Saw My Computer Being Hacked Right Now!

Hi guys, major panic.

Fastest & most effective way to stem damage?

Walked up to my PC being hacked online. I took over the mouse while they were trying to buy G2A gift cards with PayPal (on my phone and PC it auto-approves), it appears. I couldn't think fast enough on WTF was happening, just shut the PC down. Now on phone.

What now? I'm a scatter brain where to start changing, locking, resetting. PayPal, CommBank, Bitwarden…reset or lock the lot? Nothing looks spent.

I thought I was very good with security. 30+ years never hacked.

But of course, it HAS to be a dodgy program I just grabbed from Usenet a couple of hours ago. Didn't work, tried again. Tried again, gave up. ONE idiot mistake is all it takes. Should've run it in a sandbox, if I needed it that much.

Everything is 2FA (phone, email, authy), fingerprint on phone and I use Bitwarden with a very complex master.

Comments

  • +2

    All these years, I never planned for WHEN someone/something will eventually breach.

  • +24

    Isolate your computer from the internet, restart it and run a virus scanner

    • Thanks.
      I'm wondering about safe mode without networking (is that still a thing) or boot it, and immediately turn wifi off.
      At the moment, I'm trying to reset as many passwords as I can to banking etc.
      They had an email tab open, searching for the word crypto, and found coinjar.

      I know PayPal has limited function on mobile, which isn't helping me right now

      • +20

        If you unplug your modem, your PC can't connect to Wifi on boot.

        • This

        • +7

          Thanks. Classic simple advice, but my brain is dumb right now. Panic

          I've disconnected NBN (FTTP).

      • Some motherboards' BIOS lets you switch off WiFi before Windows can do anything.
        Either that, or switch off the WiFi router, then switch off WiFi in Windows and/or disable it in Device Manager.
        Safe mode without networking is also still a thing, but it is awkward to get into without first booting into Windows.

  • +12

    Pull ethernet cable or turn router off.

    Start cancelling cards and changing all passwords.

    Turn PC on (without internet) and copy important files then wipe and reinstall windows (if using windows)
    Virus scan those files as well.

    • Back in the day, we'd remove the main drive & virus scan with a clean PC. Is that still a thing, I wonder. And that's only the main drive. This machine has 2 internal SSDs, and 12 externals.

      • +2

        I'm sure you can, but personally I'm a big fan of not risking it; wipe and reinstall fixes it.

  • +2

    Was your password manager locked at the time they were using it? Doesn't matter how good the password is on your vault if it wasn't locked, they can just open it and copy any passwords

    If you use gmail, make sure you log out of all gmail instances and reset the password on that. Whatever your phone account is (apple/google) reset that. Reset any Microsoft programs.

    And for the future, for God's sake don't download applications off Usenet if you're not 100% sure on them, and don't trade security for convenience. PayPal should require 2FA every time; it takes 2 seconds. Don't assume this was one mistake: how many other applications have you downloaded off Usenet? They were all risky, this is just the time you were caught out.

    • +1

      Solid advice, thank you.

      By memory, Bitwarden in Firefox is always open (why haven't I twigged??). But in Chrome it needs the master every single view.

      PayPal on my PC and phone always says "we recognise you", based on IP and other factors, I'm guessing. I wonder if I can force them to ask. I mustn't have 2FA on that, or I've allowed them to bypass if they deem fit.

      Only other software I've grabbed off Usenet was a keygen, ran in a sandbox.

      Resetting passwords regarding emails, vaults, phone accounts etc is probably a strategic art, knowing what one needs to be first.

      • +1

        I'd do email first. It's very unlikely they have your vault password.

        Bitwarden has a variety of settings on when it auto locks, it sounds like you've set Firefox to "never"

        • +1

          Hmm, found this on PayPal, when checking 2FA:
          "You've chosen to skip 2-step verification on 9 devices and browsers you trust. You can revoke this permission any time."

          Yeah, that's revoked now. And I deleted bank accounts & cards attached

          I have 5 email addresses (old practice, moving across to 1 Proton & 1 personal domain), and they're all reset & sessions cancelled, devices untrusted now. 1 was missed in my annual checkup, hadn't been changed in 3 years.

      • +2

        Sometimes PayPal will auto-trust a browser, and then tell me about it afterwards. I would need to keep going into PayPal settings to un-trust the browser. Whoever at PayPal thought this was a good idea really needs an upper-cut. Admittedly, I haven't seen it happen for some months now.

  • Some flop hacked my Facebook and instagram and I can’t access either. Pretty annoying.

    • +11

      No loss really.

    • …… lost my twitter account from 2011 this way. the hacker also placed a fake auction for a steam deck on my user…

    • I'm sure there's plenty of other sources for pointless videos.

      • I don’t care about the videos, more so the family pictures etc from Facebook 15 years ago

  • Unplugging from the internet will stop banking hacks, but not ransomware.

    If your computer is compromised, better to pull the power. Do not reboot! Either boot from an external drive, or remove the hard drive and attach to another computer.
    Then you can attempt to recover your data, before reformatting and re-installing Windows (if you must).

    Though if you could see them manipulating your desktop, it sounds like a very crude remote desktop attack. A more sophisticated approach, even by script kiddies, and you'd never know it was happening.

    • That's exactly what I thought. I saw remote desktop behaviour, but didn't recognise the icon bottom RHS.

      I was trying to right click & close, they were trying to complete a purchase up high on the screen. I continued the tug of war long enough to shut the computer down.

      • Pull the plug! Not the time to worry about an orderly shutdown.
        Damn these laptops with wifi and non-removable batteries. Holding the power button for a few seconds should force it.

        Advice for the future: I'm normally a desktop/laptop guy, only use phone if no PC handy. But online banking is only on my phone as it is a bit more secure.
        My bank uses SMS for 2FA, which I do not trust. Too easy to port a mobile number.

        Are you saying they got access to your phone??

        • Couldn't reach a cable quick, but I could find the button - while eyes were glued to the screen. Total of my seeing activity, realising, to killing the power was less than 10sec.

          Phone is fine. I'm using that to reset everything. I had a memory that PayPal didn't allow password resets via mobile (even mobile browser) - incorrect. Maybe CommBank (doing now).

          I agree with the SMS (even email) 2FA thing. I use authy. Was google, but I'm almost entirely off that nipple

  • +1

    When using those sort of things from Usenet you can't rely on Defender alone :/

    Look into BitDefender or Kaspersky (KIS has a sandbox with detection for those sort of things) …

    First thing to do is take your HDD out, salvage any data needed (by plugging it into another device, just to read) and wipe the drive …
    (can be done with a Linux Live distro like Mint that can be run from USB if you don't have a 2nd system to read the HDD)

    Then re-install windows and apps :/ It is likely that if you boot back into that windows install (to do "virus scans"), all sorts of crapware may be launched!

    • +1

      Thanks.

      I've opened my browser history, wondering if I can do anything with it (as the URLs have codes/account details? in them).

      They opened gmail, searched for BTC, then for crypto. Opened my coinjar account, couldn't get it. Then opened Paypal, then G2A (looks like unique URL has their details?), then got paypal linked, and were about to purchase US$200 iTunes card when I caught them.

      • +1

        Doesn't matter what they did, what matters is the malware / RAT is still active on your system …

        Which means on re-connection more malware could be downloaded or more RAT access …

  • I only use my phone for online shopping and online banking. I only put cards that can be disabled for online payment feature in Paypal and other online shopping. We don't do online shopping with card every day, right? When I want to shop online, then I'll enable online payment feature in my bank apps or Wise app.

    I have Authy 2FA also and disable access other than my own devices. I do sometimes install softwares outside official Windows store or official websites or use portable version of the softwares. I have NextDNS in all my devices and also Adguard app in my phone too. Remote access is disabled in my computer.

    For unofficial apps that I installed in my phone, usually only apps that I trust or know. Many apps that I think do not need access to internet, I block the internet access to that apps. For example, I block internet access for Adobe reader, file manager app, gcam apps etc. in the app setting and also use Adguard app as firewall to block internet access for apps that I think don't need access to internet.

    My phone number cannot be ported, even if anyone has access to the PIN code SMS. Porting will fail. Secret reason for this.

    • Ditch Authy, they got hacked recently. 2FAS or Bitwarden are the best alternatives.

      • +1

        More effort to ditch it. I know about the Authy bad news. But I don't have to worry as only approved devices can access my account. I put the limit.

        • Same here - I have a few pages of Authy's now - and I remember the pain when I had Google Authenticator with a third of that amount, phone died while O/S, no backup capability. Now Authy is on three phones. The Authy hack was only phone numbers of accounts I believe - I saw too much effort to replace - and only time before the replacement will be hacked too - it's never-ending it seems.

      • +2

        I had Google, but I'm trying to stop being a product. Did a heap of searches & came up with Authy for obvious reasons at the time. But I'm absolutely open to change. Thanks for the suggestions. A 2 sec search mentioned products & brands I'd never heard of getting SOLID reviews.

  • +2

    I couldn't think fast enough on WTF was happening, just shut the PC down

    what! you didn't introduce yourself first and say hello?

    • +1

      Felt like I was in a cheap movie. I kept whizzing the mouse around to mess with what they were doing, dying to know WTF they were doing, while also knowing I had to stop it NOW.

  • Some of the advice being given here about installing a new version of Windows and checking your drives no longer works, as of Windows 11 Pro, and in some cases Windows 10 Pro.

    Windows Pro now encrypts drives by default. And you don't even know it's doing it, or has done it, until you need to read a drive on another PC or after re-installing Windows. You can end up in the situation where doing what used to be the right thing makes your data unrecoverable.

    Not only does that reduce the speed of SSDs by up to 45%, because it does it in software using the CPU, even if the drive has its own hardware encryption capability, it makes recovery after a malware attack more difficult. As a lot of businesses found out after the CrowdStrike debacle where the security software itself was the problem.

    • Interesting info - thanks.
      I've got 2 quality SSDs in the PC. One is purely OS & games, the other is "downloads" and disposable crap. Like a working drive.
      I keep everything important on external drives, duplicated 3,2,1. Including cloud, but I'm uneasy about constant costs & it's "out there"

    • +1

      I thought even with the speed of SSDs, decrypting and encrypting is still orders of magnitude faster than the underlying drive. Yes, decryption and encryption isn't free, but it doesn't slow down your drive access. You just get a little spike in CPU.

    • By default, it won’t encrypt the drive until it saves the recovery keys somewhere, either to a personal MS account, AD, or whatever

      It’s not just Windows Pro, standard Windows will enable device encryption on qualifying PCs; it has been a thing since the Windows 8 logo program, think Surface Pro etc. Not sure why all the shock now when it’s been around for at least a decade lmao. I guess it’s the current bandwagon to get angry about because IT procurement did not see the value in vPro before the events from a few Fridays ago.

      So the advice about wiping or connecting to another PC is valid, the drive can be read on any other PC when you get the recovery key from IT team or your MS account. The bitlocker partition can be deleted without the recovery keys. If you manually enabled bitlocker, you’ll have the txt file somewhere that the wizard forces you to save.

      Also OP, a virus scan might not detect the tool that they are using for remote access, because quite often it is a legitimate tool used for nefarious purposes.

      All security comes at a cost, even the lock on your front door slows you down when you have your hands full and need to reach for the keys with bags full of groceries.
      Encryption protects your personal data from physical theft of the drive, and in many cases the data is worth more than the drive that it sits on.

      • the drive can be read on any other PC when you get the recovery key from IT team or your MS account

        If you have an IT team.

        Or an MS account.

        My computer is MY computer inside MY house where it is safe from theft courtesy of the locks on MY front door. Microsoft imposing the security against drive theft that might well be important to a corporate-owned laptop with commercially valuable information on it is oppressive and annoying. Let them do what their IT experts think they need, and let me not have to do it because I don't. Can't Microsoft understand that?

      • What happens if you try to connect it to another PC? Do you get an "uninitialised" error? I've literally lost an entire 1TB SSD when I upgraded it thinking I can just use an enclosure and hook it up to get all my data back. I've never seen any recovery key on my MS account.

        I even tried to repair windows using usb bootable drive and it said no windows found. There was never any prompt to enter the recovery key either. I proceeded to install windows and saw that the partition had 931gb free space out of 931gb. At minimum it should have recognised windows partitions.

        EDIT: I googled it and said recovery keys are stored here https://account.microsoft.com/devices/recoverykey

        for me

        You don't have any BitLocker recovery keys uploaded to your Microsoft account.
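Before pulling a drive to read it on another PC, as the comments above describe, a practitioner would first confirm whether device encryption is on and save the recovery password off the drive. This is an added example, not code from the thread; it assumes an elevated PowerShell on the original PC and E:\ as removable media for the saved key.

```powershell
# Added example (not from the thread): check BitLocker / device encryption status
# and save the recovery passwords before the drive leaves this PC or gets wiped.
# Run in an elevated PowerShell; RecoveryPassword is only shown to administrators.

$report = foreach ($vol in Get-BitLockerVolume) {
    # Recovery-password protectors are the 48-digit keys another PC will ask for.
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    [pscustomobject]@{
        Drive            = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus      # FullyDecrypted / FullyEncrypted / EncryptionInProgress
        ProtectionStatus = $vol.ProtectionStatus  # On = will not mount elsewhere without a key
        EncryptionMethod = $vol.EncryptionMethod
        RecoveryKeyIds   = ($recovery.KeyProtectorId -join ', ')
        RecoveryPassword = ($recovery.RecoveryPassword -join ', ')
    }
}
$report | Format-List

# Save the recovery passwords to removable media (assumed path E:\), never to the
# drive being recovered: the wipe-and-reinstall step would destroy them otherwise.
$encrypted = $report | Where-Object { $_.ProtectionStatus -eq 'On' -and $_.RecoveryPassword }
if ($encrypted) {
    $encrypted | Select-Object Drive, RecoveryKeyIds, RecoveryPassword |
        Out-File -FilePath 'E:\bitlocker-recovery-keys.txt'
    "Recovery passwords written to E:\bitlocker-recovery-keys.txt"
} else {
    "No protected volume with a recovery password found."
}

# A volume that is encrypted but has no recovery-password protector can be given one
# before the drive is moved:
#   Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
# The built-in tool shows the same protectors:
#   manage-bde -protectors -get C:
```

A volume reporting ProtectionStatus Off and VolumeStatus FullyDecrypted can be read in an enclosure on another PC without any key.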

  • +2

    Don't forget to revoke all sessions for your email accounts even after changing your password. Sometimes it won't force you to re-login until the cookie expires unless you explicitly have revoked them and if they extracted your browser cookies, they may still have access.

  • I've spent a fair time over the last year shifting SMS 2FA to a secondary eSIM. Also making sure no browser had any permissions to bypass 2FA for services.

  • Hope you get it all fixed.

    Would a malware scan of the dodgy Usenet program/app have prevented this from happening?

  • +1

    I would perform a fresh os install with a wiped drive.

    • +1

      agree

    • Completely agree. IMO, wiping windows every few years is a must.

  • +2

    For your future setup I'd recommend not using Windows apps to access Usenet. The Windows operating system attracts the most viruses and spyware. I'd recommend running a Linux OS as it's way more secure.

    When I last accessed Usenet a decade ago I did it from a Linux operating system on a dual boot setup. I'd use Linux for everything internet related and only run Windows for games or apps that Linux doesn't have (eg. Adobe Lightroom).

    Running Linux also addresses all the other fears mentioned above eg. recovering data from HDD, ransomware and other apps being auto installed on restart, etc.

    • I'm just your average dude, but 30-35 years daily experience of messing with hardware & software. I do everything I can with the limited time & zero formal IT education I have.
      My commonsense radar got me into using a password vault & 2FA, getting off google, disposable accounts with useless info. Separating private from internet contacts. Even my firefox has some extra settings, along with uBlock Origin etc. I'm trying to be a speck of dust.

      And I honestly buy the software I use. Pay for all subscription services etc. My Steam account is no joke. But yes, I love collecting high quality nostalgia, and torrents aren't always the way. One went 0-byte on me, and I tried downloading a random software to try to recover it. FAIL.

  • Saw My Computer Being Hacked Right Now!

    How did you manage to achieve that? Did you click on the hot-bum-crack.jpg.bat attachment?

    • My PC is running 24/7. I walked past it (after 3 hours of no use), and saw the screen awake, strange. Walked closer & saw a strange website I know I didn't visit. Looked closer, and sat down… that's when I saw the mouse active… someone was accessing remotely.

      The garbage exploit I enabled was from a .bat file I'd run 3.5 hours earlier… and was dumb enough not to read it first. Looking now, it's jam-packed full of dodgy/weird code, with @echo off (hide from user) written first.

      • +1

        That's what I thought, PCs aren't that easy to hack these days unless you activate an exploit.

      • +2

        I would hazard a guess the payload is likely either encoded via base64, compressed using a compression function or uses inline encryption/decryption to hide what it does to a casual viewer of the batch file.

        If you still have the batch file, you could upload it to virustotal and it should spit out a report on it. Or if you want you can even upload the contents to pastebin and I could reverse engineer it and explain what it actually did to your computer.
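One way to look at a batch file like the one described above without running it: an added PowerShell triage script (not from the thread) that flags the hiding tricks the comment lists and decodes any base64 -EncodedCommand so the hidden command can be read. The sample .bat it writes is constructed for the demonstration, and its encoded command is only Write-Host 'hello'; point $BatPath at the real file to triage that instead.

```powershell
# Added example (not the thread's batch file): read-only triage of a suspicious .bat.
# It never executes the file; it only pattern-matches and decodes.

# Constructed sample for the demo. The base64 is "Write-Host 'hello'" in UTF-16LE,
# the encoding powershell.exe -EncodedCommand expects.
$sample = @'
@echo off
rem constructed sample for the triage demo; it only prints hello
powershell -w hidden -nop -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABlAGwAbABvACcA
'@
$BatPath = Join-Path $env:TEMP 'triage-sample.bat'   # replace with the real file's path
Set-Content -Path $BatPath -Value $sample -Encoding ASCII

$text = Get-Content -Path $BatPath -Raw

# Indicators that a batch file wants to hide what it does or pull in a second stage.
$indicators = [ordered]@{
    'echo off (suppresses command echo)'     = '(?im)^\s*@?echo\s+off'
    'hidden/non-interactive PowerShell'      = '(?i)powershell[^\r\n]*(-w(indowstyle)?\s+hidden|-nop|-noni)'
    'encoded PowerShell command'             = '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
    'certutil (decode/download helper)'      = '(?i)\bcertutil\b'
    'downloader (bitsadmin/curl/mshta)'      = '(?i)\b(bitsadmin|curl|mshta)\b'
    'long base64-looking blob'               = '[A-Za-z0-9+/]{60,}={0,2}'
    'variable-substring obfuscation (%x:~)'  = '%[^%]+:~\d+'
}
$hits = foreach ($name in $indicators.Keys) {
    if ($text -match $indicators[$name]) { $name }
}

# Decode every -EncodedCommand payload found (UTF-16LE, as PowerShell expects).
$pattern = '(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})'
$decoded = foreach ($m in [regex]::Matches($text, $pattern)) {
    try   { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { "<not valid base64: $($m.Groups[1].Value.Substring(0, 20))...>" }
}

"Indicators found in $($BatPath):"
$hits | ForEach-Object { "  - $_" }
"Decoded -EncodedCommand payload(s):"
$decoded | ForEach-Object { "  > $_" }
```

A decoded payload that itself contains another base64 blob or a compressed stream is the layered obfuscation the comment describes, and the same decode step is repeated on it.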

      • Will Eset anti-virus stop that hack?

        with @ echo off (hide from user) written first).

        What is that?

        • I can't comment on that and these days I don't even have an anti-virus installed. It is best not to click on .bat/.exe or anything that comes in the form of file attachments in emails or USBs that you don't know.

          If you still can't trust yourself, create a non-admin user account and use that. That might help.

  • it HAS to be a dodgy program I just grabbed from Usenet a couple of hours ago.

    OMG! This gave me PTSD vibes from KAzaa days

    • Good old days with Kazaa. I'm sure I've had every virus downloaded to my PC. Too bad for hackers the only thing they could get off me was my Nintendo GBA ROMs.

  • Live like John Connor

  • This reminds me of when my late mother thought someone was in her computer moving the mouse. I tried to explain to her that she wasn't using the mouse pad I bought for her, and she was using her mouse on the shiny surface of her desk and the mouse was skipping.

  • If you want to use your PC for unknown USENET or 'cracked' programs whatever on Windows, get on Hyper-V and do it on a VM. You can learn this quickly, or in a few hours (if CPU 80286); guides all over Google, YouTube, you know the drill. You might think that the rogue software has passed virustotal.com with green colours, but hey, you never know, it could facilitate as a screen recorder or act as a keyboard logger. You can run all sorts of dirty programs on the brothel VM and you would be enjoying maximum pleasure without any protection, unless you are really stupid to also do net banking on the dirty VM. Unlike a sandbox, you can create snapshots so you can roll over to the state you like without a clean start.

    Speaking about net banking, these days mobile phones are real cheap, why not buy a special phone just for banking? No need for a SIM, WiFi is good enough. You can log in to the bank apps on your special banking phone then 2FA to your main daily phone. Just bank apps on the phone, nothing else, turn it off when not required.

  • I thought I was very good with security.

    Said the Windows user

  • -2

    Update from XP…

    Just realised this was a troll.

  • I use LastPass and have it set to close when I log off each night. However I have it running in my Chrome browser during the day. Should I keep it closed and only log in when I need to use it? It would be a pain to have to log in each time when I want to download email, use Chrome, and other password protected software. More so as my LP password is 24 characters!

    My PC also has a PIN to reactivate when it goes to sleep. One thing I have been remiss with is not closing my Google account each night when I log off. I also use 2FA for eBay, PayPal, Dropbox, Qantas etc, and also my genealogy databases like Ancestry. After 23andMe was hacked genealogists were advised to protect their DNA results with 2FA or one time codes each time they logged in.

    I am sure there is more I can do as I know there is no room for complacency here, it's not a matter of if I will be hacked, but when. I do try to avoid trouble by being very cautious.

  • Everything in Bitwarden should be considered compromised, you don't know how long they have been on and monitoring your machine. Most hacks come from something you downloaded/installed and usually they sit dormant for a few months. Consider your machine toast; anyone who tells you it can be repaired you should ignore, as you can't know for sure what else they have installed, configured etc that could allow them back in. Reinstall and change every password in Bitwarden; it is one of the huge single points of failure of password safes sadly.

  • Make sure you call IDCARE. They have great case workers available to guide you professionally in the event of a breach and corresponding identity theft. https://www.idcare.org/. Assume you are in a total loss scenario and work from there. Secure your financials first. For your ultra-sensitive items (i.e. internet banking, MyGov, etc.) get a second phone + SIM, separate email address, and then run a separate password manager for those items. Also, ensure MFA/TOTP or Passkeys for all accounts. Avoid passwords where possible.

  • Got no advice that hasn't already been covered but instead just a well done and thank you for starting the thread.

    Many people are too vain or prideful to post something like this through fear of ridicule until it is too late. Hurting themselves more and losing the chance to help others as well.

    Sounds like you are more careful and knowledgeable than the average person too which is a good reminder of how easy (and scary) this can all be.
