Phishing Scam or cause for Concern Rdp / Keylogger

Hi,

I received an email (which I have logged with the police etc). The email had a password of mine in the subject line and my concern is that it was the same password used to lock/unlock my Mac. I have obviously changed my passwords.


The email says that my web browser started out operating Rdp (Remote desktop Control) with a keylogger which provided the hacker with access to camera to video me and to contacts from email, messenger etc.? The email is asking for Bitcoin payments.


Is this possible? Or is it purely a phishing exercise and they have managed to get hold of a password from a breached site somewhere?


If it is possible, how do I check the integrity of my Mac? I just ran EtreCheck which didn't find anything of significance.

MacBook Pro, macOS High Sierra (10.13.5)

Posted on Jul 15, 2018 10:25 AM


Jul 30, 2018 10:30 AM in response to dirkkelso

Hi,

It appears to be a Phishing scam. I ignored it and nothing happened. I have had 5 similar emails since which now go to my junk.

According to police feedback it is likely that my email / Pw combo was hacked from a breach to LinkedIn or some other site and these emails are exploiting that. However I cannot be 100% certain as the same pw was used for my Mac. I am making sure that passwords are unique now.

Everything seems ok tho. If I get another email like that with my new Mac pw then I will know I have a real issue tho.

I would be interested to know if the email you got had your Mac password or a password from another site/service that you used to log in with?

Jul 15, 2018 10:43 AM in response to Allan Eckert

Here is the report


EtreCheck version: 4.3.5 (4D039)

Report generated: 2018-07-15 18:40:23

Download EtreCheck from https://etrecheck.com

Runtime: 3:42

Performance: Good


Problem: Other problem

Description:

Phishing Email


Major Issues: None


Minor Issues:

These issues do not need immediate attention but they may indicate future problems.


Upgradeable RAM - This machine has upgradeable RAM that would help its performance.

Unsigned files - There are unsigned software file installed. They appear to be legitimate but should be reviewed.

32-bit Apps - This machine has 32-bits apps that may have problems in the future.


Hardware Information:

MacBook Pro (13-inch, Mid 2012)

MacBook Pro Model: MacBookPro9,2

1 2.5 GHz Intel Core i5 (i5-3210M) CPU: 2-core

4 GB RAM - Upgradeable

BANK 0/DIMM0 - 2 GB DDR3 1600 ok

BANK 1/DIMM0 - 2 GB DDR3 1600 ok

Battery: Health = Normal - Cycle count = 273


Video Information:

Intel HD Graphics 4000 - VRAM: 1536 MB

Color LCD 1280 x 800


Drives:

disk0 - Samsung SSD 850 EVO 500GB 500.11 GB (Solid State - TRIM: No)

Internal SATA 6 Gigabit Serial ATA

disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk0s2 499.90 GB

disk1s1 - Macintosh HD (APFS) 499.90 GB (345.65 GB used)

disk1s2 - Preboot (APFS) [APFS Preboot] 499.90 GB (22 MB used)

disk1s3 - Recovery (APFS) [Recovery] 499.90 GB (518 MB used)

disk1s4 - VM (APFS) [APFS VM] 499.90 GB (2.15 GB used)


disk2 - Seagate Backup+ BK 1.00 TB

External USB 5 Gbit/s

disk2s1 [EFI] 210 MB

disk2s2 - T*******************p (Journaled HFS+) 999.86 GB


Mounted Volumes:

disk1s1 - Macintosh HD 499.90 GB (151.40 GB free)

APFS

Mount point: /

Encrypted


disk1s4 - VM [APFS VM] 499.90 GB (151.40 GB free)

APFS

Mount point: /private/var/vm


disk2s2 - T*******************p 999.86 GB (997.86 GB free)

Journaled HFS+

Mount point: /Volumes/T*******************p


Network:

