Apparent keylogger gained access

Would appreciate some help from the community here. I’ve apparently had some form of keylogging software added to my machine (well, I have a couple, so trying to work out which one could be fun) and do not have great technical knowledge in how to identify.


I wouldn’t normally trust this, but said hacker has shared one of my legitimate passwords that I have used (and no, I do not share this with anyone), making this seem like a valid breach.


Appreciate any help folks here could offer. I’ll share ETRE reports and process lists from my main two machines in question. Anything that stands out, please kindly let me know.


Many thanks.


iMac 27" 5K, macOS 10.15

Posted on Apr 13, 2020 6:52 AM

10 replies

Apr 13, 2020 7:05 AM in response to babychaos

What makes you think you have a key logger? The only way that could have been installed is if someone had physical access to your Mac. I don't see any sign of a key logger. Where are your key loggers and why do you have them?


They could have gotten the password from an insecure site. Change your password.


Uninstall McAfee and Cisco Video Guard. No Anti-Virus software or so-called “cleaning” apps are needed or recommended for Mac OS. They can conflict with Mac's own built-in security. At best they will slow your Mac by using unnecessary resources and at worst will bork your entire system. Your Mac has all the built-in protection you need.

https://www.apple.com/macos/security/

Apr 13, 2020 7:49 AM in response to babychaos

Did this email happen to say you were caught doing naughty things and demanding a large Bitcoin ransom to keep them from releasing the video? If so, it's nothing but a scam. They have nothing.


What makes these scams seem more real is they're using the billions of user information stolen from the many data breaches you've read about. That usually gives them an email address and a password associated with it, but not the web site it's for (or they'd go into that account immediately).


If the password happens to be correct for a site you're still using, change that one right away as a precaution.

Apr 13, 2020 8:18 AM in response to babychaos

Given the lack of any severe malware on your Macs, I would think all you need to do is what you already have been doing: changing a few passwords.


Otherwise, an email is just an email and almost never proof of anything. They're about as believable as the sheriff calling to say you missed jury duty, and unless you make a very non-professional type of payment over the phone RIGHT NOW, you'll be arrested.

Apr 13, 2020 7:39 AM in response to Barney-15E

Thanks - I've really struggled to remove all remains of McAfee - I've removed and uninstalled everything I can - the locations of the files referenced in the report are not visible to me for some reason.


I may remove Citrix and GoToMeeting - Citrix I used to use for work, but we now have other software. The other I think was a one off.


As for passwords, most of mine are unique and randomly generated via 1Password.

Apr 13, 2020 8:06 AM in response to Kurt Lang

I was mostly confident that this would be a scam, and applied usual caution of clearly not clicking on any links - no attachments were present.


It was the reference of a valid password that put doubt in my mind that I just had to be sure of. Am pretty happy with my password protection setup, and only a couple of sites would now have this one in place. One ironically happened to be my Apple ID login! Has already been swiftly changed.
