If the contact's computer got compromised, then please explain how the contact had all my contacts to give away to the hackers?

Sorry that I didn't retract that clearly enough in my subsequent post.

As for cleaning malware vs. clean install...you have a point about virus/malware education but I think in most cases it's a cost and time based decision.

If you want more help here you might post reports from System Profiler/System Information (installed applications) or the list of processes in Activity Monitor. Someone here might recognize a particular item as malware or an application that asks for access to Contacts when it is installed.

You could also check the system log after adding a new contact to see if anything suspicious happens.

You didn't mention if you checked System Preferences>Security & Privacy>Privacy (tab)>Contacts. Anything there?

One more thing that's not completely clear from your posts...are you saying that the contacts aren't synced with any online services?
 
As I have said there is no backup. How do we know that the good known state is actually good, if we do not know where the problem lies? We could be restoring the problem. A virus could lay dormant for ages.

As for using it as a learning lab - what tosh! If you don't figure out the problem then you're a failure in my eyes, and the customer wants it cleaned, not restored. They also don't want it to happen again. If it were some app that let the info out then we can remove/disable it. If I can't find the problem then we won't even know if it were a virus or some poor app.

If you're not learning something new every day then it's time to move on.

Nuking it is amateur. If you want to figure out a totally new threat that no one ever encountered then using your methods will leave you in the dark and totally knackered in future when you encounter it again.

Any kid or first line support at HP can tell someone how to factory restore their computer. That isn't a fix. It's like chopping off your arm cos your finger hurts. Sure it gets rid of the finger pain. Could cause a whole lot more pain though.
Better to examine the finger and find the cause of the pain and remedy it. If there's a splinter, then remove it. If the finger is cut, then stitch it.

I believe the Apple "geniuses" always do a restore, instead of fixing the problem. I understand big companies doing it as a way to show the warranty repair isn't needed, and that something the customer has done has caused the problem, but as independent support firms we should endeavour to provide a better service than that. If we recommend factory reset every time someone gets a virus then we would be the laughing stock, and very soon out of work. You Apple guys might get away with it, but business runs on Windows and business wouldn't accept such limited options. I dare say my customer will be switching to Windows now.

I'm sorry you thought I was rude, but when someone is telling me black is white then I will tell them they are wrong.
 
Very helpful - I will follow up with info you suggested. Thanks
 
The contacts are not synced with any online services, AFAIK.

I had to rename the system info file from SPX to TXT so I could upload it - this website wouldn't allow the SPX file.

I haven't even checked these files, so if any info in there that should be removed please feel free to advise...

TIA
 
If the system was compromised and data was exfiltrated, that is not "a virus", that is getting pwnd. It is not amateurish to wipe a system that was compromised to an unknown degree before putting it back into service, it is a prudent, standard corrective action. As I suggested, take a clone, study it in a VM if you want.
Furthermore, your confidence in your ability to clean a compromised Windows box would be hilarious if it wasn't so dangerously misguided. I suggest investing in more education.
One last thing: signing up to a forum and asking for help is a good step. Next time, try showing more humility and respect for the members who respond to your post, you might get farther.
 
To the OP: To check the Mac there is the free software EtreCheck. It will scan your system and output a text report file telling you what is installed and if any programs or services are running. This text file will show the file path so you can manually delete these bad services, etc., then restart if you delete any services.

This should help figure out what is on your Mac. Trust me that several Mac techs use this program to diagnose OS X all the time. Some feel that a former Mac tech wrote the program.
 
So, nuking every computer that gets infected with malware is the professional choice? The general public would give up with computers all together if they had to have their machines reset every time they picked up some malware.

I try to be humble, but as I said before black ain't white.

I signed up because I was interested to see if there were any other malware scanners, but it seems the Apple way is to nuke everything rather than find it and fix it. I didn't realise how bad the support for Apple was until I tried finding some malware scanners. I know you are restricted with Apple, but this is terrible.
 
YES it is amateurish if you don't know how it happened. You therefore may get the same again next week. Please do not comment on this thread any more if you cannot be of any help.
 
You have repeatedly ignored my suggestion to take a clone of the compromised system. Then you can study it at your leisure. I can't imagine your client wanting to have a machine out of service for an extended time while you conduct your investigation. And I would recommend letting your poor client know that someone will have to review the network security at that site, since that is actually where the problem lies. You know that, right?
If you don't like my posts, you can have a full refund for the purchase price.
 
