Tech support scam pop-ups
Published January 6th, 2015 at 7:14 AM EST , modified June 28th, 2017 at 7:00 AM EDT
The internet has been awash with all manner scams for a long time. The variety boggles the imagination, ranging from Nigerian princes wanting to pay strangers exorbitant sums for help moving some money, to Facebook posts asking if it’s really you in this photo, to “one weird trick” for just about anything you might want to do. Although not exactly new, one of these scams has seen an upswing in recent months: the fake tech support scam.
The typical tech support scam presents itself to the user while browsing the web, in the form of a pop-up message saying that a virus or “suspicious activity” has been detected. A phone number is provided, of course, which the user can call to get “support” with this problem.
These pop-ups are usually the result of visiting a page that is either malicious itself, or that has been hacked, or that contains advertising from an ad feed that has been hacked. In any case, the page contains malicious code that either displays a pop-up, or redirects to a malicious page that then displays the pop-up (as shown in the image at right).
It is important to understand that no website can scan your computer for malware or suspicious activity. Further, Mac OS X will never display such a message within your web browser. (If you are unsure as to whether the alert is being shown by your browser or by the system, try hiding the browser by pressing command-H. If the message hides as well, it’s being displayed by the current page.) At most, web browsers can warn you that a particular site you are trying to visit is bad, but they cannot make any determinations as to the state of your computer.
In most cases, these messages are simply the result of visiting the wrong website online. However, if you’re seeing these messages very frequently, and while visiting a wide variety of sites, they may be the result of having some kind of adware installed on your computer. In such a case, the messages will be due to a bad ad that is being injected into pages by the adware.
If you think you may have adware installed, Malwarebytes should remove it. If you have trouble dismissing the fake virus message in your web browser, see the instructions below.
How to respond to the message
In short: don’t. Do not call the phone number provided, as it is not a real tech support number. The people at that number are scammers, and they will do their best to take advantage of you in whatever way you will let them. You just need to get rid of the message, which may be more difficult than it should be.
If you called the phone number, you may need to take some additional steps. For example, if you gave the scammers your credit card number when asked, you should contact your credit card company and report that your card has been compromised. If you gave other personal information that could be used to steal your identity, see:
http://www.consumer.ftc.gov/features/feature-0014-identity-theft
If the scammers requested remote access to your computer, in order to “troubleshoot” the “problem,” and if you did whatever they asked to give them that remote access, your Mac should be considered compromised. There is no telling what they may have done with that remote access, and there is no program on Earth that can determine whether or not they have installed something malicious or made some kind of malicious change to your computer’s settings. They could be recording your keystrokes, monitoring all your network traffic or watching you through your webcam, among other things. Anti-virus software cannot prevent, diagnose or cure this problem.
In such a case, in order to be sure your machine is clean, you have only one option: erase the hard drive, reinstall the system and all your applications from scratch and very selectively restore only your documents from a backup. For more information, see How to reinstall Mac OS X from scratch.
Getting rid of the message
In many cases, these messages will seem to lock up your web browser. They will reappear if they are dismissed, and they reappear even after quitting the browser and then re-opening it. This will not necessarily always happen, and may not happen for all versions of all browsers. However, if you see this behavior, the first task is getting rid of these messages so you can use your browser again.
Safari
Quit Safari. If you are unable to do that, press command-option-esc to display the Force Quit Applications window. In that window, select Safari and click the Force Quit button.
To prevent the malicious page from reloading automatically, and thus the pop-up from reappearing, hold down the shift key while launching Safari.
If that doesn’t work, quit Safari again, then navigate to the following folder:
~/Library/Saved Application State/
(If you are not sure how to find this folder, see Locating files from paths.)
Inside that folder, find the folder named com.apple.Safari.savedState. Drag that to the trash.
Next, go to the following folder:
~/Library/Safari/
In that folder, drag the LastSession.plist file to the trash. Now open Safari, and the message should be gone.
Chrome
Move the pop-up alert window out of the way, if necessary, and click the Chrome menu icon (to the right of the address bar by default). In the menu that opens, choose Settings.
The pop-up alert window will stay in front of the Chrome window displaying your settings, but you can still change settings. Under On Startup, select the “Open the New Tab page” setting.
Press command-option-esc to display the Force Quit Applications window. In that window, select Chrome and click the Force Quit button. When you re-open Chrome, the pop-up should be gone.
Firefox
In Firefox, JavaScript pop-up alerts like these do not take over the browser. Just close the window or tab and go on about your business.
123 Comments
This post is more than 90 days old and has been locked. No further comments are allowed.
Thank you for the helpful information! 🙂
Thank you sooooooo much
Thanks so much. You saved my husband from a lot of grief.
To get rid of this, so far i have tried adware medic, it found nothing, pulled safari plist 6 of them, saved state, cleared safari folder in user directory cleared caches, launch agents, daemons, and reopened safari while holding shift. Cleared browser caches and cleared website data. Still get the pop up.
What does the pop-up say? What is your browser’s home page set to? Have you checked for network problems by testing Safari while connected to a different network?
