Remote Support Scam

This evening my wife fell victim to a phishing scam. While browsing recipes on Pinterest, she received a pop-up that said there was a trojan on her MacBook Air (Yosemite) and gave her a support phone number, which she called. The person who answered the phone pretended to be an Apple Support representative who had my wife install the Maxthon web browser and a GoToAssist agent so that he could remotely access her computer. He then made up a bunch of things that were wrong with her MacBook and typed them out in notepad on my wife's MacBook while she watched. Thankfully she stopped when he started pushing expensive warranty plans on her and never gave him her credit card information.


When I got a hold of the MacBook, I started it in safe mode and disabled the Wi-Fi while I followed the steps in the article below and removed Maxthon and the GoToAssist client:

Stop pop-up ads and adware in Safari - Apple Support


So far the MacBook appears to be running normally and I haven't seen anything suspicious pop up.


My questions are:

A) How can I tell what information was stolen so I know how paranoid to be, and...

B) What is the best way to tell if my wife's MacBook is now part of a bot farm or if anyone still has remote access to it?


I appreciate the sympathy and suggestions.


Thanks,


David

MacBook Air, OS X Yosemite (10.10.5)

Posted on Sep 14, 2015 6:45 PM

1 reply

Sep 14, 2015 6:48 PM in response to barakuder

The only way you can be sure that the computer is not compromised is to erase at least the startup volume and restore it to something like the state it was in before the attack. The easiest approach is to recover the entire system from a backup that predates the attack. Obviously, that's only practical if you know when the attack took place, and it was recent, and you have such a backup. You will lose all changes to data, such as email, that were made after the time of the snapshot. Some of those changes can be restored from a later backup.

If you don't know when the attack happened, or if it was too long ago for a complete rollback to be practical, then you should erase and install OS X. If you don't already have at least two complete, independent backups of all data, then you must make them first. One backup is not enough to be safe.

When you restart after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from a backup in Setup Assistant.

Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.

Reinstall third-party software from original media or fresh downloads—not from a backup, which could be contaminated.

Unless you were the target of an improbably sophisticated attack, this procedure will leave you with a clean system. If you have reason to think that you were the target of a sophisticated attack, then you need expert help.

The above being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.
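
An added example, not part of the reply above or of any Apple tool: a shell triage that lists launchd items still referring to the two programs named in the question, for use before deciding between a backup restore and an erase-and-install. It assumes leftovers mention "GoToAssist" or "Maxthon" in a file name or in the file contents; a hit shows the manual removal was incomplete, while no hits does not show the system is clean.

```shell
#!/bin/sh
# Added example: triage of the standard launchd persistence directories.
# Product-name fragments come from the thread (assumption: leftover items
# carry one of these names in their file name or contents).
PATTERN='gotoassist|maxthon'

# scan_persistence ROOT HOME_DIR
# Prints one path per line for each file in the system and per-user
# LaunchAgents/LaunchDaemons directories that matches PATTERN.
scan_persistence() {
    root=${1:-}
    home=${2:-$HOME}
    for dir in \
        "$root/Library/LaunchAgents" \
        "$root/Library/LaunchDaemons" \
        "$home/Library/LaunchAgents"
    do
        [ -d "$dir" ] || continue
        for item in "$dir"/*; do
            [ -f "$item" ] || continue
            # Check the file name first, then the contents (works for
            # XML and binary property lists alike).
            if printf '%s\n' "${item##*/}" | grep -qiE "$PATTERN" ||
               grep -qiE "$PATTERN" "$item" 2>/dev/null; then
                printf '%s\n' "$item"
            fi
        done
    done
}

# Scan the live system only when invoked as: sh scan.sh run
if [ "${1:-}" = "run" ]; then
    hits=$(scan_persistence "" "$HOME")
    if [ -n "$hits" ]; then
        printf 'Leftover launchd items:\n%s\n' "$hits"
    else
        echo 'No matching launchd items found (not proof of a clean system).'
    fi
fi
```

Run it once per user account, since each account has its own `~/Library/LaunchAgents`.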
