
Privacy is more important than ever nowadays – especially on the Internet. In fact, you’ll hear tons of people and read dozens of articles talking about how vital it is to hide your IP address when you’re online.

But what can someone do with your IP address, actually?


Here’s all you need to know:

What Is an IP Address?

An IP (Internet Protocol) address acts as an identifier for the device you use to access the web. That helps websites know exactly where to send the data you ask for through connection requests.

Besides just identifying your device, your IP address also reveals your geo-location since it contains info like:

  • What country you are from.
  • What city you are from.
  • Who your ISP is.
  • What your ZIP code is.

How Can People Find Your IP Address?

  • The easiest way for someone to find your IP address is through torrenting. When you torrent files, every member of the swarm (all the seeders and leechers sharing the file) can see your IP address. They just need to check the list of peers, and your full address is right there – along with the type and version of the torrent client you’re using.
  • Also, if you send an email to anyone, they can just check the email message’s header since it might contain your IP address. Not all email services reveal IP addresses, though. For example, Gmail doesn’t do that (they only show their mail server’s address), but Yahoo! and Microsoft Outlook do.
  • A more unconventional way for someone to find your IP address is if you run a website, and host it on your own server at home. They can just open their operating system’s command prompt, and ping the website’s domain. When they do that, the command prompt will return the website’s IP address.
    Alternatively, they could just use an online IP lookup tool to do the same thing.
    Of course, if you use a data center server to host your website, you don’t need to worry about that.
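The email-header case above is easy to check for yourself. The following added example (not from the article) parses the Received: headers of a constructed sample message, puts the hops in delivery order, and separates addresses that only describe local topology (RFC 1918, loopback, link-local) from the public address a recipient can actually geolocate; the hostnames and addresses in the sample are documentation placeholders.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message (not a real email). Servers prepend Received:
# lines, so the bottom hop is the one that saw the submitting client.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
        by inbound.example.org with ESMTPS id abc123;
        Tue, 3 Mar 2020 10:15:01 +0000
Received: from [192.168.1.23] (198.51.100.77)
        by mx.example.net with ESMTPSA id def456;
        Tue, 3 Mar 2020 10:14:59 +0000
From: alice@example.net
To: bob@example.org
Subject: test

body
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Explicit list rather than ipaddress.is_private, which also flags the
# documentation ranges (198.51.100.0/24 etc.) used in the sample.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def received_hops(raw_message):
    """Return the Received: headers in delivery order (earliest hop first)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return list(reversed(msg.get_all("Received", [])))


def addresses_in_hop(hop):
    """Extract valid IPv4 addresses from one Received: header and label each
    as 'local' (reveals only LAN layout) or 'public' (geolocatable)."""
    found = []
    for token in IPV4_RE.findall(hop):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        kind = "local" if any(addr in net for net in LOCAL_NETS) else "public"
        found.append((str(addr), kind))
    return found


def exposed_client_ips(raw_message):
    """Public addresses recorded in the earliest hop: what the recipient
    learns about the sender's connection just by reading the header."""
    hops = received_hops(raw_message)
    if not hops:
        return []
    return [ip for ip, kind in addresses_in_hop(hops[0]) if kind == "public"]


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_HEADERS)):
        print(f"hop {i}: {addresses_in_hop(hop)}")
    print("exposed client IPs:", exposed_client_ips(SAMPLE_HEADERS))
```

Run it against a message you sent yourself to see which addresses your own provider writes into the header.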

Here are other “minor” ways someone could find your real IP address:

  • By checking the web server logs of the websites you visit. Don’t forget – every website you access sees and stores your IP address. Of course, only website owners and admins can see that info – or pretty much anyone if the website suffers a data leak.
  • Email HTML bugs can reveal your IP address when you open an email or view an image in said email. This isn’t exactly a “bug,” but a piece of code in a transparent image that’s present in an email. People can use services like WhoReadMe to attach such an image to the emails they send. If you interact with the message, the service will alert the sender, and will also show them your location (so, your IP address).
  • If someone is in your home and is using your WiFi network, they can just use Google, type “what is my IP address,” and they’ll instantly see it.
  • Forum, blog, and gaming server admins can see your real IP address. That’s how they block you, after all.
  • Interacting with any online ad (especially on social media) will reveal your IP address to advertisers.
  • Someone could use a tool like Grabify to create a link to a legit website, and send it to you. Clicking on the link takes you to a real website, but will also allow the person who sent it to track info about you, including your IP address.

So, What Can Someone Do With Your IP Address?

Here are the main ways your online experience can take a hit if someone has your IP address:

Restrict Your Access to Certain Services

“If someone has my IP address what can they do to my online access?”

Well, content providers can use your IP address to target you with geo-blocks – content restrictions that essentially prevent you from accessing a web page or the content on a website if you’re from a blacklisted geographical region.

Like we already mentioned, your IP address leaks your geo-location, and any website you send connection requests to or visit will see and log your IP address.

That’s how services like Netflix or Hulu keep people from accessing US content from other countries, for example.

Spam You With “Personalized” Ads

Ever looked up an article reviewing the best vacuum cleaners, read it and closed it, only to later see tons of vacuum cleaner ads on your social media feed?

The vacuum cleaner is just an example – really, anything goes with that statement.

Well, that creepy “coincidence” is actually how advertisers track you on the web, and spam you with ads you “might” be interested in.

Advertisers normally use tracking pixels, but they also make use of your IP address. With it, they can deliver location-based ads in your native language.

Some people might find that useful, but for most of us it feels like an invasion of our privacy.

Add It to a Database and Sell It on the Dark Web

Some hackers might collect IP addresses to sell them on the dark web for a profit.

Naturally, a cybercriminal won’t sell just your IP address. That’s not really worth much to anyone. Instead, they’ll compile a whole database containing user data they stole from various websites – and that data includes your IP address.

Still, that doesn’t mean you should take this lightly. If someone buys your IP address on the dark web, it’s not because they have good intentions with it. They’ll either try to use it to impersonate you, find out personal info about you, or use it in scams.

Find Limited Personal Info About You

Don’t think someone could find your name, physical address, and phone number by just knowing your IP address.

At most, they’d be able to pinpoint your location to a specific area – a country, city, or even a neighborhood.

Still, if the cybercriminal is skilled enough, they could find out who your ISP is from your IP address, and use phishing and vishing attacks against them to find out your personal details. Stuff like that has happened before, so it’s no speculation.

Cyberstalkers who are persistent enough could also try using your IP address to track your online actions, and find more personal information about you. Though, again, that would only work if they manage to trick your ISP into revealing sensitive data, or hack them to get it.

DoS/DDoS Your Network

If a cybercriminal knows your IP address, they can DDoS/DoS you – essentially flood your network with unwanted traffic to the point where your web connection goes down.

This tends to happen a lot in online gaming – with upset players DoS/DDoS-ing other players.

Sue You for Copyright Infringement

Yep, stuff like that can happen if you live in a country where the law is very tough on torrenting – like the US, for instance.

Torrent monitoring and copyright agencies might keep an eye on torrent traffic, and single out your IP address. If they do that, they can find out who your ISP is, and get in touch with them to ask them to hand over your contact details and personal information.

Then, depending on how serious your “torrenting crime” is, they might just threaten you with DMCA notices, or they could sue you directly.

Prevent You from Playing Online Games

This just applies to online games. Basically, an admin who’s a sore loser might ban you from the match.

Now, when they ban you, they’re actually banning your IP address. Since the gaming server blacklists it, you can’t reconnect to it anymore until someone lifts the ban.


“Can My IP Address Be Hacked and Used?”

Not exactly, though you might see people talking about “IP hacks” online.

However, a cybercriminal can’t exactly hack an IP address. It’s just a number, not software or hardware.

“Okay, so what can a hacker do with an IP address then?”

Well, a cybercriminal could theoretically use your IP address. To do that, they’d need to hack your device, therefore getting access to its IP address. That, or they could get access to your home WiFi network – which they can easily do if you don’t secure it properly.

Once they’re using your network or device, they can start doing illegal stuff with your IP address – like making death threats or downloading illegal torrents, child pornography, or content that might threaten the country’s national security.

“Can Someone Remotely Access My Computer With My IP Address?”

It depends.

Usually, no. Just knowing someone’s IP address isn’t exactly enough to remotely hack their devices.

Still, a very skilled cybercriminal could use your IP address to scan for open ports associated with it. If you’re not familiar with ports, just think of them as pipelines data flows through into and out of your network and device.

If a hacker were to manage to find an open port, and gain control over it (and many others), they might have a way to remotely control your computer. However, that can only happen if your operating system is out of date, you don’t use antivirus/antimalware software, and you turned your firewall off.

Another thing a cybercriminal could do is use your IP address to learn personal info about you and your browsing habits, and use phishing methods to try and trick you into installing malicious software on your device. If they’re successful, they can get remote access to your device.

How to Protect Your IP Address from Hackers, Advertisers, and Surveillance

Here are some good ways to hide your IP address to make sure nobody can track or steal it:

1. Use a VPN Service

A VPN is an online service you can use to quickly and easily hide your IP address. All you need to do is connect to a VPN server, and it will automatically replace your real IP address with its own address.

Before committing to a VPN, it’s a good idea to test the connection well to make sure it doesn’t suffer any IP leaks.

Also, using a VPN with a Kill Switch is preferable. That way, if you ever lose your VPN connection for any reason, you won’t need to worry about anyone seeing your real IP address since the VPN will automatically cut off your web access until the connection is running again.

Looking for a Secure VPN?

No need to worry about that anymore if you use CactusVPN. We offer a VPN service with military-grade encryption, and high-speed servers that also feature unlimited bandwidth.

We also provide shared IP addresses, so our servers mix your traffic with the traffic of other users, further protecting your privacy.

That, and we also offer DNS leak protection, a Kill Switch, and a guaranteed no-log policy.


And once you do become a CactusVPN customer, we’ll still have your back with a 30-day money-back guarantee.

2. Use a Proxy Server

Much like a VPN, a proxy server will also hide your IP address whenever you connect to it. However, it doesn’t offer the same level of security VPNs do.

So you don’t get high-end encryption that properly secures your traffic and data. Also, proxy servers often tend to be slower than VPN servers, so keep that in mind.

If you’re worried about that, but still want to use a proxy server, consider getting a VPN whose servers double as proxy servers – like CactusVPN, for instance.

3. Switch WiFi Networks

If you’re worried someone is targeting your IP address, and you have access to multiple WiFi networks, just switch between them. The moment you connect to a network, you’ll get a new IP address.

Of course, this isn’t an ideal solution. Public WiFi is pretty risky and full of cyber threats since most networks don’t use any kind of encryption.

4. Switch to Mobile Data


If you don’t have any WiFi networks you can use (can happen if you’re at home), another way to hide your IP address is to just turn on your mobile data.

When you do that, you’ll start using your cell phone provider’s network, so you’ll get a new IP address.

5. Talk With Your ISP

Since your ISP is the one who assigns IP addresses to you, it’s obvious you need to talk with them if you want to change it.

You could try seeing if they’d be willing to offer you a dynamic IP address – basically an address that changes every single time you go on the web.

Of course, if your ISP agrees, they might charge you more for that. And they might have you answer a few questions or fill out some forms too.

What About Tor?

Sure, Tor can also hide your IP address. It’s an anonymity network, after all.

However, there’s one big problem with it – the network already had a flaw some time ago that leaked users’ real IP addresses.

True, it was fixed, but who knows if an issue like that will show up again? The last thing you want is randomly exposing your IP address without even knowing it.

Besides that, you’ll also have to put up with other issues like the lack of encryption on the exit relay, having to only use the Tor browser, and slow speeds since there aren’t enough relays to support the huge number of Tor users.

What to Do If Someone Has Your IP Address

Well, it’s pretty obvious – change it. You can do that with a VPN or proxy, or by asking your ISP to do it for you.

Other than that, there’s not much you can do. If you fear a cybercriminal is using your address to download or do illegal things, it’s best to alert the authorities as soon as possible.

What Can Someone Do With Your IP Address? The Bottom Line

Quite a lot – they can use it to find out approximate details about your location (country, city, ZIP code, ISP), restrict your access to certain websites or gaming servers, and target you with annoying ads.

As for how someone can find your IP address, they can try many things – from using IP lookup tools and checking the list of peers on torrent clients to using email HTML bugs and online ads.

To make sure your privacy stays intact, you should use a VPN or a proxy server to hide your IP address whenever you’re on the web.


A new data wiper and info-stealer called ThiefQuest is using ransomware as a decoy to steal files from macOS users. The victims get infected after downloading trojanized installers of popular apps from torrent trackers.

While not common, ransomware has been known to target the macOS platform in the past, with KeRanger, FileCoder (aka Findzip), and Patcher being three other examples of malware designed to encrypt Mac systems.

ThiefQuest was first spotted by K7 Lab malware researcher Dinesh Devadoss and analyzed by Malwarebytes' Director of Mac & Mobile Thomas Reed, Jamf Principal Security Researcher Patrick Wardle, and BleepingComputer's Lawrence Abrams, who found an interesting twist.


Installs a keylogger and opens a reverse shell

Devadoss discovered that ThiefQuest includes the capability to check if it's running in a virtual machine (more of a sandbox check according to Wardle), and it features anti-debug capabilities.

It also checks for some common security tools (Little Snitch) and antimalware solutions (Kaspersky, Norton, Avast, DrWeb, McAfee, Bitdefender, and Bullguard), and opens a reverse shell used for communication with its command-and-control (C2) server, as VMRay technical lead Felix Seele found.

The malware will connect to http://andrewka6.pythonanywhere[.]com/ret.txt to get the IP address of the C2 server to download further files and send data.

'Armed with these capabilities the attacker can maintain full control over an infected host,' Wardle said.

Distributed as pirated apps on torrent sites

As Reed found after examining the ransomware, ThiefQuest is dropped using infected installers wrapping legitimate software including but not limited to Little Snitch, Ableton, and Mixed in Key.

Even though the malicious .PKG installers downloaded from popular torrent sites are code signed and look just like any legitimate installer would when launched, they are distributed as DMG files and don't have a custom icon, a warning sign for many macOS users that something is not quite right.

Reed also found that, in the case of one of the ThiefQuest samples analyzed, the packages of compressed installer files include the pirated apps' original installers and uninstallers, together with a malicious patch binary and a post-install script used to launch the installer and launch the malware.

ThiefQuest also copies itself into ~/Library/AppQuest/com.apple.questd and creates a launch agent property list at ~/Library/LaunchAgents/com.apple.questd.plist with a RunAtLoad key set to true to automatically get launched whenever the victim logs into the system.

After gaining persistence on the infected device, ThiefQuest launches a configured copy of itself and starts encrypting files appending a BEBABEDD marker at the end.
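The two indicators in the last paragraphs, the launch agent and the trailer the encryptor appends, are both checkable from the filesystem. The added example below (written for this page, not by the researchers quoted) builds a throwaway home directory that mimics an infected host, parses the launch agent plist to confirm the RunAtLoad setting, and lists files whose last bytes are the BEBABEDD marker; treating the marker as the literal ASCII string is an assumption made here.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Paths named in the article; the literal-ASCII form of the marker is assumed.
AGENT_PLIST = Path("Library/LaunchAgents/com.apple.questd.plist")
AGENT_BINARY = Path("Library/AppQuest/com.apple.questd")
MARKER = b"BEBABEDD"


def check_persistence(home):
    """Report whether the ThiefQuest launch agent exists under `home`
    and whether it is configured to start at login (RunAtLoad)."""
    plist_path = Path(home) / AGENT_PLIST
    result = {"plist_present": plist_path.is_file(),
              "binary_present": (Path(home) / AGENT_BINARY).is_file(),
              "run_at_load": False, "program": None}
    if result["plist_present"]:
        with open(plist_path, "rb") as f:
            data = plistlib.load(f)
        result["run_at_load"] = bool(data.get("RunAtLoad", False))
        args = data.get("ProgramArguments") or []
        result["program"] = data.get("Program") or (args[0] if args else None)
    return result


def find_marked_files(root):
    """Return paths (relative to root) of files ending in the BEBABEDD
    trailer, i.e. files the encryptor has already processed."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size < len(MARKER):
            continue
        with open(path, "rb") as f:
            f.seek(-len(MARKER), os.SEEK_END)  # read only the trailer
            if f.read() == MARKER:
                hits.append(str(path.relative_to(root)))
    return sorted(hits)


def build_sample_home():
    """Construct a temporary home directory with the persistence artefacts
    and one 'encrypted' file (constructed sample, no real malware)."""
    home = Path(tempfile.mkdtemp(prefix="questd-demo-"))
    (home / AGENT_BINARY).parent.mkdir(parents=True)
    (home / AGENT_BINARY).write_bytes(b"placeholder binary")
    (home / AGENT_PLIST).parent.mkdir(parents=True)
    with open(home / AGENT_PLIST, "wb") as f:
        plistlib.dump({"Label": "com.apple.questd", "RunAtLoad": True,
                       "ProgramArguments": [str(home / AGENT_BINARY)]}, f)
    docs = home / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_bytes(b"plain text, untouched")
    (docs / "budget.xlsx").write_bytes(b"\x00\x11\x22ciphertext" + MARKER)
    return home


if __name__ == "__main__":
    h = build_sample_home()
    print(check_persistence(h))
    print(find_marked_files(h))
```

Pointing both functions at a real home directory turns this into a quick triage check for a suspect Mac.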


Unlike Windows ransomware, ThiefQuest has issues starting to encrypt files. When it does, it isn't picky.

It seems to be locking files randomly, generating various issues on the compromised system from encrypting the login keychain to resetting the Dock to the default look, and causing Finder freezes.

'Once file encryption is complete, it creates a text file named READ_ME_NOW.txt with the ransom instructions,' Wardle added, and it will also display and read a modal prompt using macOS' text-to-speech feature letting the users know that their documents were encrypted.

The victims are asked to pay a $50 ransom in bitcoins within three days (72 hours) to recover their encrypted files and are directed to read a ransom note saved on their desktops.

Suspiciously, ThiefQuest is using the same static Bitcoin address for all victims and does not contain an email address to contact after payment has been made.

This makes it impossible for the attackers to identify victims who paid the ransom, and for a victim to contact the ransomware operators for a decryptor.

Combining a static Bitcoin address with a lack of contact methods is a strong indication that the ransomware is a wiper instead.

Wipers, though, are usually used as a cover for some other malicious activity.

Wiper malware used for data theft

After the malware was analyzed by BleepingComputer's Lawrence Abrams, we believe that the ransomware is simply a decoy for the true purpose of this malware.

That is to search for and steal certain file types from the infected computer.

When the malware is executed on a Mac, it will execute shell commands that download Python dependencies, Python scripts disguised as GIF files, and then run them.

The tasks conducted by the above command are:

  • Delete the /Users/user1/client/exec.command and /Users/user1/client/click.js files.
  • Download and install PIP
  • Install the Python 'requests' dependency
  • Download p.gif, which is a Python file, and execute it.
  • Download pct.gif, which is another Python file, and execute it.

The p.gif file is a heavily obfuscated Python script, and we have not been able to determine what its functionality is.

Of particular interest in the above file is the comment:

The pct.gif file is not obfuscated and is clearly a data exfiltration script that steals files under the /Users folder and sends it to a remote URL.

When executed, this script will search for any files under the /Users folder that contain the following extensions

For any files that match the search criteria, it will base64 encode the contents of the file and send it, together with the path of the file, back to the threat actor's command-and-control (C2) server.

These files include text files, images, Word documents, SSL certificates, code-signing certificates, source code, projects, backups, spreadsheets, presentations, databases, and cryptocurrency wallets.

To illustrate how this may look on the other end for the threat actor, BleepingComputer created a proof-of-concept script that accepted the requests from the above script. Vitali Kremez, who BleepingComputer shared the script with, agreed with our findings and pointed out that many of the searched file types are generally over 800KB in size.

What should victims do?

As you can see, the ThiefQuest wiper is much more damaging than first thought, as not only will data be encrypted, but it may not even be decryptable if a victim pays.

To make matters worse, the malware will steal files from your computer that contain sensitive information that could be used for a variety of malicious purposes, including identity theft, password harvesting, stealing of cryptocurrency, and stealing private security keys and certificates.

If you were infected with this malware, you should assume any files that match the listed extensions have been stolen or compromised in some manner.

While it is not known if a decryptor can be made, users can install Wardle's free RansomWhere utility, which detects ThiefQuest's attempts to gain persistence and allows them to terminate it once it starts locking their files.

Reed also says that Malwarebytes for Mac is capable of detecting this new macOS ransomware as Ransom.OSX.ThiefQuest and will remove it from infected Macs.

At the moment, researchers are still looking into what encryption ThiefQuest uses to encrypt its victims' files and if there are any weaknesses in the encryption.


Update July 02, 09:00 EDT: We updated the title and the article to reflect the malware's name change to ThiefQuest from EvilQuest (a name used by Chaosoft Games Xbox 360 and PC video game since 2012.)
