7 comments

[ 4.5 ms ] story [ 22.8 ms ] thread
I haven't seen any concrete evidence yet, but it's slightly terrifying.
The stories in the reddit thread do not support this conclusion and seem to largely originate from security illiterates hyping up a DDoS attack.

Lets take the first comment for example:

>Holy fucking shit. That's how I got hacked. 5/25/2016 and 5/28/2016, they logged into one of my computers at 3:24AM both days and used my PayPal, Microsoft account, eBay account, to buy tons of codes for different online stores. I just checked my browser history on that computer and sure enough, all those sites were visited. My bank took care of everything, so did PayPal and Microsoft. It was fucking teamviewer. I enabled TFA for the time being and turned off all computers connected to teamviewer.

This is ridiculous, if someone had in fact hacked teamviewer they wouldn't be wasting their precious time by stealing a couple of bucks from this guys paypal account. (Paypal accounts are essentially worthless, you can buy them by the thousand on various forums)

A far more credible theory is that some bot is either grabbing teamviewer credentials, and those are now being sold on fraud forums.

TeamViewer is used to manage literal fucktons of PoS infrastructure it being compromised would be a far bigger deal than the Target breach.

I agree, this is most likely a case of someone using the same email and password on multiple sites (like the 100 million account leak from LinkedIn)
Probably not, that type of compromise tends to be common in targeted attacks. Not as much in generic fraud like this, as just the credentials wouldn't have been enough to easily automatically identify this guy as a good target.

He probably had some bot on his computer that recorded him using paypal and what not, and because paypal has some seriously impressive fraud detection mechanisms the attacker opted to take over teamviewer (if teamviewer is at all involved here, could be VNC provided by the malware for all we know) on his computer.

Now, judging by the way these things generally work the guy running the bots and the guy running remote desktop on his computer are hardly ever the same person.

Streisand effect begins...

Edit: what I mean by this is that they're running absolutely shit PR on this and it's basically convincing everyone that they're at fault, despite somewhat limited evidence to that effect.

I don't think they're even running particularly bad PR, they've just confirmed a DDoS attack and clarified that there's been no breach despite some ridiculously bad "journalism".

People are misinterpreting them so badly you start to wonder if it's perhaps intentional?

A colleague noticed about 2 weeks ago that instead of 10 or so hosts in his list on the teamviewer website had suddenly grown to 600+ hosts - I witnessed this, and told him he should contact teamviewer. Shortly after this someone tried to take control of his brother's machine.

We use teamviewer host and haven't seen anyone trying to log in, but I'd rather not take the chance and have removed the software from all our machines. If we need to remote assist someone, they can run the software manually.

Having the ability to remote connect and repair problems is great, but when there is the remotest (pun intended) chance that it can be used nefariously then I'd rather limit the threat.