7

My girlfriend recently had her university MS Exchange account hacked. The attacker took over her email account and started using it to send thousands of spam emails. After a while, her email account must've hit some kind of limit, and the university server started sending her an email for every email that the spammer attempted to send from her account!

Anyway, she remembers accidentally clicking a phishing link in an email in webmail on her MacBook Pro that claimed to be an email from the university's IT Services, but that's all. Apparently, the link "did nothing" and closed immediately. She did NOT fill in any form that asked for her email address or password.

Despite changing her password, the attackers did not stop. How is this possible? Her Exchange account is linked to the university's central account system, but I'm not sure how exactly. Anyway, changing one password changes the whole thing.

Now IT services is telling her to reinstall everything (Mac OS X, files etc) on her laptop before they agree to re-activate her university account. This seems wrong to me - how could the laptop be infected, if all she did was click a link in an email via webmail? Is that even possible? (I expect she was probably using Firefox). They are worried that she has a rootkit virus.

Update: I forgot to mention, she also had Sophos installed. Not sure exactly how up to date it was.

makerofthings7
Joseph Humfrey
    A simple test, if possible, is to check if the spam emails continue to be sent when her computer is powered off. If so, the problem likely lies elsewhere, whether it began with that link or not. – adric Aug 21 '12 at 20:08
  • 3
    If the attackers have a keylogger on her computer and can see her change the password (or when she logs in) then they don't need her computer to be on. @adric –  Aug 21 '12 at 20:09
  • Related: http://security.stackexchange.com/questions/3374/phishing-red-flags-and-countermeasures – Iszi Aug 21 '12 at 20:26
  • 2
    @Rell3oT Good point, but determining what happens when the computer is offline is still a good diagnostic check. If the issue continues while the computer is off, then either the e-mail server is compromised (unlikely) or the attacker has some means of regular access to her password updates. The latter could be a keylogger on her own computer, or on another computer she regularly uses to access her account. If it stops when the computer is offline, then that means it's something running as a service or through her existing client on her system. – Iszi Aug 21 '12 at 20:30
  • Your girlfriend's email account was not compromised without help. In other words, the criminal who was able to access it actually knew her password, and it likely wasn't because they tried every possible combination. So I actually would follow the school's IT service's advice. – Ramhound Aug 22 '12 at 12:39

3 Answers

13

Answer: Yeah. It's possible. Re-install OSX and then change all her passwords. She got phished.

IT Services is correct here.

Prevention: To prevent this from happening in the future make sure she understands the importance of updates, and how to spot and avoid phishing scams.

How it Happened: A lot of attackers will use shortened URLs or legitimate websites with XSS vulnerabilities in them. Even though your University scans the links and e-mails for viruses, if the attacker is using a legitimate site to attack then the university will let it happen.

Next, the link she clicked probably took her to a page that attempted a browser exploit, an attack on adobe flash, or against whatever your girlfriend hadn't updated recently. Less likely, but still possible, is that they may have used a zero-day exploit - one for which there currently is no patch available. After this point, the attackers could do whatever they wanted to her laptop including installing malicious software.

Side Note: You ask in the title "something..something...virus on a mac". Contrary to popular belief, the idea that a Mac is more or less secure than a 'PC' is a fallacy. If a Mac or a PC is running a vulnerable service they are both possible to exploit.

Polynomial
  • Thanks for adding the bit about the zero day. I always forget the possibility of a zero day when talking about phishing. –  Aug 21 '12 at 20:27
  • No problem. Wish I could upvote you again just for the "*something... something... virus on a mac*" note. Unrelated: I wonder if that's going to be the next Family Guy movie? ;-) – Iszi Aug 21 '12 at 20:34
  • Thanks very much for the detailed reply. Re-installing Mac OS X as I type this! If the virus could be lurking in her system, what's to stop it from re-infecting her laptop when we copy her files back on though? Should I be copying the entirety of ~/Library for example, or just picking and choosing the important things she needs? – Joseph Humfrey Aug 21 '12 at 22:25
  • Honestly. I would say it's safe. But there is no guarantee.... As a hacker the effort is too high and the payoff is too low to infect files and executables she has laying around. Most of the time these people will just go try to infect more people from phishing (assuming this is not a targeted attack...). –  Aug 21 '12 at 23:33
  • To edit what I just said. I can't recommend that she keep her files....but it is more than likely safe.... –  Aug 21 '12 at 23:40
  • @JosephHumfrey The best you can do with the files you want to keep is to run them through an AV scanner on a known-good system. If you still *really* don't trust them after that, dump 'em. Chances are, you don't really need to dump them but I wouldn't restore them without scanning first. – Iszi Aug 23 '12 at 20:05
1

@Ramhound - I will need to respectfully disagree with you about "Sophos...is not designed to detect malware."

One of its (and other packages out there) major purposes and functions is to detect malware and viruses. The article 'Sophos Anti-Virus for Mac Review' from CultofMac explains the Sophos product pretty well. Additionally, this article from ArsTechnica goes into a little more depth about other Mac anti-virus products.

However, if the attack was server side, it most likely would not have detected it.

@Joseph Humfrey: How do you know that the Mac was actually infected? Is it possible that they attacked on the server side not on the client side? It sounds as though she was using a browser to access the email. It is possible that they hijacked the session or she had a weak password or they compromised firefox in some way.

As far as rootkits go, there are not a ton of rootkits right now in the wild for Mac OS X, especially if you are up to date. Here is a comment on the Sophos Open forum by one of their technical reps on the matter:

Most of the rootkit reports I get for OS X turn out to be people who turn on remote login with password authentication and then have an easy to guess login/password combo. Others have been to do with people who have installed trojans that change the DNS Server settings to point at a malicious DNS server. Very few could actually be considered a rootkit, and these have mostly been targeted (therefore, a generic detection/cleanup tool would not provide much benefit).

Scott Pack
AndyMan
  • It looks like your answer is framed more like a traditional forum post as opposed to answering the question directly. Would you care to summarize the interesting pieces of those articles? If you can rephrase your comments so that they directly address the question that would be pretty awesome too. – Scott Pack Aug 23 '12 at 19:31
  • Now that I'm noticing, this is probably better to be merged into your previous answer and deleted. – Scott Pack Aug 23 '12 at 20:32
  • That's exactly it - I *don't* know that the Mac was definitely infected! Yes, it's quite possible that the attack was server side, and a hijacked session sounds very likely indeed because yes, she was using a web browser to access webmail. The only thing I really don't understand is how they continued to send emails after my girlfriend changed her password. Thanks for the links to the Sophos articles! – Joseph Humfrey Aug 24 '12 at 08:34
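The session-hijack explanation in this answer accounts for the asker's remaining puzzle (mail kept flowing after the password change): a webmail server checks the session cookie on each request, not the password, so a hijacked session survives a reset unless the server revokes other sessions when the password changes. The toy model below is an added example, not code from this thread or from Exchange; the server class, user name and passwords are constructed.

```python
"""Toy webmail server: a stolen session token outlives a password change
unless the server revokes the user's other sessions on change."""
import hashlib
import secrets

VICTIM, PASSWORD = "victim", "OldPassw0rd!"   # constructed sample credentials


def _pw_hash(pw):
    # Toy hashing for the model only; a real server would use a slow KDF.
    return hashlib.sha256(pw.encode()).hexdigest()


class WebmailServer:
    def __init__(self, revoke_sessions_on_change):
        self.users = {VICTIM: _pw_hash(PASSWORD)}
        self.sessions = {}                  # session token -> username
        self.revoke = revoke_sessions_on_change

    def login(self, user, pw):
        if self.users.get(user) != _pw_hash(pw):
            return None
        tok = secrets.token_hex(16)
        self.sessions[tok] = user
        return tok

    def change_password(self, tok, new_pw):
        user = self.sessions.get(tok)
        if user is None:
            return False
        self.users[user] = _pw_hash(new_pw)
        if self.revoke:
            # Hardened: drop every other session of this user, so a hijacked
            # cookie dies together with the old password.
            self.sessions = {t: u for t, u in self.sessions.items()
                             if u != user or t == tok}
        return True

    def send_mail(self, tok):
        # Sending mail only checks the session; the password is never asked.
        return tok in self.sessions


def attacker_still_sends_after_reset(revoke):
    """True if a hijacked session can still send mail after a password change."""
    srv = WebmailServer(revoke)
    browser_tok = srv.login(VICTIM, PASSWORD)   # victim's webmail session
    stolen_tok = browser_tok                     # stands in for a hijacked cookie
    reset_tok = srv.login(VICTIM, PASSWORD)      # victim resets from elsewhere
    srv.change_password(reset_tok, "NewPassw0rd!")
    return srv.send_mail(stolen_tok)
```

With `revoke=False` the stolen token keeps working after the reset, which is the behaviour the asker observed; with `revoke=True` it stops, which is the check to ask the mail administrators about (whether a password change terminates existing sessions).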
-2

Another approach to this would have been to install an Antivirus program and scan the computer to see if there were any potential issues.

The major ones that come to mind are ClamXav and Sophos. I would definitely recommend doing this (even though it might be too late now) rather than having to reinstall then migrate files. Why fix something that might not even be broken? Not all phishing emails use OS X based exploits.

Both of these programs (Sophos in particular), are very likely to find anything that might be amiss. Here is a link to a lifehacker article that reviews the different Antivirus software packages (these also check for malware etc): http://lifehacker.com/5800267/the-non+alarmists-guide-to-mac-malware-protection.

If you performed a clean install on the MB Pro you will most likely not need to transfer anything from ~/Library or Macintosh HD/Library (I would keep a backup if at all possible since there are preference, email, sticky notes, etc that are stored there). I would transfer Documents, Desktop, Downloads, Music, Movies from Macintosh HD/User/. Also if you have any applications that you do not have the install disk for you can try transferring them from the Macintosh HD/Applications/ folder.

If you are concerned about these files being infected, scan them with the aforementioned AV solutions.

Again, I wouldn't cry chicken little and reinstall everything. When I was doing this sort of work every day on Macs it was rarely needed for an issue such as this.

Andy

  • Thanks AndyMan. Oddly enough, she did already have Sophos installed, but it didn't manage to catch it! – Joseph Humfrey Aug 22 '12 at 07:29
  • @JosephHumfrey - Sophos, like other similar security software on Windows, is not designed to detect malware. The built-in malware detection in OS X actually is better suited for that. Of course, if you keep your software updated you really don't have to worry about malware even on Windows, provided you don't click on links contained in an email; that is one serious mistake your girlfriend made. – Ramhound Aug 22 '12 at 12:42