TeamViewer users having bank and store accounts remotely controlled

Heads up, TeamViewer users. There's trouble in the air, and it's not quite clear where it's coming from. The software is making inroads into remote banking automation, though not in the form one would expect. Many users are reporting that their TeamViewer-enabled computers were broken into by unknown attackers, who proceeded to clean out PayPal accounts, order gift cards and items from online stores, and perform other equally helpful operations. The company has issued a statement indicating there was no security breach on its servers, and attributes the break-ins to poor password choices and a piece of Windows malware currently in the wild.

The TeamViewer software offers cross-platform remote control functionality. While the most common method for using it is on a single machine with a randomly-generated username and password, the service also allows users to have a site account to keep a collection of computers and optionally log into them directly. The company may have a point about weak passwords. The recently-reported LinkedIn and Tumblr breaches have potentially exposed over 100 million passwords, and it's a well-known fact that many users can't be bothered to pick a more imaginative password than "firstnameyearofbirth."

There's a fly in TeamViewer's ointment, though. Some users that reported break-ins had the service's two-factor authentication enabled, which should have prevented unauthorized access even if the attacker was holding the correct credentials. That would leave the Windows malware as the only avenue for exploitation. The company's servers were down for about three hours, too, although the relevance of that fact is open to interpretation.

TeamViewer says a DDoS attack was targeting its DNS servers, although predictably, many users aren't convinced. A few of them actually caught the miscreants in the act, too. TR gerbil "HorseIicious" told us his tale of woe, mercifully to the tune of "only" $175. The company is recommending that users contact law enforcement agencies about the break-ins.

Comments closed
    • jihadjoe
    • 3 years ago

    TeamViewer has [url=https://www.teamviewer.com/en/company/press/teamviewer-launches-trusted-devices-and-data-integrity/]a statement[/url] on this, which tl;dr is basically blaming the users and telling them not to re-use passwords, use secure passwords, and enable 2FA.

    • ronch
    • 3 years ago

    Blacklisted.

    • maxxcool
    • 3 years ago

    Another vector. Locking your desktop is not enough IF you have automatic logon set up for Windows. TV can issue an ACPI reboot command.

    • psuedonymous
    • 3 years ago

    A “worrying if true” story, but thus far I have not seen anybody show any evidence of exploitation of a machine with 2FA enabled.

      • BurntMyBacon
      • 3 years ago

      [quote="psuedonymous"]A "worrying if true" story, but thus far I have not seen anybody show any evidence of exploitation of a machine with 2FA enabled.[/quote] I haven't seen any evidence of exploitation at all. Doesn't mean it isn't happening. [quote="article"]There's a fly in TeamViewer's ointment, though. Some users that reported break-ins had the service's two-factor authentication enabled, which should have prevented unauthorized access even if the attacker was holding the correct credentials.[/quote] Seems the author has reports that 2FA enabled accounts are not immune. You should talk to the author directly first if you are uncertain as to the validity of his sources.

        • Den1
        • 3 years ago

        I wonder if it's their 2FA enabled accounts that are the vulnerability. If they were to be able to install a separate instance of TeamViewer through some other exploit unrelated to TeamViewer, then whether you have TeamViewer or not would be irrelevant (as well as the security of the TeamViewer account's security).

        Seems there are people who have very few things installed on OSes installed about a week before the breach. That and the hackers seem to be going the path of least resistance – any signs of someone realizing what’s going on at the other end and they just quit to move onto the next one – sounds like they’re quite confident that they’ll be in another session pretty quick, so I’d think there’s a legit security flaw in TV (including the most recent versions) and no amount of security settings will help.

      • morphine
      • 3 years ago

      Actually there are tales of 2FA-enabled machines being broken into, as reported in the article. It’s possible those break-ins in particular happened because of the Windows trojan.

    • GrimDanfango
    • 3 years ago

    Alarming to see Horselicious appears to have been hit in spite of being more meticulous with password security than I am. I’ve been feeling more content with my security efforts since switching everything over to KeePass and being fairly meticulous in only handling the database and master password strictly offline. I suppose I should still consider that I’m never immune from having a nasty little keylogger get in or such.
    That said, Horselicious’ example does smack a little of “Paypal will say any bullcrap they can to cover their own asses and avoid refunding anyone”, and well, I’ve experienced *that* before.

    One thing is clear – it gets damn hard real quick to work out where a breach has even originated when we log into so many different co-existing services these days.

    Edit: Ah, continued reading the full story, and it seems he confirmed it was indeed a Teamviewer breach and not PayPal lying. Doesn’t help that PayPal always muddy the waters by being so utterly uncooperative though.

      • morphine
      • 3 years ago

      You’re on point with HorseIicious being careful with his setup. I’m ashamed to admit he had his network set up tighter than mine.

      • Den1
      • 3 years ago

      In one of his more recent posts in the thread, he mentions he realized that the username/password wasn’t secure – it was a re-use from somewhere else. He thought he had an additional stronger password required, it turns out that password was for something else. Still, many people with issues do have good security measures in place.

    • Rageypoo
    • 3 years ago

    “The company recommends that users contact law enforcement”

    That means you’re never getting that money back.

    • albundy
    • 3 years ago

    no idea why this is doubleposting.

