Family member permitted remote Mac access to stranger on phone
March 8, 2024 7:10 PM
A family member allowed a stranger on the phone "into" their computer, thinking that the stranger was a legitimate rep for $big_internet_provider. They had access for hours, as far as I know. It is powered off, now.
It's a Mac, running something between macOS 10.15 and 12.
When I go to look at it, I know to sever wifi for an initial looksee. Beyond that, I don't have much experience.
Should I look around, run something like Malwarebytes? Clean OS install right off the bat? I'm aware of Migraine--should we just throw the whole thing out and start afresh?
Is there known lore about what kind of remote access these actors install, such that I should look at this or that first?
I'm comfortable with institutional, POSIX-style operating systems and hardware, but have no experience with consumer-targeted malware.
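The question above asks where to look first for whatever remote access the scammer installed. The following is an added example, written for this page and not code from the thread or any commenter. It scans the launchd persistence directories of a Mac disk: any client meant to survive a reboot needs a job plist under a LaunchAgents or LaunchDaemons directory, so those files are the first thing to read. It assumes the Mac is never booted again and its disk is mounted read-only on a clean machine (every path is resolved under a root you pass in), that the time of the phone call is known, and that the list of remote-support tool names is the editor's; the thread itself only ever names Zoho. The sample disk layout built by `demo()` is constructed, not from a real case.

```python
"""Offline triage of launchd persistence on a scammed Mac's disk (added example)."""
import os
import plistlib
import tempfile
import time
from pathlib import Path
from xml.parsers.expat import ExpatError

# Third-party persistence lives here; the sealed /System volume is skipped on purpose.
LAUNCHD_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")
USER_LAUNCHD_DIR = "Library/LaunchAgents"  # relative to each home directory in /Users

# Lower-cased name fragments of common remote-support clients (editor's list, an assumption).
REMOTE_TOOL_MARKERS = ("zoho", "teamviewer", "anydesk", "logmein", "screenconnect",
                       "connectwise", "splashtop", "ultraviewer", "rustdesk", "supremo")


def _program_of(job: dict) -> str:
    """Executable plus arguments the job runs, as one string."""
    parts = [str(job["Program"])] if "Program" in job else []
    parts += [str(a) for a in job.get("ProgramArguments", [])]
    return " ".join(parts)


def inspect_plist(path: Path, incident_start: float) -> dict:
    """Parse one launchd job; 'reasons' is empty when nothing stands out."""
    try:
        with path.open("rb") as fh:
            job = plistlib.load(fh)  # XML and binary plists alike
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dict")
    except (plistlib.InvalidFileException, ExpatError, ValueError, OSError) as exc:
        # A file launchd cannot read has no business in a persistence directory.
        return {"path": str(path), "label": None, "program": "",
                "reasons": [f"unparseable plist: {exc}"]}
    program = _program_of(job)
    reasons = []
    if path.stat().st_mtime >= incident_start:
        reasons.append("written during or after the incident window")
    haystack = f"{path.name} {job.get('Label', '')} {program}".lower()
    hits = [m for m in REMOTE_TOOL_MARKERS if m in haystack]
    if hits:
        reasons.append("remote-support client: " + ", ".join(hits))
    if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: launchd restarts it if killed")
    return {"path": str(path), "label": job.get("Label"), "program": program, "reasons": reasons}


def scan_launchd(root: Path, incident_start: float) -> list:
    """Return every job under ROOT's launchd directories that has at least one reason."""
    dirs = [root / d for d in LAUNCHD_DIRS]
    users = root / "Users"
    if users.is_dir():
        dirs += [home / USER_LAUNCHD_DIR for home in sorted(users.iterdir()) if home.is_dir()]
    findings = []
    for d in dirs:
        if d.is_dir():
            for plist in sorted(d.glob("*.plist")):
                info = inspect_plist(plist, incident_start)
                if info["reasons"]:
                    findings.append(info)
    return findings


def demo() -> list:
    """Build a constructed disk layout in a temp dir and scan it (sample data, not a real case)."""
    now = time.time()
    incident_start = now - 6 * 3600  # the call happened about six hours ago
    with tempfile.TemporaryDirectory(prefix="mac-triage-") as tmp:
        root = Path(tmp)
        agents = root / "Library" / "LaunchAgents"
        agents.mkdir(parents=True)

        def write(name: str, job, mtime: float) -> None:
            p = agents / name
            if isinstance(job, dict):
                with p.open("wb") as fh:
                    plistlib.dump(job, fh)
            else:
                p.write_bytes(job)
            os.utime(p, (mtime, mtime))

        # Legitimate updater installed months ago: no reason to flag it.
        write("com.example.updater.plist",
              {"Label": "com.example.updater", "StartInterval": 3600,
               "ProgramArguments": ["/Applications/Example.app/Contents/Helpers/updater"]},
              now - 90 * 86400)
        # Constructed stand-in for a remote-support agent dropped during the call.
        write("com.zohoassist.unattended.plist",
              {"Label": "com.zohoassist.unattended", "RunAtLoad": True, "KeepAlive": True,
               "ProgramArguments": ["/Applications/RemoteSupport.app/Contents/MacOS/agent", "-daemon"]},
              now - 3600)
        # Junk launchd cannot parse: flagged regardless of age.
        write("broken.plist", b"not a property list", now - 400 * 86400)
        return scan_launchd(root, incident_start)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["label"], f["program"])
        for r in f["reasons"]:
            print("   -", r)
```

Run it against the mounted disk with `scan_launchd(Path("/Volumes/VictimDisk"), incident_start)`; the findings are a reading list, not a verdict, and the thread's consensus (wipe and reinstall after copying data off) still holds whatever the scan shows. Login items, browser extensions and any Zoho/remote-support app bundle in /Applications are the next places to look.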
Have they frozen all their bank accounts, credit cards, etc? Everything touching money? Amazon account?
posted by clew at 8:34 PM on March 8, 2024 [11 favorites]
Response by poster: Thanks, all--I'll not be onsite until Sunday, Pacific time. I have nothing but compassion for this person, so, we'll just do what we need to do and press on. I'll see what credentials we can change, meantime.
posted by german_bight at 10:23 PM on March 8, 2024 [3 favorites]
They almost certainly took account numbers for banks, retirement accounts, IRS, Social Security numbers, every password stored, esp. email. Many accounts send an email with a verification code. Shut down, lock down every possible account, put credit warnings on the credit reporting companies, IRS, banks. Change every password and every security question.
They may have left software that will let them back in, so back up all data and store, then reinstall everything from the OS up. Geek Squad at Best Buy might be useful. I'm so sorry they were scammed; it happens to tons of people. The main thing is to act immediately.
posted by theora55 at 8:21 AM on March 9, 2024 [3 favorites]
These days social media accounts are just as valuable as access to cash. They'll need to lock down their socials if they haven't already. If they were logged in during this time, they could be compromised and unknowingly selling more scamware to their friends.
Your family member might need to re-request access to them if they can, as the scammer may have already changed the password/email. For some accounts this might not be possible and the account might be lost. Once passwords have been changed, log out of all devices from within each account, and maybe post something to the effect of "I've been hacked, if you got a message from me recently, please don't click on anything".
Once you have the space and breathing room, definitely get them to enable 2- or 3-factor authentication in as many places as possible.
posted by fight or flight at 8:25 AM on March 9, 2024
I would never let that kernel boot up again. Pull the hard disk, copy important files using another computer, wipe the disk and reinstall everything.
posted by qxntpqbbbqxl at 10:56 AM on March 9, 2024 [3 favorites]
Have they frozen all their bank accounts, credit cards, etc? Everything touching money? Amazon account?
This. Plus change passwords on everything they use passwords for. Facebook. Amazon. The bank. The public library. Their ISP. Gmail. Anything accessed through the computer.
They were likely looking for logins, rather than installing malware. Still, it's a good idea to nuke it and clean reinstall.
posted by Thorzdad at 12:58 PM on March 9, 2024 [4 favorites]
Check for rules in their email too; they could be forwarding everything to another email address.
Use Google's/Facebook's/etc. tools to log you out of all sessions in addition to changing passwords.
posted by noloveforned at 2:50 PM on March 9, 2024 [3 favorites]
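The advice above to check for mail rules is the one that turned out to matter in this thread (the poster later found a forward rule to an outside Gmail account). The following is an added example, written for this page and not code from the thread or any commenter. Gmail's Settings > Filters and Blocked Addresses > Export (and Google Takeout) produce an Atom XML file in which each filter is an `<entry>` holding `<apps:property name=... value=...>` elements; a forward rule appears as a property named `forwardTo`, and a rule that hides mail sets `shouldArchive` or `shouldTrash`. The code audits such an export for both. The sample export, the victim and collector addresses in it, and the keyword list for "hide the evidence" rules are constructed by the editor, not taken from the thread.

```python
"""Audit an exported Gmail filter list for forwarding and hide rules (added example)."""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Property names that describe what a filter matches on.
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
# Words a rule that hides account-security mail tends to match on (editor's list, an assumption).
SENSITIVE_WORDS = ("password", "verif", "security", "sign-in", "signin", "login", "log in",
                   "reset", "unusual", "new device")

# Constructed sample export: one harmless newsletter filter, one forward rule, one hide rule.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='to' value='victim@example.com'/>
    <apps:property name='forwardTo' value='collector.placeholder@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR verification code OR "new sign-in"'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_data) -> list:
    """Return one {property name: value} dict per filter entry in the export."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    return [{p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
            for entry in root.iter(ATOM + "entry")]


def audit_filters(filters: list, known_forwards=()) -> list:
    """Flag filters that forward mail anywhere not on the owner's known list, and filters
    that archive or trash mail whose criteria look like account-security notices."""
    known = {k.lower() for k in known_forwards}
    findings = []
    for props in filters:
        reasons = []
        criteria = {k: props[k] for k in CRITERIA if props.get(k)}
        hides = props.get("shouldTrash") == "true" or props.get("shouldArchive") == "true"
        action = "trashes" if props.get("shouldTrash") == "true" else "archives"
        target = props.get("forwardTo")
        if target and target.lower() not in known:
            reasons.append(f"forwards matching mail to {target}")
            if hides:
                reasons.append(f"and {action} the original so the owner never sees it")
        elif hides and any(w in " ".join(criteria.values()).lower() for w in SENSITIVE_WORDS):
            reasons.append(f"{action} mail matching security-sounding criteria")
        if reasons:
            findings.append({"criteria": criteria, "reasons": reasons, "props": props})
    return findings


def demo() -> list:
    """Audit the constructed sample with no pre-approved forwarding addresses."""
    return audit_filters(parse_filters(SAMPLE_EXPORT))


if __name__ == "__main__":
    for f in demo():
        print(f["criteria"])
        for r in f["reasons"]:
            print("   -", r)
```

For a real account, export the filters from the Gmail settings page and pass the file contents to `parse_filters`. The export only contains filters: account-level forwarding (Settings > Forwarding and POP/IMAP), the recovery phone and email, app passwords and the signed-in devices list are not in it and have to be reviewed in the account settings directly, which is also where the "sign out of all sessions" step belongs.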
Along with resetting passwords and 2FA everywhere and changing their security question, they need to reset their prompts for security questions to nonsense. Favorite dog's name? Yosemite. Favorite food? Gravel. Etc. Most of us use stuff from our lives for our security questions - of course! - and that info is going to be all over your computer.
Is there anyone that has a call-in PIN that might have been stored in a file on the computer or would be something obvious like a birthday? For example, if you call into Verizon customer service, they require a PIN. That needs to be reset.
Speaking of, y'all need to come up with a list of anyone that your loved one calls for customer service on a regular or even irregular basis. It's not just changing logins - the scammer likely now has enough information to call anyone and pretend to be your loved one. Birthdate and social (or even just the last 4) and address will get you into 95% of accounts (all I need to talk to the VA on the behalf of my wife is her name and last 4).
posted by joycehealy at 3:11 PM on March 9, 2024 [2 favorites]
Response by poster: I was able to wrest back primary email account creds yesterday, and then reinstalled the OS on the computer today.
The attack, from what I can see, was simple: they socially engineered my family member on the phone to install Zoho, then logged in from there. They then reset the primary email account password, and put in a forward rule to some gmail account.
Ongoing audit / monitoring of institutional accounts continues, the two big ones I knew to address have been addressed.
Sincere thanks again for your responses!
posted by german_bight at 7:27 PM on March 10, 2024 [3 favorites]
But the odds are high that there is no backup solution so that will probably just be painful.
You need to probably get them to change their passwords for everything from another computer, if possible. It's going to suck.
I hope others can chime in with more comprehensive ideas.
posted by Alensin at 7:24 PM on March 8, 2024 [1 favorite]