Tech support scam pop-ups
Published January 6th, 2015 at 7:14 AM EDT , modified June 28th, 2017 at 7:00 AM EDT
The internet has been awash with all manner scams for a long time. The variety boggles the imagination, ranging from Nigerian princes wanting to pay strangers exorbitant sums for help moving some money, to Facebook posts asking if it’s really you in this photo, to “one weird trick” for just about anything you might want to do. Although not exactly new, one of these scams has seen an upswing in recent months: the fake tech support scam.
The typical tech support scam presents itself to the user while browsing the web, in the form of a pop-up message saying that a virus or “suspicious activity” has been detected. A phone number is provided, of course, which the user can call to get “support” with this problem.
These pop-ups are usually the result of visiting a page that is either malicious itself, or that has been hacked, or that contains advertising from an ad feed that has been hacked. In any case, the page contains malicious code that either displays a pop-up, or redirects to a malicious page that then displays the pop-up (as shown in the image at right).
It is important to understand that no website can scan your computer for malware or suspicious activity. Further, Mac OS X will never display such a message within your web browser. (If you are unsure as to whether the alert is being shown by your browser or by the system, try hiding the browser by pressing command-H. If the message hides as well, it’s being displayed by the current page.) At most, web browsers can warn you that a particular site you are trying to visit is bad, but they cannot make any determinations as to the state of your computer.
In most cases, these messages are simply the result of visiting the wrong website online. However, if you’re seeing these messages very frequently, and while visiting a wide variety of sites, they may be the result of having some kind of adware installed on your computer. In such a case, the messages will be due to a bad ad that is being injected into pages by the adware.
If you think you may have adware installed, Malwarebytes should remove it. If you have trouble dismissing the fake virus message in your web browser, see the instructions below.
How to respond to the message
In short: don’t. Do not call the phone number provided, as it is not a real tech support number. The people at that number are scammers, and they will do their best to take advantage of you in whatever way you will let them. You just need to get rid of the message, which may be more difficult than it should be.
If you called the phone number, you may need to take some additional steps. For example, if you gave the scammers your credit card number when asked, you should contact your credit card company and report that your card has been compromised. If you gave other personal information that could be used to steal your identity, see:
If the scammers requested remote access to your computer, in order to “troubleshoot” the “problem,” and if you did whatever they asked to give them that remote access, your Mac should be considered compromised. There is no telling what they may have done with that remote access, and there is no program on Earth that can determine whether or not they have installed something malicious or made some kind of malicious change to your computer’s settings. They could be recording your keystrokes, monitoring all your network traffic or watching you through your webcam, among other things. Anti-virus software cannot prevent, diagnose or cure this problem.
In such a case, in order to be sure your machine is clean, you have only one option: erase the hard drive, reinstall the system and all your applications from scratch and very selectively restore only your documents from a backup. For more information, see How to reinstall Mac OS X from scratch.
Getting rid of the message
In many cases, these messages will seem to lock up your web browser. They will reappear if they are dismissed, and they reappear even after quitting the browser and then re-opening it. This will not necessarily always happen, and may not happen for all versions of all browsers. However, if you see this behavior, the first task is getting rid of these messages so you can use your browser again.
Quit Safari. If you are unable to do that, press command-option-esc to display the Force Quit Applications window. In that window, select Safari and click the Force Quit button.
To prevent the malicious page from reloading automatically, and thus the pop-up from reappearing, hold down the shift key while launching Safari.
If that doesn’t work, quit Safari again, then navigate to the following folder:
~/Library/Saved Application State/
(If you are not sure how to find this folder, see Locating files from paths.)
Inside that folder, find the folder named com.apple.Safari.savedState. Drag that to the trash.
Next, go to the following folder:
In that folder, drag the LastSession.plist file to the trash. Now open Safari, and the message should be gone.
Move the pop-up alert window out of the way, if necessary, and click the Chrome menu icon (to the right of the address bar by default). In the menu that opens, choose Settings.
The pop-up alert window will stay in front of the Chrome window displaying your settings, but you can still change settings. Under On Startup, select the “Open the New Tab page” setting.
Press command-option-esc to display the Force Quit Applications window. In that window, select Chrome and click the Force Quit button. When you re-open Chrome, the pop-up should be gone.