The systems protecting computers and networks improve every day, and it is getting harder for hackers to find a way to access data on someone else's computer. People remain the weakest link in cyber security. It is not without reason that 95% of attacks on computer systems and networks begin with phishing. One example of such an attack, observed over the last few months, is the mass mailing of infected Office documents, which hackers use to try to take control of Windows and macOS computers.
But this article describes another type of attack. Specialists at Digital Forensic Corp. have investigated several similar incidents, and the evidence collected was subsequently handed to the police to help detain the hackers.
The attack began quite unusually. Early on a Saturday morning the phone rang in our client's apartment, and a voice on the line said: “Hello. Team of TeamViewer is calling you …”.
Then came a touching story: the TeamViewer company had ceased operations and was partially refunding the money customers had spent on TeamViewer services.
The client was then asked for the details of the account to which the company could return the money. After a while, the voice on the line said: “Ooops. We have transferred you more than it is necessary. Let’s check.” Our client gave the intruder remote access to his computer through TeamViewer and opened his online banking page. Together they confirmed that more than $2000 had arrived in his account. The intruder then asked our client to return part of the money. Our client went to the bank to deposit money into the intruder's account, leaving the intruder alone with his computer. When our client returned, he found that there was no money left in his bank account.
What had happened?
What was the caller doing on the client’s computer while he was away?
What kind of information was stolen from the computer?
To answer these questions, our client sent his iMac to Digital Forensic Corp., where cyber security and incident response specialists examined it.
TeamViewer's log files, the web browser history and several other artifacts were analyzed. The description of events below is based on that analysis.
LIST OF ACTIVITIES DURING THE ATTACK
As soon as intruder #1 gained access to the client's computer, he immediately issued a command to disable logging. He then gave intruder #2 remote access to the computer.
TeamViewer was then configured so that the intruders could connect to this computer at any time. Although the attackers did not have access to the computer's camera, they could hear every sound in the room through the microphone.
Using the computer, the intruders gained access to the client's bank account and e-mail. They also looked through several files, probably searching for confidential information or passwords.
In addition, during the attack the intruders repeatedly tried to delete the log files and attempted to install a remote control application that would run in hidden mode. These attempts were unsuccessful.
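A sketch of the session-timeline step in this kind of analysis, added here as an example and not the authors' tooling: it parses an incoming-connections log, flags two different remote IDs connected at the same time (as with intruders #1 and #2), and lists sessions that were open while the owner was away. The tab-separated field layout and timestamp format are assumptions modelled on TeamViewer's incoming-connections log, and every row is constructed.

```python
from datetime import datetime

# Constructed sample rows (not from the case). Assumed tab-separated fields:
# remote ID, display name, start UTC, end UTC, local user, type, session id
SAMPLE_LOG = (
    "111111111\tSUPPORT-A\t03-06-2017 08:05:10\t03-06-2017 11:40:00\tclient\tRemoteControl\t{AAAA}\n"
    "222222222\tSUPPORT-B\t03-06-2017 08:20:30\t03-06-2017 11:38:12\tclient\tRemoteControl\t{BBBB}\n"
    "333333333\tFAMILY-PC\t01-05-2017 18:00:00\t01-05-2017 18:10:00\tclient\tRemoteControl\t{CCCC}\n"
)
TS = "%d-%m-%Y %H:%M:%S"  # assumed timestamp format


def parse_sessions(text):
    """Return sessions sorted by start time; malformed rows are skipped."""
    sessions = []
    for line in text.splitlines():
        row = line.split("\t")
        if len(row) < 4:
            continue
        try:
            start = datetime.strptime(row[2], TS)
            end = datetime.strptime(row[3], TS)
        except ValueError:
            continue
        sessions.append({"id": row[0], "name": row[1], "start": start, "end": end})
    return sorted(sessions, key=lambda s: s["start"])


def overlapping_pairs(sessions):
    """Pairs of different remote IDs connected at the same time (a hand-off)."""
    pairs = []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if b["start"] >= a["end"]:
                break  # sorted by start, so no later session overlaps a
            if a["id"] != b["id"]:
                pairs.append((a["id"], b["id"]))
    return pairs


def active_during(sessions, away_from, away_until):
    """Remote IDs with a session open at any point while the owner was away."""
    return sorted({s["id"] for s in sessions
                   if s["start"] < away_until and s["end"] > away_from})


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for s in found:
        print(s["start"], "->", s["end"], s["id"], s["name"])
    print("simultaneous:", overlapping_pairs(found))
```

Because the intruders in this case tried to disable and delete logging, gaps in such a log are themselves worth noting and cross-checking against browser history and other artifacts.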
Conclusion
In this article we looked at an attack in which a well-protected computer system could not prevent the theft of money from its owner. TeamViewer and its employees were not involved in this attack. The intruders could have used the names of other well-known companies or social networks instead of TeamViewer, and we know of such cases as well.
To prevent the theft of funds, and of information that intruders could later use for extortion, do not give strangers any remote access. Do not give them service codes, credit card numbers or ID numbers.
Authors:
Igor Mikhaylov & Oleg Skulkin