Try this.. apple logo menu> system preferences> general> select “close windows when quitting an app”> open safari then immediately make sure to quit Safari using the menu option or command+Q. once you relaunch safari the problem should be resolved. worked for me. (this might not work if you can’t get safari to “quit”……. “force quit” is not the same)
this worked for me after 3 days of trying to find a solution–thank you soooooooo much
Or you could mess around with them. http://www.youtube.com/watch?v=tGGpgieEewI
What I have done, and seems to work, is Reset Safari. I am not sure about the others but hope it helps those using that native browser.
Set to http://www.google.com, i cant give you exact message currently cause i am at work. And no to diff network. Havent tried safeboot or test user either yet. Will do that later and get back to you. Thanks for the heads up though.
mac-onlinesupport[dot]com, you have a security issue on your computer please call……
Hi,
Unfortunately I did all the above on giving the tech support control of my computer. He could see my screen from his end. I filled in the information of paying with a check but never pressed send. I do not know if they can copy that info. I called tech support apple and they let me know it was a scam. I deleted my personal info from the pay by check. Should I delete the hard drive? The instructions you gave on how to delete my computer seem difficult. Can I take the whole computer to apple for them to help me delete the hard drive? Should I not pay any bills from my computer? I feel so stupid? Help please. Thanks
Liz
Yes, you will need to erase the hard drive. Apple could help you with the easy part (erasing and reinstalling the system), but the hard part – selectively restoring the data – is probably not something they’ll be able to do for you. It never hurts to ask them, of course.
Your iPad is safe.
Hi Thomas, Thanks for your helpful information. The man I spoke with today, who I also, sadly, allowed to log into my Mac Mini, said that these viruses could infect my “entire network”. Is there any truth to this? I have a couple of PC’s and an iPad and iPhone as well. Do I need to worry that these devices have been compromised as well? I appreciate your assistance. Mary-Lynne
No, that was just a scare tactic. There is no virus involved here, so there is nothing to spread to anything else.
Hi again Thomas,
I just read this whole blog and think I got the info I needed from your answers to other people. Thank you. I won’t worry about my other devices and will take the Mac Mini in to have the HD restored. Thanks again.
[some text removed by moderator]
Here is ONE rule – a SIMPLE rule EVERYONE should follow.
Ready?
NEVER – EVER give ANY information away – NOT EVEN YOUR NAME (!) to ANYONE who CONTACTS YOU from ANYWHERE.
Example; If ANYONE contacts YOU, let’s say, someone rings you, and says they’re from you’re bank, and want info,’ the automatic thing you say/do; ‘let me ring YOU back.’ Ask them for their number – check the number against what you know is a REAL contact number. If in doubt, contact (almost every big business has a toll free help number), and talk with them instead.
The minute you tell them you’ll ring them back, most of these scammers will either hang up (on you), or give you a fake number.
This holds true also on line.
Someone pops up on your screen?
If you get a msg like the one pictured above, ring Apple 1st.
Remember; people DO stupid things – ALL of us. But, the GOOD thing is we LEARN from our mistakes – and we NEVER EVER let it happen AGAIN.
Also, I have a IPAD Air which I have been scared to turn back on. Is my iPad compromised as well?
I deleted MacKeeper more than once and it keeps coming back.
I called their number 1-888-893-2451 because the computer kept crashing and we thought that it was through Apple. They wanted to log on to my computer to help me and I said “No I can fix it myself, you just walk me through the steps” They said it can’t be done that way only we can do it. I said it is not rocket science I can handle it if you tell me how to uninstall the malware I can do it from my end without you echoing on to my screen. He was foreign and I could not understand him but he was mad, then he said OK I will walk you through it. Type http://www.logmein123.com in my address bar. I was like “How stupid do you think I am?” I said you give people from India a bad name, get a different job.
That’s definitely a scam phone number. It’s good that you didn’t give them access to your computer!
As for the MacKeeper problem, if you’re having a lot of MacKeeper pop-ups, you may have adware installed. See my Adware Removal Guide.
I made the TERRIBLE mistake of allowing remote access, but refused to give any personal info, banking info, etc. What do I do now?
Please read the article, the answer to that question has already been answered within the article.
You have Adware in /framework plugin in your ~/Library folder and root libraries.
No need to erase. Head to apple support website for detailed instructions on how to remove.. See belo
http://support.apple.com/en-us/HT203987
That Apple page is pretty incomplete. There’s a lot not mentioned there, and some of what is mentioned is already outdated. A better resource is my Adware Removal Guide.
there is no file by the name ~/Library/Saved Application State/, though there are many other com.apple. files–even though I do still have the Safari icon on my desktop. Scared–this sorta thing has never happened–horrified that i let my mac get infected.
oops– i meant to say no file by the name com.apple.Safari.savedState, so no file to drag to trash
Thomas, could you please verify whether “www.mac-tech-alerts.com” and “www.safari-support.com” are still working or this sites have been already deleted? I tried to visit them in several ways, but I only get a message “Error 403. Forbidden”.
I’m not sure… they may still be working, but these scam sites usually make sure their main page doesn’t work. You usually have to have a specific URL within the site to see the scam. For those two sites, I don’t actually know of any of the scam URLs that have been used, but those may have been changed already anyway.
