landyandy

Q: Re-Install or attempt surgery?

Hi

My Dad got scammed yesterday. He fell short of actually handing over money, but he let someone access and do whatever to his iMac. He's not local, so as he's down for Xmas he's bringing it to me for a look.

I did set up Time Machine from scratch so should have something to fall back to, just not sure how up to date it is. He's analogue in a digital age so does not do much on it, so not many files get created or changed.
I have never done any recovery or fiddling with a Mac, so under these circumstances, where I have no idea what's been installed/changed, what would you do?

My thoughts are to install from scratch and recover from Time Machine.

Can I plug the Time Machine drive into my Mac to see what's the latest backup?

Regards

Andy

iMac

Posted on Dec 22, 2015 4:21 AM

    OGELTHORPE, Level 9 (52,374 points), Mac OS X
    Dec 22, 2015 7:46 AM in response to landyandy

    Letting someone have access to your Mac leaves you in an unknown and precarious position.

    If you have a Time Machine backup PRIOR to the date of allowing the scammer to access your Mac, run that and it will restore the Mac and eliminate any possible malware that the scammer may have installed.

    If not, you should erase the HDD, reinstall OS X and selectively install your personal data.

    In either case, change all passwords and if you bank online, contact your financial institution.

    Ciao.
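As an added example that is not part of either reply: a small POSIX shell helper for the first step OGELTHORPE describes, picking the newest Time Machine snapshot that predates the scam. It relies on the fact that Time Machine stores one folder per snapshot, named YYYY-MM-DD-HHMMSS, under Backups.backupdb/<MachineName>/ on the backup volume; the volume path, machine name, cutoff timestamp and the sample folder listing in the usage comment are placeholders I made up, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: choose the Time Machine snapshot to
# restore from. Time Machine stores one folder per snapshot, named
# YYYY-MM-DD-HHMMSS, under Backups.backupdb/<MachineName>/ on the backup
# volume (plus a "Latest" symlink and sometimes a ".inProgress" bundle).
# The volume path, machine name and cutoff time used below are placeholders.

# Print the newest snapshot taken strictly before $1 (a YYYY-MM-DD-HHMMSS
# cutoff, e.g. midnight of the day the scammer got in), reading snapshot
# folder names one per line on stdin. The names sort in date order as plain
# strings, so a string comparison is enough; entries that are not snapshot
# folders ("Latest", ".inProgress", stray files) are ignored.
latest_before() {
  cutoff=$1
  grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{6}$' \
    | awk -v c="$cutoff" '$0 < c' \
    | sort \
    | tail -n 1
}

# OGELTHORPE's decision rule: restore the last pre-scam snapshot if there is
# one, otherwise erase the disk and reinstall.
restore_plan() {
  snap=$(latest_before "$1")
  if [ -n "$snap" ]; then
    printf 'restore from snapshot %s\n' "$snap"
  else
    printf 'no pre-scam snapshot: erase the disk, reinstall OS X, copy data back selectively\n'
  fi
}

# Usage on the backup drive (path and machine name are placeholders):
#   ls /Volumes/TimeMachine/Backups.backupdb/Dads-iMac | restore_plan 2015-12-21-000000
```

Pick the cutoff conservatively (the start of the day the remote session happened, or earlier if the date is uncertain): a snapshot taken while the scammer was connected already contains whatever was installed.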

    MrHoffman, Level 6 (15,627 points), Mac OS X
    Dec 22, 2015 8:09 AM in response to landyandy

    As OGELTHORPE correctly states, nobody knows what gets installed or backdoored. That's the nature of these messes.

    The following is in addition to the (correct) suggestions to reinstall the box from a pre-breach backup, or reinstall from known-good distros, and to change all passwords for financial information, credit cards, all of the mail server logins, everything...

    It would not surprise me if some of these folks eventually start targeting backups (some already have), and some will encrypt the data and hold it hostage (ransomware is already becoming common).

    If this case is likely to arise again, then...

    ...Get your Dad over onto Parental Controls and lock down the Mac, or (minimally) remove any administrative access that your Dad has. Or migrate your Dad over to an iPad with a keyboard cover or other such — this depends on what your Dad is doing with the Mac, obviously.

    ...Implement a decent-grade external firewall for the network, and block any and all inbound remote access for anything involving the screen sharing ports. I'd also DNS- and/or firewall-block all access to the common screen-sharing-capable web services, including the WebEx, TeamViewer, and LogMeIn servers — I need to get a better list of these services that folks are using, but here's a start. Block inbound and outbound. If the firewall has a triggering capability or some sort of scripting, I'd look to lock down all access to the entire Internet for probably eight hours, if any of these sites are hit even once. (This stuff is far from a panacea, but it'll make things a little harder for the next bunch of scammers.)
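As an added example of the firewall and DNS blocking MrHoffman sketches (my code, not his configuration or any vendor's): it emits pf-style rules that drop the well-known screen-sharing ports in both directions, emits dnsmasq sinkhole entries for the three remote-control services he names, and scans a dnsmasq query log for a single hit to decide whether to apply his eight-hour full lockout. Assumptions: the port numbers are the documented defaults for each service (5900 VNC/Screen Sharing, 3283 Apple Remote Desktop, 5938 TeamViewer), the rule syntax is pf and dnsmasq, the eight-hour figure is taken from his post, and the sample log lines are constructed. A real firewall will need its own syntax, and sinkholing three domains is only a start, as he says.

```shell
#!/bin/sh
# Added example, not from the thread: firewall/DNS blocking of remote-control
# tools plus a "hit once, lock down for eight hours" trigger.
# Assumptions: the ports are the well-known defaults for each service
# (5900 VNC/Screen Sharing, 3283 Apple Remote Desktop, 5938 TeamViewer);
# the domain list is the three services named in the post; the rule syntax
# is pf (macOS/BSD) and dnsmasq, so adapt it to whatever firewall is in use.

SCREEN_SHARE_PORTS="5900 3283 5938"
BLOCKED_DOMAINS="teamviewer.com logmein.com webex.com"
LOCKOUT_SECONDS=28800   # eight hours, the figure given in the post

# pf rules: drop the screen-sharing ports in both directions, TCP and UDP.
pf_rules() {
  for p in $SCREEN_SHARE_PORTS; do
    printf 'block drop in quick proto { tcp udp } from any to any port %s\n' "$p"
    printf 'block drop out quick proto { tcp udp } from any to any port %s\n' "$p"
  done
}

# dnsmasq sinkhole: "address=/domain/0.0.0.0" also answers for every subdomain.
dns_sinkhole() {
  for d in $BLOCKED_DOMAINS; do
    printf 'address=/%s/0.0.0.0\n' "$d"
  done
}

# Read a dnsmasq query log (log-queries format) on stdin and print the first
# queried name that is a blocked domain or a subdomain of one; exit 1 if none.
# Constructed sample line:
#   Dec 22 09:01:03 dnsmasq[311]: query[A] download.teamviewer.com from 192.168.1.20
first_blocked_query() {
  while read -r line; do
    case "$line" in *"query["*) ;; *) continue ;; esac
    name=$(printf '%s\n' "$line" | sed -n 's/.*query\[[A-Z]*] \([^ ]*\) from .*/\1/p')
    [ -n "$name" ] || continue
    for d in $BLOCKED_DOMAINS; do
      case "$name" in "$d"|*".$d") printf '%s\n' "$name"; return 0 ;; esac
    done
  done
  return 1
}

# The trigger: if the log shows even one hit, emit the pf rule that cuts the
# whole LAN off, tagged with how long it should stay in place and why.
lockdown_if_hit() {
  hit=$(first_blocked_query) || return 1
  printf 'block drop all  # full lockout for %s seconds, triggered by %s\n' \
    "$LOCKOUT_SECONDS" "$hit"
}
```

Note that the DNS sinkhole only helps while the Mac uses the firewall's resolver; a scammer who walks the victim through changing DNS servers bypasses it, which is why the port blocks and the lockout trigger are there as well.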