Apple - Can someone help me evaluate if this is a scam for Mac support?

Your gut reaction feels correct. The description of sleeping processes and idle % CPU use is misleading.

The description of tracking IP addresses to a single location is unrealistic.

The costs involved are high. For that sum, consider suggesting your father-in-law engages a local Mac expert – or go to a local Apple Store for help.

Erase and Reinstall

If possible, back up your father-in-law's Mac to an external hard drive. Then erase and reinstall OS X:

  1. Before you begin, make sure your Mac is connected to the Internet.
  2. Restart your Mac. Immediately hold down the Command (⌘) and R keys after you hear the startup sound to start up in OS X Recovery.
  3. When the Recovery window appears, select Disk Utility then click Continue.
  4. Select the indented volume name of your startup disk from the left side of the Disk Utility window, then click the Erase tab.
  5. If you want to securely erase the drive, click Security Options. Select an erase method, then click OK.
  6. From the Format pop-up menu, select Mac OS Extended (Journaled). Type a name for your disk, then click Erase.
  7. After the drive is erased, close the Disk Utility window.
  8. If you’re not connected to the Internet, choose a network from the Wi-Fi menu.
  9. Select the option to Reinstall OS X.
  10. Click Continue and follow the onscreen instructions to reinstall OS X.

This should entirely remove any third party tools and processes that have been installed by the support company.

With the reinstalled OS X, only restore personal files and documents from the backup.

An Aside: Distractions and Blame

Please do not blame the father-in-law. We have not been asked to judge the company or individuals affected. @milesmeow asked for help to decide if their decision was defensible and if others have encountered this type of situation.

A lot of the things they said are absolute nonsense. Sleeping processes are absolutely the norm. For example you might have a process looking after your printer, and that process will be sleeping 23 hours and 59 minutes a day except for the one minute where you are printing. High percentage of idle time: There's absolutely nothing wrong with that. Your Mac is supposed to be "idle" most of the time. "Idle" means your computer isn't using its battery, it isn't heating up, everything is fine.

Of course they are telling your relative this nonsense to frighten him into handing over more money. Common sense: What are the chances of a hack happening just after they fixed an issue with his computer? What a coincidence. However, there is unfortunately a chance that his computer is hacked - by the friendly guys who fixed it. And since they are trying to pull a scam on him, they cannot be trusted.

I'd strongly recommend making an appointment at the nearest Apple Store to have a look at the computer, and for general advice on what to do.

My wife was subjected to a similar scam while I was away on a business trip. By letting a remote user install software that (they say) enables them to provide them with tech support, you have actually enabled them to install anything they like, for example, a program to trap keystrokes while you are typing passwords.

The only safe response is to delete and reinstall the OS from a new download and also reinstall all applications, and then to restore only personal data files (no executable files) from the backup, as you have already been advised.

The scammers are relying on the fact that most users will not know what hidden viruses look like in netstat or top. (If the computer really had been hacked, then netstat and top would probably have been replaced by hacked versions that didn't show the virus activity.) SLEEPING processes, as has been said, are absolutely the norm.
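To make the point in the answers above about sleeping processes and idle CPU concrete, here is an added example (not part of any answer on this page) that reads the summary lines and STATE column of macOS `top -l 1 -stats pid,command,cpu,state` output. The sample text and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `top -l 1 -stats pid,command,cpu,state` on macOS
# (trimmed; all values are invented for illustration, not taken from the page).
SAMPLE = """\
Processes: 8 total, 1 running, 7 sleeping, 41 threads
CPU usage: 2.85% user, 4.10% sys, 93.05% idle
PID    COMMAND          %CPU STATE
1      launchd          0.0  sleeping
88     cupsd            0.0  sleeping
142    WindowServer     3.1  sleeping
201    mds_stores       0.0  sleeping
317    Google Chrome He 1.2  sleeping
402    Finder           0.0  sleeping
511    Mail             0.4  sleeping
623    top              2.2  running
"""

def summarize(text):
    """Return header counts, idle %, and a tally of per-process states."""
    def count(label):
        # Each figure is searched on its own so extra fields in the
        # header (for example a "stuck" count) do not break parsing.
        return int(re.search(rf"(\d+) {label}", text).group(1))

    total, running, sleeping = count("total"), count("running"), count("sleeping")
    idle = float(re.search(r"([\d.]+)% idle", text).group(1))
    states = Counter()
    for line in text.splitlines():
        # Process rows start with a PID; STATE is the last column, so
        # command names containing spaces are handled correctly.
        if re.match(r"\s*\d+\s", line):
            states[line.split()[-1]] += 1
    return {
        "total": total, "running": running, "sleeping": sleeping,
        "idle_pct": idle,
        "sleeping_share": sleeping / total,
        "states": dict(states),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['sleeping']}/{s['total']} processes sleeping "
          f"({s['sleeping_share']:.0%}), CPU {s['idle_pct']}% idle")
    print("per-process states:", s["states"])
```

In the sample the only running process is `top` itself, and the print daemon `cupsd` sleeps until there is something to print. This shows only that the quoted figures are ordinary; as the last answer notes, tool output from a machine a remote party had access to is not evidence that it is clean.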