I block these and other pop-up windows by entering 127.0.0.1 and then tab and then their domain into my hosts file to block them. You can use either gas mask or hosts version 0.13 system prefs panel, both free.
That’s not a very good strategy. These scams change hosts like you change underwear, so you’re constantly blocking abandoned domains that are known, but won’t have the current domains blocked. Besides, modifying the hosts file isn’t something for the faint of heart, and can cause a loss of all internet connectivity if done improperly. (Or, worse, loss of connectivity on just a few sites, leading to much confusion and frustration.)
Ummmm…… interesting metaphor there, Thomas……
Use of the hosts file to block ads.
David Charlap MacInTouch Jul 7. 2014
1: It blocks servers, not URLs. This means if a single server is hosting ads and legitimate content that you want to see, you have to take both or block both.
2: There is no wildcarding or domain-scoping, so you need to know all of the hostnames that may be used by an advertiser. Since it is pretty easy for them to rename their servers and change the ad-serving scripts, you’re forever playing catch-up. You’ll need to keep on adding new hosts to the list (I assume the tool you installed would do this for you.)
3: It blocks all protocols, not just web traffic. So if you want to access that server through other means (maybe ping/traceroute it to figure out who is providing connectivity, you can’t.)
4: It blocks servers by redirecting traffic at the null-address (0.0.0.0). This address was historically used as a “don’t care” address and many systems, when sending packets to it, will send them as a subnet-broadcast (equivalent to 255.255.255.255). This may put unnecessary traffic on your LAN and might even put a load on your own servers if you have your own local web servers running.
If you decide to stick with the host-file approach (meaning problems 1-3 will remain), I suggest you pick a different IP address than 0.0.0.0 for the blocked hosts. One approach is to pick 127.0.0.1 (localhost), which will result in immediate failures of all requests, if you’re not running a local web server. Another would be to pick an unused IP address on your LAN and use that.
But there’s another issue. Some web sites load ads via scripts, and those scripts sometimes cause the page to hang for several minutes (network timeouts), if there is no reply from the ad server. A solution to this is to use the IP address of a host on your LAN that is running a web server (possibly even your own computer). Every request will return a 404 error page, which should keep most of the scripts from hanging, since they are getting an actual reply.
If you would like to do this only for web pages and not for all network access, you can set up the same list of hosts using a proxy-auto-config (PAC) file. I wrote an article about this 10 years ago: “Ad blocking on the cheap.”
Finally, you might find that some ad-loading scripts hang and timeout even if they get 404 errors. To satisfy them, it should be possible to configure a local web server to serve an actual page (not an error) for every failed URL it receives. It doesn’t have to be fancy – it can be a simple HTML page with one line of text. This way, the scripts get no error, the page doesn’t hang, and you don’t see the ad.
I used to use this approach a long time ago, but I stopped when I realized that tools like AdBlock Plus (running within Firefox and Safari) work even better. They block based on URL filters, not just hostnames, and they are capable of removing advertising scripts from pages, so there isn’t even an attempt to load ads.
Curious;
Never heard of those.
Are they like free versions of Little Snitch?
Hello Everyone,
I was wondering if MacKeeper by Zeobit has always been a complete scam or are they just victims. Has their site been cloned and used by criminals to scam the unsuspecting. I seem to recall that at one time they were a legit company offering similar services as Norton. Never used either because I always thought macs were basically virus/worm free assuming you didn’t do something to allow the “bad guys” in. Recently I did get hit by some adware that did several things:
1. It changed my preferences in Safari to a new home page. I think it was “Look Search” or something similar
2. It created pop up windows stating there was an issue with my computer and opened a new tab for MacKeeper (the pop ups could not be closed without force quit and changing preferred home page)
3. It created a Google “like” homepage which launched instead of Google. It didn’t actually say Google but imitated their design
4. While browsing in Safari an ad banner appeared across the top of the window. It would offer items for sale seemingly directed to my preferences. this banner could be closed.
5. I think closing the upper banner seemed to launch the previously mentioned MacKeeper page.
5. An additional, larger ad banner would appear across the bottom of the window and this one could not be closed.
I used a different program to remove emails that had been trashed but not deleted that contained some sort of phishing bug.
I guess all this is to remind people to DELETE their trashed emails. Trashed is not really gone unless you set up your mail preferences to do so.
Thank you
The problem you describe was not caused by phishing e-mails, and deleting trashed e-mail is not a solution. You probably had some kind of adware installed, or a network compromise of some kind was affecting you. See my Adware Removal Guide.
AppleCare employee here,
I am a Senior Advisor with the CPU group in AppleCare. I would say these are the majority of our calls now. Some sites will still display the message in Safari even after moving ~/Library/SavedApplicationState/ “com.apple.Safari.savedState” to the trash. Sometimes you need to go to ~/Library/Safari/ and remove “LastSession.plist” Hope that helps for anyone still experiencing the “ransomeware”
Thanks for the info, I’ll update the instructions.
I don’t have that file. In safari folder I have 2 folders Bookmarks and History. Am I supposed to trash one of those?
