FBI “Ransomware” Phishing Scam Affects Mac Users – How To Bypass

Figure: This is the fake FBI warning affecting some Mac users recently.

Update: This scam seems to affect Firefox, Chrome, and other browsers in addition to Safari

There have been reports in the news over the last few days describing a “malware” or “ransomware” affecting Macintosh users that attempts to trick them into paying $300 by posing as an FBI warning. While the situation is real, the details are often being mis-reported.

First, let’s be clear that if you happen to see anything like this, whether on a Mac or a Windows PC, do not pay the $300! It is not from the FBI. It is simply a scam. The FBI would not fine you electronically for copyright violations or distributing illegal content.

Second, while the scam is real, the method of “attack” on Macintosh computers is not a “malware” or “ransomware” as is being described by the media. Rather I classify it as a phishing scam. Do note that Windows computers have been targeted by variations of this scam for at least a year and on the Windows platform the methods of attack are in fact true malware infections. However, on the Mac what the scammers are doing can best be described as a user interface trick with the Safari web browser. While quite alarming and annoying, the attack is not actually infecting any Macs.

When a Mac user running Safari stumbles upon a web site that is hosting the fake FBI warning, the web browser is forced to load up 150 “iframes” that all require a confirmation to dismiss. This unfortunately acts to lock up the Safari browser until the user clicks “Leave Page” 150 times. The user doesn’t know they must click 150 times and the scammers hope that the user gives up and pays the $300 instead. Even if the user Force Quits the Safari browser, by default Safari will always reload any web pages that were previously open. This of course reloads the fake FBI warning web site and indeed it seems that the Safari browser is hopelessly locked.
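The page shape described above (about 150 iframes, each raising its own “Leave Page” confirmation) can be flagged statically by a content filter or an analyst. The following is an added example, not code from this article; the function names, the 20-frame threshold, the sample markup, and the premise that the prompts come from `beforeunload` handlers are all assumptions.

```javascript
// Added example (not from the article): static triage for the stacked
// "Leave Page" prompt pattern. Thresholds and sample markup are constructed.
const UNLOAD_PATTERNS = [
  /\bonbeforeunload\s*=/i,                        // attribute or property assignment
  /addEventListener\(\s*['"]beforeunload['"]/i,   // listener registration
];

function hasUnloadHandler(html) {
  return UNLOAD_PATTERNS.some((re) => re.test(html));
}

// Count <iframe> tags in static markup, grouped by their src attribute.
function countIframes(html) {
  const bySrc = new Map();
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  for (const tag of tags) {
    const m = tag.match(/\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    const src = m ? (m[1] ?? m[2] ?? m[3]) : "(no src)";
    bySrc.set(src, (bySrc.get(src) || 0) + 1);
  }
  return { total: tags.length, bySrc };
}

// page: top-level HTML. frames: iframe src -> that frame's HTML, where fetched.
// minFrames is an assumed threshold; legitimate pages rarely embed this many.
function assessPage(page, frames = {}, minFrames = 20) {
  const { total, bySrc } = countIframes(page);
  let promptingFrames = 0;
  for (const [src, n] of bySrc) {
    if (frames[src] !== undefined && hasUnloadHandler(frames[src])) promptingFrames += n;
  }
  const topPrompt = hasUnloadHandler(page);
  const reasons = [];
  if (total >= minFrames) reasons.push(`${total} iframes in one page`);
  if (promptingFrames > 0) reasons.push(`${promptingFrames} frames register a leave-page prompt`);
  if (topPrompt) reasons.push("top-level leave-page prompt");
  // One prompt on an ordinary page is normal; many frames plus prompts is not.
  const suspicious = total >= minFrames && (topPrompt || promptingFrames >= minFrames);
  return { iframes: total, promptingFrames, topPrompt, suspicious, reasons };
}

// Constructed samples: a page shaped like the one described above, and a
// benign editor page that uses a single prompt for unsaved changes.
const PROMPT_DOC = "<script>window.onbeforeunload = function () { return 'stay'; };</script>";
const lockPage = "<html><body>" + '<iframe src="f.html"></iframe>'.repeat(150) + "</body></html>";
const editorPage = '<html><body onbeforeunload="return confirmLeave()">' +
  '<iframe src="preview.html"></iframe></body></html>';

console.log(assessPage(lockPage, { "f.html": PROMPT_DOC }));
console.log(assessPage(editorPage));
```

This only inspects static markup, so iframes created by script at load time are not counted; a check against the rendered DOM would be needed for those.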

Fortunately, there is a very simple way to bypass this phishing scam. Oddly enough this simple method is not being widely reported at this time and instead most articles claim that you must “reset” your Safari browser, which has the side-effect of clearing out your history, Top Sites, and other settings you may want to keep. If you happen to stumble upon this fake FBI warning web site, instead of resetting Safari simply follow these 3 simple steps:

  1. Click on the Apple Menu in the upper-left corner of your screen and choose “Force Quit” from the menu. The Force Quit window opens.
  2. Make sure Safari is highlighted and click the Force Quit button. This should shut down Safari. Close the Force Quit window.
  3. Hold down a Shift key on your keyboard as you relaunch the Safari browser (usually by clicking the Safari icon on the dock).

Holding down the Shift key while launching Safari forces the browser to not reload any previously open web sites, bypassing the fake FBI warning page. Again, this phishing scam is not a true infection of any Macintosh computers. Once you bypass the fake FBI warning web site, your Mac is completely safe to use. You do not need any anti-virus, firewall, or other security-type software on your Mac to clean or protect your Mac from this scam. You may choose to download and install an alternate web browser such as Chrome or Firefox if you wish to avoid this issue until Apple patches the Safari browser to prevent the method behind this scam from functioning. However, even if you do stumble upon it more than once, your Mac is not infected or compromised in any way. But as I mentioned earlier, if you are a Windows user and you run into this scam, you are infected with malware and you will need to have it professionally cleaned.

Please let me know if you have any questions or concerns about this or any other technology security issue.

  • rhrrs2

    Great read!

  • http://marcelbrown.com/ Marcel Brown

    Thanks!

  • Marcel Vachon

    Fantastic read. Thanks Marcel!

  • http://marcelbrown.com/ Marcel Brown

    Your opinion is extremely valid since we share the same name!

  • Marcel Vachon

    And the same profession!

  • http://marcelbrown.com/ Marcel Brown

    That helps too!

  • Al Varnell

    Here’s an even easier way, courtesy of magmatic.com

    To prevent the loop from running and exiting the page

    Disable Javascript. DO NOT RESET SAFARI OR FORCE QUIT.
    Hit back in Safari.
    Enable Javascript.
    Reset History and Top Sites as a precaution.

  • http://marcelbrown.com/ Marcel Brown

    Excellent tip, Al! Thanks!

  • guest

    it happened in firefox on my mac – not just a safari issue.

  • Trey

    happened in chrome as well

  • joji

    This just happened to me so I forced quit and forced quit a few times and luckily SeaMonkey 2.19 asked me if I wanted to restore session which I hit “no.” I’m using that browser to add this message now.

  • William Willingston

    chrome users?????

  • Esha harmony

    This was very useful. This happened to me just a few moments ago on my iPad. I was browsing the web and I hadn’t noticed right away because of so many sites opening in other browsers on safari. I was damn near scared to death when I read it, I had no idea. Although it said my PC was locked I was able to exit out of the browser with ease. The only thing I am really worried about is if I have a virus or if the information on my iPad is now more vulnerable to hackers or exposed. Thank you.

  • http://marcelbrown.com/ Marcel Brown

    Apparently Chrome users are affected as well. But again, this isn’t really a “malware” so there’s not much to be worried about if you do get hit by it.

  • http://marcelbrown.com/ Marcel Brown

    Since the iPad (and iPhone) operate differently than a Mac, you may have been hit by the scam, but it couldn’t lock out your browser in the same way. Since this was not a real “malware”, you have nothing to worry about. Your iPad is still as secure as ever. Just close out that window and no more problem (not that there ever was).

  • Jake David

    Thanks for the information. Do you suggest getting any anti-virus or malware software on Mac OS X computers? I understand it is not needed for this but just as a precaution for future use?

  • http://marcelbrown.com/ Marcel Brown

    I use the analogy of a bullet-proof vest. If you live in a war-torn country, where bullets are flying around in everyday life, a bullet-proof vest is probably a very wise investment. If you live in a peaceful neighborhood, sure a bullet-proof vest might save your life in the highly unlikely occurrence that someone shot at you. But otherwise it would be a heavy and uncomfortable inconvenience 99.9% of the time.

    Anti-virus programs by nature are very intrusive programs, mucking around deep inside the operating system in their mission to root out malware. However, this behavior increases the chances that something will go wrong and the anti-virus program itself will cause a problem.

    The likelihood of a Mac getting a true malware is so tiny, the odds are greater that an anti-virus program will cause you more trouble than a malware ever would. For this reason I don’t use anti-virus software on my or my family’s Macs. I don’t actively recommend other Mac users do either. But if someone feels that they should use anti-virus software on a Mac, I’m not going to argue much with them. If they feel the risk of using an anti-virus software is worth the tiny possibility of stopping a malware, that’s their prerogative.

    And just to answer the possible follow-up question, there is virtually NO risk of getting a malware on an iPhone or iPad, so don’t even bother worrying about it. As long as Apple controls the App Store and doesn’t allow third-party code to execute, this situation is not likely to change.

  • Tommy Chong

    Thanks! When I first encountered this problem, I used force quit instinctively. I knew the FBI would not demand payment of fines online. Some recommend deactivating Java, going a step back in the history and activating Java again. Both methods are equally simple and efficient. One more tip: If you can’t force quit just hold the power button and restart as you would in a system crash. A little drastic, but it works, and it won’t damage your computer either.

  • Al Varnell

    Just a couple of corrections. I believe you meant to say JavaScript, not Java, which is a totally unrelated technology to JS and not involved with this particular issue.

    And I’m sorry, but shutting down with the power button can most certainly damage the data on your computer in some cases. It should only be used as a last resort and you should thoroughly check things out after restarting. I speak from experience on this.

  • http://marcelbrown.com/ Marcel Brown

    Al is correct about shutting down with the power button. Computers don’t like having the power cut on them, because if the hard drive is in the middle of a read/write operation, the power getting cut can cause data or directory corruption. It should only be used as a last resort if the computer (Mac or PC) is locked up to the point that it can’t be shut down any other way.

  • Ben

    well if you look closely at the address, the address is not FBI, it has a “-” sign and another address… don’t give a fuck about this sign, it’s fake ;)

  • Joe Crespo

    Thank you for all of the helpful information. I actually got hit with this over the weekend and actually paid the ransom. Afterwards, I was able to return to use to find out this is a scam. Any suggestions on getting my money back or is it gone? Thanks.

  • http://marcelbrown.com/ Marcel Brown

    Wow, sorry to hear that. I would contact your lawyer and/or the police. Good luck. Let us know if you get your money back.

  • Gage Bubba Cordova

    that would have been awesome to know about 30 minutes ago just saying.

  • hverso

    Thanks for posting this! I just had this scam on my mac, I didn’t pay the fine and managed to get around it with the resetting but I was worried if my mac was infected..but thanks for clearing up that it wouldn’t be and for the other tip too!

  • http://marcelbrown.com/ Marcel Brown

    You’re welcome! Just curious, how did you find this article?

  • bee

    I stumbled upon this over the weekend also, my dumbass x’ed out of the page before reading the entire thing, I was so freaked out. I was worried that since I was using wifi on my iphone, my iphone information and everything could be compromised and hacked. I’ve lost sleep and haven’t eaten, I’m so scared. Particularly I had the idea that they could hack my facebook or icloud, take my information, and distribute disgusting illegal material to people I know, saying it’s from me, etc.
    This shit scared me.

  • Nono Ono

    Thanks a lot for this, Marcel. Just happened to me on the MBPr. I force quit Firefox, cleared the cache, “forgot” the site via the history. Found your article by Googling “supposed warning from FBI your computer is locked effect on Mac?”

  • http://marcelbrown.com/ Marcel Brown

    Yes, it is scary, but fear is their weapon. Be assured you are fine, especially your iPhone.

  • http://marcelbrown.com/ Marcel Brown

    You’re welcome! It’s interesting to know that this is still happening even 3 months later!

  • Marlin

    Marcel, have you encountered a situation where after a forced quit the computer will not turn back on? I have this problem currently and there is little information on the topic after the forced quit solution.

  • Al Varnell

    This would seem to be a bit off topic since the article only suggests to force quit Safari, not the computer (which is almost never a good idea). At any rate, I would guess that doing so damaged your OS X and it will need to be reinstalled. Procedures on how to do this vary, depending on what version of OS X you are using, so I recommend you go to the Apple Support Community Forums https://discussions.apple.com/index.jspa for any additional help with this.

  • Marlin

    Thank you for the prompt reply. So long to worry free Mac world but it was nice while it lasted. I appreciate the forum. Thank all of you for posting.

  • http://marcelbrown.com/ Marcel Brown

    If you did what Al thinks you did (force shut off the Mac), then it is very possible there is some hard drive corruption. The good news is that this is usually fairly simple to resolve with the right resources.

    The first question is what exactly did you do when you “forced quit”? Was it just force quitting Safari or did you shut off the computer by holding the power key down for 5 or more seconds?

    The second question is what is the Mac doing or not doing? Does it chime at startup? Do you see the gray Apple logo? Do you see a spinning logo under the Apple? Does it boot to a graphical screen? Does it crash? Does it light up when you turn it on? Does the Caps Lock key light up when you press it?

    Based on the answers to those questions I might have a better idea of what is going on.

    Once you resolve the core issue, then you will likely go back to a worry free Mac, so don’t despair!

  • Guest2

    Thank you! Just googled to find an answer and your article came up to save the day! I knew it was a scam but glad it’s not harming My mac, and yes this is still happening today, months later. Hope safari fixes this bug.

  • Al Varnell

    This isn’t really a Safari bug at all. If anything, it’s a bug in the infected web page that you visited. The same thing will happen with Firefox, Chrome or any other browser unless you install some sort of javascript blocking mechanism. I haven’t heard of any attempts by browser developers to prevent it, yet.

  • RabbleRabbleRabbleMe

    Not true that if you get it on a Windows machine you ARE infected. It just happened to me. I immediately disabled my internet connection. Shut down my computer and rebooted. When the browser (firefox) re-opened, the page could not connect to the internet so it failed to load. Cleared my history, checked the settings in Firefox to make sure no page had been set as a new homepage, scanned my PC with Hijack This, MS Security Essentials and Malware Bytes. No positives were returned from any of the scans. Restarted the PC again, enabled the internet connection and all is well. So just because you run across this, doesn’t mean you DEFINITELY ARE infected with malware.

  • http://marcelbrown.com/ Marcel Brown

    Good call. Although Windows users should still assume they are infected and scan their computer like you did to be certain.

  • filippo

    Hey Marcel,
    Do you happen to know if this could be happening in other countries under their respective local police?
    thanks

  • Al Varnell

    Yes, I’ve seen this exact thing being used in other countries, usually citing a national police force (e.g. Scotland Yard).

  • http://marcelbrown.com/ Marcel Brown

    I personally don’t know, but I wouldn’t be surprised if scammers are using the same technique in other countries.

  • Al Varnell

    From what I have read on the subject, it’s the same spammer using tailored pages for targeted countries. These are PC samples of ‘police-themed’ ransomware from various countries http://www.f-secure.com/en/web/labs_global/removal/removing-ransomware#aboutpolicethemedransomware

  • Guest

    Thank you so much! This just happened on chrome on my mac! It’s all sorted now thank goodness.

  • nazzx3sm

    i need help! my safari was affected by the virus and now it won’t open completely! it says “it may be damaged or incomplete”

  • Al Varnell

    You should probably ask in a more appropriate place, such as the Apple Support Communities forums https://discussions.apple.com/index.jspa and describe your Mac, your OS X & Safari version along with the exact name of the malware you believe you’ve been infected by and describe what “it won’t open completely” means.

  • sportsguy

    This happened to me yesterday on my mac laptop through Chrome. I forced quit the computer, and restarted it. When google prompted me to restore tabs I said no and clicked the x. I then cleared the history and hit reset browser settings. Everything is working fine now on my laptop. Do I need to be concerned about the virus being still on my laptop. Also do these hijackers still have access to my webcam??? Appreciate your reply and help.

  • Al Varnell

    There was never any virus or other malware. It’s just a scam javascript and would not have involved your webcam.

  • sportsguy
  • http://marcelbrown.com/ Marcel Brown

    I think you have issues with your system, possibly drive corruption or something along those lines. It was not likely that your Safari was corrupted by a virus. It is possible if you shut down incorrectly that this caused a disk issue. Regardless, you should probably have your Mac looked at and given some TLC.

  • http://marcelbrown.com/ Marcel Brown

    Al is correct, there was never any virus or malware. The article you reference is almost certainly talking about a malware that affects Windows PCs, not Macs. I am not aware of any malware that can hijack a Mac’s webcam.

  • http://marcelbrown.com/ Marcel Brown

    You’re welcome!

  • sportsguy

    Thanks for your help. I appreciate the insight.

  • 115028

    my computer didn’t lock or anything but this fbi thing did appear on my screen. It was saying a lot of scary things like child porn, stealing files and music and then it wouldn’t let me leave the page. I was terrified because I was just trying to watch a movie that I didn’t want to pay netflix for. I turned off my computer and rebooted it or set it to a certain time. The next day, I cleaned out the computer, it says normal now but I am still a little worried since I am only an average user and I am not great with computers. It didn’t lock me out when I turned it back on but I read horror stories about these scams. should I be worried and go more steps?

  • Al Varnell

    No, if it’s back to normal then you should be good to go. None of those horror stories you’ve read were written about Macintosh computers or the problem Marcel has described.

  • http://marcelbrown.com/ Marcel Brown

    If you’re using a Mac, you’re almost certainly fine.

    If you are using a Windows computer, make sure your anti-virus software is functioning properly. It may not hurt to run an update and run a manual full scan on your system as a precaution. Obviously, if you see more signs of odd behavior, have it cleaned by a trustworthy professional.

  • Hunter

    This just happened to me in google chrome on my Mac and it considerably freaked me out but I only had to click leave page once and it closed. Thanks for the article about it being fake, I just wanted to be sure.

  • http://marcelbrown.com/ Marcel Brown

    You’re welcome!

  • Guest

    When it popped up on Chrome I just turned off my computer and when it came back on nothing really happened…should I be worried?

  • http://marcelbrown.com/ Marcel Brown

    Assuming you’re using a Mac, you don’t really have anything to worry about.

  • Ralph Harding

    I have seen this scam site on my Chromebook. When it first started popping up, I could just ignore it until I was ready to stop browsing. Lately, it has been tweaked to jump in front of any other window I happen to be browsing in. I have to close out the browser and then come back in.

  • alex

    this happened to me, but i only had to click leave page once and that was it. i was so surprised that it was that simple, which is why i went here. i closed out of safari several times and it was normal every time i opened it back up. so i restarted my computer to see if i really just bunny hopped over the FBI scam, and lo-and-behold i did. Thanks for clearing it up for me and my fellow mac-users.

  • http://marcelbrown.com/ Marcel Brown

    I believe updates to the various browsers by this point have rendered some of these scams inoperable. Of course many people still have older browsers that are vulnerable so they keep the scams going. You’re welcome!