Saw My Computer Being Hacked Right Now!

Hi guys, major panic.

Fastest & most effective way to stem damage?

Walked up to my PC being hacked online. I took over the mouse while they were trying to buy G2A gift cards with PayPal (on my phone and PC it auto-approves), it appears. I couldn't think fast enough on WTF was happening, just shut the PC down. Now on phone.

What now? I'm a scatter brain where to start changing, locking, resetting. PayPal, CommBank, Bitwarden…reset or lock the lot? Nothing looks spent.

I thought I was very good with security. 30+ years never hacked.

But of course, it HAS to be a dodgy program I just grabbed from Usenet a couple of hours ago. Didn't work, tried again. Tried again, gave up. ONE idiot mistake is all it takes. Should have run it in a sandbox, if I needed it that much.

Everything is 2FA (phone, email, authy), fingerprint on phone and I use Bitwarden with a very complex master.

Comments

      • Usenet is super dooper active, I would say at least 50%+ of people hosting plex servers are using usenet (and torrents as a back up)

    • "Brothel VM".

      Now… that could catch on. Google says this is the first use of the term. Ever. Bravo, my good man.

      • You need to practice Cyber Hygiene. Schools never teach this.

  • -1

    I thought I was very good with security.

    Said the Windows user

  • -4

    Update from XP…

    Just realised this was a troll.

  • I use LastPass and have it set to close when I log off each night. However, I have it running in my Chrome browser during the day. Should I keep it closed and only log in when I need to use it? It would be a pain to have to log in each time I want to download email, use Chrome, and other password-protected software. More so as my LP password is 24 characters!

    My PC also has a PIN to reactivate when it goes to sleep. One thing I have been remiss with is not closing my Google account each night when I log off. I also use 2FA for eBay, PayPal, Dropbox, Qantas etc., and also my genealogy databases like Ancestry. After 23andMe was hacked, genealogists were advised to protect their DNA results with 2FA or one-time codes each time they logged in.

    I am sure there is more I can do as I know there is no room for complacency here, it's not a matter of if I will be hacked, but when. I do try to avoid trouble by being very cautious.

    • I guess many people will agree that LastPass is worse than Authy … Got more breaches. Can you limit only approved devices to access your account? I use Authy and alien devices cannot access my Authy account without my approval from within my own devices.

      But 24 characters is incredible … Need a much better quantum computer to crack that … I wonder if a quantum computer could access my Authy account someday, as alien devices are not approved devices in my Authy settings.

    • The most common thing to get hit with is a stealer. Most stealers have keyloggers. If there is a decent dwell time (time from the initial compromise to when it was detected) it likely doesn't matter as your master password would be logged a bunch.

      But generally, it is better to have it not logged in constantly.

  • Everything in Bitwarden should be considered compromised; you don't know how long they have been on and monitoring your machine. Most hacks come from something you downloaded/installed, and usually they sit dormant for a few months. Consider your machine toast; anyone who tells you it can be repaired you should ignore, as you can't know for sure what else they have installed, configured etc. that could allow them back in. Reinstall and change every password in Bitwarden. It is one of the huge single points of failure of password safes, sadly.

  • +3

    Make sure you call IDCARE. They have great case workers available to guide you professionally in the event of a breach and corresponding identity theft. https://www.idcare.org/. Assume you are in a total-loss scenario and work from there. Secure your financials first. For your ultra-sensitive items (i.e. internet banking, MyGov, etc.) get a second phone + SIM, a separate email address, and then run a separate password manager for those items. Also, ensure MFA/TOTP or passkeys for all accounts. Avoid passwords where possible.

  • +3

    Got no advice that hasn't already been covered but instead just a well done and thank you for starting the thread.

    Many people are too vain or prideful to post something like this through fear of ridicule until it is too late. Hurting themselves more and losing the chance to help others as well.

    Sounds like you are more careful and knowledgeable than the average person too which is a good reminder of how easy (and scary) this can all be.

  • I had something similar when I got tricked by a very basic sponsored ad link when I tried to download some Logitech software. Was the top, sponsored link in google, but was actually a fraudulent link, and the agent gained access to some of my gmail items etc. (I double clicked an exe file that then promptly disappeared, which was the first sign) - didn't take over the computer but I basically changed all my passwords, full computer reformat, etc. They did manage to get into my Gmail accounts and launch some web advertising things that did cost me some money (<100) that I tried to argue with google as they themselves confirmed it was fraudulent activity, but was unsuccessful in getting a refund.

    Pretty cheap lesson learned for me, though. I've got a pihole running (2 really) so sponsored links don't work anymore anyway!

  • If you want to use hacked software, use 'portable' software. Just for those that can't help themselves.

  • Sobering.

  • Turn on 2FA for Paypal

  • I had a similar 'in real-time' thing occur only my case I was woken up by the banking app on my phone notifying me of purchases being made at a phone store in Venezuela.

    Turns out my debit card had been skimmed somewhere. I was quick to disable the card via the app before not too much damage was done and got it replaced.

    • Google wallet/Apple Pay is more secure as merchants cannot see our real card numbers.

    • Same happened to me recently. Noticed a few transactions on my bank account that I didn't recognise. All using my card, all for the same amount, making purchases from Amazon US for identical values. The amounts were pretty high, so I'm surprised that I wasn't sent 2FA codes on my bank app.

      • +1

        Maybe your payment limit in the bank app is higher than the transactions?

        Could you disable online payment for your card? I do this and only enable the online payment feature when I want to shop online with the card.

        At least you have reported to the bank to get a new card replacement, right?

        • I'd have to double check the limit, but I swear I've been sent one-time codes for lower value transactions before. I contacted the bank immediately and have a refund in the pipeline. Card cancelled. Fortunately, that card was already near expiration, and I had already received the replacement so I won't have any time without access to a card.

          • @OzBarAnon: wouldn't you want to get a whole new card with new numbers, as that card will only have the expiry year (& month) different? (usually just 2024 +3 or..)

            • @m2000: No, number and security code are both different from the old one

  • +3

    Turning off internet to Nigeria and India would reduce the scamming.

  • If your computer is already backed up, fresh install. If it isn't, disable the Internet, back up everything necessary and fresh install.

  • By the way, you were a victim of a RAT, a.k.a. remote administration tool. Very common.

    • Downloaded too many warez

  • -2

    Would suggest throwing your PC in the bin. Apply for a whole new identity while you're at it.

  • +6

    Hey mate,

    The remote desktop access you observed was likely fairly late into the attack chain. Generally, these things start with a stealer variant embedded into a legitimate program. The Medibank data breach's initial access was through an employee who downloaded a cracked Adobe product. What was amusing was the person claimed to be running 4 anti-virus programs when they ran it.

    At this point assume anything related to your browser(s) (cookies, form history (auto-fills), saved credentials (including cards), browsing history and password manager contents (if it doesn't require auth every single time)) was taken. Expand that list to include any software crypto wallets, FTP clients, instant messaging (of any kind) and mail clients. Include any files in a common location (Documents, Downloads, Desktop & popular cloud locations). The file part is a bit more dynamic as there will be an automatic collection list and then a more general enumeration list which the actor chooses from.

    All the above would have been the first stage and largely automated. My running theory is they installed a remote support tool to bypass 2FA requirements on stuff they found during the initial stage and for common financial websites. Not the most elegant solution, but it is effective enough. Short explainer: When you use 2FA, the system ties some form of authentication data to your device (IP and/or Hardware/Software information) through a short-lived cookie. This cookie prevents the need for reauthentication for a period if all the artifacts still match. The implementation and length depend on the website.

    Fortunately, the actor appeared to be financially motivated, and you identified the first order stuff early. The bad news is your data and credentials are very likely going to be sold, so prepare for very targeted phishing attacks and attempts at identity theft.

    Before anything else, rotate all of your credentials, even if they have 2FA enabled and particularly if there are common patterns. Start with things you care about and business-related accounts before working down. Do it on a device you trust. Look at the recovery options for each account and ensure that they are not linked to information that the threat actor could have got.

    Second, if you had identity documents, bills, etc (anything that can prove identity) on the computer, put a hold on your credit and start looking at what you need to do to get new identity documents. It differs from state to state.

    Third, recover your computer:
    - If you are tech savvy, live boot from a Linux USB, install NTFS support, mount the disks and save any files you want to another USB.
    - If you aren't, you should be alright to disconnect your computer from the internet (unplug your router) and boot into Safe Mode to do the same thing. This has additional risks, such as allowing staged ransomware to execute alongside USB propagation vectors.

    Finally, reinstall Windows to the infected hard drive. If you don't have the license tied to a Microsoft account, make sure you grab the product key as well. You shouldn't need to bin your device, although if you are a medium-high profile public/business figure, definitely consider it. Nothing you described sounds that advanced or specifically targeted.

    In the future, if you are going to download programs from Usenet/Torrents, install them within a virtual machine. VirtualBox is free.

    • +1

      Forgot to add that stealers usually have keyloggers built in. So rotate your master password for your password manager as well.

      Disk encryption will also be a factor for how to recover your data. There are ways around BitLocker (like sniffing the TPM) if you don't have the key material, but at that point either do the Safe Mode boot method or take it to someone who knows what they are doing.

      Revoke any web service sessions that were active/authenticated on your computer as well. Anything that uses JWTs you may be up the creek for.
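      The two points above (a 2FA "remember this device" cookie that skips re-authentication while the device artefacts match, and the need to revoke sessions rather than only rotate passwords) as an added toy model. This is illustrative code written for this page, not code from the thread or from any real site; `AuthServer`, the device fingerprint strings and all timings are made up, and the TOTP check is assumed to have passed at login.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    device_fp: str   # digest of the IP/hardware/software artefacts the cookie is tied to
    expires: float
    revoked: bool = False


class AuthServer:
    """Hypothetical server-side model of a 2FA 'trusted device' cookie."""

    def __init__(self):
        self.passwords = {}   # user -> password (plaintext only because this is a toy)
        self.sessions = {}    # cookie token -> Session

    def login_with_2fa(self, user, password, device_fp, now, ttl=30 * 86400):
        if not hmac.compare_digest(self.passwords[user], password):
            return None
        token = secrets.token_urlsafe(32)              # the short-lived cookie value
        self.sessions[token] = Session(user, device_fp, now + ttl)
        return token

    def request(self, token, device_fp, now):
        """Return the user if the cookie is live and the device artefacts still match."""
        s = self.sessions.get(token)
        if s is None or s.revoked or now > s.expires:
            return None
        return s.user if hmac.compare_digest(s.device_fp, device_fp) else None

    def change_password(self, user, new_password):
        self.passwords[user] = new_password             # deliberately leaves sessions alone

    def revoke_all_sessions(self, user):
        hit = [s for s in self.sessions.values() if s.user == user and not s.revoked]
        for s in hit:
            s.revoked = True
        return len(hit)


def demo():
    srv = AuthServer()
    srv.passwords["victim"] = "old-pass"
    cookie = srv.login_with_2fa("victim", "old-pass", "fp-victim-pc", now=1000.0)
    replayed_elsewhere = srv.request(cookie, "fp-attacker-box", 1060.0)  # artefacts differ
    via_remote_tool = srv.request(cookie, "fp-victim-pc", 1060.0)        # same PC, no 2FA prompt
    srv.change_password("victim", "new-pass")
    after_rotation = srv.request(cookie, "fp-victim-pc", 1120.0)         # still valid
    srv.revoke_all_sessions("victim")
    after_revoke = srv.request(cookie, "fp-victim-pc", 1180.0)
    return replayed_elsewhere, via_remote_tool, after_rotation, after_revoke
```

The result shows why the reply's ordering matters: the cookie keeps working from the victim's own machine after the password change and only dies once sessions are revoked.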

      • Everything this guy said, but also make sure any password changes are done on an entirely different device, maybe even on a different network just to be safe…

    • +1

      If you wish to bin your device, remove the internal storage. If it's soldered, identify the flash chips then use a hammer generously.

    • +3

      prepare for very targeted phishing attacks and attempts at identity theft.

      Hey sorry to hijack but you seem way more versed than what I can find on google.

      I have a question about identity theft and documents. I'm getting worried with how widespread it's becoming to have to send my passport and driver's license for things like bank, loan and rental applications. Even just job applications in my field require passport copies now via email which makes my skin crawl. Likewise, when traveling it seems everyone needs a photo copy of passports. This all adds up to a LOT of people having copies of our ID docs, and most of them being extremely careless/clueless sorts. Eg if our telcos, major health insurances etc can't keep our data without constant breaches, I have zero faith in local real-estate agents or foreign hotels/checkpoints.

      So, are we cooked? Is it just luck and a matter of time before we start getting identity thefts?

      • +2

        An astute observation and it is a valid concern.

        There is a move towards data minimisation in the industry (only keeping what you need post verification) to reduce the potential damage of cyber attacks. This is mainly driven by cyber insurance premiums increasing by large amounts.

        Higher tier financially motivated threats tend to go after larger targets at the moment for better return on investment. Essentially there is some security through obscurity.

    • Thank you for the informative post. But wow, that is scary how easy it is to get hacked these days. Could an anti-virus have prevented it?

      • If it manages to get past Windows Defender (the default AV), generally not. Each company has their own secret sauce but AVs are only really effective after a campaign has been identified and detections engineered. There are plenty of resources out there on how to bypass AVs if someone has the skills and time.

        System behaviour detection is in the realm of EDR/XDR.

        TL;DR: If the campaign is large, has been identified and a detection engineered… yes. However, threat actors monitor their own campaigns and re-tool them as required, so it is essentially a cat and mouse game.

  • Some really useful and detailed advice in this thread in a Windows environment. What would one do in the case of a similar remote hack on a Mac?

    • Exactly the same; the majority of the advice is not OS dependent. Any compromised device, be it Windows/Linux/Mac, should be wiped, and any passwords changed, especially any stored in password safes on the device. Data that you need should be restored from backup or, if necessary, recovered by attaching the drive to another computer and scanning the data for malware before copying it across.

    • Disconnect from internet, backup your data key, then factory reset.

    • Pretty much the same. The Mac equivalent for TPM (T2 chip) has been around longer and is more widely adopted within their closed ecosystem.

      Generally you will struggle to access the data from a cold state (macOS not running).

      • +1

        Ummm, the Mac T2 chip came nearly a decade after TPM, and TPM 2 also predates it.

        • My bad there. You are right that TPM has been around longer. To clarify my mistake:

          T2 has been adopted since 2018 with disk encryption on SSDs as the default.

          TPM and disk encryption have been off by default until some version of Windows 11 in 2021.

          The timelines mean most Apple devices will have disk encryption at this point where Windows is still a mixed bag.

          • @Hardly Normal: TPM until about 2016 was really mostly business focused; Azure-joined machines got automatic disk encryption, but yes, you are right, consumers would have to specifically choose to do it. Personally, my machines for both work and home have been BitLockered since about 2010.

  • -2

    Get a cheap Mac (or iPad) and do your basic computing on those, i.e. all your emails and personal admin like bills and government services. I find Macs easier to back up and restore (yes, I do use both Mac and Windows as well, so no fanboyism). If you don't use any fancy programs you can virtualise Windows on your Mac, even on the M-series Macs (VMware is free now for personal use). This will mitigate (not eliminate) some of the vulnerabilities and risks with ransomware on Windows.

  • Disconnect from internet, backup your data key, then factory reset.

    Only way to be sure.

  • What's 'Usenet'? Is that like mIRC?

    Is it wrong to save passwords in the browser? I have 2FA via Authy for a couple of sites but, based on a couple of comments, I may look at Bitwarden.

  • -1

    Linux

    • +1

      Spam.