You have repeatedly ignored my posts that say the client doesn't want to nuke it as they will never get all their expensive software back. You offer poor advice and do not read the thread before commenting. You also ignore my very valid point that if you do not find the issue then it can (and probably will) recur. There is no network, and even if there were it wouldn't be down to "network security". I am probably correct in my initial assumption that it is either malware or the result of some crappy service like iCloud getting hacked. You do know that iCloud was hacked, right?

Please explain what particular network security would prevent the hacking of iCloud etc. and what network security would prevent malware from being downloaded from a website and run? I'm keen to know, as anyone who comes up with a successful solution would undoubtedly become rich beyond their wildest dreams. In fact, please define "network security" as I'm not sure I know what you mean...Thanks
 
the client doesn't want to nuke it as they will never get all their expensive software back.
You said it would be a nightmare, maybe impossible. They sound like very disorganized clients. They are running their business mission-critical software for which they have no receipt? Sounds like the kind of client to avoid. Anyway, taking a clone (look up CCC -- btw this is a good idea from a law enforcement POV as well, since there may be traces of evidence on that computer, and your attempts at repairing it may destroy that evidence, keep that in mind next time) and *trying* to restore the system seems like a better use of your time than an open-ended analysis that may never be completed. You can always put the clone back onto the system. At the very least, re-install OS X (archive & install) in case system files were compromised.

There is no network, and even if there were it wouldn't be down to "network security"
Wait a minute. How does this machine send mail to the hosted server? Why do you dismiss network security? The client claims they did not run or install any software, so might it not stand to reason that someone else did?

You do know that iCloud was hacked, right?
No, it wasn't. If I guess your iCloud password (which you based on publicly available information), have I hacked iCloud?

what network security would prevent malware from being downloaded from a website and run?
Seriously? Cisco, Checkpoint, Juniper, Bluecoat, Barracuda, and many others offer firewall security appliances that will prevent malware from being downloaded to a client. As a "Microsoft Professional", you should at least be aware of Forefront TMG. Maybe you could help your client get that set up. That would be one good step towards preventing this from happening again.

You can call my advice bad all you want, you get what you pay for. I have suggested courses of action that are industry standard.
 
You ignored my post and you wouldn't have to wipe an OS X machine!
 
I haven't come on here for people to show me how I could be wrong - I am an IT professional (Microsoft) and deal with problems like this every week on Windows computers. As per my post above I really don't believe there is any other explanation, but if you can explain to me please do. Please read the entire thread first as brianbaughn didn't seem to.


So...I have 2 questions...

1. Is there any other "service" like iCloud that may have uploaded all the contacts and mail accounts?
2. What are my options for scanning for infections now?


Thanks
All these forums are full of Apple apologists with no desire to actually read/listen to questions. Their fandom of the biggest corporation in the history of mankind is frustrating and absolute. I'm having a similar issue but don't need to hear that somehow my contacts windows PC is the answer. Good luck, man.
 
Well, if you didn't get help before, this will certainly encourage it.
 
iCloud was hacked:

This is where I got that little gem from (I have not known this site to make false statements in the past)

http://www.hackersnewsbulletin.com/2015/02/icloud-hack-leaks-nude-pics-100-celebs.html

Why do you believe that iCloud wasn't hacked and that it was down to weak passwords? Surely it would be a bit coincidental if a load of celebrities got hacked at the same time, all down to weak passwords? If I were a cop I would be looking for the common link between them. I am guessing you just assumed that was the case, due to your undying love and support for Apple.



If you believe that a firewall can totally prevent malware then someone is missing a trick. This tech should be mass marketed to the consumer and someone would become very rich...or maybe you are wrong about this TOO.


Basically, Barbu, you sound like a "typical" Apple guy. You also make a lot of assumptions (like this client is willing/can afford a state-of-the-art firewall, that won't offer the protection you assume it does). If any firewall could possibly do what you claim then the developers would use that claim (no malware gets past OUR firewall) to sell it. And sell it they would do! They would be richer than Apple! Please send links to any firewalls (and their blurb) that claim to be malware-proof. If you cannot please remain silent as you have nothing helpful to add.
 