I just got one of these pop up scam boxes in safari on my iPad. Now I can’t get on the internet because that damn box keeps popping up. I hit ok, but it won’t go away. How do I get rid of this on my iPad?????
See the section titled “Clear information from your device” at the end of the following document:
http://support.apple.com/en-us/HT201265
I had the same scam box pop up on my macbook pro, i never called the number that was on the pop up but i did call the 1800MYAPPLE and they walked me through the process of getting rid of it, am i at risk of information being stolen from my computer now? I’m kinda scared to do anything on here now, I’ve changed my apple ID just in case.
1-800-MY-APPLE is a legit Apple phone number. If that’s the number you called, you’re fine. It’s only if you call the number provided in the scam pop-up that you might have trouble.
Thank you for that, i just had the same pop up when i downloaded a song from youtube. could it be something happening off you tube?
Hi I’m George… i got deluged with pop-ups and malware including many versions of MacKeeper. I installed it today before i boarded a plan and i think the problem is solved… I say think because i know there are scams that pretend to be the good guys… but it has been 3 hours with Adware medic and they have all run for the hills. I even brought it to a friend at the AppleStore he tried but 5 minutes and they were back. I will not only make a donation and if i get home and we are still good tell everyone i know… i know a lot of people.
thank you
George.
I followed your instructions and the “shift while opening safari” worked for me. The popup is not longer showing up. I want to be sure that my laptop is still safe, and that I don’t need to do anything else to secure it. Since the pop-up isn’t showing up anymore, am I safe now?
Thanks,
AM
Yes. There was never any danger to your laptop, unless you called that number and did what they told you to do.
Thank you so much for this article… I was near tears trying to get Safari rebooted cleanly. I did do this, using your “Shift” suggestion – but not after I pressed the “OK” button on the pop-up because I couldn’t do anything else… Do you still think there is no danger to my laptop (I didn’t call the number) even if I pressed “OK” on the pop-up? (It did nothing — just came right back…) THANK YOU
There is no danger. Clicking OK can’t hurt you.
Thank you so much for putting my mind at ease. Have a good week!
Thank you so much!
I was on chat then the phone with apple tech support. Went through files looking for 3 or 4 malware, reloaded OS X, shift for starting safari, started in safe mode. While on hold to a senior tech, I tried this from above:
To prevent the malicious page from reloading automatically, and thus the pop-up from reappearing, hold down the shift key while launching Safari.
If that doesn’t work, quit Safari again, then navigate to the following folder:
~/Library/Saved Application State/
(If you are not sure how to find this folder, see Locating files from paths.)
Inside that folder, find the folder named com.apple.Safari.savedState. Drag that to the trash.
Next, go to the following folder:
~/Library/Safari/
In that folder, drag the LastSession.plist file to the trash. Now open Safari, and the message should be gone.
And that got the pop-up and the lock-out of Safari gone. I did have a page added to my top sites opening page of Safari that I think was the hijacked webpage. I x’d that one out.
It did the trick! So far, not every at Apple knows how to handle this – I did it by myself.
The biggest problem with this, is that people are actually falling for it. People are paying between $100 up to $1,600 (why, i’ll never know) because when they call this number, the guy on the other line tells them “oh my god! you’re being hacked by 57 people in Argentina! We can stop them if you pay us!” People are too gullible. Its getting ridiculous.
i removed EWSMac-GC.framework folder from my library was this wrong to do? . its in my trash but i haven’t emptied my trash yet
That is a part of eSellerate, used by some apps to handle purchasing and licensing. Removing it may cause problems for those apps.
Note that you really shouldn’t go through and delete stuff if you don’t know what it is. If you’re trying to remove adware, only remove files that are specifically identified as being part of some adware by a removal guide, such as my own Adware Removal Guide.
My son was trying to download a movie a few weeks ago, Interstellar I think. This exact pop-up came up. Im on midnight shift at work and he woke me up in a panic. I was unable to close out the windows, etc. Junior said he never called “Harry” and I just powered it off and eventually took it to Apple store.
They unofficially recommended this site. Thanks for posting this stuff and keep up the good work.
Hi so i just bought a macbook air and i was looking a website to watch online movies and i accidentally click something and it downloaded on my computer. And then it says to call the number since i just bought the macbook i thought it was from apple. So i called the number and i talked to guy his name was harry. He asked me to go to the website i forgot what website it was and i was talking to him like 30mins and he told me that someone is hijacking my accounts. He was the manipulating my computer. And he told me to buy a firewall and since i dont have credit or debit card i gave my friends account and it was debit card. Then he told me that i just ordered online the firewall and then he told me that it will take long for him to figured out who was trying to hijack my account. So i gave my phone number and then when told mg friend about it she told me that it was a scammer. So what i did i turn off my computer and then he kept on calling i didnt answered the phone and he left a message telling me that i should turn on my computer cuz hes not done yet
Hi, my friend has been up to the installation of the software to allow access to his mac and the guy control his mac for a few minutes. He could see on the screen what the guy was doing, but who knows… He was at some point in the terminal, so he could have changed some setup.
I will guide him tonight to erase the HD and install from the internet recovery but I am concerned that the Recovery HD might be hacked also.
