While reviewing some pharmaceutical spam web pages, we were suddenly forwarded to the page:
iPad / Mac Pop-ups
This weekend, I found myself looking at a very similar variant, this time on an iPad, where it was even more difficult to get rid of the pop-up!
As I explored this version, I found that the current domain was hosted on the IP address 188.8.131.52. That same IP address was also hosting a large number of other suspicious domain names, which began to appear on March 9, 2015, according to the Passive DNS service from Internet Identity. Checking several of these domains against the Apple forums shows that victims are charged between $150 and $399 to clean up an imaginary malware infection.
- mac-issue-online.com -- https://discussions.apple.com/thread/6684596 (800 680 4131)
- apple-alert-online.com -- https://discussions.apple.com/thread/6850245
- safarisecurityissue.com -- https://discussions.apple.com/thread/6516787
- mac-security-alerts.com -- https://discussions.apple.com/thread/6897787
- online-window-security.com -- (Windows - see below)
- window-system-error.com -- suspended (why only this one??)
- mac-pc-alerts.com
- instantcomputerfix.com -- https://discussions.apple.com/thread/6669786
- techcarelive.com -- https://discussions.apple.com/thread/6527487
A friend at Malwarebytes has documented similar scam behavior, where a tax-season Intuit "helper" website ends up charging for malware removal. See Jerome's blog post here: https://blog.malwarebytes.org/fraud-scam/2014/03/the-tax-season-tech-support-scam/.
By reviewing the Apple Discussion boards, we also saw evidence that several other people were struggling with these pop-up messages:
Continuing to explore through the Apple discussion forums, we found evidence that this was also discussed back on September 2, 2014 in this post by Carlton Chin:
The September file had a different domain name, and a different telephone number, but could it be shown to be the same scammers? Was applesecurityalert.com on 1-866-782-9808 related to safarisystemissue.com on 1-800-632-9078?
Back to Passive DNS to try to find out.
According to the Internet Identity Passive DNS system, AppleSecurityAlert.com was hosted on the IP address 184.108.40.206 beginning on August 8, 2014.
That IP address ALSO hosted i-xperts.us, ixperts.net, joinremote.me, and quickbo0ks.com, all of which were also found on both the August/September IP (220.127.116.11) and the March 2015 IP (18.104.22.168). One shared domain could be a coincidence of shared hosting; the same cluster of domains moving together from one IP to the next is what ties the two campaigns to the same operators.
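The two Passive DNS pivots used above (first, every domain co-hosted on one IP and first seen after a given date; second, the domains that two IPs have in common) are easy to automate once you have the records. The following is an added Python example, not code from the original post and not Internet Identity's API; the record set, the RFC 5737 placeholder IPs (192.0.2.x) and the first-seen dates are constructed for illustration, and only the domain names are taken from the post.

```python
"""Passive DNS pivoting: co-hosted domains and cross-IP overlap."""
from collections import defaultdict
from datetime import date

# Constructed sample passive DNS records as (domain, ip, first_seen).
# Illustrative data, not Internet Identity output: the IPs are RFC 5737
# documentation addresses and the dates are invented; only the domain
# names come from the post.
RECORDS = [
    ("applesecurityalert.com", "192.0.2.10", date(2014, 8, 8)),
    ("i-xperts.us",            "192.0.2.10", date(2014, 8, 1)),
    ("ixperts.net",            "192.0.2.10", date(2014, 8, 1)),
    ("joinremote.me",          "192.0.2.10", date(2014, 8, 3)),
    ("quickbo0ks.com",         "192.0.2.10", date(2014, 8, 9)),
    ("example.org",            "192.0.2.10", date(2010, 1, 1)),  # old, unrelated tenant
    ("safarisystemissue.com",  "192.0.2.20", date(2015, 3, 9)),
    ("mac-issue-online.com",   "192.0.2.20", date(2015, 3, 9)),
    ("i-xperts.us",            "192.0.2.20", date(2015, 3, 9)),
    ("ixperts.net",            "192.0.2.20", date(2015, 3, 9)),
    ("joinremote.me",          "192.0.2.20", date(2015, 3, 9)),
    ("quickbo0ks.com",         "192.0.2.20", date(2015, 3, 9)),
    ("unrelated-shop.net",     "192.0.2.20", date(2012, 6, 1)),  # old, unrelated tenant
    ("example.org",            "192.0.2.30", date(2013, 2, 2)),  # one coincidental overlap
    ("some-other.com",         "192.0.2.30", date(2013, 2, 2)),
]

# Campaign start dates used for the "first seen on or after" filter (constructed).
AUGUST_CAMPAIGN_START = date(2014, 8, 8)
MARCH_CAMPAIGN_START = date(2015, 3, 9)


def index_by_ip(records):
    """Map each IP to {domain: earliest first_seen} over the record set."""
    by_ip = defaultdict(dict)
    for domain, ip, first_seen in records:
        prev = by_ip[ip].get(domain)
        if prev is None or first_seen < prev:
            by_ip[ip][domain] = first_seen
    return by_ip


def domains_on_ip(records, ip, since=None):
    """First pivot: domains co-hosted on `ip`, optionally only those first
    seen on or after `since` (drops long-standing tenants of a shared host)."""
    hosted = index_by_ip(records).get(ip, {})
    return sorted(d for d, seen in hosted.items() if since is None or seen >= since)


def shared_domains(records, ip_a, ip_b):
    """Second pivot: domains that resolved to both IPs."""
    by_ip = index_by_ip(records)
    return sorted(set(by_ip.get(ip_a, {})) & set(by_ip.get(ip_b, {})))


def linked_ips(records, min_shared=2):
    """Every pair of IPs sharing at least `min_shared` domains, as
    (ip_a, ip_b, sorted_common). A single shared domain is weak evidence
    (shared hosting); a cluster moving together is what links campaigns."""
    by_ip = index_by_ip(records)
    ips = sorted(by_ip)
    links = []
    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            common = set(by_ip[a]) & set(by_ip[b])
            if len(common) >= min_shared:
                links.append((a, b, sorted(common)))
    return links


if __name__ == "__main__":
    print("New on the March host:", domains_on_ip(RECORDS, "192.0.2.20", since=MARCH_CAMPAIGN_START))
    print("Shared Aug/Mar:", shared_domains(RECORDS, "192.0.2.10", "192.0.2.20"))
    for a, b, common in linked_ips(RECORDS):
        print(f"{a} <-> {b}: {', '.join(common)}")
```

The `since` filter matters in practice: a busy shared-hosting IP will carry hundreds of legitimate domains, and the ones worth looking at are those that appeared together on the campaign's start date. Likewise, `linked_ips` defaults to requiring at least two shared domains so that a single stale record (example.org above) does not create a false link.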
Imitating Microsoft Security Essentials
Bottom line - anyone seeing one of these pop-ups suggesting that a telephone number be called for support is DEFINITELY dealing with a scammer, should never call the number, and should close the browser session immediately (force-quitting the browser if the dialog refuses to dismiss).