Recently somebody made some gift card purchases on gyft.com with my paypal and without my knowledge or consent. Paypal contacted me about the suspicious charges and I changed my password, etc., but as I was looking into what had happened I found some extremely weird stuff.
First, I was asleep when these transactions occurred, and when I first looked at my iMac after getting up, there was a weird website in a safari window. I think it was some subpage of the Arris website (a site I had never heard of before, but I remember seeing the "Arris" logo). I closed the window/tab without thinking about it. A few hours later paypal calls and I start looking into "gyft" (another website I had never heard of). I started to get worried when I went to the gyft site and I was already logged in.
I called the gyft corporate support line and they said they have seen a rash of instances where fraudulent purchases were made by people actually taking over the victims' computers. Except that's a Windows thing, not a Mac thing, right? I looked in my browser history, and, sure enough, there were all the steps where somebody had gone to gyft, created an account, verified it using my google+ profile (and a google subscriber phone number), and then authorized the payments with my paypal. Once they had access to my iMac screensharing, they didn't need to know my google or paypal passwords because the keychain automatically put them into the fields.
I've turned off screensharing and remote access in the sharing system preferences, and changed my admin password. I've installed Avira and scanned for known malware. I've also set up OS X to require a password on screensaver/sleep and set the screensaver to activate after just a few minutes, but my son swears he saw somebody move the mouse pointer and activate the login window today when I was sleeping (I take care of his disabled sister and keep odd hours). They didn't get past the login screen, but I don't understand how they could even start a screensharing session now that I've turned that off in the system preferences.
Now I'm paranoid that there is some sort of daemon running on my system that allows them access despite me turning off my services, and if there's a key logger or something similar active that they might be getting my new passwords as I scramble around trying to make sure everything is secure.
My iMac is one of three Macs behind an AirPort administered LAN with NAT and DHCP and I've set a different IP address from my iMac as the default host, but I'm terrified that this is going to happen again. I already had my AirPort locked down to where only devices with known MAC addresses can connect (and WPA2), but I don't think this is somebody accessing my wifi network (I live very rural with my closest neighbor at least a few thousand feet away). I think the most likely way I was compromised was by looking for a Doctor Who episode via kat.cr while I had forgotten my adblocker/ghostery were temporarily turned off. I remember being bombarded by a bunch of sketchy pop-ups before I realized I needed to re-enable them.
My paypal is tied to my bank account, and I'm currently waiting on the funds to trickle their way back from gyft to paypal so I can transfer them back to my bank. Everybody involved was kind enough to undo the damage, but I'm still going to be out some banking fees, and I don't know if the merchants and banks involved would be so kind if this happened again.
The help I'm looking for is this: Are there any particular clues I can look for as to key loggers or hidden screensharing processes? Are there any settings I should be looking at on my AirPort to make it more secure?
And finally, are there any logs I can look at to try to get an IP address or something that can point to the asshats that did this?
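On the question of logs that can point at the remote party: the Screen Sharing service (screensharingd) records each VNC authentication attempt together with the viewer's address, so summarising those lines is the quickest way to see who connected and when. The script below is an added example, not code from the original post; it assumes the syslog-style line format shown in the comment, the sample lines are constructed, and the home LAN range 10.0.1.0/24 is an assumption since the post does not give it.

```shell
#!/bin/sh
# Summarise Screen Sharing (VNC) authentication events from /var/log/system.log.
# Assumed line format written by screensharingd:
#   <Mon> <day> <time> <host> screensharingd[<pid>]: Authentication: <RESULT> :: User Name: <u> :: Viewer Address: <ip> :: Type: <t>
# The lines below are CONSTRUCTED sample data standing in for
#   grep screensharingd /var/log/system.log
SAMPLE_LOG='Mar  3 03:12:41 imac screensharingd[512]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 203.0.113.45 :: Type: DH
Mar  3 03:12:59 imac screensharingd[512]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 203.0.113.45 :: Type: DH
Mar  3 03:13:20 imac screensharingd[512]: Authentication: SUCCEEDED :: User Name: dad :: Viewer Address: 203.0.113.45 :: Type: DH
Mar  3 14:02:07 imac screensharingd[640]: Authentication: SUCCEEDED :: User Name: dad :: Viewer Address: 10.0.1.7 :: Type: DH'

# Print one line per (viewer address, result): how many times it occurred and the
# timestamp of the most recent occurrence.  Argument: the raw log text.
summarize_vnc_auth() {
    printf '%s\n' "$1" | awk '
        /screensharingd\[[0-9]+\]: Authentication:/ {
            ts = $1 " " $2 " " $3          # month, day, time
            result = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Authentication:") result = $(i + 1)   # SUCCEEDED / FAILED
                if ($i == "Address:")        ip = $(i + 1)       # viewer IP
            }
            key = ip " " result
            count[key]++; last[key] = ts
        }
        END { for (k in count) printf "%s count=%d last=\"%s\"\n", k, count[k], last[k] }
    ' | sort
}

# List every address OUTSIDE the home LAN that authenticated successfully:
# these are the sessions worth taking to PayPal/gyft and the ISP.
# Assumption: the AirPort LAN is 10.0.1.0/24.
external_successes() {
    summarize_vnc_auth "$1" | awk '$2 == "SUCCEEDED" && $1 !~ /^10\.0\.1\./ { print $1 }'
}

summarize_vnc_auth "$SAMPLE_LOG"
external_successes "$SAMPLE_LOG"
```

On the affected Mac, replace SAMPLE_LOG with the output of `grep screensharingd /var/log/system.log` (and the rotated system.log.*.gz files via zgrep), since an attacker who disabled nothing else will still have left these lines behind.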