When we install from scratch, is the Recovery HD also created?
Is it necessary also to erase the Recovery HD and then recreate it?
A couple ago I play with the Recovery HD while creating on my Mac mini a Fusion Drive, but I do not remember exactly how I did it. The only thing I remember was that it was not that easy!
Thanks for your help. I discover your website today and it looks really nice!
I do not believe that they would be able to modify the recovery partition without breaking it, but if that’s a concern to you, you should be able to hold command-option-R at startup (instead of command-R) to boot from a known clean system on Apple’s servers via internet recovery.
Thanks Thomas, indeed we booted with command-option-R to get a system from internet.
During this process, has the recovery HD partition be updated?
I honestly don’t know, but I’ve never seen or heard of a case of a recovery partition being modified. It’s very unlikely that this would happen.
My name is Jennifer and I’m def not a computer wiz. I was trying to get to my schools website and this came up. I have an older Mac so I called the number when the popup showed and went to support.me.com and typed in the 6 digit code and opened wutever he downloaded but he kept saying it wasn’t working cuz the “hackers” have it blocked where he can’t get access. He made me restart it and we did it 2 more times and he said it still wasn’t working and wanted me to check my modemto disconnect and reconnect it or just give him the money so techs can fix if for me. At that point I said no and got customer service number from him and told him I’d call back. Was he able to get access to my computer? What should I do? I am so gullible! Help!
I’m not sure what was going on, but he could very well have been just telling you it wasn’t working while he was doing something to your system behind your back. Whenever these scammers get any kind of access to your system, you can’t trust that system any longer. Erase it.
Interesting … A client of mine just got this last week and called and paid and allowed remote access (yeah, before he contacted me).
They didn’t appear to leave anything malicious behind but they did leave him with a folder of what appear to be legitimate copies of Bitdefender’s Adware Removal Tool, CCleaner, and your own AdwareMedic (version 2.2.1).
I still erased his hard disk and restored from a Time Machine backup from before the “incident”. And left my client with a printed copy of this blog post.
Thanks Thomas!
Hi Geoff,
Same here, it does not look like any malicious action has been taken. It seems that they only want to get some bucks for selling software and helping cleaning this adware.
Better anyway to erase the HD, this is what we did also.
Hi my name is Mia and this just happened to me today.I had been having a lot of pop ups recently and today one popped up that wouldn’t go away!then the popup with the imagine above came up.Im not very tech smart so I figured it was real and it was apple trying to help me out.I called the number the guy asked to help me and take over my comp, I also had to input the 6 digit code and from there he was accessing my comp “fixing” the problem.He told me what needed to be done and said it would be $250,i very stupidly gave him my name,number and credit card so we could fix the problem.After the matter i had a bad feeling,i googled it and came across this page.ASAP i took my laptop to apple and the guy said he didn’t see any malicious software install, that it seemed the guys were just trying to make some money.I cleaned out my lap top and called my credit card company and claimed fraud.I went ahead and canceled my card getting a new one.My only concern is if they were able to access my stored info like password or my social security?and since its apple i use the same passwords on my phone can they access my phone too?
Any unencrypted data on your computer is potentially compromised, and anything you have typed on the computer since they had access could have been recorded. I’ll stress here that this is unlikely, but because it is possible whenever someone untrustworthy has had access to your computer, you need to take precautions. Change passwords that you have entered on the compromised machine, and if you store your social security number in unencrypted form on your hard drive, you may want to consider hiring a credit monitoring service.
They can’t access your phone.
Howdy Thomas – and all
I have used P.U.K a rude PopUp/Under Killer(prev: killjasmin) :: Add-ons for Firefox for several years (since it WAS KillJasmin). It is VERY effective at killing pop-unders/pop-overs. Very easy to add URLs (it uses the first 30 characters in a comma delimited list) and just enough trouble to keep one from doing something stupid. It kills MacKeeper with prejudice! haven’t seen it in years!
best regards
ÇhitlinsÇÇ
This exact scenario played out for my wife today on our new Macbook Air and unfortunately she called the number and gave access. I am planning to erase and reinstall as you suggest. My question is – did they have access to my desktop iMac as well on the same wireless network at the time??
No, they only had access to whatever computer your wife gave them access to.
ok, so this scam happened to me just now. I was able to close the window. I did not call the number or click on anythig else… so am i ok? or do i need to do something to my computer?
Hi Nicole,
It just happened to me too but didn’t call or give any information.
Turn on and off Safari several times trying to figure out how to restore it and just did it. But I also don’t know if my computer is compromised or they couldn’t get into my info or anything if I didn’t call them.
If somebody can reply I would be soooo grateful, right now I need my computer for work and cannot delete and restart until tonight.
Thanks!
Happened to my wife as well… she called the number and allowed the scammers access. The computer is now off and awaiting a HD wipe/reinstall. Our home wifi network runs off of an Apple Time Capsule that does backups as well. From what I’ve read on this thread, since my wife only allowed the scammers access to her iMac, the network/Time Capsule ad our iOS devices should be fine. With that in mind, is if we do a complete wipe of the disk, and then reach back a couple of days into the Time Capsule backups and do a restore, are we likely to be OK? Thanks in advance.
