so my neighbor got her macbook hacked into AGAIN today
#34180 05/10/15 07:47 PM
Joined: Aug 2009
TL;DR: some of the emphasis on "protecting the children from the internet" needs to be shifted to "protecting the elderly from the internet".

Had an exhausting Saturday so was taking a nap this afternoon. Phonecall. Nope, I'm not answering that. My neighbor left a message about having a problem with her computer, "I'll check with her when I get up..." and back to sleep.

Awoke to my doorbell. Well, we can guess who that is. OK whatever I guess this much sleep will have to do.

So there I am answering my door in my jammies and she's there with her cell phone open, "I was having a problem with my computer and you weren't answering your phone so I called the number on my screen..." oh good grief here we go again. "He put me on hold..." HANG UP THAT CALL AND BRING ME YOUR COMPUTER, NOW

She gets back with her macbook and I take it inside to look over. Our house walls here are faraday proof so the wifi had disconnected him. Her phone rings. DO NOT ANSWER THAT, I'd imagine he wants back in.

LogMeIn is running (no surprise), though he doesn't appear to be doing anything. There's a chat window and text editor open where she was interacting with him, but there's nothing too useful there. Terminal has been launched but has no open windows.

She said she did a google search for something and after the page opened, a warning came up that said her computer was infected and the window wouldn't close. It had a phone number to call to fix it. When I didn't answer my phone, she called it and he walked her through using force quit to kill safari, and spotlight to find logmein and run it. When he started asking her for passwords that's when she came to my door.

I quit LogMeIn. It was downloaded to /var/tmp/, I assume by Safari as part of the java ad that locked Safari up. I checked the LaunchAgents, LaunchDaemons, and StartupItems at system, shared, and user level and removed all hooks; I didn't find anything else. When I quit LogMeIn, it did a respectable job of cleaning itself out of the computer.

Unfortunately she was too flustered to go into much detail about what she'd seen him do, so I had to look around myself to see what traces he may have left.

I did notice that logmein had crashed at least once. The only solid lead I came up with was in bash's history file. I'm guessing whatever he was trying to do in an automated way with logmein wasn't working, and so he opened a terminal window to work from there. It was pretty obvious in the history that he was winging it, building up commands incrementally and testing them, working toward doing an rsync file transfer.

The problem I had was he deliberately used read to load the from and to locations for rsync into shell variables, so they showed up in the command only as $f and $g. So I couldn't tell what files he was targeting or where he was sending them to. (And rsync doesn't keep logs.) He had closed the terminal window, so they weren't there either. It's possible he was pasting a text file with a list of paths to access, as it was in a while read loop.

Fortunately, history indicates he was using the "-n" parameter with rsync as he tested it, so it was only showing him file lists, not actually downloading anything. I suspect I caught it just in time, as he looks to have had the command fully built up and probably had put her on hold while he looked through the file lists to decide what he wanted to download.


OK, she stores her passwords in Stickies. That's gotta stop. The Stickies database was probably on his hit list. Moved all of those to Keychain Access Secure Notes.

Unfortunately all I can do from this point is education, though we've been through this before. "If you have a problem with your computer, and you can't get ahold of me or someone else you trust to help you fix it, DON'T just accept any help from someone that pops up offering to fix it." "But I couldn't use safari!" "That doesn't matter. If you can't get ahold of me, stop using your computer until I can look at it." Too many computer novices will accept help from anyone that offers it when they're having a problem, and that's why this scam is so effective. They *create* a problem, and are conveniently there to "fix" it. They prey on a novice's inexperience and willingness to accept help with something they don't understand.

I'm probably going to convert her account to non-admin tomorrow and set her up an admin account for software installation and update etc, with a heavy dose of warning on using the password for it. That's what I ended up doing with my mom, who ALSO fell victim to this once. Unfortunately, that alone would not have prevented this attack. Admin rights are not necessary to open ports, and the files he would have most preferred to have were available to her user account. AFAIK, nothing short of Little Snitch will prevent LogMeIn from connecting to its servers?

I did some brief googling around after the fact, and it looks like LogMeIn is in rampant use by a wide variety of scammers, all following this basic formula. Many people have attempted to discuss/report this issue to LogMeIn, and have gotten only "we're very concerned about security and are looking into this". (i.e., we're ignoring it because we make money from it) So it's unlikely to stop anytime soon. (I wonder how long before Apple adds LogMeIn to Gatekeeper? Surely they get calls about this all the time.)

Questions, Comments, Advice, Discussion?


I work for the Department of Redundancy Department
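The persistence check described in the post (LaunchAgents, LaunchDaemons and StartupItems at system, shared and user level) as a script. This is an added example, not the poster's own code: it walks those directories, dumps each plist as text (binary plists are converted with plutil where it exists), and flags any job that names LogMeIn or launches something from /var/tmp, /tmp or a Downloads folder, which is where a scammer's one-shot download lands. The sample tree at the bottom is constructed for the demo; on a real Mac you would call scan_launchd_hooks "" "$USER".

```shell
#!/bin/sh
# Added example, not code from the original post. Enumerates the launchd
# persistence locations the poster checked and flags suspicious jobs.
# Assumption: ROOT is "" on a live Mac; a scratch directory is used here so
# the script can be exercised offline on any POSIX sh.

# Print the persistence directories to inspect, relative to $1 (ROOT).
# $2 is the short user name whose per-user LaunchAgents folder to include.
persistence_dirs() {
  root="$1"; user="$2"
  printf '%s\n' \
    "$root/Library/LaunchAgents" \
    "$root/Library/LaunchDaemons" \
    "$root/Library/StartupItems" \
    "$root/System/Library/LaunchAgents" \
    "$root/System/Library/LaunchDaemons" \
    "$root/Users/$user/Library/LaunchAgents"
}

# Strings that should never appear in a legitimate launchd job definition.
SUSPECT_RE='/var/tmp/|/private/tmp/|/tmp/|/Downloads/|[Ll]og[Mm]e[Ii]n'

# Dump a plist as text. macOS may store plists in binary form, so convert with
# plutil when it is available; elsewhere (the constructed test tree) cat suffices.
plist_text() {
  if command -v plutil >/dev/null 2>&1; then
    plutil -convert xml1 -o - "$1" 2>/dev/null || cat "$1"
  else
    cat "$1"
  fi
}

# scan_launchd_hooks ROOT USER -> one line per suspicious file: "<path>\t<hit>"
scan_launchd_hooks() {
  persistence_dirs "$1" "$2" | while IFS= read -r dir; do
    [ -d "$dir" ] || continue
    # StartupItems are folders holding a script plus StartupParameters.plist,
    # so look two levels deep rather than only at *.plist in the top directory.
    find "$dir" -maxdepth 2 -type f 2>/dev/null | while IFS= read -r f; do
      hit=$(plist_text "$f" | grep -E -m 1 "$SUSPECT_RE") || continue
      printf '%s\t%s\n' "$f" "$hit"
    done
  done
}

# Build a constructed sample tree (not real data): one benign Apple-style agent
# and one per-user hook that launches a helper out of /var/tmp.
build_sample_tree() {
  sample=$(mktemp -d)
  mkdir -p "$sample/Library/LaunchAgents" "$sample/Users/granny/Library/LaunchAgents"
  cat > "$sample/Library/LaunchAgents/com.apple.example.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example</string></array>
</dict></plist>
EOF
  cat > "$sample/Users/granny/Library/LaunchAgents/com.evil.helper.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.evil.helper</string>
  <key>ProgramArguments</key><array><string>/var/tmp/LogMeIn.app/Contents/MacOS/LogMeIn</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  printf '%s\n' "$sample"
}

# Demo run against the constructed tree. On a live Mac: scan_launchd_hooks "" "$USER"
SAMPLE=$(build_sample_tree)
scan_launchd_hooks "$SAMPLE" granny
rm -rf "$SAMPLE"
```

Anything the script prints deserves a look at the plist by hand before you unload it with launchctl; the pattern list is deliberately narrow so that it stays quiet on a clean machine.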
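The bash-history triage the poster did by eye, as an added example (not code from the post): it pulls every rsync and read line out of a history file, marks each rsync as a dry run (-n, bundled as in -avn, or --dry-run) or LIVE, and lists the shell variables used as arguments, which is exactly what hides the real paths from the history. The history file is constructed to mirror the described session and deliberately includes one live transfer the post says never happened, so the LIVE branch is exercised; none of it is the scammer's actual command history.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a bash history file
# for rsync activity and for `read`-loaded variables that hide its arguments.
# The sample history below is constructed, not recovered from the real machine.

# Classify one rsync command line. Prints: "<dry|LIVE>\t<vars>\t<line>"
classify_rsync() {
  line="$1"
  mode=$(
    set -f                      # no globbing while splitting the line into tokens
    m=LIVE
    for tok in $line; do
      case "$tok" in
        --dry-run) m=dry ;;
        --*) ;;                 # other long options: ignore
        -*n*) m=dry ;;          # -n, alone or bundled as in -avn
      esac
    done
    printf '%s' "$m"
  )
  # Variable references in the argument list are unrecoverable from history:
  # their values came from stdin via `read`, which bash never records.
  vars=$(printf '%s\n' "$line" | grep -oE '\$[A-Za-z_][A-Za-z0-9_]*' \
         | sort -u | tr '\n' ' ' | sed 's/ $//')
  printf '%s\t%s\t%s\n' "$mode" "${vars:--}" "$line"
}

# Walk a history file: report every rsync line and note `read` usage.
# A line with both (while read ... rsync ...) is reported as the rsync it runs.
audit_history() {
  grep -E '(^|[;&| ])(rsync|read) ' "$1" | while IFS= read -r line; do
    case "$line" in
      *rsync*) classify_rsync "$line" ;;
      *)       printf 'READ\t-\t%s\n' "$line" ;;
    esac
  done
}

# count_mode FILE dry|LIVE|READ -> number of audited lines in that class
count_mode() {
  n=$(audit_history "$1" | grep -c "^$2" || true)
  printf '%s\n' "$n"
}

# Constructed sample mirroring the session the post describes, plus one live
# transfer (rsync -av) so the LIVE classification is visible.
write_sample_history() {
  cat > "$1" <<'EOF'
ls -la ~/Library
open -a "Activity Monitor"
read f
read g
rsync -avn "$f" "$g"
rsync -avn --exclude '.DS_Store' "$f" "$g"
while read p; do rsync -n "$p" "$g"; done
rsync -avz --dry-run "$f" "$g"
rsync -av "$f" "$g"
history -c
EOF
}

# Demo: audit the constructed history and summarise.
HIST=$(mktemp)
write_sample_history "$HIST"
audit_history "$HIST"
printf 'dry runs: %s  live: %s  read lines: %s\n' \
  "$(count_mode "$HIST" dry)" "$(count_mode "$HIST" LIVE)" "$(count_mode "$HIST" READ)"
rm -f "$HIST"
```

Point it at ~/.bash_history on the affected account (copy the file first; opening a new shell can rewrite it). A LIVE line with only variables as arguments is the case the post worried about: the transfer happened, and the history alone cannot tell you what left the machine.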
Re: so my neighbor got her macbook hacked into AGAIN today
Virtual1 #34181 05/10/15 08:10 PM
Joined: Aug 2009
Likes: 4
You've pretty much brought the dark into the light.

People really believe — due to ignorance and/or stupidity — that flogging a dead horse can actually resurrect it.

The truth is that the "new technology" (or whatever name you want to give it) runs people rather than the other way around.

And that's why, until the technology serves rather than directs its users, I for one will never allow myself to be duped into buying into it. (My only access to the ethereal world is via my Mac with its firewall and my paranoia not permitting anyone or anything to wreak havoc on my privacy.)

Re: so my neighbor got her macbook hacked into AGAIN today
Virtual1 #34182 05/11/15 12:39 AM
Joined: Aug 2009
Likes: 15
Quote:
Our house walls here are faraday proof....

Is that standard where you live, or have you customized your house?

Quote:
...Comments...?

Don't hold your breath for success with your lecture!

Quote:
...Advice...?

Write a shell script that scans for LogMeIn and pops up an alert to "Shut down your Mac until you speak to Virtual 1!" grin


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: so my neighbor got her macbook hacked into AGAIN today
artie505 #34187 05/11/15 11:58 AM
Joined: Aug 2009
Originally Posted By: artie505
Quote:
Our house walls here are faraday proof....

Is that standard where you live, or have you customized your house?

Built in 1953, all of my walls are 1/2" sheetrock, covering 3/4" plasterboard (covered in MANY layers of lead-based paint), and I have aluminum siding. Most of the houses in this area are that way. Most phones struggle to even ring, and rarely can hold a call. And you can forget about a pager going off. It's not all the house's fault; the location places it in a valley that has a tall hill immediately to the east and to the west, and line-of-sight has to cut through a smaller hill and 15 blocks of houses to get to the north. (And there are no towers to the south.) So you can have problems with cell phones even when standing in my driveway. And I live in the middle of town!

Quote:
Quote:
...Advice...?

Write a shell script that scans for LogMeIn and pops up an alert to "Shut down your Mac until you speak to Virtual 1!" grin

It's on my list of things to do. This guy was slightly paranoid though, he had opened activity monitor, and was clearly looking to see if anything unusual was running.

I was thinking of writing a launch daemon that watches for new things to appear in /var/tmp/ and checks to see if they are apps. (There's NO reason an .app should be there unless a malicious javascript has downloaded it?) If found, nuke it, and possibly osascript a dialog box with a message similar to your suggestion. Unfortunately, OS X has started boarding up the windows, and I can't pop an AppleScript dialog from outside the user's context, so it will actually need to be a launch agent that is run by the user.

fwiw, here's a good quick example of how to do that, for those that are interested:

# Pop a dialog in the logged-in user's session (run as that user, e.g. from a launch agent).
msg="hello earthlings"
# The icon path assumes the boot volume is named "Macintosh HD" and that the file exists; drop "with icon file ..." if it doesn't.
osascript -e "tell application \"System Events\" to display dialog \"$msg\" buttons {\"OK\"} default button 1 with title \"Message from Administrator\" with icon file \"Macintosh HD:System:Library:CoreServices:Feedback Assistant.app:Contents:Resources:State-Success.icns\""

You can also add buttons or make a button a cancel button, or make it time out to a default button. There may be some other useful accessories; I haven't explored it much. The dialog will return the text of the button that was clicked, so you can present them a choice and get feedback too. It wouldn't surprise me if you could populate the window with a text box for the user to enter text into, though I haven't seen it done.


I work for the Department of Redundancy Department
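The watcher sketched in the last post, written out as an added example (not the poster's code, and not something the thread says was ever built): a per-user launch agent that launchd starts whenever /var/tmp changes (the WatchPaths key), which moves any .app bundle found there into a quarantine folder and then pops the osascript dialog from the user's session, returning the button name as the post describes. The script path ~/Library/Scripts/vartmp-watch.sh, the quarantine folder ~/Quarantine and the label com.example.vartmp-watch are made up for this example; the demo at the bottom uses a scratch directory and a fake bundle, never the real /var/tmp.

```shell
#!/bin/sh
# Added example, not code from the original post. Per-user launch agent that
# quarantines .app bundles appearing in /var/tmp and alerts the user.
# Assumptions (invented for this example): script at
# ~/Library/Scripts/vartmp-watch.sh, quarantine folder ~/Quarantine,
# launchd label com.example.vartmp-watch.

WATCH_DIR="${WATCH_DIR:-/var/tmp}"
QUARANTINE="${QUARANTINE:-$HOME/Quarantine}"

# List .app bundles sitting directly in DIR.
find_rogue_apps() {
  find "$1" -maxdepth 1 -type d -name '*.app' 2>/dev/null
}

# Move bundles out of DIR into DEST (timestamped) rather than deleting them:
# the evidence survives and a running helper can no longer relaunch from the
# path. Prints one destination path per bundle moved.
quarantine_apps() {
  mkdir -p "$2"
  find_rogue_apps "$1" | while IFS= read -r app; do
    dest="$2/$(basename "$app").$(date +%Y%m%d%H%M%S)"
    mv "$app" "$dest" && printf '%s\n' "$dest"
  done
}

# Show the dialog and print the name of the button clicked. The message is
# escaped before being spliced into the AppleScript source, since a bundle
# name an attacker chose must not be able to break out of the string literal.
# osascript exists only on macOS; elsewhere fall back to stderr.
alert_user() {
  msg=$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')
  if command -v osascript >/dev/null 2>&1; then
    osascript -e "display dialog \"$msg\" buttons {\"OK\"} default button 1 with title \"Message from Administrator\" with icon caution" 2>/dev/null | sed 's/^button returned://'
  else
    printf '%s\n' "$1" >&2
    printf 'OK\n'
  fi
}

# One pass over DIR: quarantine, alert if anything was found, print what moved.
watch_once() {
  moved=$(quarantine_apps "$1" "$2")
  [ -n "$moved" ] || return 0
  n=$(printf '%s\n' "$moved" | wc -l | tr -d ' ')
  alert_user "$n app bundle(s) found in $1 and moved to $2. Shut down your Mac until you speak to Virtual1!" >/dev/null
  printf '%s\n' "$moved"
}

# The launch agent definition. WatchPaths makes launchd start the job when the
# watched directory changes; because it lives under ~/Library/LaunchAgents it
# runs in the user's session, which is what the dialog needs. Install with:
#   sh vartmp-watch.sh plist > ~/Library/LaunchAgents/com.example.vartmp-watch.plist
#   launchctl load ~/Library/LaunchAgents/com.example.vartmp-watch.plist
launch_agent_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.vartmp-watch</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>$HOME/Library/Scripts/vartmp-watch.sh</string><string>run</string></array>
  <key>WatchPaths</key><array><string>$WATCH_DIR</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

# Constructed demo: a fake bundle in a scratch directory, never the real /var/tmp.
demo() {
  scratch=$(mktemp -d)
  mkdir -p "$scratch/Evil Helper.app/Contents/MacOS"
  watch_once "$scratch" "$scratch/quarantine"
  rm -rf "$scratch"
}

case "${1:-}" in
  run)   watch_once "$WATCH_DIR" "$QUARANTINE" ;;
  plist) launch_agent_plist ;;
  *)     demo ;;
esac
```

Two caveats a practitioner would add: launchd only fires WatchPaths on changes to the directory itself, so a bundle that is unpacked in a subfolder and then moved in is still caught (the move changes the directory), but the job should also be run at load to sweep anything already present; and an attacker who has noticed Activity Monitor, as this one had, can just as easily look in ~/Library/LaunchAgents, so treat this as a tripwire for the user, not as a control.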
