
whoisthatchild

macrumors newbie
Original poster
Aug 26, 2015
I am trying to clean a Mac which has had its contact list hacked. I at first thought that all the contacts were receiving mail because the mail had been hacked. Upon checking email headers it appears that the sender email address (ie that of the Mac owner) is spoofed and the hackers seem to "merely" have a copy of the contacts list, and every email account configured on this Mac.

This contacts list isn't on any other machine, so it must have come from this Mac. The only other guess I had was if some app was uploading the contacts somewhere and that company had been hacked (eg iCloud), but iCloud doesn't seem to be on this Mac.

I have scanned with Sophos, Malwarebytes and Avast. Just about to scan with Avira - nope, Avira needs newer than 10.7.5.

Sophos and Avast found lots of malware. Malwarebytes took about 3 seconds and found nothing. Not impressed with MBAM as it is great on Windows machines, waste of time on the Mac.

Any suggestions?
 
I am trying to clean a mac which has had it's contact list hacked.
What causes you to think the contact list was "hacked?" Provide details about what's going on; you haven't provided any information that's useful toward troubleshooting.
 
What causes you to think the contact list was "hacked?" Provide details about what's going on; you haven't provided any information that's useful toward troubleshooting.

The Mac has about 12 email accounts on there. They are all contacts in their own right of the various other accounts. There is persona@companya.co.uk, persona@companyb.co.uk, right through to personh@companya.co.uk and personh@companyb.co.uk.

I am also a contact of this mail user. Every contact in the contacts list is receiving emails from one or other of these mail accounts (eg personc@companya.co.uk is apparently sending emails out to everyone on the contacts list, using the first names as configured in the contacts list). So if santa claus is in the contacts with an email address of santa.claus@northpole.com and a "name" of whodjyamaflip then the santa.claus@northpole.com mail account receives an email addressed to "Whodjyamaflip" and apparently being sent from personc@companya.com. I have checked the headers and the IP addresses show that the sender isn't my customer, but some foreign outfit.


The names used are specific to this contacts list, so I am 100% certain that it is this contacts list that is being used. Also, all the mail accounts that are being spoofed as senders are on this particular Mac.
 
Might just be me, but that's still pretty confusing. Where is the mail server?
 
Also, I left the Mac switched off for 3 days and the mails kept coming. I have changed the email passwords for all mail accounts on these 2 domains, and the mails keep coming. Then I realised they weren't actually being sent via the customer's email server (due to IPs in email headers). So, now my conclusion is that the hackers somehow got hold of the contacts list (otherwise how do they know my customer calls santa claus "whodjymaflip"?) and they have gotten hold of every mail account and the name on that account that is configured on this Mac. They then started spoofing emails to all the contacts, so I am confident that they never got the passwords for the mail accounts. They must have, however, had access to the Mac, otherwise this info would not be in their hands....unless, as I previously theorised, there is some app that is uploading all this info (eg iCloud) and they then got hacked.
 
Might just be me, but that's still pretty confusing. Where is the mail server?

OK - I will try to make it simple. Imagine you are in my contacts list with your email address, say barbu@outlook.com. My email address is whoisthatchild@gmail.com. You are in my address book as "Friendly mac rumors Guy".
You receive an email that says "Hi Friendly, please check out this link.....regards whoisthatchild."

The email is sent from a different IP as per the headers so we can be confident they are not into our mail account. Passwords have been changed and the Mac left switched off for days, emails still flowing.

And of course, I am the only person on the planet who has your email in their address book with your first name being "Friendly".
 
More likely is one or more of your contacts' own computers have been compromised.


It's not my Mac - it belongs to a customer.
How would any other contacts have the full contacts list of this mac?
How would they have all the mail accounts that are on this Mac, ie name (which is sometimes weird, and specific to the relationship between the Mac owner and that particular contact) and email addresses?


I'm interested as to how this may be true...
 
I haven't come on here for people to show me how I could be wrong - I am an IT professional (microsoft) and deal with problems like this every week on windows computers. As per my post above I really don't believe there is any other explanation, but if you can explain to me please do. Please read the entire thread first as brianbaughn didn't seem to.


So...I have 2 questions...

1. Is there any other "service" like icloud that may have uploaded all the contacts and mail accounts?
2. What are my options for scanning for infections now?


Thanks
 
You mentioned Avira needing higher than 10.7.5
Does that mean the Mac is running Snow Leopard or older?
Just trying to get all the info

I'm assuming the contacts are in the Mac Contacts app

Some obvious questions, are the Contacts synced anywhere?
Synced with iPhone? iPad? > some apps access the Contact list
Gmail account
Outlook account
Facebook
LinkedIn > not an obvious one, but can be problematic
Instagram
Messaging apps > WhatsApp, Viber, SnapChat, IM
Google Voice

Many iOS and OS X apps ask permission(?) to access Contacts
The compromise could come from them?
 
Odds are the contact list wasn't hacked. It was just malware on a client computer that harvested email addresses from a local mailbox file.
 
Hi, thanks for your answer. The version on this mac is 10.7.5.

Not synced with any other devices, iPhone, iPad etc - she doesn't own any of these.


There's no gmail account being used by this user, or outlook, nor linkedin, instagram, whatsapp, viber, snapchat, IM or Google Voice.

Facebook is being used, but with a hotmail account, not any of the business email accounts. Would be surprised if it were down to this, but am open to suggestions.
 
Sorry you're getting such terrible answers but I don't think many posters here have much experience with Mac malware. Me included to be honest.

Not sure what you're after though. You say scans found lots of malware. That does seem the most likely source. Do you need help removing them? Do any sound like contact list harvesters?

If it were my Mac I'd be inclined to wipe it and start over. The OS will be unsupported from next month or so anyway. Edit: the OS is already unsupported. If that's too dramatic, you could try making a Time Machine backup to a blank USB, wiping to a clean OS, then restoring the users stuff via migration assistant from the backup. Migration assistant basically just restores the users data, not any system stuff, and I think gives you the option of not restoring any apps, so the last scraps of malware should be left behind.

Now that the contacts have been stolen nothing will stop the emails, unless by some miracle they have a working unsubscribe link (it does happen sometimes). The companies involved however might want to check if they have valid SPF records on their domains which will at least make the spoofed emails more likely to fall into spam filters.
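Added here as an illustration, not code from the thread or from any poster: a small Python script that does the header check whoisthatchild describes (which host actually connected to the recipient's server) and then evaluates that IP against an SPF record of the kind mw360 suggests the companies publish. The domains, IP ranges, message and SPF records are all constructed, and the evaluator handles only the ip4 and all mechanisms, not include, mx, a or redirect.

```python
"""Added example, not code from the thread: extract the connecting IP from a
message's Received headers and evaluate it against the claimed sender domain's
SPF record. All domains, addresses, IP ranges and records below are constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed stand-ins for DNS TXT lookups; real code would query DNS.
# 203.0.113.0/28 plays the customer's genuine outbound mail server range.
SPF_RECORDS = {
    "companya.co.uk": "v=spf1 ip4:203.0.113.0/28 -all",  # hard fail for anyone else
    "companyb.co.uk": "v=spf1 ip4:203.0.113.0/28 ~all",  # soft fail only
}
IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def connecting_ip(raw_message: str) -> Optional[str]:
    """IP literal from the topmost Received header: that line was written by
    the recipient's own server and records who really connected. Lower
    Received lines travel with the message and can be forged by the sender."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = IP_LITERAL.search(header)
        if match:
            return match.group(1)
    return None


def spf_result(domain: str, client_ip: str, records=SPF_RECORDS) -> str:
    """Minimal SPF evaluation: ip4 mechanisms and 'all' only (no include/mx/a).
    'none' means the domain publishes no record, so a receiving spam filter
    has nothing to act on, which is the gap mw360 points at."""
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mechanism = "+", term
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, mechanism = term[0], term[1:]
        if mechanism == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        if mechanism.startswith("ip4:") and ip in ipaddress.ip_network(mechanism[4:], strict=False):
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # record ended without an 'all' term


def check_message(raw_message: str) -> dict:
    """SPF is defined on the envelope sender (Return-Path), so use that when
    present and fall back to the visible From header only if it is missing."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    domain = sender.rpartition("@")[2]
    ip = connecting_ip(raw_message)
    return {"sender": sender, "client_ip": ip, "spf": spf_result(domain, ip) if ip else "none"}


# Constructed spoofed message: the From claims companya.co.uk, but the host
# that connected to the recipient's server is unrelated, as in the thread.
SPOOFED = """\
Return-Path: <personc@companya.co.uk>
Received: from relay.example.net (relay.example.net [198.51.100.23])
        by mx.northpole.example with ESMTP id CONSTRUCTED1
        for <santa.claus@northpole.example>; Wed, 26 Aug 2015 10:00:00 +0000
From: Person C <personc@companya.co.uk>
To: Whodjyamaflip <santa.claus@northpole.example>
Subject: Hi Whodjyamaflip

Hi Whodjyamaflip, please check out this link...
"""
# Same message genuinely relayed through the customer's own server range.
LEGITIMATE = SPOOFED.replace("relay.example.net [198.51.100.23]",
                             "mail.companya.co.uk [203.0.113.5]")
```

The spoofed message evaluates to fail against the -all record and softfail against ~all, which is what lets a receiving filter treat it as junk; with no record published the result is none and the filter has nothing to go on.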
 
I'm with mw360...now that you've expounded a bit more...sounds like the damage is done. If the contact list is compromised you can't "undo" it, of course. The emails should dwindle with time as long as they're ignored and you turn off automatic image loading in Mail.

You didn't list what malware was found so no one can speculate as to which one, if any is the culprit.

Legitimate and not-so-legitimate applications can ask for permission to access the contacts. I have occasional clients that seem to click on everything that comes in and wouldn't be able to remember the next day that they had done it. Also, kids sometimes seem to go out of their way to pile crapware on their parents' computer.

A fresh install of the system and the individual third-party applications that are necessary sounds like the way to go, as mw360 said. Migrate the User Account and data but not applications.

Having experienced this kind of stuff in the Windows world you probably guessed that's where this was headed.
 
The idea of reinstalling everything from fresh did cross my mind and I have confirmed with the client that it would be a nightmare, due to all the extra software they have on it - they are a printing company and use a lot of expensive software that would be time consuming, and maybe not even possible to install again, due to lack of media, email receipts etc.

I would really like to know of any other scanning software I could use to detect different types of malware, as I am not convinced it is clean, and would like to avoid reinstalling everything fresh. If I cannot give it back, confident it is clean, then I will have to advise the client that we format and start again...
In similar instances with Windows machines I can inform the client how it happened and be confident the threat is removed, but the scanners for the Mac are few and far between, and don't seem that great when they do work.

I checked for updates from Apple but it says there are none, so I've got to assume that any OS exploits are patched (or never gonna be).

From what you guys are saying it looks like there isn't going to be much more in the way of scanners available to me.
It's a shame it can't be attributed to some app that got hacked, then it would make sense that the hackers got the contacts and all the email accounts that are configured in the Apple Mail app, and not access to the email account itself, ie they don't seem to have the password.

There's no way the Apple Mail app syncs anything back to Apple is there? I already checked iCloud, so it can't be that as it isn't in use.
 
I appreciate that the contact list is now public property, but I am keen to confidently tell the client where the problem occurred (not which website the download or whatever came from, but whether it was malware, some server got hacked, or whatever). That way they can learn from the experience and try to avoid it again.
The mails only contain a link, so no images to be seen.

The client assures me they didn't download anything or open any attachments on dodgy emails, but as always I take that with a pinch of salt.

Ballache to do a fresh install, but yep - looks like that if we wanna be sure. As for Windows I don't need to reinstall unless the registry is knackered or some other damage to the OS that can't be repaired by normal means. Malware is always removed, and I never reinstall simply to remove malware. There are so many good tools for Windows you can be confident it is clean when several of them give you a clean bill of health.
 
As for Windows I don't need to reinstall unless the registry is knackered or some other damage to the OS that cant be repaired by normal means. Malware is always removed, and I never reinstall simply to remove malware. There are so many good tools for windows you can be confident it is clean when several of them give you a clean bill of health.

As a security professional, I really have to question the above assertion. Malware/virus scanners will only find that for which they have a signature. 0day/APT will not be found by (rather pathetic) off the shelf tools. When a Windows box or a Mac is known to have been infiltrated, the nuclear option of wipe/reinstall is not only advised, it is the only responsible option. /imho
If you don't know how to help your client reinstall their applications from media or from backup (they have a backup, right?), you should at least help them find someone who can.
 
That OS is dead to Apple, that's why there aren't any updates. It will be full of serious security holes by now. They need to be on 10.9 at least, and even that will be unsupported in a year's time.

If you found malware, odds are that it's Trojans they installed themselves (just based on the ratio of Trojans to true viruses on OS X). If they did that, then who knows what other services they tinkered with and forgot about. iCloud does sync address books to Apple, and when the Mac was purchased it might have been back when iCloud was called MobileMe. If your clients have a .me.com or .mac.com or .icloud.com email address then they have at least dabbled with those services in the past, even if they have since turned them off. None of them is known to have been breached though.

Have a look into whatever billing software they use. Most of the ones I've seen will import the user's address book. If that has some sketchy cloud component to it...

It's probably occurred to you already, but for reassurance you could seed their contact list with a few honeypot email addresses. At least you'll know if the leak hasn't been plugged.
 
I was planning on adding some honeypot addresses exactly as you have described, so that I will know if anything happens afterwards.

They don't use any billing software, just email out invoices created manually.

Thanks for the tip about mobileme - that's handy to know.

If apple doesn't support this OS any more then shame on apple. People moaning about xp support ending after about 13 years. 10.7.5 hasn't even been out for 5 years, AFAIK.

The serious lack of support for mac os, both by apple themselves, other software companies, and engineers, is not encouraging. I've never had a scanner tell me it can't scan this version of windows because it's too old.
 
As a security professional, i really have to question the above assertion. Malware/virus scanners will only find that for which they have a signature. 0day/APT will not be found by (rather pathetic) off the shelf tools. When a Windows box or a Mac is known to have been infiltrated, the nuclear option of wipe/reinstall is not only advised, it is the only responsible option. /imho
If you don't know how to help your client reinstall their applications from media or from backup (they have a backup, right?), you should at least help them find someone who can.


Hi, maybe I should put them on to the guy who thinks virus scanners need a signature to detect something. I believe heuristic analysis is employed by the best scanners, which doesn't look at the signature. In fact, if Mac scanners only look at signatures then that would explain why some of these scans are so damn quick - it's the heuristics that take the time when a product employs this tactic.

It's not that I don't know how to install their software, it's that some of it will have been downloaded, using an email account they won't remember, or maybe not even use/own anymore. Some will have been from disc, and the disc will be lost, and the vendor won't have copies of the old one and their os version will be "unsupported" with the new one...etc...etc.

No, they don't have a backup, but what use is the backup in this situation if we can't be confident that the backup is clean? You can wipe it and backup/reinstall but you might be putting some malware back. How do you know if you just hit it with a sledgehammer approach?

The "nuclear option" is for amateurs and paranoids. Of course, you still can't be sure that the computer wasn't shipped with a virus (if you use the recovery partition) or that your install media is clean if you go down that route.

So, in summary, I believe your HO is flawed due to the above. Also, if you just format and reinstall and it works you never learn anything new about the threats and how they work. You never get any better at your job and you let your customers down with treatments that I expect from PC World staff.
 
Lots of malware may have been found but were they Mac malware or Windows malware?

Some of each. Mainly Windows, mainly by email attachment. Haven't found anything yet that says to me "hey it was me".

Not confident it is clean yet....
 
This is unnecessarily rude. And using your client's computer as a learning lab is very unprofessional (and a waste of their time). You should instead consider taking a clone of their system and then restoring them to a known good state.
Have fun.
 