Hacked via Team Viewer11

madspec · 15 May 2016

Hi,

Well, this just happened...

I was playing a game and decided to get something to drink. Closed the game and was upstairs for 1 minute. Got to my computer and someone was remotely on my pc

Team viewer was the culprit. I instantly closed team viewer and got crazy changing all my passwords(paypal, windows, and roboform) . Then I scanned everything with Malwarebytes, Zemana, windows defender, Panda, Mbar....Found absolutely nothing, pc looks clean. Then I sent the logs from team viewer to the support department over there.

The pc was not locked at the moment he hacked in team viewer so I guess he did not need the windows password ???

What would you guys do after all that ?

Thanks !

MoxieMomma · 15 May 2016

Hello and welcome:

madspec said:

Hi,

<snip> instantly closed team viewer and got crazy changing all my passwords(paypal, windows, and roboform) . Then I scanned everything with Malwarebytes, Zemana, windows defender, Panda, Mbar... <snip>

It's not clear from your post, so I will ask: did you change your passwords from the same, compromised system before scanning for malware, or from a different, known clean system?
(The latter would have been preferred.)

Just checking,
MM

madspec · 15 May 2016

Same Computer...you think maybe a keylogger ??

MoxieMomma · 15 May 2016

madspec said:

Same Computer...you think maybe a keylogger ??

I'm not qualified to say for sure (and we lack sufficient information to know).

But "best practices" would have been to use a different, known clean computer for the password/credential changes.

As a general rule, one should not conduct any financial transactions or divulge any sensitive data on a computer that may have been compromised UNTIL it has been thoroughly and deeply scanned for malware. For many home users, the best/safest course of action would be to seek a bit of free, expert help from a malware specialist, if not here then at one of several reputable computer disinfection fora.

If I were you, I would probably change my credentials again from a known clean system.

JMHO,
MM

madspec · 15 May 2016

Ok, will do it from my phone, thanks !

But I did scan everything and nothing came up, kinda weird.

essenbe · 15 May 2016

I also assume you changed the password in Team Viewer too. Has anyone used Team Viewer recently to remote into your computer? Who else has access to your computer.

madspec · 15 May 2016

Absolutely no one ever connected via team viewer. I only use it to help out family and connect from work. And yes, team viewer password is changed.

simrick · 15 May 2016

Hi.
I have used Teamviewer for years, and have never had this happen. I can, however, recommend some security settings for the future.

In Options>Security
- Disable the Random Password
- Populate the Whitelist with your work computer ID. No one else will be able to login.
- Make sure your access password to remote in is at least 12-16 characters, includes numbers, upper and lowercase letters, and special characters, and is not comprised of any words that can be found in the dictionary.
- Do not "save" the login credentials in your Teamviewer account - manually enter the password every time you log in from work.

Hacked via Team Viewer11-teamviewer-security.png

As mentioned above, all passwords should be changed from a known clean system.

You might want to run an ESET Online Scan. It's quite possible the hacker only "stole information" and did not leave anything behind. Then again, he could have dropped a time bomb. You can find detailed information on how to manipulate an ESET scan in the post here:
BSOD after boot up, during login or right after, (bad spool header?) - Page 3 - Windows 7 Help Forums

It will be interesting to see what the tech support people have to say about your logs. They should be able to identify the ID of the system that logged in, but I am not sure how much further that can be traced. I hope you'll share the findings with us.

TairikuOkami · 16 May 2016

A few more tips, do not let TeamViewer run at startup, run it only when needed.
You do not need its service running either, especially if you are the one giving support.
The safest way is to use the portable version or two factor authentication: TeamViewer Support.

It seems, that crooks are focusing on TeamViewer recently:

Ransomware Uses TeamViewer to Infect Victims

Attackers bundle an old version of TeamViewer to exploit vulnerability

jimbo45 · 16 May 2016

madspec said:

Ok, will do it from my phone, thanks !

But I did scan everything and nothing came up, kinda weird.

Hi there

doing it from the phone probably isn't advisable --Phones are now the new target for hackers and scammers rather than PC's and my experience is that people tend to think of Phones as having Linux based OS'es and therefore secure.

Phones CAN be hacked and of course the same care needs to be taken when accessing websites - rogue websites etc are just as available when using a phone as using a computer. The criminal fraternity these days see phone users as available for "much richer pickings" - so try and find some good AV software for your phone. - Seems the AV companies aren't on the ball at all on this one --I really wouldn't bother too much with AV on computers apart from standard Windows defender --phones are the new target. - and people give passwords / data all over the place on phones when using instagram, texting, facebook, twitter etc etc.

Personally I would never use an app like teamviewer in the first place -- why store your IP address on to a publically acessible server.

If you need to remotely access your computer -- just get the computer via a batch program to get your IP address every so often and email it to you.
Then you can connect to your remote computer via RDP etc -- just port forward to a specific IP address (internal) on your LAN -Routers can do this easily.

If you use Cable connections and leave your computer on most of the time then the IP address wont change after start up - so if you are only away say at work then get the IP address before you leave home -it won't change during the course of the day with Cable --it might (but not always) if you have the older Copper wire based broadband. Use port forwarding as before to RDP to your own computer.

I'll try and write this up -- since the services like no-Ip all went "Pro" (i.e pay)my method seems the easiest and cheapest way to do it without requiring anybody else's servers to be involved.

Cheers
jimbo