User profile for user: John Galt
John Galt
User level: Level 10
(140,954 points)

Phony "tech support" / "ransomware" popups and web pages

by:  John Galt
Last modified: Jun 27, 2017 5:03 PM
10 102738 Last modified Jun 27, 2017 5:03 PM

Short answer:


These are scams just like an unsolicited phone caller harassing you to buy something you don't want. You don't need to do anything but hang up and forget about it. No other action is necessary, or justified. Your phone cannot become infected simply by an unwanted call, right? Neither can your Mac.


Read Avoid phishing emails, fake 'virus' alerts, phony support calls, and other scams - Apple Support.


Long answer:


These popular browser scams spontaneously appear as an unexpected popup or unsolicited webpage (examples below; click to enlarge) that allege the detection of "viruses" or the existence of some unsafe condition that needs to be addressed with great urgency:



User uploaded fileUser uploaded file
Scam Example 1Scam Example 2
User uploaded fileUser uploaded file
Scam Example 3Scam Example 4

User uploaded file

User uploaded file
Scam Example 5Scam Example 6


These scams can appear on any web browser running on any Mac, PC, or iOS device.


Despite what they say your Mac has not been infected with anything other than a web page that won't go away, which is easy to fix. What gets people into trouble is believing the information that appears, and then taking inappropriate actions.


These scams may appear to be authentic, because they typically include details such as your IP address and a familiar icon of the browser you're using. Some of them include voiceovers or annoying alert sounds. Some of them will spawn multiple tabs or windows by the dozens. It might seem there is no way to close the windows or otherwise dismiss the popups. You might not be able to control Safari, and you can't find a way to quit the app. Even if you were to completely shut down and restart your Mac or your iPhone, the annoying popups might just keep reappearing.


The above screenshots are mere examples. There are thousands of variations of this scam whose exact appearance and wording can take any form. There are also millions of permutations of the "toll-free" phone numbers they provide, and they can easily originate from the other side of the globe. These scams are easily created, simple to distribute, and new examples appear every day.


A variant of the same scam will cause a webpage to appear accusing you of engaging in some sordid or illegal Internet activity. The page might bear official-looking government or law enforcement seals, say your Mac is infected with some ick, and / or employ technobabble intended either to intimidate you or create an impression of authenticity.


  • Needless to say whatever text they contain should be utterly disregarded, because it's all false: Your Mac is not infected with anything and you did nothing wrong. What you're experiencing is a lame and 100% fraudulent attempt to extort money from you. No matter how legitimate the message appears to be, it did not originate with Apple, the FBI, the IRS, RCMP, Bundespolizei or any legitimate organization.
  • If you closely examine the page you might find a "disclaimer" written in very tiny text, containing what may be the only accurate information on it. The exact text extracted verbatim from one of the above scam examples follows: "The webpage and pop-up is only for advertisement use. In no way claiming to be Microsoft and claiming a definite error has occurred. The webpage does not take any personal or critical information. The webpage owners are not held liable for any actions taken on your system by third parties. Call at your own free will." Who could object to that? That's about as sincere as it gets.
  • These scams are routinely perpetrated by criminals around the world in an effort to convince you into giving them money. They cannot succeed without your active participation. Don't be a victim.


When you can't find a way around this problem — when you can't close the page or even quit the web browser you're using — it might seem that you're stuck and there is no way out. If that describes your situation, read on.


Whatever you do, never call any phone numbers that appear. They will just want payment, usually in multiple hundreds of US dollars. Worse yet, they may attempt to deceive you into granting them remote control of your Mac, conceivably enabling them to install a "backdoor" granting criminals unfettered ability to harvest any or all the information contained on your Mac, to be used for any conceivable purpose. That's a road you do not want to travel. Never allow anyone to remotely log in to and use a Mac that you own and control.


There are different solutions for Safari on the Mac and Safari on an iPhone or iPad device. Follow the applicable one below. Although the instructions specifically address Safari, they are easily adapted to other web browsers.