    • albundy
    • 3 years ago

    Hodor!

    • Oriflamme
    • 3 years ago

    So, is this for people that have it installed period or people that have it installed and are ACTIVELY running it?

    This distinction is very important.

    details man, I need details.

      • maxxcool
      • 3 years ago

      The client app needs to be running and set to accept mixed or RV sourced only connections. Aka it was in the systray awaiting connections.

    • CScottG
    • 3 years ago

    ..

      • UberGerbil
      • 3 years ago

      Yes, as was already noted (and linked) in the last paragraph of the article.

        • CScottG
        • 3 years ago

        My bad.

    • w76
    • 3 years ago

    Okay, so much for my go-to method of working remotely and remotely helping family. Anyone with suggestions?

      • Anovoca
      • 3 years ago

      run without installing.

      • jihadjoe
      • 3 years ago

      VPN and good ‘ol Remote Desktop?

        • w76
        • 3 years ago

        For the business use, we all moved to TV because our corporate network is set up in such a way as to make it a coin toss on any given day if you’ll be able to connect the VPN. TV has never once failed to work. But valid point.

        For helping family, doesn’t the VPN add some complexity?

          • jihadjoe
          • 3 years ago

          Doesn’t DD-WRT run on most routers these days? I’d implement VPN (and DDNS, if their IP isn’t static) at the router so they don’t have to fiddle with it.

        • nerdrage
        • 3 years ago

        Unfortunately, I’d imagine most family computers are running the Home version of Windows which unhelpfully does not support Remote Desktop Server (only the client).

          • Deanjo
          • 3 years ago

          It does have windows assistant. There is also an open source solution that enables full Remote Desktop on even home editions (RDP wrapper).

      • Waco
      • 3 years ago

      Chrome remote desktop is pretty awesome.

        • brucethemoose
        • 3 years ago

        When I tried it, it only worked within Chrome. I couldn’t click on anything outside the browser Window.

          • Waco
          • 3 years ago

          I’ve used it to fix issues remotely, but not in the past 6 months. Sometimes just seeing the screen is all you need, so I tend to walk people through things using it.

      • Ifalna
      • 3 years ago

      Don’t run TV unsupervised.

      I use TV all the time (meeting mode) in order to stream screen data.

    • Acidicheartburn
    • 3 years ago

    I always figured this kind of thing could happen with TeamViewer, but it’s still pretty unsettling to see it actually occur. Yet another example of why not to use auto-login features on websites and services tied to purchasing anything and to make sure payment information is NOT stored on such places. It’s tough with places like Amazon which insist on keeping your card on file.

      • maxxcool
      • 3 years ago

      ^ this.

      -Delete all CCs off all accounts. Only add them back for purchases, then delete after purchase (been doing this for years).

      -Don’t store passwords in the browser, or other apps for that matter.

      -Have different passwords. At least use a different password and 2FA for your email, and different ones for your favorite online store(s). If they can’t get at the mail box, password recovery scams are harder to run.

      -Set up your email recovery questions and recovery email address.. don’t be lazy.

      -Have a completely separate email box for purchasing, separate from your personal mail. You will get almost ALL your password breach attempts on your PERSONAL account from compromised friends. Don’t use the purchasing email box for any emailing at all.

      -For TeamViewer, enable 2FA, whitelist by account, and for God’s sake turn off easy access.

      -Change the ‘cached’ password you will find on each machine in TV by right clicking the machine, gear-icon > properties. Type a pile of gibberish in the password box. This will FORCE a typed login response every time you remote to a box.

      -Log OUT of your machine, and TURN OFF TeamViewer logon using Windows credentials.

      -Set TeamViewer to log off devices on exit.

      edit :: carriage returns

    • deputy dawg
    • 3 years ago

    This happened in our office. One of our employees had TeamViewer installed to access his personal computer at home. He also had the owner’s credentials for eBay and PayPal saved in his browser and we ended up seeing a mysterious $150 iTunes gift card purchase. It definitely could have been much, much worse, and we have implemented a “no more TeamViewer ever” policy in the office.

      • davidbowser
      • 3 years ago

      I used to work for a company that was a big TeamViewer user. Desktop support used it and would even have people install it on their home machines if they called in with a problem accessing a company web-app. That always rubbed me the wrong way because of how TeamViewer worked with a listener on someone's home computer.

      • chischis
      • 3 years ago

      I use TeamViewer with clients over the phone. Every time I instruct them to download and run the software I ask them to use the “run only” option. Single use, less possibility of problems such as those in this article. I’ve never felt comfortable with the idea of such software being installed permanently.

        • drfish
        • 3 years ago

        That’s what I do too.

      • jihadjoe
      • 3 years ago

      Something similar happened almost a decade ago now at an office I worked at. A co-worker installed TeamViewer to collaborate on some documents with a client. The next day he comes to work and finds his computer already nuked and everyone wondering how much info may have been leaked. He had a strong password, and none of the easy-mode features were turned on.

      No more TeamViewer since then.

    • DrDominodog51
    • 3 years ago

    Dupe

    • DrDominodog51
    • 3 years ago

    This is why to have bad memory that causes BSODs in your systems folks.

      • HorseIicious
      • 3 years ago

      Indeed.
