Troubleshooting some nasty Safari malware

Jason Snell's sister ran into a persnickety pop-up asking her to call an 800 number. Instead she called family tech support!


“I need Apple advice,” my sister texted me last week. “I got a message that my computer is blocked due to an unexpected error. It gives me a number to call to fix it. Does that sound legit?”

No. It did not sound legit. What’s worse, the error message gave her an 800 number to call, which she did, and the person on the other end of the line offered to share her screen and tried to sell her $200 in security software.

That was the point at which her instincts kicked in and she got off the call and asked me for help. The culprit in all this was a pop-up message in Safari, which read in part: “Your Apple Computer has been blocked. Mac iOS alert! System might be infected due to unexpected error! Your Browser might be hijacked or hacked.”

Ironically, this “warning” message is itself the attack: a scareware page that throws a JavaScript alert over and over so the browser can never be used, paired with a phone number that connects to a fraudulent “tech support” operation. The problem is that the pop-up appeared every time my sister opened Safari, and it proved impossible to dismiss the pop-up and then reach Safari’s settings before the pop-up reappeared. Her question for me was simple: How do I get access to Safari back and make sure this doesn’t happen again?

It took a couple hours of trying to get the answer. If you or a family member of yours gets infected by this same approach, maybe I can save you some time and heartache.

The sure-fire solutions

The cause of the “infection” seemed obvious to me right away: Safari was loading a web page whose JavaScript threw the pop-up, a modal dialog the page re-creates the moment it is dismissed, which is why there was never a gap long enough to reach Safari’s preferences. Because it appeared the instant Safari launched, I had to assume the page had been set as Safari’s home page.

I did a whole lot of web searching to come up with possible ways of fixing this. None of the fixes I found offered a way to reset Safari’s settings from outside Safari. I suggested we delete a bunch of Safari’s preference files, but that had no appreciable effect. (That is less surprising than it sounds: since Mavericks, the cfprefsd daemon caches preferences in memory, so deleting a plist file out from under it does not reliably change anything.)

We did try a few things that, after the fact, I was told are the most standard ways to work around a malicious webpage in Safari.

First: Try to launch Safari with the shift key held down. This should prevent Safari from opening the pages that were open the last time Safari was running. Unfortunately, it doesn’t prevent Safari from loading its home page.

Second: Load Safari, then Control-click (or Option-Control-click) on its icon in the Dock and choose Force Quit. Try this a couple of times and Safari may get the message that there’s something severely wrong on startup and instead start without loading anything. We tried to Force Quit numerous times and it had no apparent effect.


Malwarebytes is free and trustworthy. 

Third: Download Malwarebytes Anti-Malware for Mac. I had this recommended to me by numerous people, including some Apple techs, and though my sister couldn’t download anything because Safari was the only web browser she had installed, I was able to download the app and transfer it to her via Messages. She installed and ran it, but no luck. (A scanner looks for malicious software on disk; a hijacked home page is just a preference value, with nothing on the machine for it to find.)

Fourth: Update to El Capitan or Sierra if you haven’t. This probably would’ve solved my sister’s problem, and was actually the next step I was going to try when I found what proved to be the solution. Apple added a lot more malware protection in the move from Yosemite to El Capitan, including System Integrity Protection and changes that make many browser-based hijacks easier to escape. Note that the home page is a user preference, not a system file, so no OS hardening stops a page from being written there; what an update buys you is an easier way out of the dialog loop. My sister was running Yosemite, unfortunately.

Depending on your particular infestation, any of these approaches may solve the problem. Unfortunately, they didn’t solve mine.

Screen-sharing: A hail mary

It wasn’t fun trying to troubleshoot my sister’s computer problems via Messages. What I wanted to do was control her screen and see if I could figure it out on my own. But for whatever reason (perhaps because her Mac was running Yosemite?) I couldn’t find any way to share screens directly within Messages. No combination of iMessage or AIM or Google Talk allowed me to get access to Messages’ screen-sharing features.

What ended up saving my bacon was TeamViewer, one of Macworld’s picks for great ways to control a Mac remotely. It’s free, and I was able to send the lightweight QuickSupport app to my sister via Messages. She opened the app, gave me the ID code and password, and I was able to control her screen.


TeamViewer was a big help, and easy to set up.

If you find yourself in a jam and need to control someone’s screen remotely, definitely check out TeamViewer. I was impressed with how quickly we got it set up and working, and it’s free for personal use. (Businesses pay a subscription fee to use the tool.) Keep in mind that this is exactly the kind of remote-control tool the scammer on the phone wanted to use: the ID code and password should only ever go to someone you already know and trust.

In the end, common sense wins

Despite all of my attempts, a couple hours had passed and nothing had worked. Finally I turned to a suggestion I’d seen in a couple of message threads about browser malware, one that I had dismissed as a last resort because it was something I couldn’t do myself, but would need to step my sister through via text message.

It was this: Disconnect the computer from the Internet entirely. This generally means turning off Wi-Fi, or unplugging the cable if you’ve got a hardwired Ethernet connection. That’s it. If there’s no malware hosted locally, that pop-up can only be generated by loading a remote webpage that’s set as the Safari home page. If you’re not on the Internet, the webpage can’t load. Which means the JavaScript never runs, which means the infernally blocking pop-up message never appears.

So I disconnected from TeamViewer and instructed my sister to turn off her Wi-Fi and open up Safari. Sure enough, this simple solution is what broke through the logjam. When she opened her Safari preferences, her home page had been set to a weird “free deals and coupons” domain. Once she deleted that URL from her Safari settings, she was able to turn her Wi-Fi back on and the problem was over.
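The same cleanup can be done from Terminal without the Wi-Fi juggling, because Safari never has to launch: the home page is the HomePage key in the com.apple.Safari preferences domain, and `defaults` reads and writes it while Safari is quit. The script below is an added example, not something from the article. It assumes a Mac with Safari installed; the allowlist of “trusted” home pages is an assumption you should edit to match what you actually set, and on recent macOS versions Terminal needs Full Disk Access before it can read Safari’s preferences. Only the macOS-specific steps (networksetup, osascript, defaults) need a Mac; the two decision helpers are plain shell.

```bash
#!/bin/bash
# Added example (not from the article). Resets a hijacked Safari home page
# from Terminal. Assumes macOS; the allowlist below is an assumption.
set -u

# Decide whether a stored home page looks like one the user chose deliberately.
# Returns 0 (trusted) for blank/unset or an allowlisted prefix, 1 otherwise.
homepage_is_trusted() {
  local url="$1"
  case "$url" in
    ""|"(unset)"|about:blank) return 0 ;;
    https://www.apple.com/startpage*|https://duckduckgo.com*) return 0 ;;  # assumed allowlist
    *) return 1 ;;
  esac
}

# Pull the hostname out of a URL so a suspicious page can be reported
# without anyone visiting it (see the warning about searching for scam text).
url_host() {
  local url="$1"
  url="${url#*://}"   # strip scheme
  url="${url%%/*}"    # drop path and query
  url="${url%%:*}"    # drop port
  printf '%s\n' "$url"
}

# Find the Wi-Fi device (en0 on most Macs, en1 on some older ones) instead of guessing.
wifi_device() {
  networksetup -listallhardwareports \
    | awk '/^Hardware Port: (Wi-Fi|AirPort)$/ { getline; print $2; exit }'
}

# 1. Take the Mac offline so the scam page cannot load while we work.
# 2. Quit Safari (force-kill it if the dialog loop keeps it from quitting).
# 3. Read the home page from the preferences domain without opening Safari.
# 4. If it is not one we trust, replace it with about:blank.
# 5. Bring Wi-Fi back only after the preference is clean.
fix_safari_homepage() {
  local dev hp
  dev="$(wifi_device)"
  if [ -n "$dev" ]; then networksetup -setairportpower "$dev" off; fi

  osascript -e 'tell application "Safari" to quit' 2>/dev/null || true
  sleep 2
  pkill -x Safari 2>/dev/null || true

  hp="$(defaults read com.apple.Safari HomePage 2>/dev/null || echo "(unset)")"
  if homepage_is_trusted "$hp"; then
    echo "Home page looks fine: $hp"
  else
    echo "Suspicious home page (host: $(url_host "$hp")); resetting to about:blank"
    defaults write com.apple.Safari HomePage -string "about:blank"
  fi

  if [ -n "$dev" ]; then networksetup -setairportpower "$dev" on; fi
}

# Run only when invoked explicitly, so the helpers can be sourced or tested alone.
if [ "${1:-}" = "--fix" ]; then
  fix_safari_homepage
fi
```

Run it as `bash fix-safari-homepage.sh --fix`. Writing through `defaults` rather than deleting plist files matters: `defaults` talks to cfprefsd, so the change takes effect the next time Safari launches instead of being overwritten by the cached value.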

Or at least, all over but the important aftermath: I told her to update to Sierra immediately, consider getting some simple malware protection software, and not click on suspicious links. Also, installing a second web browser is never a bad idea, in case something terrible happens to your first choice.

And under no circumstances should you call a phone number that appears in a pop-up on your Mac, or allow an unknown party to control your Mac. Even doing a Google search for the words in a particular fake alert box may not help you–because the creators of the scam may have built whole websites with those keywords in order to lure you in and get your money or access to your computer. If your Mac seems disabled, take it to an Apple Store, a local Apple tech in your community, or call Apple support directly.

With any luck, my sister will never have a problem like this again. And if someone you know ever gets caught in this particular loop, I hope my two hours of troubleshooting will allow you to get to the solution faster than I did.

To comment on this article and other Macworld content, visit our Facebook page or our Twitter feed.