10 Replies Latest reply: Sep 14, 2013 4:39 PM by Linc Davis
LeVeL5 Level 1 (20 points)

Today, my friends warned me that they had received an email from my GMail account with a phishing link. When I logged on to GMail, I noticed my contacts were gone, and when I checked the Console I noticed messages like these:

9/13/13 9:30:57.042 p.m.System Preferences[5649]anitphising result 0: 66, result length: 265
9/13/13 9:30:57.043 p.m.System Preferences[5649]Init with Bank of America

*****

disabled

disabled

9/13/13 9:30:57.043 p.m.System Preferences[5649]biz= Bank of America user=***** entry=*****
9/13/13 9:30:57.043 p.m.System Preferences[5649]biz= Bank of America has many users

The thing that's raising red flags is that "antiphishing" is misspelled.

How can I verify if I'm really being phished? I've been using Rapport for months and I thought it protected me from those kinds of attacks.

  • 1. Re: Am I being phished?
    greg sahli Level 7 (23,760 points)

    I don't think phishing applies to what has happened to you, but I think hacking or hijacking your gmail account might be an appropriate term.

    You should change your gmail password to something unhackable/uncrackable immediately.

    If that doesn't stop the emails to your friends, close this email account and start a new one.

  • 2. Re: Am I being phished?
    LeVeL5 Level 1 (20 points)

    Thanks Greg. That's the first thing I did, which really surprised me, as I still had access to my GMail. I also turned on 2-factor.

    Do you have any thoughts about the console message?

  • 3. Re: Am I being phished?
    greg sahli Level 7 (23,760 points)

    Are those messages from Rapport?

    Have you gone to any "linked" sites that claim to be B of A?

    ( don't use any links to go to important financial sites - type in the site address instead.)

  • 4. Re: Am I being phished?
    Linc Davis Level 10 (118,005 points)

    You retyped those log messages. Please copy and paste them without retyping.

  • 5. Re: Am I being phished?
    LeVeL5 Level 1 (20 points)

    I copied and pasted the console messages. I just asterisked what is personal information. If you mean the weird, inconsistent table formatting, blame Apple: it did that automatically after I copied the text.

  • 6. Re: Am I being phished?
    LeVeL5 Level 1 (20 points)

    This is the complete anitphising block. All messages happened in less than 1 second.

    9/13/13 9:30:57.036 p.m.System Preferences[5649]anitphising result 0: 66, result length: 361
    9/13/13 9:30:57.037 p.m.System Preferences[5649]Init with Banesco

    *****

    disabled

    disabled

    9/13/13 9:30:57.037 p.m.System Preferences[5649]biz= Banesco user=***** #1 entry=*****
    9/13/13 9:30:57.038 p.m.System Preferences[5649]anitphising result 0: 101, result length: 223
    9/13/13 9:30:57.038 p.m.System Preferences[5649]Init with eBay

    *****

    *****

    disabled

    disabled

    9/13/13 9:30:57.039 p.m.System Preferences[5649]biz= eBay user=***** entry=*****
    9/13/13 9:30:57.039 p.m.System Preferences[5649]anitphising result 0: 80, result length: 241
    9/13/13 9:30:57.040 p.m.System Preferences[5649]Init with PayPal

    *****

    *****

    disabled

    disabled

    9/13/13 9:30:57.040 p.m.System Preferences[5649]biz= PayPal user=***** entry=*****
    9/13/13 9:30:57.041 p.m.System Preferences[5649]anitphising result 0: 66, result length: 252
    9/13/13 9:30:57.041 p.m.System Preferences[5649]Init with Bank of America

    *****

    *****

    disabled

    disabled

    9/13/13 9:30:57.042 p.m.System Preferences[5649]biz= Bank of America user=***** entry=*****
    9/13/13 9:30:57.042 p.m.System Preferences[5649]anitphising result 0: 66, result length: 265
    9/13/13 9:30:57.043 p.m.System Preferences[5649]Init with Bank of America

    *****

    *****

    disabled

    disabled

    9/13/13 9:30:57.043 p.m.System Preferences[5649]biz= Bank of America user***** entry=*****
    9/13/13 9:30:57.043 p.m.System Preferences[5649]biz= Bank of America has many users
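    As an added example (not part of this thread or of any product mentioned in it), a small Python parser for Console lines in the format quoted above. All names in it are assumed. It groups one process's lines, lists the "Init with" businesses, measures how tightly clustered the block is in time, and flags any user= field that is still unmasked before the text is posted. The sample lines are constructed in the same format, with one deliberately unmasked entry to exercise that check.

```python
import re

# Constructed sample in the same format as the Console lines quoted in the
# thread: date, time, a.m./p.m., process name, [pid], message. One line is
# deliberately left unmasked to exercise the privacy check.
SAMPLE_LOG = """\
9/13/13 9:30:57.036 p.m.System Preferences[5649]anitphising result 0: 66, result length: 361
9/13/13 9:30:57.037 p.m.System Preferences[5649]Init with Banesco
9/13/13 9:30:57.037 p.m.System Preferences[5649]biz= Banesco user=***** #1 entry=*****
9/13/13 9:30:57.038 p.m.System Preferences[5649]anitphising result 0: 101, result length: 223
9/13/13 9:30:57.038 p.m.System Preferences[5649]Init with eBay
9/13/13 9:30:57.039 p.m.System Preferences[5649]biz= eBay user=jdoe@example.com entry=*****
9/13/13 9:30:57.043 p.m.System Preferences[5649]Init with Bank of America
9/13/13 9:30:57.043 p.m.System Preferences[5649]biz= Bank of America has many users
9/13/13 9:31:02.100 p.m.kernel[0]unrelated message from another process
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2,4}) (?P<time>\d{1,2}:\d{2}:\d{2}\.\d+) "
    r"(?P<ampm>[ap]\.m\.)(?P<proc>.+?)\[(?P<pid>\d+)\](?P<msg>.*)$"
)

def parse_line(line):
    """Split one Console line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def to_ms(t):
    """Convert 'H:MM:SS.mmm' to milliseconds since midnight (a.m./p.m. ignored)."""
    hms, frac = t.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1000 + int(frac.ljust(3, "0")[:3])

def summarize(text, process="System Preferences"):
    """Group one process's lines: businesses named by 'Init with', emitting PIDs,
    time span of the block, and any user= field still carrying unmasked data."""
    entries = [e for e in map(parse_line, text.splitlines()) if e and e["proc"] == process]
    times = [to_ms(e["time"]) for e in entries]
    return {
        "count": len(entries),
        "pids": sorted({e["pid"] for e in entries}),
        "businesses": [e["msg"][len("Init with "):] for e in entries if e["msg"].startswith("Init with ")],
        "span_ms": (max(times) - min(times)) if times else 0,
        "unmasked": [e["msg"] for e in entries if re.search(r"user=(?!\*)\S", e["msg"])],
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```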
  • 7. Re: Am I being phished?
    LeVeL5 Level 1 (20 points)

    No Greg. I haven't received a phishing email and I haven't followed any links claiming to be BOFA.

    The messages are logged as "System Preferences", but I don't know if it's a phishing process trying to disguise itself...

  • 8. Re: Am I being phished?
    Linc Davis Level 10 (118,005 points)

    Please post a screenshot of the whole Console window that shows those messages, and also which log is selected. Be careful not to include any private information.

    Start a reply to this message. Click the camera icon in the toolbar of the editing window and select the image file to upload it. You can also include text in the reply.

  • 9. Re: Am I being phished?
    LeVeL5 Level 1 (20 points)

    As requested. The log selected is All Messages.

    Screen Shot.png

  • 10. Re: Am I being phished?
    Linc Davis Level 10 (118,005 points)

    Please read this whole message before doing anything.

    I've tested these instructions only with the Safari web browser. If you use another browser, they may not work as described.

    This procedure is a diagnostic test. It won’t solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.

    Third-party system modifications are a common cause of usability problems. By a “system modification,” I mean software that affects the operation of other software — potentially for the worse. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.

    These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.

    Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.

    Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then copy it. The headings “Step 1” and so on are not part of the commands.

    Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.

    Launch the Terminal application in any of the following ways:

    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.

    When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.

    Step 1

    Triple-click the line of text below on this page to select it:
    kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}' | open -ef

    Copy the selected text to the Clipboard by pressing the key combination command-C. Then click anywhere in the Terminal window and paste (command-V). A TextEdit window will open with the output of the command. If the command produced no output, the window will be empty. Post the contents of the TextEdit window (not the Terminal window), if any — the text, please, not a screenshot. You can then close the TextEdit window. The title of the window doesn't matter, and you don't need to post that. No typing is involved in this step.

    Step 2

    Repeat with this line:
    { sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix\.cron)|org\.(amav|apac|cups|isc|ntp|postf|x)/{print $3}'; echo; sudo defaults read com.apple.loginwindow LoginHook; echo; sudo crontab -l; } 2> /dev/null | open -ef

    This time you'll be prompted for your login password, which you do have to type. Nothing will be displayed when you type it. Type it carefully and then press return. You may get a one-time warning to be careful. Heed that warning, but don't post it. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.

    Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.

    Step 3
    { launchctl list | sed 1d | awk '!/0x|com\.apple|org\.(x|openbsd)/{print $3}'; echo; crontab -l 2> /dev/null; } | open -ef

    Step 4
    ls -A /e*/{cr,la,mach}* {,/}Lib*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts .la* 2> /dev/null | open -ef

    Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.

    Step 5
    osascript -e 'tell application "System Events" to get name of login items' | open -ef

    Remember, steps 1-5 are all copy-and-paste — no typing, except your password. Also remember to post the output.

    You can then quit Terminal.
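    As an added example (not part of Linc Davis's post and not any project's code), a Python version of the unprivileged checks in Steps 1 and 3: it applies the same kextstat and launchctl filters to saved command output, so output pasted in a thread can be reviewed offline, and on a Mac it can run the two read-only commands itself. All function names are assumed, and the sample output is constructed.

```python
import re
import shutil
import subprocess

# Skip pattern taken from the Step 3 awk: anonymous (0x...) jobs, Apple's own
# jobs and the X11/OpenBSD system jobs are dropped so third-party ones remain.
LAUNCHD_SKIP = re.compile(r"0x|com\.apple|org\.(x|openbsd)")

# Constructed sample of `launchctl list` output: PID, last exit status, label.
SAMPLE_LAUNCHCTL = """\
PID\tStatus\tLabel
123\t0\tcom.apple.Finder
-\t0\tcom.apple.mdworker.shared
456\t0\tcom.example.agent
-\t1\tcom.example.updater
-\t0\t0x7fff5fbff5c0.anonymous.foo
"""

# Constructed sample of `kextstat -kl` output; fields 6 and 7 are bundle id and version.
SAMPLE_KEXTSTAT = """\
    1    0 0xffffff7f80742000 0x8000 0x8000 com.apple.kpi.bsd (13.0.0)
   45    0 0xffffff7f80e1e000 0x5000 0x5000 com.example.kext (1.2)
"""

def third_party_launchd(text):
    """Return (label, pid, last_status) for jobs not matched by the skip pattern."""
    jobs = []
    for line in text.splitlines()[1:]:          # drop the header line (sed 1d)
        parts = line.split()
        if len(parts) < 3 or LAUNCHD_SKIP.search(line):
            continue
        jobs.append((parts[2], parts[0], parts[1]))
    return jobs

def third_party_kexts(text):
    """Return (bundle_id, version) for loaded kexts whose id is not under com.apple."""
    kexts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 7 and not parts[5].startswith("com.apple"):
            kexts.append((parts[5], parts[6].strip("()")))
    return kexts

def collect_live():
    """On a Mac, run the two read-only commands and filter them; elsewhere return None."""
    if not (shutil.which("launchctl") and shutil.which("kextstat")):
        return None
    lc = subprocess.run(["launchctl", "list"], capture_output=True, text=True).stdout
    ks = subprocess.run(["kextstat", "-kl"], capture_output=True, text=True).stdout
    return third_party_launchd(lc), third_party_kexts(ks)
```

A non-zero last status next to a third-party label means that job's last run failed, which is worth noting alongside the label when posting the results.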