MacOS reinstall...

Status
Not open for further replies.
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
My MacBook had been hacked; instead of trying to find out how, I need to reinstall my MacBook.
  • What's the best process for a late 2013 Macbook for reinstalling the MacOS?
  • Will it erase the exploit from the Macbook?
  • Should I remove the Macbook from my Apple account first?
  • Would it be better just to get new one?
TIA...

PS: I am not kidding about it having been hacked, let me know if you'd need details...
 

Raz0rEdge

Well-known member
Staff member
Moderator
Joined
Jul 17, 2009
Messages
15,789
Reaction score
2,136
Points
113
Location
MA
Your Mac's Specs
2022 Mac Studio M1 Max, 2023 M2 MBA
There are enough opinions around being hacked, so let's not even explore that with the varying theories..

As long as you are running a version of macOS post Lion, then you have the Recovery Console built-in. So, assuming you've backed up your important data off the machine, power down the MBP. Power it back up while holding down CMD+R; this will put you into the Recovery Console.

You will now have a menu with 4 options like the one below

[Image: Recovery Console menu]

Choose Disk Utility and select your internal drive and erase it.

Once the erasure is completed, exit out of Disk Utility and return to this menu and choose the Reinstall macOS option and let it do its work.

Once completed, the system will start up like a brand new machine asking you to set up your account and so on. Do so and then carefully (and manually) restore the files you want from your backup.
 
OP
Cr00zng
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
Thanks @ashwin...

Yeah, the first time I forgot to erase the drive first and while it did work, it didn't remove programs and data. The second time it did just fine and wiped all of the data.

For the last two years, this MacBook had been used for accessing financial accounts online with Safari. On this MacBook, most if not all previous programs had been removed, but MacOS had not been reinstalled. Of course, it had been updated all the time and hadn't had an issue until this past Monday. That's the time when one of my investment account company's fraud department sent an email and suspended the account due to suspicious activities. I wish it had been part of "varying theories", but it is not; in the process of replacing my account names and passwords all around....
 
Joined
Jan 1, 2009
Messages
15,586
Reaction score
3,913
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
That's the time when one of my investment account company's fraud department sent an email and suspended the account due to suspicious activities.
Not a symptom of being hacked. Bad guys will try logging in, failing, but triggering the fraud department if they look for too many fails. All they need for the attempt is your account name. And since a LOT of logins are an email address, they get your email from somebody else to whom you sent an email and they then use that email address to try to get in. I get notices periodically that someone has asked for my password to be changed, and would I kindly confirm it was me. Since it isn't me, I don't confirm and the password isn't changed.
 

Slydude

Well-known member
Staff member
Moderator
Joined
Nov 15, 2009
Messages
17,632
Reaction score
1,090
Points
113
Location
North Louisiana, USA
Your Mac's Specs
M1 MacMini 16 GB - Ventura, iPhone 14 Pro Max, 2015 iMac 16 GB Monterey
I always hate these situations. Obviously, in addition to all the issues springing from a compromised account, there're other issues which make this situation murky at best:

1. I don't trust some of these companies to be "on the ball" so to speak with security. I remember when Safari was initially released. For some time afterward, several financial sites didn't work with Safari but continued to work with the Mac version of Internet Explorer which Microsoft had stopped updating/supporting. These same people were advocating use of Netscape which was clearly on the road to being obsolete.

2. Sometimes months pass before users are informed of any issues. This seriously impacts our ability to take steps to mitigate the problem in a timely manner.
 
OP
Cr00zng
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
@MacInWin....
Well, the short description of the event can be viewed as "not a symptom of being hacked", but...The longer one below may change your mind...

@Slydude...
I tend to agree with you about being "on the ball", but in this case the investment company was. I don't get impressed by fraud protection departments; these guys were just fine.

So some background....

Last Sunday, I did log in to the investment company without any issues. Late last Monday I got the alert that my email address had been changed on the account and called the company first thing on Tuesday. That's when I had been informed that the account had been locked due to fraudulent activities by the fraud department. Yesterday the fraud department contacted me and stated that someone tried to set up a bank account and transfer out a substantial amount from my account.

He restored my account to the previous state and requested to change the account name and password. So I did in KeePass. For financial accounts my standard is minimum 12 characters randomly generated UID and so is the PWD. He set a temporary password and had me log in to my account and change the password. After logging in a couple of times for testing purposes, we were pretty much done and he of course removed the lock. This is where it becomes interesting; keep in mind that the UID/PWD had only been stored on the MacBook.

An hour later he called and informed me that someone tried to wire out 1K to the same bank that he removed; he had prevented the wire transfer and locked the account again. He also stated that it seems the MacBook had been hacked. I had him leave the lock on until I clean up my MacBook.

One more note... The company does use 2FA with text PIN#. Instead of coming to my phone it went to my wife's, who did not receive it. I don't know why, still looking into it and open for suggestions....

TIA...
 
Joined
Jan 1, 2009
Messages
15,586
Reaction score
3,913
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
Still don't see any evidence that your Mac was hacked. The guy who told you it had obviously knows zero about Macs. From the sequence of events, I would say that the investment company has a hole in their security if they let someone change your email. In addition, I would be nervous about the "fraud department" contacting me, instead of asking me to contact them. Phishing starts with a contact from someone pretending to be from the company. When I get contacted that way, I just say "thanks," and then call back to the contact point on a statement and ask for the security department/fraud department so that I KNOW I am talking to the right people. Maybe all was on the up and up, but that's how I try to make things work. The fact that the company allowed a new bank, new telephone number, and new email without any 2FA authorization would signal to me that it was time to leave that company and move to one with better security.
 
Last edited:
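
Added example, not part of any post in this thread: a small triage routine that separates the two readings argued above, failed-login noise that needs only an account name versus account changes that continue after credentials were rotated. The event names, the `by_owner` flag and both sample timelines are constructed for illustration; the second timeline is modelled on the sequence described by the original poster.

```python
from datetime import datetime

# Assumed event names: actions that need an authenticated session or a
# provider-side account change, as opposed to a bare login attempt.
POST_AUTH = {"email_changed", "bank_added", "wire_attempt"}

def ev(ts, kind, by_owner=False):
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "by_owner": by_owner}

def triage(events):
    """Classify an account timeline; returns (label, next_step)."""
    events = sorted(events, key=lambda e: e["ts"])
    foreign = [e for e in events if e["kind"] in POST_AUTH and not e["by_owner"]]
    resets = [e["ts"] for e in events if e["kind"] == "credentials_reset"]
    if not foreign:
        if any(e["kind"] == "login_failed" for e in events):
            # Only the login name is needed to produce this pattern.
            return ("guessing_only", "no sign credentials were used")
        return ("clean", "nothing to do")
    if any(r < e["ts"] for e in foreign for r in resets):
        # Rotating the credentials did not stop the activity, so look at
        # everything that saw the new credentials or can bypass them.
        return ("persists_after_reset",
                "review devices, message forwarding, 2FA contacts, recovery paths")
    return ("account_takeover",
            "reset credentials from a known-clean device, re-check 2FA contacts")

# Constructed sample: repeated failures ending in a lockout.
LOCKOUT = [
    ev("2024-01-08T09:00", "login_failed"),
    ev("2024-01-08T09:01", "login_failed"),
    ev("2024-01-08T09:02", "account_locked"),
]

# Constructed sample modelled on the thread (dates are placeholders).
THREAD = [
    ev("2024-01-07T10:00", "login_ok", by_owner=True),
    ev("2024-01-08T22:00", "email_changed"),
    ev("2024-01-08T22:05", "bank_added"),
    ev("2024-01-11T14:00", "credentials_reset", by_owner=True),
    ev("2024-01-11T15:00", "wire_attempt"),
]

if __name__ == "__main__":
    for name, timeline in (("lockout", LOCKOUT), ("thread", THREAD)):
        print(name, *triage(timeline), sep=" | ")
```

The `persists_after_reset` label does not identify which component is exposed; it only says that a credential reset alone was not enough, which is why the next step lists the devices and channels to review.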
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,235
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
One more note... The company does use 2FA with text PIN#. Instead of coming to my phone it went to my wife's, who did not receive it. I don't know why, still looking into it and open for suggestions....

Her phone number was spoofed, perhaps? What kind of phone? If Android, you should be looking at her phone, not your Mac.
 
OP
Cr00zng
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
@MacInWin...
I could tell you more details, but your reply would be the same, my MacBook had not been hacked. Let's just agree to disagree, before you make up more stories...

@Lifeisabeach...
The account's secondary cell number was hers. What I've gathered so far, she did receive her iPhone text messages on the MacBook too, which may or may not explain how access had been gained to her text messages. It doesn't really matter, since her number had been removed from the account.

If someone posts a similar message, I'd be just as suspicious as you are. But I've seen this exploit in action and it had been scary. The help that I've got from the fraud department (yes, the real one MacIn... :) ) had been great. While the MacOS had been reinstalled a couple of times, at this point, I'll probably end up using one of the Windows laptops for accessing financial accounts online.

At least it is easier to get some help when the system is exploited, instead of getting unwavering defense of the platform and finger pointing...
 

Rod


Joined
Jun 12, 2011
Messages
9,741
Reaction score
1,923
Points
113
Location
Melbourne, Australia and Ubud, Bali, Indonesia
Your Mac's Specs
2021 M1 MacBook Pro 14" macOS 14.4.1, Mid 2010MacBook 13" iPhone 13 Pro max, iPad 6, Apple Watch SE.
Probably not a bad time to suggest that you ensure you are running the latest equipment with the latest software.
Further, that you regularly run a good anti-malware application.
Current hardware and software is as up to speed with current hacking techniques as you can get. That apart from the usual online precautions is about all you can do when working with overseas financial companies.
I do note however that you say, "Yesterday the fraud department contacted me and stated, that someone tried to setup a bank account and transfer out a substantial amount from my account." The "someone tried" bit would be reassuring to me, it means they failed.
 

Raz0rEdge

Well-known member
Staff member
Moderator
Joined
Jul 17, 2009
Messages
15,789
Reaction score
2,136
Points
113
Location
MA
Your Mac's Specs
2022 Mac Studio M1 Max, 2023 M2 MBA
And that's why I suggested that we not get into the discussion on hacking.

You've been told how to re-install the OS, please do that and let's move on.
 