Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

jbencie

macrumors newbie
Original poster
Jun 28, 2017
3
0
Utah
Howdy! I've read many a thread on this forum over the years. Thanks for all the tips. I signed up because I'm just stumped on what to do next and I would like to give back. Being a Mac user since 1987 I've learned at least a few things...
Not sure where to post this because I don't see anybody having this problem. Which is great really, but makes it even MORE frustrating for me. I'll try to keep it as short as possible but give as much info as needed.

Brief history: I started working with someone whom I am now business partners with in 2015. I lived in the Chicago area until 05/2016 when I relocated to Utah and now we share a large home. We both have significant others, if you are wondering. She does consultations via Zoom (we used Skype until 09/2016). I handle all other aspects of the business. Her ex started harassing us around 02/2016 when the business started to do well. He is a nutjob and not fond of working. First it was keyloggers deployed through Skype attachments. He has now worked his way up to ActivTrak. I believe all of the machines we have are compromised. Fairly certain he's reading this (Hi dink). He has someone working locally and probably someone he hired overseas. I do not wish to inventory our equipment just in case there is something he doesn't know.

Proof of hack:
- system password changed by itself 05/2016 - wiped OS after, he was back in 3 days
- desktop picture changed while I was looking at it!! (several times)
- used CC info taken from Safari to make purchases (several occurrences)
- found activetrak listed as authorized app on the business Google account
- windows, emails, tabs etc. open/close/change while I'm looking at them most times my hand is not even on the mouse
- somehow hacks iCloud and gets an iMac that he stole from my partner listed as one of my computers under my iCloud account. I have removed it several times.
- tried to get in through airdrop, tried a DOS attack our modem and computers numerous times, managed to change the password on our cable TV box! I'm going to skip all the accounts he has hacked and the issues there since it's not pertinent
- there is more but I can't remember everything and I don't want to make this post novel length. Many of the events are timed with when things don't go his way legally, also with horrendous text attacks to my partners phone (on rare occasions that he isn't blocked). I even have him admitting to the keyloggers on a Skype call.
- Law enforcement has offered to do nothing..."because there is no direct proof it's him". He knows enough to spoof everything that can be traced and if you knew more about the whole situation, he tries to make it look like it's my partners son (which it's not, I'm sure).

What I've done:
-Bitdefender BOX and software (not impressed).
-Replaced Comcast modem with my own (no hotspot). It's in bridge mode to a second modem for wifi that the BOX controls DHCP
-stopped using iCloud, Safari and everything that sync's
-many things along the way, if it's online general knowledge I have it, tried it, done it or it's installed
-contacted numerous local companies for help, most know less than me.

The last guy I spoke with recommended a Sonicwall Modem. Seems like a plan, but there are several companies that have enterprise grade solutions and I have no idea which is the best for my situation. Also don't know how to eradicate dink from the network completely. Installing the firewall to keep him out won't work if he's still in the system. I don't mind wiping all the computers again, but my backup drive concerns me. Can't get a straight answer from anyone on that. Have a lot of audio and video archive recordings that I can't part with. Thanks for reading.
 
Last edited by a moderator:

casperes1996

macrumors 604
Jan 26, 2014
7,599
5,771
Horsens, Denmark
Well that's genuinely scary. Regardless of whether or not there's proof of it being him, law enforcement should do something. In fact, they should be investigating for who it is. Regardless of whether or not you can prove who it is, the law is being broken, and they should investigate it. That's like asking a murder victim's family if they know who did it, and giving up if they don't.

Anyway, in what ways are the affected machines open to the internet? Are they open for SSH? Apple Screen Sharing services? What kind of technical knowledge does the sh*thead have? What version of macOS are you running? How secure are your passwords and do you have two factor authentication enabled?
 

jbencie

macrumors newbie
Original poster
Jun 28, 2017
3
0
Utah
Well that's genuinely scary. Regardless of whether or not there's proof of it being him, law enforcement should do something. In fact, they should be investigating for who it is. Regardless of whether or not you can prove who it is, the law is being broken, and they should investigate it. That's like asking a murder victim's family if they know who did it, and giving up if they don't.