Interface en0: Ethernet

Interface fw0: FireWire

Interface en1: Wi-Fi

802.11 a/b/g/n

One IPv4 address

Interface en4: iPhone

Interface en3: Bluetooth PAN

Interface bridge0: Thunderbolt Bridge

iCloud Status: 3 pending files


System Software:

macOS High Sierra 10.13.5 (17F77)

Time since boot: About an hour

System Load: 1.83 (1 min ago) 1.71 (5 min ago) 1.82 (15 min ago)


Security:

System                        Status
Gatekeeper                    Mac App Store and identified developers
System Integrity Protection   Enabled


Unsigned Files:

Launchd: /Library/LaunchAgents/com.oracle.java.Java-Updater.plist

Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist

Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Helper-Tool

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

Executable: /Library/PrivilegedHelperTools/com.microsoft.office.licensing.helper

Details: Exact match found in the whitelist - probably OK

Launchd: ~/Library/LaunchAgents/com.microsoft.LaunchAgent.SyncServicesAgent.plist

Executable: /Applications/Microsoft Office 2011/Office/SyncServicesAgent.app/Contents/MacOS/SyncServicesAgent

Details: Exact match found in the whitelist - probably OK



32-bit Applications:

35 32-bit apps


System Launch Agents:

[Not Loaded] 8 Apple tasks
[Loaded] 172 Apple tasks
[Running] 113 Apple tasks
[Other] One Apple task


System Launch Daemons:

[Not Loaded] 35 Apple tasks
[Loaded] 186 Apple tasks
[Running] 115 Apple tasks


Launch Agents:

[Loaded] com.microsoft.update.agent.plist (Microsoft Corporation - installed 2018-07-13)
[Not Loaded] com.adobe.AAM.Updater-1.0.plist (? ffb65062 - installed 2017-09-02)
[Loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2018-02-04)
[Loaded] com.oracle.java.Java-Updater.plist (? 7be22bea - installed 2014-03-18)
[Other] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist (Adobe Systems, Inc. - installed 2018-02-15)


Launch Daemons:

[Loaded] com.adobe.ARMDC.SMJobBlessHelper.plist (Adobe Systems, Inc. - installed 2018-02-15)
[Loaded] com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2018-07-13)
[Loaded] com.adobe.fpsaud.plist (Adobe Systems, Inc. - installed 2018-06-25)
[Loaded] com.microsoft.office.licensing.helper.plist (? 6d8cb30e - installed 2013-08-12)
[Loaded] com.oracle.java.Helper-Tool.plist (? e3fefdd2 - installed 2014-03-18)
[Loaded] com.oracle.java.JavaUpdateHelper.plist (? 3298096d - installed 2014-02-19)
[Running] com.fitbit.galileod.plist (? 7ad1c5c - installed 2014-10-29)
[Loaded] com.adobe.ARMDC.Communicator.plist (Adobe Systems, Inc. - installed 2018-02-15)
[Loaded] com.google.keystone.daemon.plist (Google, Inc. - installed 2018-03-06)
[Loaded] com.microsoft.office.licensingV2.helper.plist (Microsoft Corporation - installed 2016-04-11)


User Launch Agents:

[Loaded] com.dropbox.DropboxMacUpdate.agent.plist (Dropbox, Inc. - installed 2018-04-15)
[Running] com.microsoft.LaunchAgent.SyncServicesAgent.plist (? 0 - installed 2018-03-16)
[Loaded] com.adobe.AAM.Updater-1.0.plist (? 0 - installed 2017-09-02)


User Login Items:

iTunesHelper Application (Apple - installed 2018-07-10)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Dropbox Application (Dropbox, Inc. - installed 2018-07-15)

(/Applications/Dropbox.app)


Internet Plug-ins:

FlashPlayer-10.6: (installed 2018-07-10)

QuickTime Plugin: (installed 2018-06-18)

AdobePDFViewerNPAPI: (installed 2018-07-13)

AdobePDFViewer: (installed 2018-07-13)

o1dbrowserplugin: (installed 2015-12-17)

Flash Player: (installed 2018-07-10)

