iMac was hijacked by fake Canon Tech Support Chat


13 replies to this topic

#1 jeanierenae


Posted 24 March 2017 - 01:38 PM

Hi,

My iMac was hijacked yesterday when I went to Canon tech support for help with a software problem. I thought I was chatting with a legit tech support person. I let them remotely control my computer for an hour and charge my credit card for the help. I contacted Canon by phone after to confirm that I was hijacked. Now I know that my computer has been compromised, but I do not know what they've done to it.

My iMac is running OS X El Capitan Version 10.11.6.

I am a photographer and have 7 external hard drives connected to the system. (This is pretty usual.)

I am backed up by Backblaze.com and use Dropbox regularly.

My business website is generated by Smugmug and houses photo and video backup as well.

I have 4 Apple computers, 3 iPhones, an iPad and a PC computer connected to my network most of the time.

I've changed my passwords on all 4 Mac computers on my IP address. I've turned on the FileVault app on my iMac computer (the affected system) and run the encryption (but after the compromise happened). I've turned internet/wifi off on the iMac that was affected. I am running a new scan on Sophos, but it takes a long time because of the number of hard drives connected to my system, so it isn't complete since this happened. I ran Malwarebytes Anti-Malware and it shows that there are no threats.

I expect that this hijacker has done some damage to the depths of my hard drive but it is too soon to tell what may have been done.

Please help me know what steps I should take to protect my computer, curtail any problems that may happen and resolve any problems that I can't yet see. I hope I've provided the pertinent information needed to get the help I need.

I appreciate any help you can give me. Thank you so much!

Sincerely,

jeanierenae




#2 buddy215


Posted 24 March 2017 - 05:37 PM

You gave your CC to criminals. That should be your main concern. First, dispute the charges. That has been successful.

I suggest you consider cancelling that CC.

On Windows computers the criminals install one or two junkware programs that they charge for. The criminals may even continue to charge your CC yearly or even monthly for "support services".

Other than the above I can't tell you what programs they may attempt to install on Macs. Part of their scam involves using your email account to send YOUR confirmation agreeing to purchasing whatever they were selling. You should look for that.

They would have had you install a program to use to remotely access your computer, too. Which you are aware of. I suggest removing that program...if you haven't already done so....along with whatever junkware the criminals installed.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” (Lawrence M. Krauss)
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 jeanierenae


Posted 24 March 2017 - 06:04 PM

Thank you so much for your quick reply.

Yes, I immediately disputed the CC charges and canceled my card, so they shouldn't be able to continue charging me.

I've also filed a complaint with the FBI's Internet Crime Complaint Center for what it's worth. And I put up a "Google" notice where I saw another person's similar problem with this same company hijacking them while looking for support at HP just last week.

I did remove the remote access program they used on my iMac. I am not sure how to find the junkware they may have installed. Is there a process to detect this?

I am also wondering if there could be any invisible bugs they could have placed into my system...is there a process to determine this other than the usual antivirus and malware software that I am already running? (Sophos Home and Malwarebytes.)

Do you think it is safe to run my computer as normal or should I take more precautions?

Thank you so much!!!



#4 buddy215


Posted 24 March 2017 - 06:24 PM

I seriously doubt any malware was installed. Really, MBAM and other such security programs work well on finding and removing Windows platform malware and as far as I know on Macs that malware doesn't work. But those programs will prevent Mac computers from spreading the malware to Windows users.

Really there is no way for you and me to know except you watching what files they accessed that could be used for financial gain such as banking passwords, or account info for, say, Amazon or other stores.

If you found the email the criminals sent themselves it may mention the names of any programs they may have installed....if any. Other than that...reviewing the list of installed programs should confirm what was installed if anything. I'm not a Mac user so if you need help with finding a list of recently installed programs....then I can ask other members here for that or you can ask in the Mac OS forum here at BC.


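The post above asks how to find recently installed programs on a Mac. As an added example (not from this thread or any of its posters), here is a read-only triage script that lists application bundles and launchd job files changed in the last few days, which is where a remote-control tool or "junkware" left behind by a support-scam session would normally show up. The directory paths in `triage_mac` are assumptions for OS X El Capitan.

```shell
#!/bin/sh
# Added example: read-only macOS triage. Lists what was added or changed on
# disk within the last DAYS days. Paths in triage_mac are assumptions for
# OS X El Capitan; nothing here deletes or modifies files.
# Usage: sh mac_triage.sh [DAYS]   (default: 3)

# Print .app bundles directly under DIR modified within the last DAYS days.
recent_apps() {
  dir="$1"; days="$2"
  find "$dir" -mindepth 1 -maxdepth 1 -name '*.app' -mtime "-$days" 2>/dev/null | sort
}

# Print "PLIST -> PROGRAM" for each launchd job file under DIR modified within
# the last DAYS days. PROGRAM is the Program key, or the first ProgramArguments
# entry; that is the binary launchd starts at boot or login, so it is the thing
# to look at (and to compare against what the remote session installed).
recent_launch_items() {
  dir="$1"; days="$2"
  find "$dir" -mindepth 1 -maxdepth 1 -name '*.plist' -mtime "-$days" 2>/dev/null | sort |
  while IFS= read -r plist; do
    prog=$(awk '/<key>Program(Arguments)?<\/key>/ { want = 1 }
                want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' "$plist")
    printf '%s -> %s\n' "$plist" "${prog:-none found}"
  done
}

# Walk the usual application and persistence locations (assumed paths).
triage_mac() {
  days="${1:-3}"
  echo "== Applications modified in the last $days day(s) =="
  recent_apps /Applications "$days"
  recent_apps "$HOME/Applications" "$days"
  echo "== launchd jobs modified in the last $days day(s) =="
  for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
    recent_launch_items "$d" "$days"
  done
}

# Only run the walk on macOS, so the functions can be reused on other systems.
if [ "$(uname)" = Darwin ]; then triage_mac "$1"; fi
```

Anything listed that you do not recognise is worth checking before reconnecting the machine; the launchd entries are the ones that survive a reboot.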

#5 buddy215


Posted 24 March 2017 - 06:44 PM

I use CCleaner in Windows. Using its Tools you can see a list of installed programs and you can delete them by simply clicking on the program you want to uninstall and then choose uninstall on the right. You can use CCleaner in your Mac, too. On Windows it gives the date of install for each program. It may do the same on a Mac.

CCleaner for Mac - Piriform

On Windows you would need to UNcheck the install of Google Toolbar during the install of CCleaner. Be sure to watch for that or similar extra piece of software and UNcheck to prevent the install.



#6 jeanierenae


Posted 24 March 2017 - 07:00 PM

Oh, thank you buddy215! I didn't realize I wasn't in the Mac forum, so it sounds like I should go there. (I just joined this today and had a little trouble finding just where to post.) Should I just click your link for the Mac OS forum and post my original question?

I think I have CCleaner on my Mac....if I don't, I'll get it. I do for sure have CleanMyMac 3, but I don't think that is the same thing.

Thank you so much!



#7 jeanierenae


Posted 25 March 2017 - 07:38 PM

Dear buddy215,

Thank you for your help yesterday. I tried posting in the Mac forum from the link you gave me. No response as of yet. I've tried to read about similar problems, but have not found any more info. Maybe I've done everything I can do aside from cleaning the hard drive completely. Still am disconnected from wifi on that machine for fear something bad will happen. Eventually, I'll have to test the waters. I've run every scan I have on the machine and find nothing.

The one thing I have not done is reset my router and password there. I dread it....it's confusing to me, but I have done it before. Do you think I need to do that before I turn my iMac wifi back on? Could the person who was working remotely on my computer have gotten into my router? I think they would have had to know my password (key), right? It is not saved on that computer and there is no way they could have found that that I can think of. Does that sound right?

Thank you for your help!

Sincerely,

jeanierenae



#8 hdriscoll


Posted 25 March 2017 - 08:32 PM

You should also contact Canon and make them aware of this.



#9 jeanierenae


Posted 25 March 2017 - 09:10 PM

Hi hdriscoll,

The first call I made was to a Canon Customer Service person because the fake "tech support" person didn't "fix" my original problem and that is when I was aware I'd been had. The Canon CS person said this has been happening every day and that they do not have a chat support team. She confirmed I'd been hijacked. Apparently they are aware. I was too shaken to ask if they were doing anything about it to secure their site. Not sure if that is even possible, but they do know this is happening.



#10 buddy215


Posted 26 March 2017 - 05:57 AM

I doubt the criminals did anything to the router or were able to gain access to it. You've backed up your work on external drives. So, fire up the computer and see what happens...I suspect nothing unusual unless the criminals unintentionally harmed it. Like deleted the wrong file or installed a wrong driver for the camera.

Your computer wasn't actually hacked. You allowed them to access it. Their main goal was to get your CC and charge you. They were successful. Only Google and other search providers can prevent these criminals from being seen when searching for help.

A British ISP took some action against the criminals. But it didn't go over very well with their customers.

ISP Blocks TeamViewer Because of Tech Support Scammers


Edited by buddy215, 26 March 2017 - 05:58 AM.


#11 jeanierenae


Posted 26 March 2017 - 09:43 AM

Dear buddy215,

Thank you for this news and information. This all makes a lot of sense. The article explains a similar scenario to my situation. My "tech" support scammers were also Indian but used American names. (One "tech" and one customer service guy that took my CC number.) That should have told me right away to disconnect, I guess, but I live in an area with a large Indian population and the young people often do go by American names. (Some, not all.) So I didn't think much of it.

Anyway, I did turn the computer back on and I've started using it. I am noticing that some websites, including my internet provider, are showing up not secure. I haven't changed my password there because of that. I've tried all my computers including my iPhone. Could they really not be secure? That seems really odd.

The other weird thing going on is Dropbox has deleted a bunch of folders that I have not deleted. I can restore most except my most important photo catalogs are not restoring....I am getting an error. It was backed up on Backblaze, so I will try to retrieve from there and see if Dropbox eventually resolves.

Thank you again for helping me with this. I know my computers well, but that is relative....better than most consumers or even most pro photographers, but not like an IT person.



#12 buddy215


Posted 26 March 2017 - 11:44 AM

What program is telling you that websites are "not secure"? This could or could not be legit. Does the notice include a link or phone number? Does it say click here for help? If so, it could be something similar to malware causing this.

At some point you will decide whether it is less time consuming and less effort to just reinstall. It would definitely give you some anxiety relief.



#13 jeanierenae


Posted 26 March 2017 - 04:48 PM

When I go to certain websites on Google Chrome AND Safari, they are showing up as not secure. (The little green lock button at http is not there.) I am noticing it at Xfinity/Comcast when I go to my account and look at my billing page. I am afraid to change my password till I see a green secure lock. I am also noticing that the lock goes away when I open Yahoo email, until I refresh the page. It may have always done that and I didn't notice because I can't say I've watched very closely in the past. I am also getting emails from Xfinity with the subject "New sign in with your XFINITY username". This is very odd or a very crazy coincidence. I'll call Comcast tomorrow to check it out.

Maybe I am just being paranoid now.



#14 buddy215


Posted 26 March 2017 - 06:16 PM

That is very suspicious. The one website that I use that you do, too.....Yahoo News and Yahoo Mail. I always see the https..green lock. The Xfinity is suspicious, too.

If that was happening on my Linux OS I would not hesitate to reinstall the OS.