You’ll be fine. Just make sure the backup you’re restoring from is before the scammers and before the pop-up.
Thanks for what you do, Tommy.
I only called them and said I was from America and that I had a mac, then they hung up or the call dropped. What can they do with my phone number?
Thank you so much!! After 2 hours I stumbled onto your site. Force Quit and reopen Safari while holding down the shift key eliminated the PHISH web site.
Hi,
Please help — all suggestions welcome
I’m getting scared b/c I accessed a website and the 404 security error window came up and the webpage said “Phishing website ahead”
Each had a different “helpline” number, but I didn’t call either one. I tried all the instructions for quitting out of the window (including turning off wifi, and ‘reset safari’ which was grayed out. I was able to use chrome for a little while, but eventually Chrome came up saying my browsing wasn’t private and wouldn’t let me search anymore.
Is it possible that the hackers can see my information even though I haven’t given them any information or remote access?
Also what should I do to escape the webpage and any potential hacking?
Currently I am not using my laptop, waiting for the battery to lose all juice so maybe it will reset?
Thanks!
There is no hacking involved, just a scam website. The hackers can’t see any of your information, and letting the battery run out on your laptop is not ever a proper troubleshooting step, because it will not reset anything.
As for what you should do to escape the web page, please read the article. The instructions are there.
Wow! Thought I was a goner so THANK YOU! Here’s my story—clicked on a photo of “The Bachelor” from 2009 (super bored today what can I say), and BAM I had like (no kidding) 20 immediate pop-ups warning me of problems, and I could not access anything on Safari; my cursor wouldn’t even work on anything except clicking “ok” but then it just kept coming back again and again!! It’s a very intimidating, SCARY looking process happening on my MacAIr, and I thought WOW I MUST HAVE DONE SOMETHING REALLY BAD. Each popup had the Safari logo. And of course the phone number….which I thought about calling. For about 60 seconds. But I knew if I did, my Tekkie IT brother would KILL ME. “YOU SHOULD HAVE JUST CALLED ME DUMMY”, I can hear it now. I tried turning the computer off a few times and of course it just kept coming back, unless I opened Chrome, which was working fine. After about 15 minutes I opted to search the Internet (using Chrome of course because Safari was unusable), but I was actually a little afraid of getting sucked into a site that claimed to be able to fix problems…and that clicking on something could cause me more problems! But I found your site, it looked RIGHT AND the instructions seemed fairly innocuous…..so I tried the first suggestion of holding SHIFT while opening Safari. And voilà!! It worked in a nano-second. I simply cannot thank you enough; I wish Apple could give you the official endorsement, but in any case I hope you are raking in the bucks at a great IT job—because you deserve it!! I have NO comprehension of computer technology, because frankly it all seems like magic to me!! So people like you are VERY SPECIAL indeed!! THANK YOU!
I got the phishing pop-up on my Macbook while I was browsing for ski helmets. I clicked on ok and the pop-up would not go away. I shut down and restarted and the pop-up was still there so I stupidly called the number 1-877-899-1824 and reached someone name Harry in India. At times, when I told him that I couldn’t understand him, he would type in a chat. He directed me to logmein and I let him gain access to my computer by typing a 6 digit code. He verified information about myself and then he said OMG someone in New York and DC and someone foreign has turned off your firewall and has accessed your computer and he showed me by drawing a red circle around the encryption and went to my security settings and showed me the firewall off setting and drew a red circle around it. He said any devices that were connected to my computer, such as my iPhone was also compromised. During this time, I was put on hold and passed around to supervisors, at least 2 or 3 times, but it seemed like the same guy. He told me not to do any banking or online shopping on my computer anymore, because I was being monitored. I said oh no, what can I do? And he went to Apple Support on my screen and circled in red and wanted me to pay $695 to fix the problem. I said no I am not going to pay anything, I will have an expert look at my computer. He said okay, I will end the session now, so he ended the session. The whole conversation lasted about 51 minutes on the phone. I immediately called my daughter and had her change my bank passwords. She also, signed me up for LifeLock. I then took my Macbook to the Geek Squad at Best Buy and he looked at the logmein download and parts of the chat that was still on my screen and said that I had been scammed. He told me to change my passwords before I went back on the internet and he deleted the logmein download. I used a computer at work to change my passwords and now I am back on my Macbook. Do I still have to erase the hard drive? Do you think they are monitoring my keystrokes right now?
“Do I still have to erase the hard drive?”
Yes. It may be unnecessary, but there’s no way to know for sure that he didn’t do something malicious to your computer while he had control of it.
Ok, thank you. I just had an advertisement come up on my screen to the right of my email about transferring money to foreign bank accounts. Now I am scared. I am going to check my bank accounts from another computer.
My wife and I are seniors with very limited computer knowledge and skills. Recently we were victims of a computer scamming operation during which the scammers had full remote access to each of our two MacBook Pros for about 30 minutes. Thereafter we continued to use the computers for several days before we became aware that we had been scammed. Then we shut down both of the computers. At present we are using only our iPads and iPhone to access the internet. We have four questions for you.
