TeamViewer denies hack after PCs hijacked, PayPal accounts drained

Atlas147

Level 30
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
TeamViewer users say their computers were hijacked and bank accounts emptied all while the software company's systems mysteriously fell offline. TeamViewer denies it has been hacked.

In the past 24 hours, we've seen a spike in complaints from people who say their PCs, Macs and servers were taken over via the widely used remote-control tool on their machines. Even users with strong passwords and two-factor authentication enabled on their TeamViewer accounts say they were hit.

It appears miscreants gained control of victims' TeamViewer web accounts, and used those to connect into computers, where they seized web browsers to empty PayPal accounts, access webmail, and order stuff from Amazon and eBay.

Full Article TeamViewer denies hack after PCs hijacked, PayPal accounts drained
 

DJ Panda

Level 30
Verified
Top Poster
Well-known
Aug 30, 2015
1,928
I got affected by this. I had 2FA on which means there should be no way anyone except me can gain access to my account. For some reason however, they were able to.

2FA can save your butt. However, after I am done using my browser I log out of my Google and MalwareTips accounts. Sometimes it's also easier to write checks and other credentials than doing so on a computer that could be getting hijacked. Anything can happen after all. ;)
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,344
I got affected by this. I had 2FA on which means there should be no way anyone except me can gain access to my account. For some reason however, they were able to.
If I may ask, did you have the program running, or did they somehow get in just from the TeamViewer service?
 

Cats-4_Owners-2

Level 39
Verified
Honorary Member
Top Poster
Well-known
Dec 4, 2013
2,800
I got affected by this. I had 2FA on which means there should be no way anyone except me can gain access to my account. For some reason however, they were able to.

@rigor, I hope your breach was minimal, stoppable now that it's been revealed, & (hopefully) suffered zero loss.

Although I am currently not a user of TeamViewer, this article was so unsettling that I've checked that neither this system nor its apps have remote access activated.
 

Atlas147

Level 30
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
I got affected by this. I had 2FA on which means there should be no way anyone except me can gain access to my account. For some reason however, they were able to.

Did a random account try to add you as a friend by any chance? There was an unknown account requesting to be my friend, I thought nothing of it at first but now that I read this, I'm thinking it might be connected.

Side note: I keep TeamViewer closed when I'm not using it, and I think it's much safer that way, seeing that it's basically a way that might allow someone to view or control your entire PC.
 

omidomi

Level 71
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,001
BackDoor.TeamViewer.49 is the name of a backdoor trojan discovered by Russian security vendor Dr.Web, who claims it will install the TeamViewer application on infected computers so that it can relay Web traffic from the crook to other servers on the Internet, effectively using the host as a proxy server.

Dr.Web researchers, together with security experts from Yandex, first discovered the trojan at the start of May, distributed via a complex multi-stage mechanism.

Initial infection occurs via a tainted Adobe Flash update package
Users don't get infected with BackDoor.TeamViewer directly, but first through a malware dropper called Trojan.MulDrop6.39120, which Dr.Web says is distributed online together with an Adobe Flash Player update package.

When users install this malicious Flash Player update, they get a legitimate Flash version, but also the Trojan.MulDrop6 trojan, which secretly installs TeamViewer on the victim's computer.

Dropping TeamViewer on infected devices is not something new, but the crooks don't use it to log into the victim's PC and take control of the device. Dr.Web claims that TeamViewer is used for something else.

Crooks don't steal anything from infected devices
Crooks replaced TeamViewer's avicap32.dll file with a malicious version that contains the BackDoor.TeamViewer trojan. Since TeamViewer automatically runs avicap32.dll in the OS memory, crooks only need to add auto-run functions to TeamViewer and make sure the app's icon is hidden from the Windows notification area.

After the criminals make all the necessary modifications and TeamViewer is running, BackDoor.TeamViewer connects via an encrypted channel to the crooks' command and control server, where it waits for instructions.

Dr.Web says that, in the versions it analyzed, the trojan's main function was to operate as a Web proxy, taking traffic it receives from the C&C server and relaying it to the Internet, effectively masking the crooks' real IP.

"While we will have to look closer into this matter, the real issue is the installation of a malware program. Once a system is infected, perpetrators can virtually do anything with that particular system - depending on how intricate the malware is, it can capture the entire system, seize or manipulate information, and so forth," a TeamViewer spokesperson told Softpedia. "So first and foremost, it is important that users protect their systems best they can by having proper anti-malware in place."

source: Windows Trojan Uses TeamViewer to Turn Your PC into a Web Proxy
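The avicap32.dll replacement described above is a DLL sideloading pattern: avicap32.dll is a Windows-supplied DLL that a legitimate install loads from System32, so a same-named copy sitting next to TeamViewer.exe is itself a red flag, and a copy whose hash differs from the System32 one is worse. The following is an added defensive check, not code from the article, Dr.Web or TeamViewer; the directory names and file contents in `demo()` are constructed for illustration, and the check generalizes to any list of system DLL names.

```python
import hashlib
import tempfile
from pathlib import Path

# Windows-supplied DLLs that a legitimate install loads from System32; a copy
# placed beside the application's .exe is loaded first (the sideloading
# pattern in the report). avicap32.dll is the one named in the article.
SYSTEM_DLLS = ("avicap32.dll",)

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_sideload(app_dir, system_dir, dll_names=SYSTEM_DLLS):
    """Return findings for system DLLs planted in app_dir; [] means clean."""
    app_dir, system_dir = Path(app_dir), Path(system_dir)
    findings = []
    for name in dll_names:
        planted = app_dir / name
        if not planted.exists():
            continue  # nothing beside the executable: Windows loads the System32 copy
        findings.append(f"{name} present in application directory {app_dir}")
        genuine = system_dir / name
        if genuine.exists() and sha256_of(planted) != sha256_of(genuine):
            findings.append(f"{name} hash differs from the System32 copy")
    return findings

def demo():
    """Constructed layout in a temp dir (not a real system): one clean install
    and one with a replaced avicap32.dll, checked against a fake System32."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "System32"
    sys32.mkdir()
    (sys32 / "avicap32.dll").write_bytes(b"genuine avicap32 bytes (constructed)")
    clean = root / "TeamViewer_clean"
    clean.mkdir()
    (clean / "TeamViewer.exe").write_bytes(b"exe (constructed)")
    tampered = root / "TeamViewer_tampered"
    tampered.mkdir()
    (tampered / "TeamViewer.exe").write_bytes(b"exe (constructed)")
    (tampered / "avicap32.dll").write_bytes(b"replaced dll (constructed)")
    return check_sideload(clean, sys32), check_sideload(tampered, sys32)

if __name__ == "__main__":
    clean_findings, tampered_findings = demo()
    print("clean:", clean_findings)
    print("tampered:", tampered_findings)
```

On a real machine, point `check_sideload` at the TeamViewer install directory and `C:\Windows\System32`; a clean install returns an empty list.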
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Hi, do I get infected if I don't have a TeamViewer account? The last time I used TeamViewer to quickly fix my friend's laptop was 30/5. I just used the generated ID & password to log in.
Thanks
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Agreed sis,
I used it frequently with a couple of the clan mates I game with, helping configure some of the games' ini files.
One day TeamViewer started all by itself, launched and attempted to log in.
After that I removed it, and now I only install it before I use it and promptly uninstall it after.
PeAcE
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,344
What really happened we will never know. But I only know that 2-3 months ago all of this mess started.

First we had Surprise ransomware, then Proxy trojan and now this.

Until we get a better alternative to TeamViewer, I suggest you all enable two-factor authentication for your accounts.

TeamViewer Support – Help regarding licensing and technical issues
This doesn't help when TV is already running. 2FA only applies when logging in, not on connections.
The only solution is to only run it, not install it, and also close it when done. Personally I also have the installer blocked with ReHIPS until I need it.
 

generalwu

Level 5
Verified
Well-known
Jan 25, 2016
219
Seems like their PR department is not doing a great job in this.

Time to boot them out. :p
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,344
Are you sure about it? To be able to access your computer they need to log in to your account, right?
2FA is activated on account login, and you are correct to think it would have stopped them from accessing TV online management, but if reports are true that's not the case.
Now, how they managed to do it and bypass the 2FA on the TV online management page we have no clue, because TV is denying they were breached.

EDIT: Don't get me wrong, 2FA should be set to on, because nothing is confirmed until TV decides to explain the issue. I am just stating that some users report they got "hacked" even when they had 2FA on.
Obviously 2FA is better, but we can't be sure it's 100% secure; that's why TV should be removed until we can be.
 