Appelman2, Balint Tahi
So earlier in the week Ali contacted me about some weird shit on her computer. When she turned on the screen she saw a message from Teamviewer, the software I use to remotely access her computer when needed. It was the normal dialogue box that is displayed once a remote control session is terminated. I would not remote control her computer without letting her know so she asked if I had been in there recently. I told her I had not. I used the same remote control to get into her computer and run a couple different scans on it which found only minor issues. When I checked the local Teamviewer connection logs the last connection I saw prior to my own was back in 2014. I left it with her to let me know if anything else weird happens. Well yesterday morning it was more than weird, it was a full scale freak out.
Ali sent me a screenshot of a program called “WebBrowserPassView” that was left open on her computer along with another Teamviewer session termination dialogue. This program had every website username and password that Ali ever had the browser save in a huge comprehensive list. As you would expect Ali was freaked out and so was I to be honest. Apparently the Teamviewer connection the other day wasn’t some sort of fluke, somehow ill intending cyber criminals had managed to gain access to the connection. In the recent connection list for Teamviewer were two names that were unknown, “Appelman2” and “Balint Tahi”.
I told Ali of course the first thing that had to be done was changing passwords on any site connected with her finances in any way. I started to try to determine how the fck this could happen. I had Teamviewer configured for unattended remote access but only via my account. I started to worry that somehow the hackers had my Teamviewer credentials which seemed unlikely but I immediately changed my password. I also saw that Ali was running Teamviewer 9, which is two full versions behind current so I upgraded that as well. I ran TDSSKILLER which is a program used to detect trojans/root kits. It’s scan came up clean in both normal and safe mode scans. I had Ali create her own Teamviewer account and had her log on using that instead of my account to further isolate her from the possibility it was related to my account info. Finally I configured Teamviewer so it only runs on demand instead of round the clock.
The incident was eye opening on several levels. My blind trust in Teamviewer security was obviously shaken. In the future I won’t just accept the “Start with Windows” default choice. I also had no idea that web site passwords stored in the browser were so ridiculously easy to retrieve. I would obviously advise anybody that uses the built in password functionality of browsers to reconsider and use something else to store their passwords. Personally I have used Lastpass.com for a number of years. It has been great and is much more secure since the password information is encrypted.
Ali is overdue for a new computer anyway so she is going to get a new one and I will help her migrate to it. I feel partly responsible since I am the one that hooked her system up with Teamviewer in the first place.