Anyway, in what ways are the affected machines open to the internet? Are they open for SSH? Apple Screen Sharing services? What kind of technical knowledge does the sh*thead have? What version of macOS are you running? How secure are your passwords and do you have two factor authentication enabled?


Thanks for your reply. While I agree you completely, law enforcement doesn't want to get involved with anything they can label civil and so they do when ever they can.

I disabled all sharing long ago, firewall and filevault on. Running 10.12.5 Two factor on everything now with very strong pw, that stopped a lot of his crap with accounts. It's been a process, took a while to get to where I am now. I think he hires out most of the thinking.
 

casperes1996

macrumors 604
Jan 26, 2014
7,599
5,771
Horsens, Denmark
Thanks for your reply. While I agree you completely, law enforcement doesn't want to get involved with anything they can label civil and so they do when ever they can.

Breaking into someone else's computer shouldn't be classified civil. That's on level with breaking and entering into someone's house.

I disabled all sharing long ago, firewall and filevault on. Running 10.12.5 Two factor on everything now with very strong pw, that stopped a lot of his crap with accounts. It's been a process, took a while to get to where I am now. I think he hires out most of the thinking.

Right... Are we talking personal machines or business machines? Are the devices hosting any internet data? Websites, mail servers, etc? You might want to use something like WireShark to keep an eye on traffic, and see if any data is being sent to curious places, such as passwords or whatnot. And avoid passwords that can be easily dictionary attacked. Oh, and actually, if you're not already this is a pretty good security measure to take - The user account that you use on your device, right? Don't use one with admin rights unless when you have to. That way any process started by the user account can't escalate to root privileges by guessing the password of the account it's on.
 

gsahli

macrumors 6502a
Jun 1, 2007
655
32
Chicago
I think you should get and run etrecheck and post the output here. It will help us tell you what you have on your Mac that allows this to happen.
 

jbencie

macrumors newbie
Original poster
Jun 28, 2017
3
0
Utah
I think you should get and run etrecheck and post the output here. It will help us tell you what you have on your Mac that allows this to happen.
Nifty little app, thanks for the suggestion. Here you go:

EtreCheck version: 3.4 (420)
Report generated 2017-07-01 12:02:32
Download EtreCheck from https://etrecheck.com
Runtime: 1:45
Performance: Excellent
 
Last edited:

gsahli

macrumors 6502a
Jun 1, 2007
655
32
Chicago
Uninstall Bitdefender - it's not helpful. Get Malwarebytes for Mac, and run it "occasionally."
I don't have personal experience with Zoom, but I think it's a security risk for you. Possible steps:
a) find out how to turn off Zoom until you want it on.
b) change password on Zoom, and change your admin password on your Mac.

Zoom advertises that it allows desktop sharing - that means that anyone who is allowed to connect can change settings on your Mac if they know your password.
 

SaSaSushi

macrumors 601
Aug 8, 2007
4,156
554
Takamatsu, Japan
She deleted the original post and the etrecheck output.

The plot thickens. Perhaps the intruder deleted it.
[doublepost=1499067083][/doublepost]
Breaking into someone else's computer shouldn't be classified civil. That's on level with breaking and entering into someone's house.

It is not a civil matter. It is criminal. Apparently in the state of Utah it becomes a felony once damages exceed $1000. It is a misdemeanor crime below that.

I doubt very much law enforcement would refuse to get involved and if they did I'd certainly want to know why if I were the one being hacked.

It might be a good idea for the OP to consult an attorney for advice as well.
 
Last edited:

casperes1996

macrumors 604
Jan 26, 2014
7,599
5,771
Horsens, Denmark
She deleted the original post and the etrecheck output.

Ah, right. Thanks for clearing that up. Was confused about your psychic abilities.

It is not a civil matter. It is criminal. Apparently in the state of Utah it becomes a felony once damages exceed $1000. It is a misdemeanor crime below that.

I doubt very much law enforcement would refuse to get involved and if they did I'd certainly want to know why if I were the one being hacked.

It might be a good idea for the OP to consult an attorney for advice as well.

Yep- Agree with this plan of action.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.