A friend just sent along this story of a fellow tech from his consultant's list who gave a scammer a run for their money. The most devious part of this, and something I hadn't seen before, was that the scammers are now able to spoof the call coming from 800-MY-APPLE.
"I had three calls today from 1-800-MYAPPLE, two hang-ups and one that bore
(ha ha) fruit.
Tl;dr - it's the same old
PC/We-Are-The-Microsoft-There-Are-Viruses-On-Your-Computer phone scam with
some new and exciting wrinkles. I'll do this with bullet points because it
works well that way and because hey, bullet points are kinda fun.
• The caller - a very concerned-sounding Indian lady - had my name and knew
that I owned at least one Apple device - which was kind of interesting as
prior scams are more or less fishing expeditions and actually used to ask
if you had a device rather than telling you that you had one. More to the
point, they told me that I had a 2013 MacBook Pro, which was the case a
couple of years ago until someone poured the better part of a decaf
Americano into the wretched thing and sent it to the recycler in the sky.
• I hopped on my Mac Pro, killed the WiFi, made a new dummy (non-admin)
user while filling time and pretending not to remember my password, then
followed the link that they fed me to LogMeIn fastconnect, installed the
plugin, and sat back to watch the proceedings with my free hand on the
ethernet cable so I could yank the thing if something really intelligent or
egregious occurred. Per her instructions I typed in my name, phone number
and email address, and she was keen to let me know that I needed to put the
most up-to-date and accurate information in there so that they could help
me better. I agreed, and then wrote down a variety of fictions that bore no
relation to reality whatsoever.
• This seemed to satisfy the nice lady, who immediately took control, fired
up Safari and navigated to Apple.com, hit the https green lock icon and
asked me to observe the resulting pop-down sheet and agree with her that
yes, the encrypted certificate contained within was ample proof that she
really was calling from Apple. I agreed. It seemed only polite.
• Next, she fired up spotlight, searched for netstat, got confused,
muttered something in Gujarati and then found the Terminal and typed in
netstat and made a series of disapproving clucking noises. "Do you see the
list called Local Devices on the left?" she asked me. "Yes," I told her. "I
do. Is that bad?"
• More disapproving noises. "Those are all the IP addresses on your router.
Those items on there are there because they are already compromised." That
sounded bad, I fretted, and she agreed. "The list of Foreign Addresses are
all the people on the internet that are in your router," she continued,
"and where it says 'Established' that means that they are downloading
private informations from all your devices right now."
• She scrolled up and down for a few seconds, and did a lot of
sudden-inhalations-of-breath over everything else that netstat churns out
before scrolling down to the bottom of the window, which read thus:
>: AMAZON ACCOUNT HACKED
-bash: AMAZON: command not found
>: PAYPAL ACCOUNT HACKED
-bash: PAYPAL: command not found
>: APPLE SECURITIES HACKED 88%
-bash: APPLE: command not found
....and so on with a few other things that I don't remember. I'm pretty
sure that Ebay was in there, too. When I asked her what "-bash: AMAZON:
command not found" meant she got a little flustered, said that it wasn't
something on the screen, and then that it was, and then that it meant that
hackers were in my Amazon account RIGHT NOW, which - to be fair - was a
pretty solid attempt at a recovery on her part.
• At this point I may have become a little hysterical. I mean, hackers were
in my Amazon account! In my router! Was nothing safe? I babbled for a
while, having a lot of fun putting together semi-coherent concerns and
questions while I played a little Sudoku on my phone. It never hurts to
play up the human angle with these people. They expect it, and they hate it
so very, very much when you rapid-fire through all the stages of grief a
couple of times, and when I finally suggested that I just turn the computer
off she became terribly agitated and passed me to a Senior Technician.
• The senior technician fired up top in the terminal and pointed to all the
running processes and told me that they were how many attacks were on my
computer right now. The sleeping processes were attacks that were waiting
until I wasn't at my computer so they could run without being detected. He
fired up System Preferences and the Security pane and showed that my
firewall was on, but that didn't mean anything because hackers can get
through firewalls without any trouble at all.
• Finally, he jumped back into Safari, navigated to Apple.com, and asked me
to log in to my Apple ID. It was at this point that I demurred, pointed out
that I'd been taking lots of notes, and asked for his name. Oddly, he
wasn't keen to provide that information, called me an asshole, and hung up
on me, which was rather rude.
I've had a few of the PC scam calls before, but this was the first one I've
received that catered specifically toward macOS and had scammers who had a
Mac-centric script. Hopefully it won't catch on, but I suspect that we'll
be hearing more about these things going forward...."
Thanks - it’s useful to know what sort of script the scammers are following so that if I get a client who has been duped I have a “quick start” idea of what things to check first.
Interesting that the scammer had both a name and a computer model in their database. I’m not aware of browsers “leaking” model or device serial number?
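For a tech handed a Mac after a session like the one in the story, two of the first things to check are whether the remote-control tool the caller installed is still present and what was typed into Terminal. The script below is an added example, not code from the original post or its author; it assumes the launch-item directory and bash history file are passed in as arguments, and the tool-name pattern (LogMeIn from the story, the rest added here) is an assumption, not a complete list.

```shell
#!/bin/sh
# Added example, not from the original post: two quick triage checks to run
# on a Mac after a caller was given a remote session. Paths are arguments so
# the functions can be pointed at a live system (/Library/LaunchAgents,
# ~/.bash_history) or at a copied image.

# Remote-control tools a scammer typically installs. LogMeIn is named in the
# story; the other names are assumptions added here.
REMOTE_TOOL_PATTERN='logmein|teamviewer|anydesk|supremo'

# Print files under a launch-item directory whose name matches a known
# remote-control tool. Usage: find_remote_items /Library/LaunchDaemons
find_remote_items() {
    find "$1" -type f 2>/dev/null | grep -iE "$REMOTE_TOOL_PATTERN" | sort
}

# Count history lines that look like the scammer's scare text rather than a
# command: the "AMAZON ACCOUNT HACKED" lines in the story only produce
# "command not found", but bash still records them in history.
# Usage: count_scare_lines ~/.bash_history   (prints 0 if the file is missing)
count_scare_lines() {
    n=$(grep -ci hacked "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Demo on a constructed sample tree so the script runs offline anywhere.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/LaunchAgents"
    : > "$tmp/LaunchAgents/com.logmein.example.plist"   # constructed sample
    : > "$tmp/LaunchAgents/com.apple.example.plist"     # constructed sample
    printf 'netstat\nAMAZON ACCOUNT HACKED\nPAYPAL ACCOUNT HACKED\n' \
        > "$tmp/bash_history"                             # constructed sample
    echo "remote-control launch items:"
    find_remote_items "$tmp/LaunchAgents"
    echo "scare lines in history: $(count_scare_lines "$tmp/bash_history")"
    rm -rf "$tmp"
}

demo
```

Neither check proves or disproves a compromise on its own; a hit simply tells the tech where to look next (uninstall the tool, review the session, reset the credentials the caller asked for).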