

  • Yeronic

    Im not using mac though im using a windows 8 hp computer

  • Al Varnell

    Then you are in the wrong place. Note from the title this article is for Mac users, so may or may not apply to you.