1. If the scammers installed some malware on my computer, could they possibly have seen my bank account data while I was doing online banking?
2. If the scammers installed some malware on my computer, can they possibly view my incoming emails or do anything else on the computer while it is shut down?
3. If the scammers know my email address and password, can they install my email address on their computer and thus receive my incoming emails (or duplicates thereof) on their computer?
4. In addition to dealing with the two possibly infected computers, do we need to replace or somehow disinfect our two iPads, iPhone, AT&T network modem or HP printer? (I do not recall if the printer was turned on during the scamming operation, but is has been used since that time. The printer has web capability, but it has never been used; we use the printer only for copying, printing and occasional scanning.)
Thank you for your outstanding assistance to Apple owners in distress!
1 & 3: Anything like this is possible once someone malicious has had access to your computer.
2: When the computer is shut down, nobody can access it remotely.
4: Only the device they were given remote access to would be a problem.
Hi,
I gave them access to my computer so that they were controlling it. After that I realized what I did and did not give them anything else and did not give them my card number when they don’t me that they could fix the problem. Right when I got off the phone I deleted many things on my computer that were new, canceled my credit card number even though I did not give it to them and then went right to the apple store. They told me that I need to turn off my wifi and purchase a hard drive to download everything on my computer onto. Then restore my whole computer and re download everything back on. I will be doing that tomorrow. After I complete this with the apple store, is there anything I need to worry about? I am worried that something will happen to me that I am unaware of. Is there anything at all that I should be worried about? Thank you for your help.
Thank you. Truly. Thank you!!! Even I fixed the problem followin your instructions!
THANK YOU! ! !
If you call the number and give them your name but then hang up after you realize the scam is there still a possibility of them getting access?
No. You would have to take deliberate action to give them access, they cannot gain it just from talking to them on the phone.
Hi….I stupidly downloaded software a couple of days ago that got a hacker into my mac that made safari pop ups. I called then number but knew that it was a hacker so I hung up. My question is whether my computer is in need of a full wipe and restore because of having put my password in for the software download (I have since changed the computer and other passwords) or if I do not need to restore the whole thing but look for specific installs that I can erase instead. The hacker did not get control of my computer, unless the password via the original install counts. Please advise. If I do not have to do a total wipe and reinstall that would be amazing. Thank yo….
It sounds like you just installed adware. See my Adware Removal Guide for help dealing with that.
Wonderful! Thank you Thomas. You are amazing. I will definitely be making a donation. Truly touched that you are doing this work for all of us!
So just to clarify, I ran AdwareMedic and it found a few files which I completely deleted. The second run through nothing came up. I have not had any pop ups at all on Safari. My question is whether it is possible that they could have gotten deeper (no remote access given only original password for installation, which has now been changed)…I also use a VPN so am I most likely safe to continue to use my computer as I did before including online banking etc? Is there something else I can do to double check?
Again, endless thanks for everything. You are a rockstar!!
No need to do full restore, you can remove that particular program and reset saferi.
Not true. If scammers have been given remote access, you don’t know what else they might have done while they had remote access. Deleting the program you installed to give them remote access does not guarantee you a clean system.
That is right User don’t know what programms Scammers installed while they have remote access but user know what programms they have before giveing remote.
So need to be care full if you are allowing any one for computer online.
I have more than 8 years exp and for Windows and Mac so you can ask any question any time.
I have my email through my local cable company and I got a pop up on my macbook saying that someone was accessing my email. Is this a scam?
I try typing Adwaremedic on my ipad, but the message” suspicious activity might have been detected major security issue ” which prevents me from finishing typing anything, how can I proceed if this keeps occurring
Thanks
AdwareMedic won’t help. That’s a tech support scam, as described in the article above. To get rid of the pop-up on an iPad, follow the instructions to clear information from your device, at the end of the page, here:
https://support.apple.com/en-us/HT201265
Hi Thomas,
I called the number and entered my password on the screen, which gave them access to my iMac.
I have one question– does this mean he was able to copy all of the documents saved on my computer? I don’t mind deleting the hard drive, but it was a lot of sensitive information– just wondering if they could have made copies of these docs or my stored passwords?
Thanks
Anything is possible. If you had documents on the hard drive containing things like passwords or financial information, and those documents were not encrypted, they may have been compromised. You’d be wise to change all passwords, and if financial information (such as social security numbers, credit card numbers or bank account numbers) was involved, you may wish to enroll in some kind of credit monitoring service.
Hi, Did anyone get the ‘http://google.com.au WARNING!! Your Flash Player may be out of date please update to continue’ adware popup? I’ve followed all instructions and managed to remove it from Firefox and Chrome but can’t get rid of it on Safari. Main reason being that I can’t get into preferences to remove all history.
Ok, I was scared to click the OK button but I did and then I could clear ‘all history’ and popup seems to be gone…
I did click on the OK button on the original message,that brings up another popup with their phone number. That doesn’t give them acesss to your computter, does it.