1. That site you posted the link from is an SEO joke. Read better websites. I recommend starting with Bruce Schneier.
2. The iCloud hack involved password guessing and security questions. Sorry, you are wrong. Get a clue.
3. All of those products I mentioned are real and are designed to filter malware. Your ignorance is not my problem. I never said they are anywhere near 100%. They are, however, a very good first line of defence. Compare and contrast with your misguided belief in the infallibility of Windows antivirus - LOL
4. All of my suggestions are OS independent, so your "apple-guy" insult stuff is pointless. You have some growing up to do.

How is your investigation coming anyway?
 
Why do you believe that iCloud wasn't hacked and that it was down to weak passwords?

Yes, it was due to weak passwords! The largest problem with home security and Cloud security sits between the keyboard and the chair! By your actions it looks like this was the case in your situation, because all you seem to like to do is argue!

You should really invest in a good password generator like 1Password. It will help you not to use the same password on every site!
 
Surely it would be a bit coincidental if a load of celebrities got hacked at the same time, all down to weak passwords?
The images and movies were all made public at the same time, but they weren't "hacked" at the same time. It was something that was done over years and from many different places, not just iCloud.

The problem with iCloud was that it allowed multiple password attempts without a forced timeout after getting too many wrong.
 
I have just found this thread via google search as I am experiencing the exact same problem and I can't believe the comments that have been made.

The insinuation that someone seeking genuine assistance and support is being rude?

Lecturing to someone who spends their lives removing malware and viruses and maintaining their OS?

The condescending and belittling attitude is not one that we should allow to happen.

So, whoisthatchild, what did you find out?

I have 600+ machines, my own mailserver, latest operating systems, industry best practice firewall and filtering.

There is some vulnerability in the 'system' that is playing me like a fiddle and I haven't been able yet to pinpoint it.
 
The same thing happened to me and my partner within the last month.

My thinking is that the bad guys got into our hosting company and somehow grabbed our email (IMAP) stores from there. Is that possible? The hosting company (1and1.com) did allow as how some of their Linux servers had been at risk.

The only dodgy sites I go to are those that pop up when I misspell a URL. I leave immediately. I never allow apps to access my contacts.
 
Hey tscott, Welcome!

If you ever get back, whoisthatchild's been gone since September. I'm not sure how you couldn't see that folks actually tried to help. Repeatedly.

May you discover your vulnerability ASAP.
 
Scott, do a couple of things:

1. Quit Address Book and Mail and go to System Preferences->iCloud pane and log out.
2. Then log into Apple's site Apple - My ID and reset your iCloud password!
3. Download the free EtreCheck and let it scan, because it prints out a text report showing every program, extension and plugin that is in your system. The report will point to where to manually delete any item, then reboot.

This should help, good luck!
 
I assume you have a Mac problem, not Windows? My original need was to find out if there were any decent scanners for Macs (there are not, it seems) and whether any apps may have been hacked, and hence could be the weak link. It seems not. Therefore my conclusion is that it was down to some sort of infection (which of course doesn't exist in the Mac world, lol). I haven't been back to this thread for a long time due to the points you mentioned about the rudeness and lack of actual help, although some comments were helpful even if they did not pinpoint the problem.

The Mac is still in use, and no honeypot mail addresses have been caught up in this, so it seems that the infection was cleaned by some of those scans that did find something before. The hackers are still using the info they gleaned before, but we cannot do anything about that now.

What is going on at your end? (I appreciate it is a while ago now).
Although 1and1 are an absolute joke I doubt this is down to them. If you had exactly the same problem then it's probably the same issue - infected computer. Are all your contacts stored on 1and1's servers? If you are using a mail client (as opposed to webmail) then I seriously doubt it. My advice would be to leave 1and1 as soon as possible though.
 
Dear all

Thanks for the replies. Especial thanks to Satcomer - I had not heard of EtreCheck and have now included it in my collection of helpful stuff.

I overcame my problem by going to google for my mail services. We already had Google Apps for Education happening but had not decided to use their mail option until this happened.

So, some things to think about. I believe my attack was sophisticated in that the payload being relayed was organised to scrape under our filtering. The offending traffic was intranet based. The malware relied on the ability of the mail app to relay the mail. Individual users had no idea that their mail client was being used to relay mail unless they were using Avira which popped up when one of the offending mails included recognised malware.

As soon as any interest was shown in a machine, it was no longer used to relay. This was as simple as using the web mail client for a number of hours.

The hit list included some members of our domain but the addresses included people who had left many years ago. It looked as if the addresses were from the Adobe and LinkedIn data breaches.

I would love to know how they have the mail app working - this is on El Capitan and Yosemite computers.
 