A True Tech Nightmare - MACattack

Thomas Zucker-Scharff, Senior Data Analyst
Veteran in computer systems, malware removal and ransomware topics.  I have been working in the field since 1985.
This is a tech scam I recently helped my parents through.

It all started one afternoon...

My mother, who is 83 years old, received a call claiming to come from Apple support.  The "technician" on the line said that her computer had been hacked and that they had detected unusual activity on her Apple ID.  They asked her if they could remote into her computer to fix the problem.  I had warned her about such scams and suggested she access snopes.com to check such problems.  So my mother asked the caller for verification, and they mentioned her Apple ID and password, the credit card she uses on the account, and some personal information.  All of which should have been a giveaway: Apple insists they don't know your Apple ID password and will never ask for it - although my experience has been somewhat different.  

This, unfortunately, convinced her.  She let the person remote into her computer.  Once in, they said they had found multiple instances of infection and it would take some time to clean it up.  She was asked to leave her computer on while they worked on it, and she did so.

Several hours later, after she and my father had gone on some errands, she mentioned it to him.  He immediately called me and I told him to disconnect the computer from WiFi (a laptop) and to start changing all passwords, especially those with banking institutions, and canceling all their credit cards.  I suggested a couple of other things for them to get started on and said I would be over as soon as I got home from work (they live a couple of blocks from me).  Needless to say, I left work almost immediately.

When I got to their house, I went straight to work on her computer.  Fortunately or unfortunately, depending on your perspective, it is a Mac laptop.  This was a small problem as I am almost strictly a Windows/Linux person.  I had done a little homework on my way home (I take a bus) about the problem, in order to be better prepared to troubleshoot the issue.  

I had decided to use Carbon Copy Cloner to make a complete backup of the computer, due to my previous experience with the software and the extremely positive online reviews.  

I made both a Time Machine backup and a Carbon Copy ISO backup of the entire laptop.  During the backup I explained to my mother what she would need to do next.  She told me that she had already contacted Apple Support about this and they had helped her change her Apple ID password.  

As I have said previously on EE, the only way you can ever trust a computer that has been infected in such a way again is to completely wipe it and reinstall the operating system.  She was not pleased to hear this, to say the least. 

When the backups were complete, I tested each.  The Carbon Copy backup was easy to mount - a simple double click mounted it as if it was the hard drive of the computer.  It's then about finding the files you're interested in restoring. I showed my mother how to do this, explaining each step.  I then checked the Time Machine backup.  I am not used to Time Machine, but it seemed to be fine.

  • She finished canceling her nearly two dozen credit cards and having some reissued.  (I just learned she decided that, since there was no activity on some, she didn't cancel them.)
  • She contacted her banks and online accounts to either move money (they had just put a significant amount into one of their accounts), or change passwords, or in one case to close the account.
  • She contacted her email provider to change that password (and I suggested that she contact everyone in her contact list to warn them about this - it turned out that the same "technician" contacted one of her friends the next day)
  • When my mother was done, she contacted Apple support to make an appointment to have her laptop reformatted - she has Apple Care.

The next day she took the laptop into the Apple store to get it serviced.  They, as is their policy, wiped the machine and reinstalled the operating system after asking her if she had a backup.  The "geniuses" at the genius bar in the Apple store were unable to mount the image created by Carbon Copy Cloner, which I had tested the night before, and proceeded to tell her that she had lost all her data.  They told her that the Time Machine image was last updated in 2014 (which is the date it was first created).  Needless to say, I went over to their house that night and was easily able to mount the image from Carbon Copy and restore all the files she had on her desktop.  She asked then about her Quicken program, which she uses to write all her checks to pay bills, and that also was easy to reinstall.

My mother did have trouble printing, which is the next step.

This page on the Apple website now addresses this scam. This article addresses a similar problem and what you should do when confronted with these scammers.

The moral of this story is simple:

  • NEVER give out any personally identifiable information (PII) or personal financial information.  
  • ALWAYS make sure you verify someone's identity by calling a known phone number, not one they give you.  If you don't have a phone number for, say, Apple, visit the official website and check the contact information (or just Google something like "Apple Support phone number").  Remember that no reputable place will ever ask you for your passwords.  If you are asked for your password, hang up and call the official contact number.