Hi,
I stupidly called the number in a panic. He told me to go onto ‘terminal’ and type in ‘close [http://]ncwebhelp.net’ and push enter to access their web help team. I did but safari blocked the page, much to the man’s annoyance. He asked me to check my downloads to see if something called ‘teamviva’ was being downloadded. I told him it wasn’t and he got more furstrated. At this point I realised it was a scam. He passed the phone to someone elses and they started with the scare tatics and quoting me the cost of them installing internet protection on my computer. I hung up.
Do I still need to erase my hard drive?
Thanks
[Edited – added brackets to prevent URL from becoming a link.]
That command shouldn’t actually do anything at all… it should just result in an error. Also, that particular website appears not to exist. Are you certain that’s the correct command? You can scroll back through the history of commands entered in the Terminal by pressing the up arrow in the Terminal.
I was looking at celebrity photos when this scam popped up. Once this pop up came up I immediately knew that it was a scam and I did NOT call the number. However I did slightly panic because every time I quit safari, it would pop right back up and I stupidly clicked the “OK” button, thinking that it would make it go away. Its all gone now but are you totally positive that my laptop is still safe even though I clicked OK, like twice?? I have since deleted my saved passwords and browsing history just incase. Please put my mind at ease! 🙂 I know you already answered this question, but I just need more reassurance that by pressing OK, i didn’t cause any danger to my laptop.
This happened to me today- came on my safari on my iPad Air. I called the number and followed their requests by downloading the programming and giving my name and birthday. Also let them control my computer. They kept asking me to connect my iPad to the computer and it obviously already was so I thought something wasn’t quite right as Apple technicians usually know what they are doing. I realised it was a scam and hung up and uninstalled the program, am I still at risk? Kinda worried now
The only thing I’ve done on this computer is possibly shop online a few months ago.. No documents with password on it
this happened to my daughter today. she called the number and allowed remote access for 20 minutes. she called me for my credit card info and I immediately asked her what the phone number was that she called. I inputted the phone number into my browser here at work and this website popped up as an option. after reading the opening info at the top of this page, I asked her to force shut down her computer immediately and hang up with the person who was remotely accessing her laptop. we then initiated customer support through the apple care plan we had purchased last year (its good through 2017) and they systematically erased whatever was downloaded. They are now erasing, reinstalling and selectively restoring documents…she also needs to go to our ISP and change out the modem for another one so our IP address is different. so innocent, gullible, and naïve…she is 18,m but sounds like a little girl on the other end of the line as I spoke with her today. this decision to call the malicious criminal was made without my knowledge…and if she had her own card information who knows if she ever would have told me. I changed passwords to all my email and other accounts…it is so much work to deal with this now!
There’s really no need to change your IP address or your modem because of this issue.
Even if it was important to change your IP address, be aware that replacing your modem may not affect your IP address in any way, and is not necessary to change your IP address. (Changing your IP address may simply require restarting your modem, or it may require intervention on the part of your ISP, depending on your service plan.)
I am using chrome on my iphone6. The pop up I have says:
ios-mobile-alert.com Warning! Virus detected on your Apple iPhone. Press ‘OK’ to scan
Then there is the ok button and no other option. I have not pressed it, but cannot do anything else with chrome to get out of it.
How do I get out of this? ie shut this page down and move on?
Thank you
Follow the instructions to clear information from your device, at the end of the page, here:
https://support.apple.com/en-us/HT201265
Hello Thomas,
Thanks you, but that seems to be for safari, unless I missed. The pop up issue I am having is with a chrome browser window on my iphone.
I don’t know anything about how to prevent Chrome on an iPhone from continuing to try to load the last page opened.
ok thank you.
Hi Thomas,
Having same problem but can’t find the folders you’ve said to remove. Is it possible they’re not on my laptop?
Also I did follow pop up instructions to update flash player. Could this have caused problem? Is my computer compromised from that update? Thanks SO much for your help.
Hilary
You may be using an older version of Mac OS X that does not have those things. Do not delete any other files or folders besides the ones mentioned.
The Flash update is suspicious… if you were prompted by a website that your Flash needed to be updated, that was probably a fake. If you downloaded it from that site and installed it, you probably installed adware, and that may be causing your problem. See my Adware Removal Guide for help with that.
Thank you so much, it worked!!!
My Solution for Chrome…
Since I did not click on the ‘OK” button on the pop up. I just uninstalled Chrome, turned off my phone, turned it back on and re-installed.
I made sure not to sync tabs when setting up just in case.
Worked great.
Thomas, this article and your responses to questions here were SO HELPFUL at solving a adware problem I was having, THANK YOU, SO MUCH!!!!!!
Thomas, thanks so much for your help with this. My sister and brother-in-law got taken in by this, and I have reset their Safari, instructed them to reset their passwords from my computer, and our wifi is off. I have recommended that they wipe the computer, but they have never backed it up and have lots of photos, documents, and iTunes music on it. Can we do a TimeMachine backup and then selectively restore? I’m just concerned that saving anything from the machine now will result in also saving any trojan horse installed. Awesome website, such great information!
Time Machine is not ideal for this purpose, because you won’t want to use Migration Assistant or any other automated tool to restore data from the backup. See the instructions here:
http://www.thesafemac.com/how-to-reinstall-mac-os-x-from-scratch/