TL;DR: some of the emphasis on "protecting the children from the internet" needs to be shifted to "protecting the elderly from the internet"
Had an exhausting Saturday so was taking a nap this afternoon. Phone call. Nope, I'm not answering that. My neighbor left a message about having a problem with her computer, "I'll check with her when I get up..." and back to sleep.
Awoke to my doorbell. Well, we can guess who that is. OK whatever I guess this much sleep will have to do.
So there I am answering my door in my jammies and she's there with her cell phone open, "I was having a problem with my computer and you weren't answering your phone so I called the number on my screen..." oh good grief here we go again. "He put me on hold..." HANG UP THAT CALL AND BRING ME YOUR COMPUTER, NOW
She gets back with her MacBook and I take it inside to look over. Our house walls here are Faraday-proof so the wifi had disconnected him. Her phone rings. DO NOT ANSWER THAT, I'd imagine he wants back in.
LogMeIn is running (no surprise) though he doesn't appear to be doing anything. There's a chat window and text editor open where she was interacting with him, but there's nothing too useful there. Terminal has been launched but has no open windows.
She said she did a Google search for something and after the page opened, a warning came up that said her computer was infected and the window wouldn't close. It had a phone number to call to fix it. When I didn't answer my phone, she called it and he walked her through using Force Quit to kill Safari, and Spotlight to find LogMeIn and run it. When he started asking her for passwords, that's when she came to my door.
I quit LogMeIn. It was downloaded to /var/tmp/, I assume by Safari as part of the Java ad that locked Safari up. I checked the LaunchAgents, LaunchDaemons, and StartupItems at system, shared, and user level and removed all hooks; I didn't find anything else. When I quit LogMeIn, it did a respectable job of cleaning itself out of the computer.
Unfortunately she was too flustered to go into much detail about what she'd seen him do, so I had to look around myself to see what traces he may have left.
I did notice that LogMeIn had crashed at least once. The only solid lead I came up with was in bash's history file. I'm guessing whatever he was trying to do in an automated way with LogMeIn wasn't working, and so he opened a terminal window to work from there. It was pretty obvious in the history that he was winging it, building up commands incrementally and testing them, working toward doing an rsync file transfer.
The problem I had was he deliberately used READ to load the from and to locations for rsync into shell variables, so they showed up in the command only as $f and $g. So I couldn't tell what files he was targeting or where he was sending them to (and rsync doesn't keep logs). He had closed the terminal window so they weren't there either. It's possible he was pasting a text file with a list of paths to access, as it was in a while read loop.
Fortunately, history indicates he was using the "-n" parameter with rsync as he tested it, so it was only showing him file lists, not actually downloading anything. I suspect I caught it just in time, as he looks to have had the command fully built up and probably had put her on hold while he looked through the file lists to decide what he wanted to download.
OK, she stores her passwords in Stickies. That's gotta stop. The Stickies database was probably on his hit-list. Moved all of those to Keychain Access Secure Notes.
Unfortunately all I can do from this point is education, though we've been through this before. "If you have a problem with your computer, and you can't get ahold of me or someone else you trust to help you fix it, DON'T just accept any help from someone that pops up offering to fix it." "But I couldn't use safari!" "That doesn't matter. If you can't get ahold of me, stop using your computer until I can look at it." Too many computer novices will accept help from anyone that offers it when they're having a problem, and that's why this scam is so effective. They *create* a problem, and are conveniently there to "fix" it. They prey on a novice's inexperience and willingness to accept help with something they don't understand.
I'm probably going to convert her account to non-admin tomorrow and set her up an admin account for software installation and update etc, with a heavy dose of warning on using the password for it. That's what I ended up doing with my mom, who ALSO fell victim to this once. Unfortunately, that alone would not have prevented this attack. Admin rights are not necessary to open ports, and the files he would have most preferred to have were available to her user account. AFAIK, nothing short of Little Snitch will prevent LogMeIn from connecting to its servers?
I did some brief Googling around after the fact and it looks like LogMeIn is in rampant use by a wide variety of scammers, all following this basic formula. Many people have attempted to discuss/report this issue to LogMeIn, and have gotten only "we're very concerned about security and are looking into this" (i.e. we're ignoring it because we make money from it). So it's unlikely to stop anytime soon. (I wonder how long before Apple adds LogMeIn to Gatekeeper? Surely they get calls about this all the time.)
Questions, Comments, Advice, Discussion?
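The bash-history triage the post describes, as an added example that is not part of the original post: it walks a history dump, splits compound lines so an rsync inside a `while read` loop is still seen, records `read` calls and transfer commands, and tells live rsync runs apart from dry runs (`-n`, `--dry-run`, or combined short flags such as `-avn`). The history text is a constructed sample shaped like the incremental command-building described above, not the neighbor's real file.

```python
import re
import shlex

# Constructed sample mimicking the pattern in the post (read into $f/$g,
# then rsync tested with -n); not a real history file.
SAMPLE_HISTORY = """\
ls -la ~/Library
read f
read g
rsync -avn "$f" "$g"
rsync -avn -e ssh "$f" "$g"
while read p; do rsync -avn "$p" "$g"; done
rsync -av "$f" "$g"
"""

TRANSFER_TOOLS = {"rsync", "scp", "sftp", "curl", "nc"}
KEYWORDS = {"do", "then", "while", "if", "else", "!"}  # shell syntax to skip

def is_dry_run(argv):
    """True if an rsync argv carries -n / --dry-run, including inside -avn."""
    for tok in argv[1:]:
        if tok in ("--dry-run", "--list-only"):
            return True
        if re.fullmatch(r"-[A-Za-z]+", tok) and "n" in tok[1:]:
            return True
    return False

def triage_history(text):
    """One finding per read or transfer command; line numbers are 1-based."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Split on ; && || | so commands inside loops/pipelines are visible
        for simple in re.split(r";|&&|\|\||\|", line):
            try:
                argv = shlex.split(simple)
            except ValueError:  # unbalanced quotes: skip this fragment
                continue
            while argv and argv[0] in KEYWORDS:
                argv = argv[1:]
            if not argv:
                continue
            cmd = argv[0]
            if cmd == "read":
                findings.append({"line": lineno, "cmd": cmd, "vars": argv[1:], "dry_run": None})
            elif cmd in TRANSFER_TOOLS:
                var_args = [a for a in argv[1:] if a.startswith("$")]
                dry = is_dry_run(argv) if cmd == "rsync" else False
                findings.append({"line": lineno, "cmd": cmd, "vars": var_args, "dry_run": dry})
    return findings

def live_transfers(findings):
    """Commands that could actually have moved data (no dry-run flag)."""
    return [f for f in findings if f["cmd"] in TRANSFER_TOOLS and not f["dry_run"]]
```

Variable-only arguments (`$f`, `$g`) in a finding mean the history alone will not tell you the paths, exactly the dead end the post ran into; a live transfer on the list is the one line worth chasing further.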