Anyone Seeing Teamviewer Hacks?

I've been hearing/seeing multiple reports of what appear to be TeamViewer account hacks that look like more than simple password leaks. Has anyone else seen/heard of this?

http://security.stackexchange.com/questions/115330/unauthorized-remote-control-performed-today-teamviewer

http://teamviewerforums.com/index.php?topic=3485.0

http://teamviewerforums.com/index.php?topic=3500.0

http://teamviewerforums.com/index.php?topic=3501.0

http://teamviewerforums.com/index.php?topic=3483.0

https://www.paypal-community.com/t5/About-Protections/Hacked-teamviewer-Fraudulent-PP-Transactions/td-p/1040227

It looks like in most cases attackers are using stored credit card info or credentials in browsers to order gift cards or other online purchases.

TeamViewer has come up in discussions about remote access on IPVM before. If you have TeamViewer installed, you may want to review the above links and check up on those machines.


Brian,

Thank you for the information, time to go through the accounts again and change passwords. For those in the articles above it seems as though the hackers were looking to place orders using the account information that they have saved in their browsers, another example of why L/P shouldn't be auto saved.

Don't you still need the CVV2 code to make a purchase at most retailers? I know Amazon may be an exception to that, but most online stores do require it.

Jon - in my experience, yes, but it seems there are several reports of online purchases with stored credentials. There are also reports of Apple gift card purchases, which may be possible through iTunes, and also PayPal purchases, which you can do with just user credentials.

If you enter a new address in Amazon they ask you to re-enter card details for verification.

If there is any chance that your machine has been accessed don't change passwords on that machine as the hackers could well have installed a keylogger type app that reports all keystrokes back to them. The only safe way is to wipe the machine & reinstall everything. Not very palatable but there are no tools that can guarantee all malware has been removed.

I haven't read the links from the OP regarding the hack, but it seems premature to wipe the machine without more investigation. i.e. wouldn't the TeamViewer access log indicate the presence or absence of a potential intrusion?

Looks like more issues with TeamViewer

The website is down today and so is the application... spoke with support on the phone and they stated (as the article did) that it is a server related issue... they will provide an email with instructions to the current workaround if you are unable to connect... not sure what to think about the whole situation...

For what they charge, if I were a large customer I would be demanding a partial refund at least.

A little old (v7) but an in-depth analysis of TeamViewer's authentication protocol:

https://www.optiv.com/blog/teamviewer-authentication-protocol-part-1-of-3

There are a few attack vectors that he specifically mentions. Hopefully they were patched in versions 7,8,9,10,11.

From Krebs, reporting that an American pizza chain, Cici's, was impacted by TeamViewer hacks:

All of these attacks have been traced to social engineering/Team Viewer breaches because stores from SEVERAL POS vendors let supposed techs in to conduct ‘support

I hope this isn't too off topic, but Splashtop recently added two-factor authentication and this makes them a better candidate as an alternative to LMI/TeamViewer/etc.

My TeamViewer got hacked a couple months ago and $400 USD was sent out via PayPal.

I caught them in the act and disabled their session's keyboard and mouse activity whilst I took photos.
I emailed my logs to TeamViewer and they told me that it was my account that was logged, so I thought they just guessed my password.

So anyone running TeamViewer on their home PC, make sure that 2FA is set up for emails and/or any money sending website (PayPal etc...) and don't save passwords for the important sites...