16 Replies Latest reply: Jun 2, 2012 9:59 PM by kelbc2007
kelbc2007 Level 1 Level 1 (0 points)

I just discovered 15 email messages in my Sent mailbox that I didn't send. Each message is addressed to 3 different contacts from my Address Book, and each is a spammy 'make money online' type of message with a link. Each one is different but they were all sent on the same date (May 18). I have an iMac with Mac OS X Lion 10.7.4 (11E53), and am using a username@me.com email address with an iCloud mailbox that syncs to my iPhone 4S. There haven't been any more mystery messages since May 18th.

Does this sound like a worm or is it more likely that my me.com email account has been hacked?

Any advice on what I can do to prevent this from happening again?

I appreciate any advice/suggestions you can share.


iMac, Mac OS X (10.7.4)
  • BDAqua Level 10 Level 10 (119,355 points)

    Hello, tough to tell, they may even be spoofed, even the Date. In Mail view the long Headers, look for IPs, like Received: from & Received: by...

    Still, to be safe change your MobileMe password.
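The header walk described in the reply above, as an added example that is not part of the original thread (and not Apple's code): it reads the Received: lines bottom-up, skips the relay's own internal addresses, reports the first public client address (the one you would then look up with whois or a GeoIP service), notes whether the first hop was an HTTP/webmail submission, and compares the sender-controlled Date: header against the first relay's timestamp, since that header can be forged. The hostnames and addresses in the sample are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""Trace where a message entered the mail system from its Received: headers.

Added example for this thread; it is not code from the original posts or from
Apple. Every relay prepends its own Received: line, so the bottom-most line is
the first hop and the top-most the last. The hostnames and addresses below are
constructed placeholders (RFC 5737 documentation ranges), not real servers.
"""
import ipaddress
import re
from datetime import timedelta
from email import message_from_string
from email.message import Message
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample of a message submitted through a webmail front end.
# Paste the raw source of a message from your own Sent mailbox in its place.
SAMPLE_MESSAGE = """\
Received: from mta2.provider.example ([198.51.100.20])
    by mx.recipient.example with ESMTP; Fri, 18 May 2012 14:03:09 +0000
Received: from webmail.provider.example ([10.20.30.40])
    by mta2.provider.example with ESMTP; Fri, 18 May 2012 14:03:07 +0000
Received: from [192.0.2.77] by webmail.provider.example via HTTP;
    Fri, 18 May 2012 14:03:05 +0000
X-Originating-IP: [192.0.2.77]
From: owner@provider.example
To: a@example.org, b@example.org, c@example.org
Subject: make money online
Date: Fri, 18 May 2012 14:03:05 +0000

http://link.example/
"""

# Ranges a provider's own infrastructure uses; they never identify the sender.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_internal(ip_text: str) -> bool:
    """True for private/loopback addresses or strings that are not an address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(msg: Message) -> List[str]:
    """Received: values, unfolded onto one line each, ordered oldest hop first."""
    hops = [" ".join(value.split()) for value in msg.get_all("Received", [])]
    return list(reversed(hops))


def originating_ip(msg: Message) -> Optional[str]:
    """First non-internal address in the oldest hop, else X-Originating-IP."""
    for hop in received_hops(msg):
        for cand in IPV4_RE.findall(hop):
            if not is_internal(cand):
                return cand
    # Some webmail front ends record the browser's address here instead.
    match = IPV4_RE.search(msg.get("X-Originating-IP", ""))
    if match and not is_internal(match.group(1)):
        return match.group(1)
    return None


def submitted_via_webmail(msg: Message) -> bool:
    """True when the first hop records an HTTP submission (a webmail UI)."""
    hops = received_hops(msg)
    return bool(hops) and "http" in hops[0].lower()


def date_header_skew(msg: Message) -> Optional[timedelta]:
    """Gap between the sender-controlled Date: header and the first relay's clock.

    A large gap means the Date: was set by whoever submitted the message and
    cannot be trusted; the relay timestamps are the better record."""
    hops = received_hops(msg)
    if not hops or ";" not in hops[0] or not msg.get("Date"):
        return None
    try:
        relay_time = parsedate_to_datetime(hops[0].rsplit(";", 1)[1].strip())
        date_time = parsedate_to_datetime(msg["Date"])
    except (ValueError, TypeError):
        return None
    return abs(relay_time - date_time)


def analyze(raw: str) -> dict:
    """Run all checks on a raw RFC 5322 message and return a summary."""
    msg = message_from_string(raw)
    skew = date_header_skew(msg)
    return {
        "hops": received_hops(msg),
        "originating_ip": originating_ip(msg),
        "via_webmail": submitted_via_webmail(msg),
        "date_skew_seconds": None if skew is None else skew.total_seconds(),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run it on the raw source of each unexplained Sent message; an originating address that is not yours, or a first hop via HTTP when you never use webmail, points at the account being used from elsewhere rather than at a spoofed copy, which is exactly the distinction the reply above is asking the poster to make.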

  • kelbc2007 Level 1 Level 1 (0 points)

    The Headers indicate the messages were sent at Apple-Webmail (which I've never used) from an IP address located in the Netherlands.  Since I'm in Canada, I think it's safe to say I've been hacked.

    Thanks for pointing me in the right direction.

  • BDAqua Level 10 Level 10 (119,355 points)

    Good work, did you change your Password yet?

    Have you checked for Malware yet?

    ClamXAV, free Virus scanner...
    http://www.clamxav.com/

    Free Sophos...
    http://www.sophos.com/products/enterprise/endpoint/security-and-control/mac/

    Little Snitch, stops/alerts outgoing stuff...
    http://www.obdev.at/products/littlesnitch/index.html

  • kelbc2007 Level 1 Level 1 (0 points)

    I've downloaded ClamXAV and just finished scanning my hard drive. ClamXAV detected three infections:

    14650.partial.emlx - Heuristics.Phishing.Email.SpoofedDomain
    14587.emlx - HTML.Nimda
    14649.emlx - HTML.Nimda

    Engine version: 0.97.4
    Scanned directories: 97922
    Scanned files: 381234
    Infected files: 3
    Total errors: 347
    Data scanned: 25799.14 MB
    Data read: 32270.41 MB (ratio 0.80:1)
    Time: 2605.539 sec (43 m 25 s)

    I've quarantined the files and have also changed my MobileMe password (and chose one that is strong this time!).

    I hope I'm clean and clear now

    Thank you very much for all your help!

  • BDAqua Level 10 Level 10 (119,355 points)

    Great work, be sure to Rebuild Mail's index...

    https://discussions.apple.com/thread/3916707?start=0&tstart=0

  • kelbc2007 Level 1 Level 1 (0 points)

    I took a look at the infected files and all 3 were phishing schemes notifying me that my PayPal account was about to be closed. I didn't act on any of them and had deleted them as soon as I received them, so they must have been in my Trash. Would they somehow be related to the 15 messages I found in my Sent box that I didn't send, or is this an unrelated type of malware?

    Do you recommend that I download and run Sophos in addition to ClamXAV, or would that just be redundant?

    Thanks again!

  • kelbc2007 Level 1 Level 1 (0 points)

    Oh No! I shouldn't have let it quarantine the files. Hopefully I can figure out how to rebuild Mail's index.

  • BDAqua Level 10 Level 10 (119,355 points)

    To Rebuild just use Mail's Menu>Mailbox>Rebuild at the bottom.

    I don't think you need Sophos at all, & I do think that is where/why those 15 messages went out, haven't found out how it works yet but perhaps this could prevent it, not sure though...

    Little Snitch, stops/alerts outgoing stuff...
    http://www.obdev.at/products/littlesnitch/index.html

  • kelbc2007 Level 1 Level 1 (0 points)

    Well that couldn't have been any easier

    Thanks again! You are the best!

  • MadMacs0 Level 5 Level 5 (4,470 points)

    BDAqua wrote:

    I do think that is where/why those 15 messages went out, haven't found out how it works yet...

    Just curious on what your theory is on this?  There was a flurry of iCloud related hacks with identical MO's about a week ago, but they seem to have stopped. I am not understanding how those phishing attempts that were not acted on could have resulted in a hacked e-mail account.

    I've got Little Snitch and I'm fairly certain it would not have helped with something like this, although I do highly recommend it for other issues.

  • BDAqua Level 10 Level 10 (119,355 points)

    Great news, thanks!

  • BDAqua Level 10 Level 10 (119,355 points)

    Hi, I have a vague theory of how it might work, but with the small number of instances, I wonder if it wasn't a single attack, (or very few), somewhere else along the line first that got them into the WebMail site. It'd be interesting to find out the passwords that were broken to see if maybe it was just a dictionary attack possibly, or how many of these attacked people used Windows or MS SW, especially Outlook or Word, how many had unsuspected popups that Mail needed a password, & such things, what sites were being visited, (though they could change any of that fast enough).

    I hesitate to post plausible attack vectors/methods on a public site... don't want to give the bad guys any new ideas in case they hadn't thought of them yet.

  • MadMacs0 Level 5 Level 5 (4,470 points)

    Have you been following the Icloud account just got hacked discussion? Several theories were thrown out at the time, but the only one that seemed to have any traction was use of an iPhone.

  • kelbc2007 Level 1 Level 1 (0 points)

    I am now since the issue described on that thread is the same one that I encountered.  Thanks again.
