Question on what to check after unauthorized scammer connect to my MacBook

jana
Hi,

My assistant has a MacBook Pro and just a couple of days ago he was scammed out of $300 by fraudulent Apple support. They called him up, convincing him to connect them to his computer and to buy some sort of gift card so they could "fix" his computer. Anyways, $300 gone and a valuable lesson - he did call Apple (the official Apple) and confirmed they never called - he was scammed. The Apple technician, the official Apple, did connect and found nothing wrong with the computer. My question to the experts is, since he is no expert and doesn't even know what the scammers did while connected, what areas should he check in his computer? Any advice in a Post-Scammed situation is appreciated.
Principal Software Engineer
Commented:
Erase the drive and reload the operating system from scratch.  Don't just reload the operating system; erase the drive first.  Polymorphic viruses are very clever and can hide in apparently innocent, unused areas of a disk.

Once a system has been infected it can never be trusted again, and you can be sure it was infected with something while the scammers were in it.
Distinguished Expert 2017
Commented:
Main point: if the user had stored credentials, those should all be updated/changed.
Often such scammers merely try to pretend, not your user/assistant accessed their site and granted access.
Contact the cc to terminate the payment.
Requiring the purchase of gift cards is always a sign of a scam.  Make sure the assistant is trained to recognize it in the future.  Your assistant is one of the reasons these scammers keep doing it.  They have enough suckers to fund them.

If you have data that you need to save, get another disk.  Install a brand new OS onto the other disk.  Manually copy the data off the Desktop, Documents, Downloads, Photos.
noxcho, IT Product Manager
Top Expert 2009
Commented:
I have assisted such victims several times. The best way is to erase the drive and do a complete reinstall of the system. Tell your colleagues that Apple would never ever call anyone and offer support on their own initiative. Same for Microsoft.
The first time I did this for one of the victims of the fraud, the next day another call came in asking if everything was ok with the machine because it was not reachable anymore. So it had some sniffing software on it before the erase, though it was nowhere to be found.
ste5an, Senior Developer
Commented:
hmm, what is an authorized scammer?
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
As Dr. Klahn said, "Erase the drive and reload the operating system from scratch".

This is the only way to be sure you remove all backdoors from this system.
noxcho, IT Product Manager
Top Expert 2009

Commented:
hmm, what is an authorized scammer?
It is someone whom you gave access to your machine because he lied to you about being a worker of Apple etc. Usually they ask you to download TeamViewer or similar and give them the ID and password. Then they connect and install their scum software.

Author

Commented:
Ha, ha, ha! Just reread my question and saw "unauthorized scammer" - thanx noxcho for your input. But it's true, I shouldn't have said "unauthorized scammer", like there were "authorized" scammers out there - all are unauthorized - I just should've said "scammer".

Well guys, seems like there is no way around this, all points to erase & reload OS as the most appropriate. Will do.

Last questions, and I know u guys recommended erase & reload, but are there any anti-virus or tools to detect and delete sniffers and polymorphic viruses for the MacBook?
Distinguished Expert 2017

Commented:
Depending on location,
Misleading someone to give you money is one thing. If they planted something, referring the matter to authorities would be a significant criminal act with potential of prosecution.

These fake support people waste little time just pretending they are "fixing".

Nonetheless, prior suggestion as the only way to be sure, reload...
First, if you're not familiar with a unix system, you should just reinstall.

You need to scan for rootkits, just like on a Unix system. If you don't know how to look for them manually, then it's best to run a tool like chkrootkit. https://www.cnet.com/news/amazon-announces-new-echo-dot/

You can install several AVs to try and scan for something, but that will only find known viruses and known malware. The main thing that Mac virus scanners scan for is Windows viruses, to prevent them from spreading to a Windows machine. There's still only a handful of known Mac OS X malware, not because it's safer, but because it's not targeted. However, this does mean that any low-key, specialized malware for infiltrating individual users may never be spotted until many years later.

I suggest a full wipe and reinstall if you're not sure and not familiar with OS X.
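For readers who do want to look before they wipe, here is an added triage script written for this thread (it is not code from any of the answers above). It lists the launchd persistence locations a remote "support" session can drop an agent into, newest first, and flags running processes and plists that name a remote-control product; the tool list and the sample data are assumptions, not from the thread, and the live checks only run on macOS.

```shell
#!/bin/sh
# Post-scam triage on macOS (added example). Assumption: the scammer used a
# remote-control tool and/or a launchd item to keep access; names below are
# an illustrative list, not an exhaustive one.
REMOTE_TOOLS="teamviewer anydesk logmein screenconnect splashtop rustdesk"

# flag_remote_tools: read paths / process names on stdin and echo each line
# that names a remote-control product, prefixed with "REMOTE TOOL:".
flag_remote_tools() {
    while IFS= read -r line; do
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        for t in $REMOTE_TOOLS; do
            case "$lower" in
                *"$t"*) printf 'REMOTE TOOL: %s\n' "$line"; break ;;
            esac
        done
    done
    return 0
}

# count_remote_tools: number of flagged lines on stdin (0 means clean).
count_remote_tools() {
    flag_remote_tools | wc -l | tr -d ' '
}

# list_persistence: newest-first listing of launchd plists in the standard
# user and system locations; anything dated around the scam call is suspect.
list_persistence() {
    for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
        [ -d "$d" ] && { ls -lt "$d"/*.plist 2>/dev/null || true; }
    done
    return 0
}

# Constructed sample standing in for `ps -axo comm=` plus a plist listing.
SAMPLE='/Applications/TeamViewer.app/Contents/MacOS/TeamViewer
/usr/libexec/trustd
/Users/me/Library/LaunchAgents/com.anydesk.plist
/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder'

if [ "$(uname)" = Darwin ]; then
    list_persistence
    ps -axo comm= | flag_remote_tools
    find "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons \
        -name '*.plist' 2>/dev/null | flag_remote_tools
else
    printf '%s\n' "$SAMPLE" | flag_remote_tools
fi
```

A hit is not proof of compromise (the tool may be one the owner installed), but anything the owner does not recognise, together with stored credentials, is what to deal with before or alongside the reinstall the answers recommend.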

Author

Commented:
Unix system? It's an Apple MacBook - u mean Apple MacBook uses Unix? (don't understand)
Yes, Apple uses OS X, which is a POSIX-compliant Unix OS. If you don't understand how it works, wipe it and reinstall it fully. You're not going to easily find a trojan without understanding the underlying OS.
Distinguished Expert 2017

Commented:
Mac OS 9 was the last...
OS X is based on the Unix BSD kernel.
OS X was originally taken from Steve Jobs' previous failed NeXTSTEP venture.

I should also add that some Linux trojans that depend solely on scripting languages can run on OS X, although not very neatly. I've discovered and cleaned them many years ago from several users' systems. They used them as Linux-like systems, so they were phished or trojaned with Linux malware.

Author

Commented:
Oh, super new to me, never thought Apple was so related to Unix! Well, glad to say that the reinstall process has begun this morning... thank u all!

Author

Commented:
Thanx!
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
You're welcome!
