Recovery steps after a remote access scam (new iMac computer)

Short version:


Family member was scammed by someone who had remote access to their new iMac for a period of time (approximately 15 minutes). Looking to ensure I provide all the necessary steps to recover following the access.


Long version:


Disclaimer - I'm a PC person, not a strong Mac user, but I have a decent tech understanding.


Family member was in the process of setting up their new iMac, having trouble setting up a cabled printer. They Googled for a solution, landed on a website which they thought was HP, proceeded to start a chat, were offered a call and remote support, and took it. The call didn't resolve the printer issues, but instead, the scammer proceeded to demonstrate how 'unprotected' their computer was, and how it was being accessed by multiple IPs, and similar nonsense; which they could fix for $199. No money or credit card information was exchanged, only a phone number from what I can tell.


From what I can piece together, remote support was initially attempted using "Log Me In Rescue" and then "Alpemix". Alpemix was the program which was ultimately used. I can't completely understand why, but the family member's iPhone was needed at some point, possibly to install the software or complete two-factor authorization.


I was able to remote access in using TeamViewer soon after the event. With the Mac being so new, I used timestamps as well as "recently accessed" to try to piece together what might have been done.


Within the browser history, I was able to find the website accessed - which upon review by me - was a complete sham. Inconsistencies in company purpose, contact info, and poor grammar throughout. But an HP logo on one of the pages to give the appearance of a genuine website. I can't recall the rest of the browser history, but I believe some web page was accessed to reveal the computer's IP address (not completely sure).


Within the files, specifically Downloads, there was evidence of the remote access programs. I deleted all. There was no evidence of any newly installed programs on the iMac. So my suspicion is the programs were one-time runs or deleted after use. Or my family member deleted them already.


There were three recently accessed applications on the control bar at the bottom of the screen: Terminal, Text Edit, and Activity Monitor.


I accessed Terminal first and pulled up a history, both through the "history" command and a command to pull the history log file. Three items within:

  • top
  • ping 4.2.2.2
  • netstat

All of the commands appear benign, and I think they were part of the demonstration by the scammer to show a compromised PC. I do realize that the Terminal history could have been deleted and other commands run prior to that time.


No files were present in Text Edit, but I did find and recover a deleted "untitled.rtf" file from iCloud, created/deleted around the time of the remote access. It contained one line:

  • Setup (FREE)interPrinter

Similar to the above, nothing that necessarily concerned me, but my family member could not explain what was being done with Text Edit. I also realize that this content may have been the last saved content in the file, and something else might have been within the file prior to being saved.


I went through all files and settings multiple times. The only one of concern was that the remote access program used (Alpemix) had the necessary remote access and screen capture enabled, which I proceeded to disable.


The only other anomaly I could not understand was the presence of a generically-named PC in the "Network". I could not match this up with any device which we would have known to have access to the local network. It persisted after I turned wifi off (left ethernet cable in) on the Mac. I accessed the router itself to see 1 hard-wired and 14 wifi clients, none of which possessed the same name.


The best-case situation is that the scammer tried to demonstrate a compromised computer, family member didn't bite, and they ended the call.


Worst-case is that the scammer accessed some personal information while remotely connected and/or installed/did something which could transmit personal information in the future (keylogger, spyware).


Looking for recommendations of steps to take. The following are what I am going to propose:

  • Disconnect new iMac from the network and power down completely.
  • Revert to using older PC for the time being.
  • Change the router password immediately from the older PC.
  • Change all other passwords from the older PC, including Apple/iCloud.
  • Factory reset the new iMac while still disconnected from the network.
  • Proceed to set iMac back up as done previously.


Looking to hear what steps I might be missing, or which may not be necessary.


Thanks!

iMac (M4)

Posted on Dec 3, 2024 5:00 AM

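As an added example, not part of the thread and not anything the posters ran: a read-only POSIX shell triage script that automates the checks the original post did by hand (launch agents and daemons, leftovers of the remote-support tools named above, recently modified user files, shell histories). Every function takes a root path, so the same code can be run against the affected Mac (root `/`, as an admin), a mounted copy of its disk, or a constructed directory tree; the directory names are the standard macOS ones, and the tool-name patterns are the three products named in the thread (Alpemix, LogMeIn, TeamViewer), so the TeamViewer the OP installed for their own remote session will show up as well. It bounds what a short session touched before the machine is wiped; it does not replace the erase-and-reinstall the replies recommend.

```shell
#!/bin/sh
# Read-only post-incident triage for a Mac that had a remote-support tool on it.
# Added example (not from the thread). It only lists files; it changes nothing.
# Every function takes ROOT so the same code works on the live system ("/"),
# a mounted disk image, or a constructed test tree.

# list_persistence ROOT: every .plist in the standard macOS launch-at-login /
# launch-at-boot directories, one path per line. Anything a remote tool leaves
# behind to survive a reboot normally lands here.
list_persistence() {
    root="${1%/}"
    for d in "$root"/Library/LaunchAgents "$root"/Library/LaunchDaemons \
             "$root"/Library/StartupItems "$root"/Users/*/Library/LaunchAgents; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -type f -name '*.plist' 2>/dev/null
    done | sort
}

# remote_tool_artifacts ROOT: installers, app bundles or leftovers whose name
# matches one of the remote-support products named in the thread, searched in
# the places a download or drag-install lands.
remote_tool_artifacts() {
    root="${1%/}"
    for d in "$root"/Applications "$root"/Users/*/Applications \
             "$root"/Users/*/Downloads "$root"/Users/*/Desktop; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 2 \( -iname '*alpemix*' -o -iname '*logmein*' \
                                 -o -iname '*teamviewer*' \) 2>/dev/null
    done | sort -u
}

# shell_histories ROOT: dump every user's zsh/bash history so the commands run
# during the session can be reviewed (macOS defaults to zsh; ~/.zsh_history is
# its history file, ~/.zsh_sessions/ holds per-Terminal-window copies).
shell_histories() {
    root="${1%/}"
    for f in "$root"/Users/*/.zsh_history "$root"/Users/*/.bash_history \
             "$root"/Users/*/.zsh_sessions/*.history; do
        [ -f "$f" ] || continue
        printf '== %s ==\n' "$f"
        cat "$f"
    done
}

# recent_files ROOT MINUTES: files modified within the last MINUTES in user
# folders and temp directories; the quickest way to bound what a short
# remote session touched.
recent_files() {
    root="${1%/}"; minutes="$2"
    for d in "$root"/Users/*/Downloads "$root"/Users/*/Desktop \
             "$root"/Users/*/Documents "$root"/private/tmp "$root"/tmp; do
        [ -d "$d" ] || continue
        find "$d" -type f -mmin "-$minutes" 2>/dev/null
    done | sort -u
}

# triage_report ROOT [MINUTES]: run all four checks under headings
# (MINUTES defaults to 1440, i.e. the last 24 hours).
triage_report() {
    root="$1"; minutes="${2:-1440}"
    printf '### Launch agents / daemons\n';        list_persistence "$root"
    printf '### Remote-support tool artifacts\n';  remote_tool_artifacts "$root"
    printf '### Files modified in the last %s minutes\n' "$minutes"
    recent_files "$root" "$minutes"
    printf '### Shell histories\n';                shell_histories "$root"
}

# Invoked as a script, e.g.  sudo sh triage.sh / 1440   (read-only).
if [ "$#" -gt 0 ]; then
    triage_report "$1" "${2:-1440}"
fi
```

Run it before the erase so the output can be saved off the machine; a launch agent or a leftover installer in the listing is the kind of "installed at a lower level" evidence the replies are worried about, and an empty listing only means nothing was found in the usual places, not that nothing happened.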
Question marked as Top-ranking reply

Posted on Dec 3, 2024 7:06 AM

varjak paw wrote:

I would strongly recommend all of the steps you proposed, making sure that you erase the drive when you go to reinstall macOS. And definitely changing the passwords to any Apple Account used on that system as well as passwords to any financial or other sensitive accounts and email accounts, just as a precaution. It may not be necessary, but it's the only way you can be reasonably certain that you've done what you can. Then the family member needs to closely monitor his/her accounts for any suspicious transactions.


+1


To the OP, see: If you think your Apple Account has been compromised - Apple Support


and just in case: USA.gov – Identity theft, which has contact information for the three major credit reporting agencies, if you and your family member think it wise to put fraud alerts and a credit freeze on their accounts.

8 replies

Dec 3, 2024 6:14 AM in response to mooch91

I would strongly recommend all of the steps you proposed, making sure that you erase the drive when you go to reinstall macOS. And definitely changing the passwords to any Apple Account used on that system as well as passwords to any financial or other sensitive accounts and email accounts, just as a precaution. It may not be necessary, but it's the only way you can be reasonably certain that you've done what you can. Then the family member needs to closely monitor his/her accounts for any suspicious transactions.


Also, if they have a cellphone, it might be wise for them to contact their cell provider and if possible put a lock on their number so someone can't contact that provider and do a SIM swap. He/she might also want to contact their bank's security department and alert them to the potential for account scams and get the institution's advice. There's no way of knowing for certain what personal information the scammers might have obtained.


Regards.

Dec 3, 2024 9:37 AM in response to varjak paw

varjak paw wrote:

I would strongly recommend all of the steps you proposed, making sure that you erase the drive when you go to reinstall macOS. And definitely changing the passwords to any Apple Account used on that system as well as passwords to any financial or other sensitive accounts and email accounts, just as a precaution. It may not be necessary, but it's the only way you can be reasonably certain that you've done what you can. Then the family member needs to closely monitor his/her accounts for any suspicious transactions.

Also, if they have a cellphone, it might be wise for them to contact their cell provider and if possible put a lock on their number so someone can't contact that provider and do a SIM swap. He/she might also want to contact their bank's security department and alert them to the potential for account scams and get the institution's advice. There's no way of knowing for certain what personal information the scammers might have obtained.

Regards.

Thanks for your response. I feel pretty comfortable about the measures to recover the computer. I'm less comfortable about the local network - I guess I understand networking even less and am not quite sure what a hacker could do to the router that might need to be addressed.

Dec 3, 2024 3:31 PM in response to mooch91

mooch91 wrote:


varjak paw wrote:

I would strongly recommend all of the steps you proposed, making sure that you erase the drive when you go to reinstall macOS.

Thanks. Follow-up question: Is there a difference between what you suggested and using the "Erase all content and settings" option in Settings?


Yes, there is. Using "Erase all content and settings" leaves macOS largely intact. Since you have no way of knowing with certainty that nothing might have been installed at a lower level - unlikely but not impossible - erasing the drive and starting from scratch is the only way you can be reasonably sure that any potential malware or other invasion would be eliminated.


Regards.

Dec 3, 2024 7:10 PM in response to varjak paw

varjak paw wrote:


mooch91 wrote:


varjak paw wrote:

I would strongly recommend all of the steps you proposed, making sure that you erase the drive when you go to reinstall macOS.

Thanks. Follow-up question: Is there a difference between what you suggested and using the "Erase all content and settings" option in Settings?

Yes, there is. Using "Erase all content and settings" leaves macOS largely intact. Since you have no way of knowing with certainty that nothing might have been installed at a lower level - unlikely but not impossible - erasing the drive and starting from scratch is the only way you can be reasonably sure that any potential malware or other invasion would be eliminated.

Regards.

Thanks. Having trouble finding instructions for how to accomplish this. Any additional help would be appreciated.