SharePointBrowserPlugin: (installed 2017-09-13)

googletalkbrowserplugin: (installed 2015-12-11)

MeetingJoinPlugin: (installed 2013-09-02)

JavaAppletPlugin: (installed 2014-04-16)


User Internet Plug-ins:

CitrixOnlineWebDeploymentPlugin: (installed 2013-04-26)


Safari Extensions:

Translate.safariextz - SideTree.com - Apps for Mac - http://SideTree.com/extensions.html#Translate (installed 2017-09-01)


3rd Party Preference Panes:

Flash Player (installed 2018-06-25)

Java (installed 2014-04-16)


Time Machine:

Skip System Files: No

Mobile backups: Yes

Auto backup: Yes

Volumes being backed up:

Macintosh HD: Disk size: 499.90 GB - Disk used: 348.50 GB

Destinations:

T*******************p [Local] (Last used)

Total size: 999.86 GB

Total number of backups: 59

Oldest backup: 2017-09-01 23:20:28

Last backup: 2018-07-12 08:16:44


Top Processes by CPU:

Process (count)        Source   % of CPU   Location
backupd-helper         Apple    12
MailCacheDelete        Apple    10
CacheDeleteExtension   Apple    9
iTunesCacheExtension   Apple    9
QuickLookUIHelper      Apple    8


Top Processes by Memory:

Process (count)                   Source          RAM usage   Location
kernel_task                       Apple           666 MB
com.apple.WebKit.WebContent (2)   Apple           236 MB
Safari                            Apple           114 MB
Dropbox (3)                       Dropbox, Inc.   103 MB
mdworker (7)                      Apple           86 MB


Top Processes by Network Use:

Process                       Source          Input    Output   Location
Dropbox                       Dropbox, Inc.   107 KB   1 MB
com.apple.WebKit.Networking   Apple           907 KB   16 KB
mDNSResponder                 Apple           92 KB    38 KB
cloudphotosd                  Apple           31 KB    43 KB
?                                             49 KB    12 KB


Top Processes by Energy Use:

Process (count)                   Source   Energy (0-100)   Location
kextcache                         Apple    14
syspolicyd                        Apple    10
trustd (4)                        Apple    7
WindowServer                      Apple    4
com.apple.WebKit.WebContent (2)   Apple    2


Virtual Memory Information:

Available RAM   1.11 GB
Free RAM        20 MB
Used RAM        2.89 GB
Cached files    1.10 GB
Swap Used       70 MB


Software Installs (past 30 days):

Name                                     Version          Install Date
Microsoft PowerPoint for Mac             16.14.18061302   2018-06-18
Microsoft Excel for Mac                  16.14.18061302   2018-06-18
Microsoft OneNote for Mac                16.14.18061302   2018-06-18
Microsoft Word for Mac                   16.14.18061302   2018-06-18
Microsoft Outlook for Mac                16.14.18061302   2018-06-18
Numbers                                  5.0              2018-06-18
Pages                                    7.0              2018-06-18
Keynote                                  8.0              2018-06-18
MRTConfigData                            1.35             2018-06-21
Virtual City Playground                  1.21.101         2018-06-22
OneDrive                                 18.0**.0506      2018-06-30
Pixen                                    4.1.1            2018-07-05
Adobe Flash Player                       30.0.0.134       2018-07-10
Gatekeeper Configuration Data            147              2018-07-10
iTunes                                   12.8             2018-07-10
Microsoft AutoUpdate                     4.1.18070503     2018-07-13
Adobe Acrobat Reader DC (18.011.20055)   18.011.20055     2018-07-13


Diagnostics Information (past 7 days):

2018-07-15 17:19:33 bluetoothd Crash

/usr/sbin/bluetoothd

objc_msgSend() selector name: setDelegate:


2018-07-13 09:21:59 Microsoft Outlook.app Hang

/Applications/Microsoft Outlook.app


2018-07-09 16:07:19 com.apple.WebKit.WebContent CPU

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent



End of report
