
Someone used Safari remote login to access my computer. What did he have access to?




zephonic
Jul 25, 2013, 04:45 PM
The title pretty much says it all, but to clarify:

I wanted to help my mother restore access to her Yahoo! account. I couldn't find the answer in the FAQ, so I googled Yahoo support and called this number:
1-800-921-8892

I did not know this, but it is not Yahoo support, but a non-affiliated company called ites247. I got an Indian-sounding fellow on the phone, and he asked me to open Safari and allow remote login. Thinking this was the official Yahoo! I was talking to, I frowned at, but nonetheless complied with, this request.

I was furious and indignant to see that he opened the Terminal and dug up all activity. He claimed this was necessary and that my computer was infested with malware. I knew he was BS-ing when he claimed all inactive threads were manifestations of malware, and my CPU's 97% inactivity a clear sign that my computer had been taken hostage. He suggested I needed an anti-hacker network specialist and that if I'd give him my zip code he'd find the right guy.

I hung up the call and terminated the remote session, googled the phone number and learned this was ites247.

Aside from filing a complaint with the BBB and warning others about this fraudulent company, I really want to know what exactly he had access to, and whether or not he could have left anything on my machine. Also, could he have accessed anything else on the network? Like the router or other devices?

If the answer to any of these questions is positive, what can I do to clean up?

Thanks.



zephonic
Jul 25, 2013, 05:01 PM
Correction:

He asked me to go to a website and enter a six digit code to allow remote login.

zephonic
Jul 25, 2013, 09:52 PM
I had Apple support call me back today, and they addressed my primary concerns:

- even though they were in the Terminal, they only looked for "netstat" and "top". Apple had me check the Terminal's command history by pressing the up key, and no malicious commands were executed.
- the CPU's inactivity and inactive threads would indicate that nothing else occurred
- unless you give out the admin password, nothing can be added or changed in the system
- keyloggers require system level access, which requires admin password

I have reported ites247 to the BBB, and it seems they are in the tech support scam business.

http://www.bbb.org/delaware/business-rev...ton-de-32004062

That sounds right, as the guy highlighted inactive threads in my Activity Monitor to suggest that those were malware, as well as a number of open internet connections (which Apple explained were normal, as there is always some iCloud activity going on) which were supposedly phishing for my data. They tried to get me to call a (and I quote) "anti-hacker network specialist" to root out this problem.

The BBB has an article on this sort of practice:
http://www.bbb.org/delaware/industry-tips/read/tip/tech-support-scams-from-ftc-website-1032

Please alert others about this ites247.

I should have been more diligent and double-checked the site/phone number before granting anybody remote access, but in a way it is good it happened. I always thought I was way too savvy to fall for that stuff. That'll teach me...


edit:
their site: http://www.ites247.com/
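As an added defender-side example, not code from this thread or from Apple support: a small POSIX shell script that automates the two questions raised above, whether the remote session typed anything beyond `top` and `netstat`, and whether anything was left behind as a launchd item. The pattern list, the file paths and the sample history it builds are constructed assumptions; on a real Mac you would point it at `~/.bash_history` (written when the shell exits, so close the Terminal window the agent used first) and at `~/Library/LaunchAgents`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the shell history is in a
# file you pass in, and the moment the remote session began is recorded as
# the modification time of a marker file.

# Commands a "support" session for a webmail login problem has no reason to
# run: privilege escalation, downloads, persistence, credential/config changes.
SUSPECT_PATTERNS='sudo|curl|wget|launchctl|crontab|chmod|dscl|defaults write|osascript|ssh'

# suspect_commands HISTORY_FILE
# Prints the history lines matching SUSPECT_PATTERNS (exit 0 either way).
suspect_commands() {
    grep -E "$SUSPECT_PATTERNS" "$1" || true
}

# count_suspect_commands HISTORY_FILE
# Prints how many such lines there are (0 when none).
count_suspect_commands() {
    grep -E -c "$SUSPECT_PATTERNS" "$1" || true
}

# new_persistence DIR SINCE_FILE
# Lists launchd plists under DIR modified after SINCE_FILE's mtime, i.e.
# persistence that appeared during the remote session.
new_persistence() {
    find "$1" -name '*.plist' -newer "$2" 2>/dev/null | sort
}

# build_demo OUTDIR
# Constructed sample data: a history with one bad command, and a LaunchAgents
# folder holding one old plist and one dropped during the session.
build_demo() {
    mkdir -p "$1/LaunchAgents"
    printf '%s\n' 'top' 'netstat -an' 'ls -la ~/Library' \
        'sudo launchctl load ~/Library/LaunchAgents/com.example.helper.plist' \
        > "$1/history"
    touch -t 202307251600 "$1/session_start"                 # session began 16:00
    touch -t 202301010900 "$1/LaunchAgents/com.legit.old.plist"
    touch -t 202307251630 "$1/LaunchAgents/com.example.helper.plist"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); build_demo "$d"
    echo "suspect commands:"; suspect_commands "$d/history"
    echo "new persistence:"; new_persistence "$d/LaunchAgents" "$d/session_start"
fi
```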