Help with possible keylogger on Imac

Discussion in 'iMac' started by ImacT, Sep 11, 2011.

  1. ImacT macrumors newbie

    Sep 11, 2011
    Sorry if this is in the wrong section, but I need some advice from somebody who knows what they are talking about.

    I've tried searching and all I can find about keyloggers on Macs is people saying you can't get them via a virus; it has to have been done directly to your computer.

    About 2 weeks ago I checked an email account I hadn't opened in a while and had an email from an online game. I opened it and it looked genuine, so I clicked the link that was on it without really thinking; it then opened another webpage which I immediately shut down. (The dumb thing is that email isn't even the one I used with the game account, so I don't know why I went through it.)

    I read up about phishing and came to the understanding that this is what it was, and that your details can only be taken if it comes up with a fake page where you enter your user and pass. Just in case, I found a free Mac virus scan and found nothing on the scan. So I thought that was the end of it...

    Well, I logged in to the game yesterday to find somebody has changed my password. I don't know much at all about this stuff, but it must have been a keylogger? I can't see any other way.

    Also I downloaded "Little Snitch" to see if I could see anything out of the ordinary going on (even though I don't have a clue what I'm looking for). Something along the lines of baymsg(numbers) keeps popping up; is that something official with Hotmail or something else?

    I have now completely formatted the hard drive and re-installed, and that baymsg thing still popped up when I went on Hotmail.

    I'm sorry for the essay, but I need answers. :(
  2. munkery, Sep 11, 2011
    Last edited: Sep 11, 2011

    munkery macrumors 68020


    Dec 18, 2006
    Don't reuse passwords.

    Make sure to use a secure password.

    Secure passwords contain at least 8 characters, with at least one character each from the upper case alphabet, the lower case alphabet, numbers, and symbols.

    For example, go@Wow76

    Make sure to use a secure password for the email account that can be used to reset other account passwords.

    Never log into accounts from links contained in emails, email attachments, instant messages, etc., even if the certificate appears to be legitimate.

    Never log into accounts that don't use encrypted logins while using public wireless networks.

    It is also possible that the web app related to the online account for the game contained a vulnerability that allowed the web app to be compromised without clients' machines being involved. If this is the case, then there is nothing the client (online account holder) can do to prevent the account from being compromised.

    This type of account hacking is rarely due to keyloggers regardless of the OS being used by the victim.

    EDIT: haha, forgot to use upper case in secure password example.
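    A checker for the password rule stated in this post (at least 8 characters, with at least one upper case letter, one lower case letter, one digit and one symbol), added here as an example and not the poster's code. The sample passwords are constructed; "go@wow76" stands in for the un-edited example without upper case mentioned in the EDIT.

```python
import string

# Minimum rules as stated in the post: 8+ characters and one from each class.
MIN_LENGTH = 8
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),  # "@" and "!" are in this set
}


def missing_requirements(password):
    """Return the list of rule names the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    chars = set(password)
    for name, members in CLASSES.items():
        # A class is satisfied if any character of the password belongs to it
        if not chars & members:
            failures.append(name)
    return failures


def is_secure(password):
    """True when the password meets every rule from the post."""
    return not missing_requirements(password)


if __name__ == "__main__":
    # Constructed inputs: the post's example, its no-upper-case variant,
    # a short one, and a common word with a single character class.
    for pw in ("go@Wow76", "go@wow76", "Wow76!", "password"):
        print(pw, "->", missing_requirements(pw) or "OK")
```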
  3. ImacT thread starter macrumors newbie

    Sep 11, 2011
    Okay thanks.

    Zeroing the complete hard drive will wipe anything potentially there though, won't it?
  4. munkery macrumors 68020


    Dec 18, 2006
    Sure it would, but I don't think the issue was a keylogger so that is overkill.

    Wiping the hard drive will not prevent any of the more likely reasons for the account being compromised.
  5. Peace macrumors Core


    Apr 1, 2005
    baymsg(numbers) is more than likely part of Hotmail since it's Microsoft stuff.

    Windows Live messenger is also an integrated part of the Hotmail web front-end.
  6. ImacT thread starter macrumors newbie

    Sep 11, 2011
    I have already done that; I don't have much on the computer and I couldn't figure out how to delete my Windows Boot Camp partition, so it solved that problem as well.

    It has to have been that link though that resulted in me being hacked :confused:
  7. Ubuntu macrumors 68000


    Jul 3, 2005
    May I ask which game it was?
  8. ImacT thread starter macrumors newbie

    Sep 11, 2011

    I barely go on it now really, and it was a good job I did, because I would have never noticed something was up. :(

    I was waiting for my hired driver in Forza 3 to win my race!

    I have trawled the internet and found only 1 other case of a similar thing happening to somebody with an iMac. Can't seem to find a definite answer :S

    Edit: Also I reverse IP traced from the hacked log in; it comes up with Lishui, China. I know this can be faked though. But now from my log in it isn't even showing an IP, it is just 3 letters.
  9. munkery macrumors 68020


    Dec 18, 2006
    Did you enter the account credentials into the linked webpage?

    If you didn't enter the account credentials into the linked webpage, then it was not from that webpage.

    Do you use any bot software to help you progress through the game faster?

    There have been cases where the bot software requires the user's account credentials to function but the real goal of the bot software is to trick users into giving up their account credentials for the game.
  10. ImacT thread starter macrumors newbie

    Sep 11, 2011
    Nope, it was like a white page with other things on it; I closed it within about 2 seconds of clicking the link because I knew what I had done.

    And no, I have never downloaded anything, and I was playing through the official client.

    I used to play the game a lot years ago and this is the first time I have ever been hacked or had trouble with it, and this is in like 5-6 years. I have never put the details anywhere.

    It is too strange for me to have clicked this link and to be hacked though; I guess I'm never going to get an answer to it. :(
  11. munkery macrumors 68020


    Dec 18, 2006
    If you didn't enter the account credentials into the linked webpage, then it was not from that webpage.

    It is possible the Runescape login has a vulnerability that is being compromised without any involvement of your system. If no other rational explanation arises, then this is most likely the cause.

    How did you acquire the information to do the reverse?
  12. ImacT thread starter macrumors newbie

    Sep 11, 2011
    There are a lot of sites where you can reverse trace IPs; I just typed it into one of them.
  13. munkery macrumors 68020


    Dec 18, 2006
    Sorry, not paying attention while I type:

    How did you acquire the IP address of the individual that logged into your account to do the reverse?

    Or, does that IP relate to the phishing email?


    Was anything modified in your account?

    Any gear or coin missing?

    If nothing has changed, then it is possible that Runescape locked the account and required the password to be reset because of too many failed login attempts as hackers tried to compromise the account.

    There may be no connection between the phishing email and the password needing to be reset.
  14. cactus33 macrumors member

    Apr 1, 2011

    The same thing happened to my friend. He JUST paid for membership for a month, and within a few days someone had hacked his account. Now that you say it's Runescape, I believe there is no chance that you have a keylogger or any malicious software. The game is just easy to hack into, it happens habitually, and is a known problem.
  15. ImacT thread starter macrumors newbie

    Sep 11, 2011
    When you log into the game, it says at the top of your screen how long ago you last logged in and from what IP. I wrote down the IP it said from there.

    Somebody definitely logged into my account with the use of my password.

    When I managed to reset my password through email, I got back on to see that IP address. Also, in the game, your bank, which contains all your items and gold, has a PIN code on it. You can reset it to gain access if you don't know the code, and they had reset it. I didn't lose anything though because it had another 4 days before it reset.

    They hadn't accessed it through my email or through my set of recovery questions, only by directly logging in with my password. :(
  16. munkery macrumors 68020


    Dec 18, 2006
    Or, the Runescape login has a vulnerability that allows accounts to be compromised without the involvement of the victim's computer.

    Another poster suggested that Runescape is known for such weaknesses.

