user plist file deleted by hackers

OnieBrand

macrumors newbie
Original poster
Jun 26, 2019
Hi,

I had an elderly friend come to me today to say his Mac had been hacked and they had changed his password. He thought they were security people and he followed their instructions (over the phone) until he saw they were in his banking system and then cut them off. They then told him they would not fix the Mac unless he gave them $10K. Thankfully he cut them off at that point.

I am a PC girl, so had a rummage and googled as much as I could.

It seems they have actually deleted his <username>.plist - I've been in terminal and had a look.

Is there any way to recover from this? He does not have his Recovery Key to change the password. Would that even work?

Thanks in advance.

Fishrrman

macrumors P6
Feb 20, 2009
Your elderly friend, of course, fell for a phone scam.
We don't know the "extent of the damage" to his/her files and OS setup.
One way to be sure is to "wipe the drive" and start with a clean version of the OS.
But your friend may have personal data that needs to be protected and saved before you do this.

I would backup the drive, then "nuke it and start over".
(PRINT THIS OUT)

1. Get an external USB drive
2. Download CarbonCopyCloner from here:
http://www.bombich.com/download.html
CCC is FREE to download and use for 30 days
3. Use CCC to create a cloned backup of the internal drive onto an EXTERNAL drive. Then disconnect that drive and "set it aside" for now
4. Reboot to "internet recovery":
a. power down
b. press power on button
c. IMMEDIATELY hold down "command-OPTION-R" and KEEP HOLDING IT DOWN until the internet symbol appears. A wifi password will be needed to get connected.
d. Give the MacBook time to "load up the software" via the internet. BE PATIENT.
5. OK, you will see the Mac utilities menu and the OS installer may already be loaded, BUT... DON'T try to use it yet.
6. Open Disk Utility from the Utilities menu.
7. In the upper left corner, there may be a popup menu with the choice "show all devices". If you see it, you need to choose that option.
8. Now, select the "uppermost" item in the list "on the left" that represents the PHYSICAL drive inside the MacBook. We're going to nuke it.
9. Click the erase button up above. Choose "Mac OS extended with journaling enabled", also GUID partition format.
10. Click the erase button. This erases the ENTIRE drive.
11. Now quit Disk Utility and re-open the OS installer.
12. Let the OS installer do its thing. WARNING: the MacBook may reboot more than once, and it will take a good bit of time. BE PATIENT.
13. When done, you'll see the initial setup screen.
14. Now have your friend create a NEW ACCOUNT for himself/herself. I would suggest that you DO NOT choose to "migrate the old data" from the backup drive (not yet), because we don't know what the scammers have changed. Migrating it over may RE-IMPORT the corruption (if there is any at all, we don't know that).

IF YOU CAN GET THIS FAR, you've got your friend up-and-running again on a "clean" OS install. There are ways to "get the old data back", but it's important to get "this far" first BEFORE you try to get that data back...

jtara

macrumors 68000
Mar 23, 2009
Story doesn't make sense.

If your friend's password was changed, how were you able to have "been in terminal, and taken a look"?

Smart thing is just take it to the Genius Bar, if you are near an Apple Store. They will figure out what WAS done - if anything.

ApfelKuchen

macrumors 68040
Aug 28, 2012
It's dangerous to speculate as to what was or was not done, or what the fix may be.

You've mentioned a Recovery Key, which suggests the disk has been encrypted. Now, we don't know whether it was encrypted prior to this incident, or whether the "hackers" encrypted it.

One way or the other, "honest" hackers would not do damage that they could not easily undo after receiving the ransom. Dishonest "hackers" may claim to have done all sorts of things to justify the ransom, but may have done little or no damage at all. Why do hard work when you have a gullible user on the other end of the phone?

A plist - properties list - is normally going to be regenerated with a default configuration if it's been deleted.

Further, presuming the answer to this post is accurate, you wouldn't be able to locate that plist file when booted into Recovery: https://apple.stackexchange.com/questions/229289/os-x-yosemite-10-10-3-username-plist-cant-be-found

You haven't told us what happens when you try to boot the Mac normally. This support article may give you some hints as to what may be going on: https://support.apple.com/HT204156

hobowankenobi

macrumors 6502a
Aug 27, 2015
Could be several things, hard to say with this info. They could have:

• Encrypted the drive
• Changed admin password
• Deleted admin account

What exactly do you mean by "recovery key"? If the drive has been encrypted, he is likely done. Need backups to restore. If you have been in Terminal, and could poke around...the drive is not encrypted.

How exactly did you boot or log in to get to Terminal? Or were you in single user mode?

If they changed the PW or deleted the user account (not the home directory, that is separate from the user account), it can be resolved.

FYI, user credentials are not kept in a .plist file. More involved than that.

Assuming you can boot to single-user mode... depending on what OS it is, the easiest way in would be to reset the setup assistant. This prompts the setup assistant to run, which allows making a new admin user account. Once you have a new user account, you can change the old account password, or recreate the user account, or recover the data, assuming it is there...

If you lost your admin access, you can do this process through the Safe Boot:

Boot into Single user mode (cmd+S). Run the following commands:

mount -uw /                   # remount the root volume read-write (single-user mode mounts it read-only)
rm /var/db/.AppleSetupDone    # remove the flag that tells macOS first-run setup has already completed
reboot                        # on the next boot, Setup Assistant runs and offers to create a new admin account


On next reboot the system will start the Setup Assistant again.


------

BTW....I know it is the meta these days, but it only confuses the issue to call everything hacking. There was no hacking.

This is a phone scam. They asked for permission to get access, and tricked the user into giving it, and likely his password too. I have seen it myself a few times.

Scary how folks will trust some random person that calls them. Have seen it happen to college students, as well as my own father...although everyone I have seen got cold feet before the intruder/scam artist could get far enough to lock them out of their own machine.

At this point, on a modern OS (Mac or Win) it is easier to trick—or "hack" if you must—the user than the computer. Sad, but true.
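ApfelKuchen's point about the deleted plist and hobowankenobi's note about where credentials live both come down to what the per-user record on disk actually contains. macOS stores each local account's directory-service record as a plist at /var/db/dslocal/nodes/Default/users/<username>.plist (readable only by root); the record carries the account attributes (name, uid, gid, home, shell, generateduid) and, for password-capable accounts, a ShadowHashData attribute holding the password hash container. The script below is an added example written for this thread, not code from any poster or from Apple: it parses a record in that format and classifies the account as intact, damaged, missing its password hash, or missing altogether, which is the triage you would want before deciding between the Setup Assistant reset and a full wipe. The sample records it builds are constructed placeholders (a 16-byte zero blob stands in for a real hash), and the key list it checks is a minimal set for this example, not Apple's full schema.

```python
import plistlib
import tempfile
from pathlib import Path

# macOS keeps each local account's directory-service record as a plist under
# this directory; the file name is the short user name.  Reading it on a live
# system requires root.  All sample data below is constructed for this example.
DSLOCAL_USERS = Path("/var/db/dslocal/nodes/Default/users")

# Attributes a usable local user record carries.  dslocal stores each value as
# a one-element array, which is why the helper below indexes [0].
REQUIRED_KEYS = ("name", "uid", "gid", "home", "shell", "generateduid")


def inspect_user_record(data: bytes) -> dict:
    """Parse one dslocal user record and report what it still contains."""
    record = plistlib.loads(data)

    def first(key):
        value = record.get(key)
        return value[0] if isinstance(value, list) and value else value

    missing = [k for k in REQUIRED_KEYS if not record.get(k)]
    return {
        "name": first("name"),
        "uid": first("uid"),
        "home": first("home"),
        "missing_keys": missing,
        # ShadowHashData is the password hash container; without it the account
        # cannot log in with a password until it is reset from another admin
        # account (for example one created via the Setup Assistant reset).
        "has_password_hash": bool(record.get("ShadowHashData")),
    }


def triage_account(username: str, users_dir: Path = DSLOCAL_USERS) -> str:
    """Classify the state of one local account from its record on disk."""
    path = users_dir / f"{username}.plist"
    if not path.exists():
        # The OP's symptom: the record file itself is gone, so the directory
        # service no longer knows the account.  The home folder under /Users
        # is a separate thing and may still be intact.
        return "record_missing"
    info = inspect_user_record(path.read_bytes())
    if info["missing_keys"]:
        return "record_damaged"
    if not info["has_password_hash"]:
        return "password_hash_missing"
    return "record_ok"


def make_sample_record(name: str, with_hash: bool = True) -> bytes:
    """Build a constructed dslocal-style record for offline testing."""
    record = {
        "name": [name],
        "uid": ["501"],
        "gid": ["20"],
        "home": [f"/Users/{name}"],
        "shell": ["/bin/zsh"],
        "realname": ["Sample User"],
        "generateduid": ["00000000-0000-0000-0000-000000000000"],
        "authentication_authority": [";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"],
    }
    if with_hash:
        # Placeholder bytes standing in for the real hash container.
        record["ShadowHashData"] = [b"\x00" * 16]
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


def demo() -> dict:
    """Walk the intact / no-hash / deleted states against a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        users = Path(tmp)
        (users / "intact.plist").write_bytes(make_sample_record("intact"))
        (users / "nohash.plist").write_bytes(make_sample_record("nohash", with_hash=False))
        return {
            "intact": triage_account("intact", users),
            "nohash": triage_account("nohash", users),
            "deleted": triage_account("deleted", users),
        }


if __name__ == "__main__":
    for user, state in demo().items():
        print(f"{user}: {state}")
```

On a real machine, run `triage_account("<username>")` as root from a working admin account on the booted system, or point `users_dir` at the same path on a clone or externally mounted copy of the disk; Python is not available in the Recovery environment itself. A result of `record_missing` with an intact /Users/<username> folder is the case where recreating the account (with the same short name and home folder) is the sensible fix, while `record_ok` means the login problem lies elsewhere, such as a changed password or FileVault.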

Fishrrman

macrumors P6
Feb 20, 2009
What follows is not "mac-related", but may help your friend in the future.

First, if he/she has a VOIP phone landline connection, sign up for NoMoRobo. It stops many scam callers in their tracks. The phone will ring one time, and then... nothing.

Next, get caller ID -and- a good phone answering machine.

Advise your elderly friend to NOT ANSWER THE PHONE unless he/she recognizes the caller (and even then, it could be spoofed).

Even the numbers of hospitals, etc. are being faked and spoofed now by scammers.

Personal experience follows:
I have a VOIP phone, but I almost never "answer it".
The incoming calls either go to NoMoRobo or the answering machine.
I will only "pick up" for a VERY few numbers that I recognize. Three or four.

That means that YOU can't call me directly.
You will have to speak to my answering machine first.
I might call you back (but sometimes I don't even call back people I know).

I have an old cell phone, but it's ALWAYS TURNED OFF 100% of the time, with a very few exceptions. I might make one or two calls PER YEAR on it. I only carry it in the car on longer trips. Otherwise, the battery has usually run out... ;)