Articles
Now Reading
“Hello. Team of TeamViewer is calling you… “. An anthology of the attack.
0

“Hello. Team of TeamViewer is calling you… “. An anthology of the attack.

by Igor Mikhaylov2017-04-18

The systems of protecting computers and networks are becoming more perfect every day. It’s harder for hackers to find a way to access data on someone else’s computer. A man remains the weakest link in cyber security. Not without reason 95 attacks on computer systems and networks begin with phishing ones. An example of such an attack observed in the last few months is mass mailings of infected Office documents. Thus, hackers try to intercept control on Windows and MacOS computers.

 

 

But this article will tell you about another type of attack. The specialists of Digital Forensic Corp. investigated several similar incidents. Subsequently, the collected evidence was given to the police to detain hackers.

 

The attack began quite unusually. There was a call in our client’s apartment on early Saturday morning and a voice in the receiver said: “Hello. Team of TeamViewer is calling you … “.

 

 

Team Viewer is commonly used as remote access software often utilized for Internet-based remote control, file transfer and technical support. TeamViewer software can connect to any PC or server for remote control of the machine as if the user is sitting directly in front of the workstation.

 

 

Then a touching story was told that TeamViewer company had stopped its work and partially returned the money spent on the purchase of TeamViewer services.

 

 

After that the client was asked for the details of the account to which the company could return the money. After a while, a voice in the receiver said: “Ooops. We have transferred you more than it is necessary. Let’s check.” Our client gave the intruder the remote access to his computer on TeamViewer and opened the online banking page. And they made sure together that he had received more than   $ 2000 to his account. After that, the intruder offered our client to return some of the money. Our client went to the bank to put money on the intruder’s account. The intruder was left alone with the client’s computer. When our client returned, he found out that there was no more money on his bank account.

 

What had happened?

What was the caller doing on the client’s computer  while he was away?

What kind of information was stolen from the computer?

 

 

To answer this question our client sent his iMac to Digital Forensic Corp. where it was studied by specialists of cyber security and incident response.

 

 

TeamViewer’s log files were analyzed, the History of the Web Browser and some other artifacts were studied. The description of what had happened was made based on the analysis.

 

 

LIST OF ACTIVITIES DURING THE ATACK

Action Time
Web History: teamviewer – Google Search 09:21
Web History:  TeamViewer Remote Support, Remote Access, Service Desk, Online Collaboration and Meetings 09:21
Attempt to initiate TeamViewer session with ID of the intruder #1 09:30
Attempt to initiate TeamViewer session with of the intruder #1 09:31
Web History: The World’s Fastest Remote Desktop Application – AnyDesk 09:44
Web History: Download – AnyDesk 09:44
Attempt to initiate TeamViewer session with of the intruder #1 09:52
THE ATTACK STARTED
Cache is reset and disabled. 09:59
The intruder #2  is added to TeamViewer session with device name “INTRUDER’S_PC” 09:59
1 file is transferred. 09:59
TeamViewer Settings were changed to allow REMOTE CONTROL ACCESS, FILE TRANSFER and SWITCH SIDES (allows to change the direction of control). 09:59
Screenshot of the desktop is made. 09:59
Web History: Western Union | Send money to 200 countries and territories in 130 currencies | Trusted for 145 Years 10:00
Web History: Sign in – Google Accounts 10:10
Web History: Sign in – Google Accounts 10:13
Web History: My Account 10:15
Web History: Gmail 10:16
Web History: Western Union: verify your email – xxxxxxxxx@gmail.com – Gmail 10:17
Web History: Pending Verification | Western Union 10:27
Web History: Logged Out | Western Union 10:43
Web History: The Bank’s site 10:46
Web History: The Bank’s site 10:46
Web History: The Bank’s site 10:48
Web History: chrome download – Google Search 10:49
Web History: Chrome for Desktop 10:50
Continuous attempts were made to change TeamViewer visibility settings:  However, due to special security settings of the Apple manufactured devices all attempts were unsuccessful. 12:16
Web History: Inbox (4) – xxxxxxxxx @gmail.com – Gmail 13:43
Web History: The Bank’s site – Google Search 14:11
Web History: Online Banking – Online Savings & Checking Accounts – The Bank 14:11
Web History: The Bank Sign On to View Your Accounts 14:13
Web History: The Bank  Sign On to View Your Accounts 14:13
Access to file #1 15:10
Access to file #2 15:10
Access to file #3 15:35
TeamViewer session ended. 18:10
THE ATTACK FINISHED

 

 

As soon as the intruder #1 gained access to the client’s computer, he gave a command to disable logging immediately. Then he gave the intruder # 2 remote access to this computer.

 

 

Then TeamViewer was set up to ensure that the intruders had the opportunity to connect to this computer at any time. Although the attackers did not have access to the computer’s camera, they heard all the sounds in the room through the microphone.

 

 

The intruders got access to the client’s bank account and e-mail using a computer. They also looked through several files. Probably the intruders searched for confidential information or passwords.

 

 

In addition, in the attack process, the intruders repeatedly tried to delete the log files, and attempts were made to install a remote control application that would work in the hidden mode. However, these attempts were unsuccessful.

 

 

Conclusion

In this article we considered an example of an attack when a well-protected computer system could not prevent the theft of money from its owner. TeamViewer and its employees are not involved in this attack. The intruders could use the names of other well-known companies and social networks instead of TeamViewer. And such cases are also known to us.

 

 

To prevent theft of funds and some information that can be later used by intruders for extortion don’t allow strangers any remote access. Don’t give them service codes, credit card numbers, ID numbers.

 

Authors:

Igor Mikhaylov & Oleg Skulkin

Leave a Response


Please enter the result of the calculation above.