
Help Needed: iMac was hijacked by fake Canon Tech Support Chat


5 replies to this topic

#1 jeanierenae

  • Members
  • 11 posts

Posted 24 March 2017 - 08:23 PM

Hi,

 

My iMac was hijacked yesterday when I went to Canon tech support for help with a software problem. I thought I was chatting with a legit tech support person.  I let them remotely control my computer for an hour and charge my credit card for the help. I contacted Canon by phone after to confirm that I was hijacked.  Now I know that my computer has been compromised, but I do not know what they've done to it. 

 

My iMac is running OS X El Capitan Version 10.11.6

I am a photographer and have 7 external hard drives connected to the system.  (This is pretty usual).

I am backed up by Backblaze.com and use Dropbox regularly.  

My business website is generated by Smugmug and houses photo and video backup as well.

I have 4 Apple computers, 3 iphones, an iPad and a PC computer connected to my network most of the time.

 

I've changed my passwords on all 4 Mac computers on my IP address. I've turned on the FileVault app on my iMac computer (the affected system) and run the encryption (but after the compromise happened). I've turned internet/wifi off on the iMac that was affected. I am running a new scan on Sophos, but it takes a long time because of the number of hard drives connected to my system, so it isn't complete since this happened. I ran Malwarebytes Anti-Malware and it shows that there are no threats. I've also run CCleaner for Mac and CleanMyMac 3 and tried to look for any newly installed software/apps that I did not install.

 

I expect that this hijacker has done some damage to the depths of my hard drive but it is too soon to tell what may have been done and I can't see anything that could be a problem.  I've uninstalled the remote access app they used to control my computer for that hour.

 

Please help me know what steps I should take to protect my computer, curtail any problems that may happen and resolve any problems that I can't yet see.  Is there a way to find bugs, software or potential threats that may not have been seen by the apps I've already used to clean my computer?

 

I hope I've provided the pertinent information needed to get the help I need.

 

I appreciate any help you can give me.  Thank you so much!

 

Sincerely,

jeanierenae





#2 sflatechguy

  • BC Advisor
  • 2,255 posts

Posted 26 March 2017 - 09:17 AM

The only surefire way to make sure your iMac is no longer compromised is to boot from a USB with a Mac OS installer on it, wipe the hard drive clean using Disk Utility, and then reinstall whatever OS you had installed on it.

 

Short of that, running full scans on all affected systems and drives and monitoring any outbound Internet traffic from your Macs is a second-best solution.

You could install Wireshark for Mac, or use the tcpdump or nettop commands from the terminal. You would be looking for TCP/IP connections going to suspicious IP addresses, or outbound TCP/IP connections to sites that you didn't initiate.
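As an added illustration of the kind of review sflatechguy describes (this is not code from the thread or from any of the tools named in it), the script below parses the output of `lsof -i -nP` on a Mac and flags established TCP connections that belong to a process you do not recognise or that go to an uncommon destination port. The sample output embedded in it is constructed, the process allowlist is an assumption standing in for whatever a particular user knows to be legitimate on their own machine, and the addresses are from the RFC 5737 documentation ranges.

```python
"""Triage helper: list outbound TCP peers from `lsof -i -nP` output and flag
the ones that do not match a user-supplied allowlist of processes/ports.

Run it on the affected machine with:  lsof -i -nP | python3 triage_lsof.py
With no piped input it runs against the constructed sample below.
"""
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not a real capture). Column layout matches macOS lsof:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Dropbox     412 jean   23u  IPv4 0x1a2b      0t0  TCP 192.168.1.20:52344->198.51.100.10:443 (ESTABLISHED)
Safari      519 jean   44u  IPv4 0x1a2c      0t0  TCP 192.168.1.20:52401->203.0.113.7:443 (ESTABLISHED)
bzfilelist  610 jean   12u  IPv4 0x1a2d      0t0  TCP 192.168.1.20:52410->198.51.100.22:443 (ESTABLISHED)
helperd     777 jean    5u  IPv4 0x1a2e      0t0  TCP 192.168.1.20:52500->192.0.2.55:4444 (ESTABLISHED)
sshd          1 root    8u  IPv6 0x1a2f      0t0  TCP *:22 (LISTEN)
mDNSRespond 120 _mdns   9u  IPv4 0x1a30      0t0  UDP *:5353
"""

# Assumed allowlist: processes this (hypothetical) user expects to talk to the
# Internet. Backblaze's uploader and Dropbox are named because the poster uses them.
KNOWN_PROCESSES = frozenset({"Dropbox", "Safari", "bzfilelist"})
COMMON_PORTS = frozenset({80, 443})


@dataclass
class Connection:
    command: str
    pid: int
    user: str
    proto: str          # "TCP" or "UDP"
    local: str          # local addr:port, or "*:port" for listeners
    remote: Optional[str]  # remote addr:port, None for listeners / UDP sockets
    state: Optional[str]   # e.g. "ESTABLISHED", "LISTEN", None for UDP


def parse_lsof(text: str) -> List[Connection]:
    """Turn `lsof -i -nP` lines into Connection records, skipping the header."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue
        parts = line.split(None, 8)       # NAME may contain spaces before (STATE)
        if len(parts) < 9:
            continue                       # malformed or truncated line
        command, pid, user, _fd, _type, _dev, _size, proto, rest = parts
        name, _, state = rest.partition(" ")
        local, _, remote = name.partition("->")
        conns.append(Connection(command, int(pid), user, proto, local,
                                remote or None, state.strip("()") or None))
    return conns


def remote_port(conn: Connection) -> Optional[int]:
    """Port of the remote peer, or None when there is no peer."""
    if conn.remote is None:
        return None
    return int(conn.remote.rsplit(":", 1)[1])


def find_suspicious(conns: List[Connection],
                    known_processes=KNOWN_PROCESSES,
                    common_ports=COMMON_PORTS) -> List[Connection]:
    """Flag TCP connections with a remote peer whose process is not on the
    allowlist or whose destination port is not a usual web port."""
    flagged = []
    for c in conns:
        if c.proto != "TCP" or c.remote is None:
            continue  # listeners and UDP sockets are out of scope here
        if c.command not in known_processes or remote_port(c) not in common_ports:
            flagged.append(c)
    return flagged


def report(conns: List[Connection]) -> List[str]:
    """Human-readable lines for the flagged connections."""
    return [f"{c.command} (pid {c.pid}, {c.user}) -> {c.remote} [{c.state}]"
            for c in find_suspicious(conns)]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    lines = report(parse_lsof(data))
    print("\n".join(lines) if lines else "no unexpected outbound TCP connections")
```

A process name is whatever the binary calls itself, so a match against the allowlist only tells you where to look first; for anything flagged, check the binary's path (`lsof -p <pid>`) and whether the destination is one you recognise before deciding it is hostile.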



#3 smax013

  • BC Advisor
  • 2,329 posts

Posted 26 March 2017 - 11:44 AM

You can also try posting in the "Am I Infected?" forum on this site:

https://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

It is the more "general" forum for problems that might entail potential "infections" of a computer system, even Mac OS computers.

As a side note, I don't believe FileVault will help if you do have an infection. I believe FileVault, when used as a whole boot disk encryption tool (newer versions of FileVault also allow the encryption of external drives), will essentially unlock/unencrypt the boot drive when you log in. Thus, once you log in and are actively using the system, any "rogue" program that might be phoning home and trying to send out copies of personal files would have full access to those files on the boot drive, since it would have been unencrypted when you logged in. And this would also apply to any external drives that you unlock/unencrypt during a session while logged in.

#4 jeanierenae (Topic Starter)

  • Members
  • 11 posts

Posted 26 March 2017 - 04:59 PM

Thank you both so much. I suspected that turning on FileVault was done too late. I don't quite understand it, though... should I leave it running? Should I turn it on on my other two Macs?

 

I've now turned wifi back on and am using the computer. I am noticing that some websites, including my internet provider (Comcast/Xfinity), are showing up as not secure. I haven't changed my password there because of that. I've tried all my computers including my iPhone. I've also tried accessing the website on Google Chrome as well as Safari. Doesn't matter which I use or which computer I use. Could they really not be secure? That seems really odd.

 

The other weird thing going on is that Dropbox deleted thousands of folders and files that I did not delete, last night when I turned my wifi back on. I can restore most, except my most important photo catalogs are not restoring... I am getting an error. It was backed up on Backblaze, so I will try to retrieve from there and see if Dropbox eventually resolves. I've written a help request to Dropbox but their response says to expect 24-48 hours to receive their help.

 

Thank you again for helping me with this. I know my computers well, but that is relative... better than most consumers or even most pro photographers, but not like an IT person.



#5 sflatechguy

  • BC Advisor
  • 2,255 posts

Posted 26 March 2017 - 05:44 PM

Are all these devices connected to the Internet using your WiFi/router? If so, it appears the router may have been hacked. You should call Comcast and have them run some diagnostics.

#6 jeanierenae (Topic Starter)

  • Members
  • 11 posts

Posted 26 March 2017 - 06:04 PM

Yes, they are.

Thank you.
