Over the past week there have been reports of attackers taking control of computers via TeamViewer and then using the victim's PayPal account to steal money or make online purchases. To make matters worse, some of these victims claim that these attacks occurred even when they were using 2-Factor authentication, which should prevent these types of attacks.
During this same period, TeamViewer had a major service outage that left people unable to use their service. Taken together, many people think that TeamViewer has been hacked and have gone as far as creating a list of incidents where people claim to have been hacked using this software.
TeamViewer's Response
Though TeamViewer is adamant that they have not been compromised in any way, they do apologize for how they handled the concerns of their users. When people started reporting that their computers were hacked using TeamViewer, TeamViewer issued a press release stating that "Careless use of account credentials remains to be a key problem for all internet services." The careless use of the word "careless" caused quite an uproar among affected TeamViewer victims, who felt that TeamViewer was trying to push the blame onto them.
When I spoke to TeamViewer's public relations manager, Axel Schmidt, over the weekend, he strongly apologized for TeamViewer using the word "careless" in the press release. Though they feel that the recent hacks through TeamViewer are caused by stolen password credentials and the Backdoor.Teamviewer malware, Axel feels that their initial response could have been worded better.
One thing that Axel emphasized, though, is that anyone who has been hacked should send their logs to TeamViewer for analysis. According to Axel, TeamViewer wants to work with their users to try to determine how these attacks are occurring, but not enough victims are submitting logs. Without these logs, it is very difficult for TeamViewer to determine how the attacks are happening.
Update 6/7/16:
Axel notified me that as of this morning there were still no logs submitted that showed a compromise for victims using 2-Factor Authentication. Without these logs, there is no way for TeamViewer to confirm whether or not hackers bypassed 2-Factor Authentication in any way. So if you are using 2FA and have been hacked using TeamViewer, please submit your logs to them.
So how are computers being hacked using TeamViewer?
When examining the reports from hacked victims, out of the 129 reported cases 72% of them stated that they were listed in some sort of leaked account dump, but only 35% stated that they reused passwords. For those 35%, it does make sense that attackers are simply downloading these dumps, cracking the passwords, and then trying them on TeamViewer.
Yet, on the other hand, we have many victims who stated they are using unique passwords or 2-Factor Authentication, which would rule out password reuse as a factor in their situation. This makes the whole controversy a big mess, with TeamViewer on one side saying that they were not hacked and victims on the other calling them liars.
One common theme, though, is that many people report the attackers as originating from a Chinese IP address. The attack scenario people are reporting is that an attacker takes control of the computer via TeamViewer, visits http://ip.cn, and then tries to visit sites like PayPal, eBay, etc. in the hope that the account login information is saved in the browser and that they can log in. Once the attacker is able to log in, they use the funds to purchase gift cards or make PayPal transfers.
Reports of Chinese TeamViewer hackers are not new, though, so it does not appear that this recent outage is in any way related to them. Furthermore, TeamViewer feels that these Chinese attacks are caused by the Backdoor.Teamviewer malware, but as we show in the next section, the actors behind this backdoor appear to be from Russia.
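Since the only evidence TeamViewer can act on is the victim's own connection history, a defender's first step is to triage that history for sessions that do not match the owner's use. The script below is an added example for this article, not TeamViewer's or the author's code: it assumes a tab-separated incoming-connection log with the columns partner ID, partner name, start time, end time, local user, connection type and connection GUID, and every line in it is constructed sample data, not a real victim's log.

```python
"""Triage a TeamViewer-style incoming-connection log for sessions worth
investigating: a partner ID the owner does not recognise, or a session
started while the owner would normally be asleep (the overnight pattern
reported by victims). Column layout is an assumption; data is constructed."""
from datetime import datetime

# Constructed sample lines in the assumed tab-separated layout.
SAMPLE_LOG = """\
555123456\tMy Laptop\t05-30-2016 19:02:11\t05-30-2016 19:40:03\tlawrence\tRemoteControl\t{AAAA-0001}
900777111\tsupport\t06-01-2016 03:14:27\t06-01-2016 03:22:50\tlawrence\tRemoteControl\t{AAAA-0002}
555123456\tMy Laptop\t06-02-2016 12:10:00\t06-02-2016 12:15:00\tlawrence\tFileTransfer\t{AAAA-0003}
900777111\tsupport\t06-02-2016 04:01:05\t06-02-2016 04:03:59\tlawrence\tRemoteControl\t{AAAA-0004}
"""

KNOWN_PARTNERS = {"555123456"}  # partner IDs the owner recognises (assumption)
QUIET_HOURS = range(0, 6)       # local hours when nobody should be connecting
TIME_FMT = "%m-%d-%Y %H:%M:%S"  # assumed timestamp format


def parse_log(text):
    """Turn raw log text into a list of session dicts with parsed timestamps."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tv_id, name, start, end, user, kind, conn_id = line.split("\t")
        sessions.append({
            "id": tv_id, "name": name, "user": user, "type": kind, "conn": conn_id,
            "start": datetime.strptime(start, TIME_FMT),
            "end": datetime.strptime(end, TIME_FMT),
        })
    return sessions


def flag_sessions(sessions, known=KNOWN_PARTNERS):
    """Return (connection GUID, partner ID, start, reasons) for suspect sessions."""
    findings = []
    for s in sessions:
        reasons = []
        if s["id"] not in known:
            reasons.append("unknown partner ID")
        if s["start"].hour in QUIET_HOURS:
            reasons.append("started during quiet hours")
        if reasons:
            findings.append((s["conn"], s["id"], s["start"], reasons))
    return findings


if __name__ == "__main__":
    for conn, tv_id, start, reasons in flag_sessions(parse_log(SAMPLE_LOG)):
        print(f"{conn} from {tv_id} at {start:%Y-%m-%d %H:%M}: {', '.join(reasons)}")
```

Flagged sessions, together with the unmodified log, are what a victim should hand to TeamViewer rather than a summary, since the partner ID and connection GUID are what their side can correlate.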
Does the Backdoor.TeamViewer malware really explain these connections from China?
TeamViewer felt that the reports of Chinese attackers could have been caused by the Backdoor.TeamViewer malware. When analyzing it, I found that Russian actors are most likely behind this malware.
The BackDoor.Teamviewer Trojan masquerades as an Adobe Flash Player installer, but instead installs a copy of TeamViewer on the infected computer. The Trojan then contacts a server with the information the attackers need to connect to and take over the infected computer through TeamViewer.
The IP address of the server the malware connects to is located in the USA, but its hostname, multigoupdate.pw, is a Russian domain registration. Is it possible that Chinese-based actors are still behind this? Yes, it's possible, but I personally feel that these Chinese TeamViewer hacks come from account credentials leaked from hacked sites that are reused on TeamViewer.com.
So unfortunately, at this time there is still no answer as to how so many TeamViewer users are being hacked. Is it a compromised user database, a flaw in the program, or something else? Only time will tell.
Comments
Jman005 - 8 years ago
Interesting; is it possible some of the people that were hacked were actually victims of tech support scammers, and they had TeamViewer information that they could use if the victim shuts down TeamViewer and finds out their service is a scam?
Lawrence Abrams - 8 years ago
Anything is possible. There are also plenty of tech support scam programs that download and install crapware that bundle teamviewer.
TheTripleDeuce - 8 years ago
Most of the tech support scammers seem to use Citrix or GoToAssist from what I've seen; maybe 15% have TeamViewer installed.
DeimosChaos - 8 years ago
With all the major data dumps that have been going on the past couple of weeks or so (we are looking at you, LinkedIn), it's not far-fetched to assume people are trying passwords/usernames on things like TeamViewer. Though I remember seeing this type of TeamViewer hack a few months ago. So I feel like this has been going on for a bit. Hopefully TeamViewer figures out exactly how they are gaining access to accounts and figures out a way to block it.
Ron_ - 8 years ago
'Blame it on marketing'
ScathEnfys - 8 years ago
What do you mean by that?
Lawrence Abrams - 8 years ago
I find the claims of 2FA being bypassed interesting as TeamViewer has stated that as of this morning they still have had no logs submitted to show this.
ScathEnfys - 8 years ago
It all boils down to someone lying. Either butthurt users or a company scared of losing face.
ScathEnfys - 8 years ago
I don't get why people let teamviewer listen in the background anyway. Remote-access software should never be running unless assistance is being given at that very moment.
DeimosChaos - 8 years ago
There are some good reasons to let it run in the background. I let mine run on my Linux server because I don't have a monitor hooked to it. Makes it easier to access. I haven't seen any weird activity on it either. People that are getting theirs hacked are probably using weak passwords no doubt.
ScathEnfys - 8 years ago
There are better options for remote admin though.
DeimosChaos - 8 years ago
Not gonna argue there. I think ease of use is why people use it. Not gonna lie, it's why I did it. Remote X session login hates Ubuntu for some reason... so it's why I used it.
ScathEnfys - 8 years ago
I personally prefer good ole SSH. No GUI = less latency.
DeimosChaos - 8 years ago
There are some things you need a GUI for (though you can do SSH -X to pass X through it)... and Linux isn't used a ton in the Business world for end users. So for a lot of things SSH just isn't an option, unfortunately.
DodoIso - 8 years ago
I agree that a GUI is useful too. TeamViewer is very popular in the Windows world, so it can't be ignored. For peer-to-peer under Unix, I like SSH and VNC over SSH. There's a little interactive lag, but it kind of reminds me of the good old 300 baud modem days.
xrobwx - 8 years ago
Apologizing for telling the truth. Sad. "but not enough victims are submitting logs." Makes one go hmmmm. Pics or it didn't happen scenario?
DodoIso - 8 years ago
Something I don't understand about the log request from TeamViewer: why do they need them exactly? You have to go through TeamViewer's servers to connect to another computer. They have everything they need on their servers, IMO.
ScathEnfys - 8 years ago
Servers only have so many resources. What with TV's popularity, I can see plenty of reasons for not logging everything server-side.