Solution (Mac):


Some of these scam popup messages are very easy to dismiss:


  1. If a checkbox appears with the text "Don't show more alerts from this webpage", select it, then click the Leave Page or OK button.
  2. If that option does not appear, try repeatedly and quickly clicking the Leave Page or OK button while also pressing the key combination ⌘ W.

    If the Leave Page or OK button is not visible because the dialog box extends beyond your display's lower limit, the Return or Enter key should perform the equivalent action.


Either option may result in interrupting the script preventing you from closing the page normally. If it does, you're finished. If not, or you grow tired of that method, continue below.


  1. Quit Safari. If necessary, force Safari to close by following these instructions: Force an app to close on your Mac - Apple Support.
    • Summary: choose (Apple menu) > Force Quit...
    • Or, using three fingers press the three-key chord (the Command key, next to the space bar) Option (the key next to it) Escape (the key at the upper left of your keyboard or Touch Bar).
    • A dialog box with the title Force Quit Applications will open.
    • Choose Safari, click the Force Quit button, and confirm the dialog with Force Quit again.
    • Close the dialog box.
  2. Press and hold a Shift key and keep it depressed while launching Safari again.
    • When Safari opens, release the Shift key.
    • This action prevents Safari's previously loaded pages from loading again upon launch.


If that does not immediately fix the problem:


  1. Force Safari to quit again.
  2. Disconnect from the Internet by selecting Wi-Fi "off" in the Mac's menu bar, or disconnecting its Ethernet cable if you're not using wireless. See pictures below.


User uploaded fileUser uploaded fileUser uploaded file
Turn Wi-Fi "off"Disconnect Ethernet cable (MacBook Pro)Disconnect Ethernet cable (iMac)


  1. Launch Safari again by pressing and holding a Shift key while launching Safari.

    No pages will be able to load since you're not connected to the Internet.

  2. Select the Safari menu > Preferences > General, and review your home page selection.
  3. Select the Privacy pane > Remove All Website Data... > Remove Now.

    After you reconnect to the Internet, you will need to sign in again with all websites that require authentication (such as this one).

  4. Close the Preferences window.
  5. (optional) Select the History menu > Clear History...

    Choose an appropriate period to clear from the dropdown menu. That action will ensure you don't inadvertently navigate back to the same problematic web page.

  6. Turn Wi-Fi back on again or reconnect your Ethernet cable.


You'll be back in business.


In an abundance of caution, consider the following additional actions. They are not required to eliminate the scam webpage but you should review them to determine certain Safari settings have not been unexpectedly altered.


  1. Open Safari's Preferences... again and select Extensions. Uninstall any Extensions that you are not certain you require by clicking the Uninstall button.

    If you are not sure what to uninstall, uninstall all of them. None are required for normal operation.

  2. Select the Privacy pane. Verify "Cookies and website data" is configured the way you expect. If you are not certain what choice is appropriate, choose "Allow from websites I visit".

    For OS X versions prior to Yosemite the equivalent preference is "Block cookies and other website data" > From third parties and advertisers.



Solution (iOS):


Force Safari to quit by quickly double-clicking the Home button. On that screen, swipe left or right until you find Safari with a preview of the problematic web page. Swipe that image up and away to terminate it:



User uploaded file
Force Close (iOS 9 and 10)


The unresponsive Safari page will be gone, but if you were to launch Safari again it might just reappear. To prevent that from occurring, go to Settings and scroll down a bit until you see Safari. Tap Safari, then tap Clear History and Website Data. Confirm the dialog that appears next, and you'll be back in business. The effect of clearing website data will require you to "sign in" again to websites that require authentication (such as this one).



References and other resources:


FBI statement: http://www.fbi.gov/news/stories/2012/august/new-internet-scam

FTC statement: https://www.consumer.ftc.gov/articles/0076-phone-scams

IRS statement: https://www.irs.gov/uac/irs-urges-public-to-stay-alert-for-scam-phone-calls

Microsoft: http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

Moneypak: https://www.moneypak.com/ProtectYourMoney.aspx#

Related articles: How to install adware

Comments

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up