1

Somebody I know saw a pop-up on their iMac running Sierra (10.13.5) that advised them to call 877-336-5833.

enter image description here

They called the number and the representative advised that they install a program called "GoToAssist" to gain remote access. They did.


At this point, I'd like to clean up whatever might have been installed.

I looked through files that were modified on the date they called the number.

One possible file of interest was: /Library/Logs/DiagnosticReports/GoToAssist Customer_2018-06-28-181403_Irwins-iMac.wakeups_resource.diag

...created on Jun 28 18:14.

Another, found in the user directory was: ./Library/Logs/com.logmein.g2a.rs/Customer/20180628_181221/GoToAssist Remote Support Customer_00.log

which showed me that the GoToAssist session was exactly between 2018-06-28 18:12:19.403450 and 2018-06-28 18:28:09.964376

With that, I can narrow down file changes: $ sudo find / -newermt "2018-06-28 18:12" ! -newermt "2018-06-28 18:29" > /tmp/changed.txt

But, I am not really sure what to look for.

And I realize that if they are being sneaky, they can change the modified dates anyway.

I did notice that the user's .bash_history was modified at that time, but the last thing that is in there is something I did a week before. So, that makes me think that something was deleted from the .bash_history??

Would it be best to just cleanly reinstall everything?

Do tools like MacKeeper work well for finding things like this? Or any particular anti-virus software?

Or would the smartest approach be to just cleanly reinstall the operating system and restore their personal files?

That is probably what I'm going to end up doing, but I am and also don't want to waste time if I can simply find whatever application that they might have installed and removed it.

I don't want to be paranoid, but I realize that with a scam like this, one can easily install whatever they want and I want to be cautious.

chaimp
  • 113
  • 4
  • Tech support scam normally will install and also delete stuff to crash the system in order to convince the user to "subscribe" for fake tech support package. Backup all the important file and reinstall is the best way to deal with this. Antivirus software will blocked known tech support scam, but it is a cat and mouse game because the site contents always change the obfuscation mechanism to avoid detection. By the way, the – mootmoot Jul 09 '18 at 07:58

1 Answers1

3

File created/modified dates are not enforced to be accurate in any way, and can not reliably be used to detect malicious changes.

They probably did use real GoToAssist for its ambiance of credibility... this is not the software you are worried about, and not what you care about removing.

This system has been fully compromised, no utility is going to help you to be certain that no malicious parts remain.

Reinstalling the operating system and wiping the drive is the only way to even vaguely trust this computer again. This is not paranoia at all, just good practice. Make sure that no executable files are restored. One of the possible scams here is ransomware... Turn the machine off and leave it off. Do not boot the compromised system install again.

Backup the files that really matter to something that is offline and not updated with changes, like an external hard drive that is left disconnected. Change all passwords that might have been available on that machine.

Paranoia would be wondering if the machine was flashed with bad firmware or some other hardware level permanent security compromise.... Apple is probably reasonably good about security here, but there are "jailbroken" iPhones.

trognanders
  • 2,985
  • 1
  • 11
  • 12