Plannedscape Postings


Compromised Mac
Basic Checklist Of Triage Responses

Posted by Charlie Recksieck on 2022-07-21

Every once in a while, we here at Plannedscape have to deal with a client reporting a computer that has likely been compromised by a virus. Even more often, I hear the same request from a friend or family member looking for help.

We thought it might be a good idea to recycle an assistance plan we wrote out a couple of months ago.


The Situation

A client of ours was looking for help with his father's computer. The dad, who is in his elder years, has slipped a little on his security and vigilance.

He fell for a fake virus message, clicked it, and even went as far as granting the scammer access to his Mac. It's a classic scam, and it left his computer definitely acting up.

The remainder of this post is our email plan.


Computer Recovery Plan

Friday


  • Call fraud protection number on any/all banks

  • Change passwords on anything with money (including Amazon) - Just to be safe, request new credit and debit cards. The phone number on the back of each should be fine. If you cancel all cards, maybe go to the bank during the day to get walking-around money, enough for a few days (until replacement cards arrive).

  • Change Apple password (write it down in 2-3 places; it will be a big hassle if we lose the new password)

  • Buy a USB drive. Any size and cheap price should do fine.


Friday Questions


  • What day do we suspect things started going wrong?

  • Have ads been popping up out of nowhere?

  • Are web pages being opened that you didn't open?


Saturday Checklist


  • Activity Monitor - Applications -> Utilities ... CPU tab and sort, see what's churning away

  • Check Safari homepage (Safari -> Preferences -> General ... look for Homepage section)

  • Suspicious Apps Being Loaded At Startup - System Prefs -> Users & Groups -> Login items ... see if anything weird in there; Google anything suspicious

  • Run Malwarebytes program (downloaded on another computer and brought over via flash drive)

  • Check email address reported - haveibeenpwned.com

  • Look For Recent Apps - Finder then Applications. If you can sort by date, check it out. Make sure no recent applications were installed when access was granted.

  • Email - Help change email password. 1) Look through email account (including Trash and Junk) to see if the address was used for new accounts, 2) Check Sent Items

  • iCloud - See what's up there, recent activity, what's been stored in cloud

  • Checklist of what files are on computer - grab what we can via USB drive
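
Several of the Saturday checks (busy processes, login items, recently changed apps) can also be captured as one text report from Terminal. The script below is an added example, not part of the original email plan; the function names and the `triage.sh` file name are assumptions, and the date argument is whatever answer you got to the "what day did things start going wrong" question.

```sh
#!/bin/sh
# Added example (not from the original post): read-only triage helpers.

# recent_apps DIR SINCE: list .app bundles in DIR modified after SINCE
# (YYYY-MM-DD, local midnight). Modification time is only an approximation:
# a copied app can keep an older timestamp, so cross-check in Finder.
recent_apps() {
    dir=$1; since=$2
    [ -d "$dir" ] || return 0
    ref=$(mktemp) || return 1
    # touch -t CCYYMMDDhhmm is accepted by both BSD (macOS) and GNU touch.
    touch -t "$(printf '%s' "$since" | sed 's/-//g')0000" "$ref"
    find "$dir" -maxdepth 1 -name '*.app' -newer "$ref" -print | sort
    rm -f "$ref"
}

# top_cpu N: the N busiest processes (%CPU, PID, command), highest first.
top_cpu() {
    ps -A -o pcpu= -o pid= -o comm= | sort -rn | head -n "$1"
}

# login_items: names from Users & Groups -> Login Items (macOS only).
login_items() {
    command -v osascript >/dev/null 2>&1 || { echo "(osascript not available)"; return 0; }
    osascript -e 'tell application "System Events" to get the name of every login item'
}

# triage_report SINCE: print all three checks as one text report.
triage_report() {
    echo "== Apps changed since $1 =="
    recent_apps /Applications "$1"
    recent_apps "$HOME/Applications" "$1"
    echo "== Top CPU =="
    top_cpu 10
    echo "== Login items =="
    login_items
}

# Usage: sh triage.sh YYYY-MM-DD   (the suspected start date)
if [ $# -gt 0 ]; then triage_report "$1"; fi
```

Redirect the output to a file on the USB drive so there is a record of what the machine looked like before any cleanup or reset.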


Saturday All Of Us


  • Report it to credit bureau(s) - Experian, Equifax or TransUnion. Confirm with first agency that they will notify the other two.


Then


  • Factory Reset? - If we deem it necessary, let's do it. (Starting in System Preferences on the Mac.)