The word virus gets thrown around a lot but...

Discussion in 'macOS' started by MacBoobsPro, Nov 20, 2009.

  1. MacBoobsPro macrumors 603
    #1
    My cousin has an iMac; he's not the most computer-literate but he's not an idiot either.

    Last week his Googlemail password and Facebook password got changed and he was locked out of both. Because his email was locked out we couldn't reset his Facebook password until we sorted his email. It took a lot of effort to figure it out but eventually I got it sorted by giving some bloke at Google the answer to some easy questions and the password was reset.

    Everything was fine.

    Today I get a call saying his email password has changed again (different password from before) and now his Hotmail account (set up as a back up) has been hacked too. His Facebook profile is fine and I'm thinking that's because we had to jump through hoops to reset the password for it and the hacker doing all this crap can't be bothered. The Googlemail password reset by Google was easily sorted by answering a few simple questions so my guess is whoever is doing this did the same thing to rehack it.

    My cousin says he has not let anyone onto his computer, he doesn't use his Googlemail etc. on public computers and he is on a wired internet connection.

    The only things I can think of are:
    1. that someone has had access to his computer at some point and wants to piss him off for some reason. However they must be really pissed at him as they have now cracked his password since we changed it.

    2. There is a remote hacker, literally hacking and tracking his mac and watching what he does on screen.

    3. Or there is a virus or trojan that is tracking and changing his stuff (for what gain I'm not sure) but I am not aware of any on the Mac that can do this.


    What do you guys think is going on? There is a little side story here but I wont mention it until I get a few answers as it may sway the replies to the question.

    Intriguing isn't it? :p

    UPDATE: His facebook has now gone too. :(
     
  2. r.j.s Moderator emeritus
    #2
    Someone either has access to the machine or the network.
     
  3. MacBoobsPro thread starter macrumors 603
    #3
    It's a wired network straight to his Mac and he lives on his own. Why do you say this?
     
  4. r.j.s Moderator emeritus
    #4
    Unless there is someone social engineering him, this makes the most sense if it happened after the password was changed.

    There are keyloggers for the Mac, is it possible that someone installed one on his machine?
     
  5. MacBoobsPro thread starter macrumors 603
    #5
    I doubt there's any social engineering going on as after the other day he has battened down the hatches, but it has still been cracked.

    It is possible a keylogger is on there after downloading something, but what does changing his facebook and email passwords give the keylogger writer? Keyloggers are supposed to be stealthy but changing the password just tells him something is not right.
     
  6. harperjones99 macrumors 6502
    #6
    Were his passwords the same or obvious? It doesn't take much to find all of someone's emails and sites if they use the same name too. I don't think two public sites being compromised means his actual computer is compromised. You said he is not using wireless and nobody else has access to the machine, so it makes the most sense that someone was able to get into one thing and use this info to get into more.

    If he ever logged into either of those on a public network or someone else's computer there is an opportunity for them to get login info also.
     
  7. MacBoobsPro thread starter macrumors 603
    #7
    Originally his email and facebook were the same and easily cracked if you knew him. Since then we created a new more cryptic password and it too got cracked. However his hotmail password was totally different and that has now gone too.
     
  8. r.j.s Moderator emeritus
    #8
    If he was socially engineered, changing just the password won't do much, as you said, the security questions are the same.

    Keyloggers often send their logs to the writer. So, when the hacker gets a file from the machine with:
    www.gmail.com
    username
    password

    They've got the new password. If the machine is compromised that way, changing the password will not help.

    Keylogger makes more sense here.

    I'd try something like Little Snitch to see what traffic is going out.
     
  9. MasterDev macrumors 65816
    #9
    Could have been phished... And it could have been good to a point where he didn't know it was a bad site.

    Also, his Facebook email address is probably the hotmail one, so usually they try the email address they have and that password on multiple popular social networking sites.

    EDIT: Posted too late...

    Anyways, I agree with r.j.s... Check to see what exactly is going on in the network.
     
  10. MacBoobsPro thread starter macrumors 603
    #10
    Hmmm.... that is interesting (and disconcerting). But why change them? Why not just use them to access his bank details etc? This is what confuses me.
     
  11. thegoldenmackid macrumors 604
    #11
    Keylogger would be my guess. Any other strange things going on besides internet passwords?
     
  12. r.j.s Moderator emeritus
    #12
    By changing them, they have locked him out of his life, by not being able to get into email accounts that he uses to manage different things, he cannot see what they are doing, and cannot do anything about it. It's a distraction.

    They may have accessed bank details (or are planning to).

    By the time he gets back into the email, the real damage is done, all he can do is sit and look at the remains.
     
  13. cjmillsnun macrumors 68020
    #13
    My guess is that he is entering passwords "in the clear".

    If you're on a site that requires a username or password, make sure that the prefix is https:// and that you have the padlock on the status bar (Firefox) or the top right hand corner (Safari).
     
  14. r.j.s Moderator emeritus
    #14
    You said there was other information that might be useful, what is it?
     
  15. MacBoobsPro thread starter macrumors 603
    #15
    Well he has recently split with his girlfriend. It wasn't a totally amicable split but it wasn't bad either. If she had accessed his computer at some point and it slipped his mind when I asked him about her using it (as far as he knows she didn't) she could be doing it to piss him off. But being grown adults it's not something that you would expect to happen.

    The reason I didn't mention this before is because everyone would say that is what it is and not offer any possible alternatives. I am quite sure it's not her as to keep trying to hack his passwords after we changed them takes a bit of work for no real benefit for her.

    It's all a bit strange.

    I'll be wiping his Mac tomorrow and reinstalling everything and creating new accounts for him (each with their own passwords). I'll also give him the 101 on online security.

    Any more possibilities it could be I'd like to hear them to try and stop this happening again.
     
  16. r.j.s Moderator emeritus
    #16
    I don't think it would be the ex, after the password change.
     
  17. ViViDboarder macrumors 68040
    #17
    Probably checked for this already, but make sure there is no hardware keylogger as well. Anything plugged into the USB that you don't recognize?
     
  18. MacBoobsPro thread starter macrumors 603
    #18
    I haven't seen it but I very much doubt that as he lives on his own and would have spotted it if something random was hanging out of his Mac.
     
  19. ViViDboarder macrumors 68040
    #19
    Ok. As far as checking if there is anything on the computer sending data like a trojan or a hacker, try using a firewall. Set it to strict so that it asks you about every app that wants internet access. If anything you don't know comes up then you've found it. Also, go to Settings > Sharing and make sure you have all remote access options turned off. Assuming your friend doesn't SSH, RSH or VNC to his Mac.
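Posts #8 (watch what traffic is going out) and #19 (make sure nothing is listening for remote access) both come down to one snapshot of the Mac's network table. The following is an added example, not code from the thread or from Apple: it parses the output of `lsof -nP -i` and flags two things, services listening on a network-reachable address (the Sharing services) and established outbound connections from a process that is not expected to be on the network or that is using an unusual port. The lsof output below is constructed (documentation-range IP addresses, made-up PIDs), and `EXPECTED_TALKERS` is an assumption about what this particular Mac should be doing.

```python
"""Triage of `lsof -nP -i` output on a Mac: network-reachable listeners
(Sharing services) and outbound connections that do not fit.

Added example for this thread. SAMPLE_LSOF is constructed; EXPECTED_TALKERS
is an assumption about the machine being checked.
"""
import ipaddress

# Assumption: the apps this Mac is expected to have on the network.
EXPECTED_TALKERS = {"Safari", "Mail", "iTunesHelp", "mDNSRespo", "ntpd"}

# Ports a desktop normally talks to (web, mail, DNS, NTP); anything else
# from an unexpected process deserves a closer look.
COMMON_OUTBOUND_PORTS = {80, 443, 25, 587, 110, 143, 993, 995, 53, 123}

# Listening ports that belong to System Preferences > Sharing services.
REMOTE_ACCESS_PORTS = {
    22: "Remote Login (ssh)",
    5900: "Screen Sharing (VNC)",
    3283: "Apple Remote Desktop",
    548: "File Sharing (AFP)",
}

# Constructed sample in the layout `lsof -nP -i` prints on macOS.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1 root    9u  IPv6 0x0a1b2c3d4e5f6071      0t0  TCP *:22 (LISTEN)
launchd       1 root   10u  IPv4 0x0a1b2c3d4e5f6072      0t0  TCP *:5900 (LISTEN)
cupsd        60 root    7u  IPv4 0x0a1b2c3d4e5f6073      0t0  TCP 127.0.0.1:631 (LISTEN)
mDNSRespo   312 _mdnsresponder 8u IPv4 0x0a1b2c3d4e5f6074 0t0 UDP *:5353
Safari      845 bob    21u  IPv4 0x0a1b2c3d4e5f6075      0t0  TCP 192.168.1.20:49321->198.51.100.7:443 (ESTABLISHED)
Mail        901 bob    15u  IPv4 0x0a1b2c3d4e5f6076      0t0  TCP 192.168.1.20:49400->198.51.100.23:993 (ESTABLISHED)
.helper     998 bob     3u  IPv4 0x0a1b2c3d4e5f6077      0t0  TCP 192.168.1.20:49611->203.0.113.45:6667 (ESTABLISHED)
Safari     1204 bob     9u  IPv4 0x0a1b2c3d4e5f6078      0t0  TCP 192.168.1.20:49700->203.0.113.9:8080 (ESTABLISHED)
"""


def parse_lsof(text):
    """Turn lsof's table into dicts; tolerates COMMAND names that contain spaces."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        tokens = line.split()
        # PID is the first all-digit token; everything before it is COMMAND.
        pid_idx = next((i for i, tok in enumerate(tokens) if tok.isdigit()), None)
        if pid_idx is None or len(tokens) < 9:
            continue
        state = tokens[-1].strip("()") if tokens[-1].startswith("(") else ""
        name_idx = -2 if state else -1
        local, _, remote = tokens[name_idx].partition("->")
        rows.append({"command": " ".join(tokens[:pid_idx]), "pid": int(tokens[pid_idx]),
                     "proto": tokens[name_idx - 1], "local": local,
                     "remote": remote, "state": state})
    return rows


def split_endpoint(endpoint):
    """'192.168.1.20:49321' -> ('192.168.1.20', 49321); '*:22' -> ('*', 22)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_loopback(host):
    if host == "*":                              # wildcard bind: reachable from the network
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def triage(rows, expected=EXPECTED_TALKERS):
    """Flag network-reachable listeners and outbound connections that do not fit."""
    findings = []
    for row in rows:
        host, port = split_endpoint(row["local"])
        if row["state"] == "LISTEN" and not is_loopback(host):
            findings.append({"kind": "listening", "command": row["command"], "pid": row["pid"],
                             "port": port, "service": REMOTE_ACCESS_PORTS.get(port, "unknown service")})
        elif row["state"] == "ESTABLISHED" and row["remote"]:
            rhost, rport = split_endpoint(row["remote"])
            unexpected = row["command"] not in expected
            odd_port = rport not in COMMON_OUTBOUND_PORTS
            if unexpected or odd_port:
                findings.append({"kind": "outbound", "command": row["command"], "pid": row["pid"],
                                 "remote": f"{rhost}:{rport}",
                                 "reason": "unexpected process" if unexpected else "unusual port"})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_lsof(SAMPLE_LSOF)):
        print(finding)
```

On the sample this reports ssh and VNC listening on all interfaces, an unknown `.helper` process connected to port 6667, and a second "Safari" talking to port 8080. Two caveats a practitioner should keep in mind: a process name is not an identity, so confirm the binary behind a PID with `lsof -p PID` or `ps -p PID -o comm=` before trusting or distrusting it; and anything that exfiltrates over 443 from a normal-looking name passes this filter, which is the limitation angelwatt raises in #22. Little Snitch prompts per application at connect time, which a one-off snapshot like this cannot replace.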
     
  20. MacBoobsPro thread starter macrumors 603
    #20
    Everything will be default Leopard settings with regards to sharing and security etc. I installed Leopard for him from scratch around 2 years ago and he wouldn't know where to start and is not willing to go into those preferences anyway.

    I set the Safari 'open safe files' to off as its on by default.

    This is why I'm stumped. However it is likely he installed something (giving it his password along the way). I'll be putting Snow Leopard on it for him and I'll tell him what to be aware of on the net.
     
  21. topmounter macrumors 68020
    #21
    Gmail always uses HTTPS for the login even when you go to http://mail.google.com. You can also login using https://mail.google.com and all of your traffic is encrypted, not just the login.

    Facebook does NOT use HTTPS by default for the login, unless you specifically type https://www.facebook.com. So it is plausible that someone managed to poach his Facebook username and password somewhere along the line.

    I don't know what the options are with Hotmail, but surely they use HTTPS by default for the login process.

    And when you say "Its a wired network straight to his Mac", does that mean he has his own cable or dsl modem? I just wanted to make sure he didn't live in an apartment complex that was wired for Ethernet and included Internet access free in the rent.

    I always hear these "keylogger" accusations, but how often is the culprit actually a keylogger?

    edit... I'd also make sure he had a login password setup, just in case someone has a key to his place (previous resident, property manager, etc.) and they're accessing the computer directly.
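Posts #13 and #21 turn on the difference between a login form submitted over http:// and one submitted over https://. The following is an added example, not code from the thread: it shows what anyone able to see the traffic (the shared-Ethernet building topmounter asks about, or any hop in between) can lift from a single captured TCP payload in each case. Both payloads are constructed: the form field names imitate a typical login form, the hostname is a reserved placeholder, and the "HTTPS" payload is a hand-built TLS application-data record rather than real Facebook or Gmail traffic.

```python
"""What a passive observer recovers from a login over plain HTTP versus TLS.

Added example for this thread. HTTP_LOGIN_POST and TLS_APP_DATA are constructed;
the host and cookie names are placeholders, not real sites or values.
"""
from urllib.parse import parse_qs

# Form fields whose values are worth stealing; other fields are ignored.
CREDENTIAL_FIELDS = {"email", "user", "username", "login", "pass", "passwd", "password", "pwd"}

# Constructed: a login POST exactly as it crosses the wire when the page is http://.
_FORM_BODY = b"email=bob%40example.test&pass=S3cret%21&persistent=1"
HTTP_LOGIN_POST = b"\r\n".join([
    b"POST /login.php HTTP/1.1",
    b"Host: www.social.example",
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length: %d" % len(_FORM_BODY),
    b"Cookie: datr=abc123",
    b"",
    _FORM_BODY,
])

# Constructed: a TLS application-data record (type 0x17, version 3.1, 32-byte
# payload). The observer sees the destination and the record framing; the
# request inside it is ciphertext.
TLS_APP_DATA = b"\x17\x03\x01\x00\x20" + bytes.fromhex("8f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def inspect_payload(payload):
    """Return what a passive observer can read out of one TCP payload."""
    nothing = {"cleartext_http": False, "host": None, "credentials": {}, "cookies": {}}
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return nothing
    try:
        request_line, *header_lines = head.decode("ascii").split("\r\n")
        method, path, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return nothing
    if not version.startswith("HTTP/"):
        return nothing

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    credentials = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("utf-8", "replace"))
        credentials = {k: v[0] for k, v in form.items() if k.lower() in CREDENTIAL_FIELDS}

    # A session cookie in the clear is nearly as good as the password: it lets the
    # observer ride the logged-in session without ever learning the password.
    cookies = dict(part.strip().split("=", 1)
                   for part in headers.get("cookie", "").split(";") if "=" in part)

    return {"cleartext_http": True, "host": headers.get("host"), "method": method,
            "path": path, "credentials": credentials, "cookies": cookies}


if __name__ == "__main__":
    for label, payload in (("http", HTTP_LOGIN_POST), ("tls", TLS_APP_DATA)):
        print(label, inspect_payload(payload))
```

The HTTP payload yields the email address, the password and the session cookie; the TLS record yields none of them. Note the cookie point: even a site that protects the login page with HTTPS but then serves the logged-in pages over HTTP hands the session cookie to the same observer on every subsequent request, which is why the padlock needs to stay on after login, not just on the login form.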
     
  22. angelwatt Moderator emeritus
    #22
    That wouldn't really help. The firewall is about blocking things from coming in, not going out. LittleSnitch blocks things from going out. Though, even LittleSnitch may not detect a key logger sending data out depending on its sophistication.

    There's a potential a key logger was installed after falling for a phishing scam or the potential trojan got onto his machine. This would be able to account for the hacker knowing the new account info. That said, I doubt it's a key logger issue. One possibility is that they are taking advantage of some Hotmail or Facebook weakness to steal people's info when logging in.

    I generally setup a local SSH tunnel as a SOCKS proxy for all of my web traffic so everything is encrypted. It's not the easiest thing to setup for casual users though.
     
  23. aristobrat macrumors G5
    #23
    That's kind of what I was thinking, too. IIRC, even if he's creating new passwords for his websites, if they're being stored in his Mac's keychain, anyone that knows his Mac's password can view the website passwords.

    It's obvious this isn't just random hacking, ... someone's really making his life miserable. :(

    NPR ran a story the other week about how for $100 or so, "websites" can give you just about anyone's gmail password. Essentially, the hacker does brute force guessing via IMAP/POP3, which apparently doesn't lock the account after so often.

    The whole interview is here. Neat read.
    http://www.npr.org/templates/story/story.php?storyId=112679747
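The NPR story aristobrat cites comes down to one property: an authentication endpoint that never locks or throttles lets an attacker try every guess in a wordlist as fast as the network allows. The following is an added example, not from the thread or from any mail provider, that simulates an online guessing attack against a toy IMAP/POP3-style LOGIN check with and without a per-account lockout. `MailAuth` is a constructed stand-in for the server, the account and the 4000-entry wordlist are made up, and the 50 ms per attempt and the 15-minute lockout are assumptions.

```python
"""Online password guessing against a mail login, with and without lockout.

Added example for this thread. MailAuth, ACCOUNTS and WORDLIST are constructed;
per_attempt_ms and lockout_ms are assumptions about server round-trip and policy.
"""
import secrets


class MailAuth:
    """A toy IMAP/POP3-style authenticator with an optional per-account lockout."""

    def __init__(self, accounts, lockout_threshold=None, lockout_ms=15 * 60 * 1000):
        self.accounts = accounts              # user -> password (plaintext only because it is a toy)
        self.threshold = lockout_threshold    # None = never lock, the behaviour described in #23
        self.lockout_ms = lockout_ms
        self.failures = {}                    # user -> consecutive failures
        self.locked_until = {}                # user -> time (ms) at which the lock expires

    def login(self, user, password, now_ms):
        if self.locked_until.get(user, 0) > now_ms:
            return "LOCKED"
        expected = self.accounts.get(user)
        if expected is not None and secrets.compare_digest(expected, password):
            self.failures.pop(user, None)
            return "OK"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.threshold is not None and self.failures[user] >= self.threshold:
            self.locked_until[user] = now_ms + self.lockout_ms
            self.failures[user] = 0
        return "NO"


def time_to_crack(auth, user, wordlist, per_attempt_ms=50):
    """Walk the wordlist the way a brute-forcer does; when locked out, wait for the
    lock to expire. Returns (guesses_made, time_of_success_ms), or (n, None)."""
    now = 0
    guesses = 0
    for guess in wordlist:
        result = auth.login(user, guess, now)
        while result == "LOCKED":
            now = auth.locked_until[user]       # the attacker simply waits it out
            result = auth.login(user, guess, now)
        guesses += 1
        if result == "OK":
            return guesses, now
        now += per_attempt_ms
    return guesses, None


# Constructed: 4000 guesses, the real password being the last one, i.e. a weak
# password that a common wordlist reaches after a few thousand tries.
WORDLIST = [f"summer{i:04d}" for i in range(3999)] + ["letmein1"]
ACCOUNTS = {"cousin@example.test": "letmein1"}


def compare():
    """Same attack against a server with no lockout and one that locks after 5 failures."""
    no_lockout = time_to_crack(MailAuth(ACCOUNTS), "cousin@example.test", WORDLIST)
    with_lockout = time_to_crack(MailAuth(ACCOUNTS, lockout_threshold=5),
                                 "cousin@example.test", WORDLIST)
    return no_lockout, with_lockout


if __name__ == "__main__":
    (g1, t1), (g2, t2) = compare()
    print(f"no lockout:    {g1} guesses, cracked after {t1 / 1000:.0f} s")
    print(f"5-try lockout: {g2} guesses, cracked after {t2 / 86_400_000:.1f} days")
```

With no lockout the 4000th guess lands after about 200 seconds; with a 5-failure, 15-minute lockout the same wordlist takes over eight days, and a longer list scales the same way. The flip side is why real providers rarely hard-lock: a per-account lockout lets anyone lock the legitimate owner out by deliberately failing, and it does nothing against trying one password across thousands of accounts. Throttling per source address and per account, with step-up checks such as CAPTCHAs or a second factor, is the usual compromise, and it has to apply to IMAP and POP3 just as much as to the web login.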
     
  24. MacBoobsPro thread starter macrumors 603
    #24
    So to continue the story, I went round Saturday, wiped his computer and reinstalled everything from scratch. We created brand new accounts for everything with brand new and much stronger passwords. I cranked up the firewall to max, turned off his airport card.

    Everything seemed ok then on Sunday I got a call saying he received an email (to his new address he had not even told anyone about yet), from his old email account saying 'Ha!'.

    What the hell is going on? :confused:

    I think because of the new passwords and stuff they can no longer mess with his accounts, but to get his new email address without him telling anyone about it is freaky!

    Oh and his Facebook page has completely vanished! :mad:
     
  25. angelwatt Moderator emeritus
    #25
    At this point you may want to get the authorities involved along with the owners of Facebook and Hotmail to see if they can aid in this. I doubt the Mac is the weak link here since you've wiped it. The network is likely the weak link, but I'm not sure how to advise troubleshooting over a forum.
     