
This week has seen serious hacking allegations swirling around the extremely popular remote access tool TeamViewer. The reports, which began at the end of May, have largely pointed the finger at an ongoing man-in-the-middle attack which has exposed TeamViewer users' personal accounts.

Amongst the numerous reports of bank accounts and PayPal accounts being emptied or used to make unauthorized purchases, TeamViewer are holding firm, maintaining that any fraudulent or malicious activity is likely the fault of the user. Amid the chaos, TeamViewer have found time to release new features designed to enhance user data protection, and I’m sure the irony is not lost on those counting their absent pennies.

What exactly is going on at TeamViewer? Is it merely coincidence that so many accounts have seemingly been hit concurrently? Have users had their account details compromised in another breach and now find those credentials used against them? Or is something else afoot?

“Protecting your personal data is at the very core of everything we do” — but are they protecting themselves first? Let’s examine what we know.

What Is Going On?

TeamViewer find themselves in the midst of a very angry user base. The barrage relates to a supposed security vulnerability present somewhere in the TeamViewer software which is allowing as-yet unnamed and unknown malefactors to access personal user accounts via a remote session.

The vast majority of users claim their accounts have been hacked. Once access is gained, the hackers move through a list of targets attempting to spend or transfer money. Some commonly accessed accounts include:

  • PayPal
  • eBay
  • Amazon
  • Yahoo!
  • Walmart

Some users have reported losing thousands of dollars, while others have seen numerous eGift cards sent to various locations around the world. Purchases made online usually carried gibberish shipping names and were sent to a variety of locations around the globe, and a significant number of users reported attempted logons from Chinese or Taiwanese IP addresses.

Fuel was added to the fire when TeamViewer experienced a service outage. It was caused by a denial-of-service (DoS) attack aimed at disrupting the company's DNS (Domain Name System) servers, but TeamViewer maintain there is "no evidence" linking the attack to the compromised user accounts.

User Account Security

A large number of accounts have been affected, though there is certainly no solid number to report. However, it appears that a majority of affected TeamViewer users were not using two-factor authentication. That said, the alleged attackers appear to have used the correct password to enter the account and instigate a remote session. While the login would have triggered the 2FA process, the remote session logon would not.

Some users were actively using their system, noticed the attempted remote session logon and were able to cancel the request. Others came back to find a completed remote session, while others still only realized when their email accounts were suddenly full of purchase receipts from eBay, Amazon, and PayPal.

Nick Bradley, a practice leader inside IBM’s Threat Research Group detailed his discovery:

“In the middle of my gaming session, I lose control of my mouse and the TeamViewer window pops up in the bottom right corner of my screen. As soon as I realize what is happening, I kill the application. Then it dawns on me: I have other machines running TeamViewer!

I run downstairs where another computer is still up and running. Lo and behold, the TeamViewer window shows up. Before I am able to kill it, the attacker opens a browser window and attempts to go to a new web page. As soon as I reach the machine, I revoke control and close the app. I immediately go to the TeamViewer website and change my password while also enabling two-factor authentication.

Lucky for me, those were the only two machines that were still powered on with TeamViewer installed. Also lucky for me is the fact that I was there when it occurred. Had I not been there to thwart the attack, who knows what would have been accomplished. Instead of discussing how I almost got hacked, I’d be talking about the serious implications of my personal data leak.”

The Response

The TeamViewer response has been resolute and constant:

“There is no security breach at TeamViewer”

This is the company line, echoed through multiple PR statements released throughout the past few days:

“TeamViewer experienced a service outage on Wednesday, June 1, 2016. The outage was caused by a denial-of-service attack (DoS) aimed at the TeamViewer DNS-Server infrastructure. TeamViewer immediately responded to fix the issue to bring all services back up.

Some online media outlets falsely linked the incident with past claims by users that their accounts have been hacked and theories about would-be security breaches at TeamViewer. We have no evidence that these issues are related.

The truth of the matter is:

  1. TeamViewer experienced network issues because of the DoS-attack to DNS servers and fixed them.
  2. There is no security breach at TeamViewer.
  3. Regardless of the incident, TeamViewer continuously works to ensure the highest possible level of data and user protection.”

Furthermore, TeamViewer have turned the tables on their users, stating that as there was no company breach, it is entirely likely the user details were stolen during one of the other recent large data breaches and used to log in to the TeamViewer accounts.

Trusted Devices and Data Integrity

In the midst of the swirling rumors, TeamViewer announced the launch of their Trusted Devices and Data Integrity programs, “two new security features to further enhance data protection.” I have tried reaching out to TeamViewer to ascertain if these features were pre-planned, or as a direct response to the alleged hack, but as yet have received no response.

Trusted Devices will ensure any attempts to sign onto any given device for the first time will be met with an authorization challenge before access is granted, while Data Integrity will enforce an immediate password reset if an account displays suspicious activity.

Which Brings Us To…

All this has led to a very strange standoff between TeamViewer users and the company itself.

TeamViewer are all-too aware that something is very amiss:

“Protecting your personal data is at the very core of everything we do.

We highly appreciate the trust you place in us and respect the responsibility we have to ensure your privacy. This is why we always feel a strong need to take all necessary steps to safeguard your data.

As you have probably heard, there have been unprecedented large scale data thefts on popular social media platforms and other web service providers. Unfortunately, credentials stolen in these external breaches have been used to access TeamViewer accounts, as well as other services.

We are appalled by the behaviour of cyber criminals, and are disgusted by their actions towards TeamViewer users. They have taken advantage of common use of the same account information across multiple services to cause damage.”

It is possible the swathe of compromised accounts and fraudulent activity could have all taken place on the back of the recent MySpace data breach. When combined with other large breaches, such as the accounts added to the LinkedIn breach and the "old" Adobe breach several years ago, there are certainly a significant number of user credentials up for grabs to the highest bidder.

But that explanation doesn't quite cut the mustard. While a huge number of users were not following best data protection practices by using 2FA and strong, random, single-use passwords, there were also a huge number who were, and their accounts were also compromised. Similarly, a number of users had indeed been potentially compromised through previous data breaches, and found an active remote session, but there were also a high number of users whose details were private.

Checking Your Account

If you'd like to immediately check if your account has been accessed, or access has been attempted by anyone other than yourself, head to the TeamViewer Management Console website. Once you've logged into your account, head to the top-right corner and click on your username, followed by Edit Profile. Then select Active Logins. This will list every device and location that has accessed your account within the last year.

You can also check your TeamViewer logs for any unscheduled activity. The logs can be found here:

  • C:\Program Files\TeamViewer\TeamViewerXX_Logfile.txt
  • C:\Program Files\TeamViewer\TeamViewerXX_Logfile_OLD.txt

Head to your log and give it a read through. Check for any irregular IP addresses. Search the log for “webbrowserpassview.exe” and if you get a positive hit, immediately change all of your passwords.

No, I’m not joking. This application essentially reveals and exports all of your currently saved browser passwords into an easily readable plaintext file. It also sidesteps master passwords set in Chrome and Firefox. This isn’t a super hacking tool. It is openly available, but can be extremely dangerous in the wrong hands.
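The log review above can be scripted rather than eyeballed. The following is an added example, not code from the original article or from TeamViewer: it scans log text for connections from IP addresses outside an allowlist of trusted networks and for the credential-dumping tool name mentioned above. The log line layout, the sample lines and the trusted networks are constructed for illustration and are not TeamViewer's real log format.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample log lines (assumed layout, not TeamViewer's actual format).
# 203.0.113.0/24 is a documentation range, used here as a stand-in "foreign" address.
SAMPLE_LOG = """\
2016/06/01 22:14:03.117  1234 P1   Connection incoming from 203.0.113.45 (ID 123456789)
2016/06/01 22:14:05.902  1234 P1   Session started
2016/06/01 22:15:40.010  1234 P1   FileTransfer: received webbrowserpassview.exe
2016/06/02 08:30:11.221  1234 P1   Connection incoming from 192.168.1.20 (ID 987654321)
2016/06/02 08:31:00.000  1234 P1   Session ended
"""

# Networks from which you expect remote sessions (assumed; adjust to your own).
TRUSTED_NETWORKS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Tool names whose appearance in the log should trigger a full password change.
SUSPICIOUS_TOOLS = ("webbrowserpassview.exe",)

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the allowlisted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # not a valid address; treat as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def scan_log(text: str) -> List[Dict[str, Optional[object]]]:
    """Return one finding per untrusted IP or suspicious tool name, with line and timestamp."""
    findings: List[Dict[str, Optional[object]]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        ts_match = TS_RE.match(line)
        ts = ts_match.group(1) if ts_match else None
        for ip in IP_RE.findall(line):
            if not is_trusted(ip):
                findings.append({"line": lineno, "time": ts, "kind": "untrusted_ip", "value": ip})
        lowered = line.lower()
        for tool in SUSPICIOUS_TOOLS:
            if tool in lowered:
                findings.append({"line": lineno, "time": ts, "kind": "credential_tool", "value": tool})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} at {f['time']}: {f['kind']} -> {f['value']}")
```

Point `scan_log` at the contents of the log files listed above; any `credential_tool` finding is the signal the article describes, and `untrusted_ip` findings list the sessions worth cross-checking against the Management Console's Active Logins.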

You should also head over to haveibeenpwned.com to check if any of your accounts have been compromised without your knowledge.

Time to Take TeamViewer Security Seriously

If you have a TeamViewer account, immediately change the password and enable two-factor authentication. If you’re unhappy, simply uninstall TeamViewer until this debacle comes to an end.

Check your eBay, Amazon, PayPal, and Apple Store purchases, and take a good look at your outgoing bank transactions for the past week. If anything is afoot, directly contact the vendor, explain what has happened, and mention TeamViewer. It should help your affairs return to normality. Oh, absolutely read this detailed list of TeamViewer Best Practices by Redditor and TeamViewer user chubbysumo.

This is a difficult situation to gauge. One could understand the viewpoint of TeamViewer. According to them, their servers remain intact. They can still offer their remote access services as normal. A majority of users can still access their accounts, and use the service as is.

But it doesn’t explain away the huge number of seemingly compromised accounts. Neither does it explain how users with strong, uncompromised single-use passwords have had their accounts hacked in the same manner as those with already-pilfered credentials. It also doesn’t explain why some users are still seeing a huge amount of incoming attempts from Chinese and Taiwanese IP addresses.

The entire situation could have been handled significantly better by TeamViewer, too. To immediately rebuke those with obvious issues relating directly to their remote desktop service is slightly unfair, given the weight in numbers making an extremely similar complaint. But once the ball was rolling, and the canned responses began, TeamViewer limited the scope of their future responses, while undermining their own reputation, devaluing their users’ unfortunate experiences.

I am not entirely convinced it can be the fault of users with lackadaisical security skills. However, I'd like to see some more specific evidence pointing to an actual hack, a specific exploit, or some form of malware that has "allowed" this to happen before more potentially unfair stigma is heaped upon TeamViewer.

Update: DLL-Sharing Malware Identified

TeamViewer reached out to me directly on Saturday night (June 4th 2016), making an “unreserved apology” for the ongoing issues, as well as for apportioning “blame” upon their users. They understand how some of the language used in their PR statements could have easily upset the user base.

However, they categorically maintain that there is no underlying vulnerability in their service, as well as emphasizing their ongoing use of the Secure Remote Password protocol. Furthermore, TeamViewer confirmed that their new “security features were indeed brought forwards” to provide their users with extra assistance during a time when their platform is certainly being “abused.”

In the time since this article went live on Saturday afternoon, I’ve also been alerted to a piece of malware using TeamViewer as an attack vector. The BackDoor.TeamViewer49 malware is installed via a malicious Adobe Flash update on already breached computers and could provide a potential backdoor for malefactors. To clarify: this is not a breach of TeamViewer, but a Trojan using a shared TeamViewer DLL as a hook to establish itself on a system.

Have you been affected by the issues at TeamViewer? Did you lose anything? Have you contacted TeamViewer? Let us know your experiences below!

Image Credit: mugger reaching for you by agoxa via Shutterstock

  1. Brenda
    September 28, 2016 at 7:46 am

    Why not offer the true story-- Teamviewer wasn't hacked or compromised. The people who are claiming to have been hacked were using Teamviewer for what 99% of Teamviewer users use it for-- online findom. They let a camgirl or other type of domme use Teamviewer, while they watched and fapped, and willingly let her clean them out. Now that the credit card bill has arrived, and especially if their wives have seen the statements, they're crying fraud and attempting chargebacks. I'd bet my life that there is no issue at Teamviewer. This is just a case of porn buyer's remorse.

  2. Buch
    June 6, 2016 at 1:41 pm

    It's interesting that the team viewer client uses DNS to initiate communication with the team viewer servers. If one wanted to do a man-in-the-middle attack, they would simply have to set up their own rogue DNS server, do a DOS attack on the legitimate team viewer server, and all the clients reach out to the attacker instead of the real company. No need for password hacks and it bypasses 2 factor authentication methods. We discovered this when we blocked DNS requests to the team viewer site and as a result none of the clients could work either.

    • Gavin Phillips
      June 9, 2016 at 7:21 pm

      That is partially what was alluded to by some affected users after TV experienced a DoS in the week running up to the account hacks. Seems to have been jolly bad timing, but I can absolutely understand how it looks.

  3. Mark Routledge
    June 5, 2016 at 8:52 pm

    Dear All,

    Long time reader and WOW. Just blown my mind. Back in January I had 4x£100 iTunes vouchers bought from my paypal account. I wondered how they had access to all my accounts, with different passwords (which I keep close to my chest!) But it was like they have complete access to my system. I was running both Avast and ClamWin on my server, but also have been a long time user of TeamViewer. Neither virus killer picked up anything particularly odd. I spoke to Paypal who really didn't care as they implied the purchases came from me (my network and IP address). To be fair to Apple they were far more helpful, they were able to tell me the vouchers were bought and cashed within minutes. However they were unable to deal with the problem as the fraudulent part was buying them, but not spending them. Back to Paypal. No help. I eventually took it up with my credit card company who dealt with the whole matter and I got a refund. It was enough for me to be scared, more careful and have now moved from Windows to Linux (Just the push I needed!)

    I cannot confirm this breach was due to TeamViewer, but after reading this it does lead me to wonder! I won't be using teamviewer again in a hurry.

    • me
      June 7, 2016 at 2:55 pm

      ClamAV and Avast provide very little protection, and on every test I see they offer the lowest detection/protection numbers on the tests.

    • Gavin Phillips
      June 9, 2016 at 7:23 pm

      Hi Mark - that really sucks, but I'm glad the CC company were able to provide a refund even if PayPal refused. It can be excruciating extracting your own money from PayPal at times!

      Just FYI, this issue also affected Linux users, but I'm sure you've already uninstalled.

      Thanks for reading!

      • Mark Routledge
        June 9, 2016 at 9:43 pm

        Until I read your article I was blissfully unaware it was TeamViewer that *may* have been to blame. At one point I was looking on how to install this on a Raspberry Pi. Glad I didn't bother. But a good point well made.

  4. Bruce Epper
    June 4, 2016 at 11:05 pm

    Instead of using the raw log files, it is simpler to just check the connections log. It can be found at C:\Program Files\TeamViewer\connections_incoming.txt on 32-bit Windows and C:\Program Files (x86)\TeamViewer\connections_incoming.txt for 64-bit systems.

    The date/time columns are the connect and disconnect times for the session in UTC. You should also verify that the date/time stamp of this log file closely matches the last session disconnect time (corrected for time zone).

    There is also a file at %APPDATA%\TeamViewer\Connections.txt with the session information for connections FROM your machine to another.

    For Linux machines, these log files should be located in the /var/log/TeamViewer11/ directory. The digits at the end will need to be changed to whatever version of TeamViewer you have installed.

    • Gavin Phillips
      June 9, 2016 at 7:24 pm

      Thank you, Bruce, sage advice as usual!

  5. Sean Smith
    June 4, 2016 at 12:47 pm

    I read in another article that the new security features were pre planned and rolled out early.

    I read on reddit that some people may have installed a compromised TV exe.

    It occurs to me that there may be multiple distinct avenues being used which would confound attempts to find the root causes.

    The jury is out until the dust settles but TV should have forced a password reset for everyone already and they haven't.

    • likefun butnot
      June 4, 2016 at 2:02 pm

      @Sean Smith

      My read on that is if there were a breach that Teamviewer could trace to its portion of the network, the global password change would be the very first thing it did, even if the number of compromised accounts was fairly tiny.

      This also doesn't strike me as a terribly efficient way to attack anyone. Why connect to one individual's desktop and actually manipulate their user interface when someone with the level of sophistication to hack Teamviewer at all would be much better off writing scripts that work invisibly and undetectably, unless it was a highly directed attack in the first place?

      I don't use Teamviewer myself, but some random IBM employee whining on reddit that his mouse was moving on its own isn't terribly credible. At least make your public communications on the matter through a credible professional organization of some sort (like, say, IBM) if you genuinely think there's a problem. For all we know this could just as easily be his co-workers fooling around on an unlocked machine that shares his Teamviewer credential or an effort to tank the Teamviewer product in favor of some other Remote Control VPN service.

      • Gavin Phillips
        June 9, 2016 at 7:18 pm

        I think you're right to be skeptical, but the sheer volume of people reporting issues within the same time-frame makes me think something is up, even if that thing is user credentials being reused.

        However, I don't believe that the IBM guy should have used a "credible organization" to release his information, so long as the information disseminated could be backed up with evidence, such as his logs etc. I spoke to an affected user on Reddit with the same story, and even saw a video of the mouse supposedly moving - but without a log to corroborate the timings etc, it means very little.

    • Gavin Phillips
      June 9, 2016 at 7:14 pm

      You're right about the password reset. I would have thought in the face of so many claims of compromised accounts it would be the first point of action.

      Some other services in the same sector were hit, but nowhere near as much as TV. Idk if that is just down to market share, or the user-base, or as you suggested, multiple distinct avenues in use.
