Subscriber Discussion

Anyone Seeing TeamViewer Hacks?

Brian Karas
May 24, 2016
IPVM

I've been hearing/seeing multiple reports of what appear to be TeamViewer account hacks that look like more than simple password leaks. Has anyone else seen/heard of this?

http://security.stackexchange.com/questions/115330/unauthorized-remote-control-performed-today-teamviewer

http://teamviewerforums.com/index.php?topic=3485.0

http://teamviewerforums.com/index.php?topic=3500.0

http://teamviewerforums.com/index.php?topic=3501.0

http://teamviewerforums.com/index.php?topic=3483.0

https://www.paypal-community.com/t5/About-Protections/Hacked-teamviewer-Fraudulent-PP-Transactions/td-p/1040227

It looks like in most cases attackers are using stored credit card info or credentials in browsers to order gift cards or other online purchases.

TeamViewer has come up in discussions about remote access on IPVM before. If you have TeamViewer installed, you may want to review the above links and check up on those machines.

Keefe Lovgren
May 24, 2016
IPVMU Certified

Brian,

Thank you for the information; time to go through the accounts again and change passwords. For those in the articles above, it seems as though the hackers were looking to place orders using the account information that they have saved in their browsers, another example of why L/P shouldn't be auto-saved.

Jon Dillabaugh
May 25, 2016
Pro Focus LLC

Don't you still need the CVV2 code to make a purchase at most retailers? I know Amazon may be an exception to that, but most online stores do require it.

Brian Karas
May 25, 2016
IPVM

Jon - in my experience, yes, but it seems there are several reports of online purchases with stored credentials. There are also reports of Apple gift card purchases, which may be possible through iTunes, and also PayPal purchases, which you can do with just user credentials.

If you enter a new address in Amazon they ask you to re-enter card details for verification.

Graham Reid
May 25, 2016
IPVMU Certified

If there is any chance that your machine has been accessed, don't change passwords on that machine, as the hackers could well have installed a keylogger-type app that reports all keystrokes back to them. The only safe way is to wipe the machine & reinstall everything. Not very palatable, but there are no tools that can guarantee all malware has been removed.

Undisclosed Manufacturer #1
May 25, 2016

I haven't read the links from the OP regarding the hack, but it seems premature to wipe the machine without more investigation. I.e., wouldn't the TeamViewer access log indicate the presence or absence of a potential intrusion?

Michael Miller
Jun 01, 2016

Looks like more issues with TeamViewer

Keefe Lovgren
Jun 02, 2016
IPVMU Certified

The website is down today and so is the application... spoke with support on the phone and they stated (as the article did) that it is a server-related issue... they will provide an email with instructions for the current workaround if you are unable to connect... not sure what to think about the whole situation...

Brian Karas
Jun 02, 2016
IPVM

For what they charge, if I were a large customer I would be demanding a partial refund at least.

Undisclosed Manufacturer #2
Jun 02, 2016

A little old (v7) but an in-depth analysis of TeamViewer's authentication protocol:

https://www.optiv.com/blog/teamviewer-authentication-protocol-part-1-of-3

There are a few attack vectors that he specifically mentions. Hopefully they were patched in versions 7, 8, 9, 10, 11.

John Honovich
Jun 26, 2016
IPVM

From Krebs, reporting that an American pizza chain, Cici's, was impacted by TeamViewer hacks:

All of these attacks have been traced to social engineering/Team Viewer breaches because stores from SEVERAL POS vendors let supposed techs in to conduct ‘support

Jon Dillabaugh
Jun 26, 2016
Pro Focus LLC

I hope this isn't too off topic, but Splashtop recently added two-factor authentication and this makes them a better candidate as an alternative to LMI/TeamViewer/etc.

Ashley Schofield
Jun 27, 2016

My TeamViewer got hacked a couple of months ago and $400 USD was sent out via PayPal.

I caught them in the act and disabled their session's keyboard and mouse activity whilst I took photos.
I emailed my logs to TeamViewer and they told me that it was my account that was logged, so I thought they just guessed my password.

So anyone running TeamViewer on their home PC, make sure that 2FA is set up for emails and/or any money-sending website (PayPal etc...) and don't save passwords for the important sites...
