Fraud Management & Cybercrime , Incident & Breach Response , Managed Detection & Response (MDR)

TeamViewer Bolsters Security After Account Takeovers

Fraudsters Raid Computers for PayPal, Amazon and eBay Accounts
TeamViewer Bolsters Security After Account Takeovers

TeamViewer is strengthening the security of its remote access application after an uptick in account takeovers that the company says is the result of hackers reusing account credentials from recent data breaches.

See Also: Considerations for Choosing an ATO (Account Takeover) Security Solution

The issue appears to primarily affect consumer accounts, although TeamViewer has a robust enterprise business: 90 percent of Fortune 500 companies use its application for remote support and access.

The vast majority of support queries TeamViewer has received concerning the attacks have been from consumers, says Axel Schmidt, a company spokesman. That's because enterprises have generally followed TeamViewer's security recommendations to protect their accounts.

"Very often what we find is that they [consumers] used the same account credentials across multiple internet accounts," Schmidt says.

Numerous victims have contributed their stories to a long Reddit thread. Fraudsters have used the compromised TeamViewer credentials to remotely access computers and hunt for other credentials stored in web browsers for services such as PayPal, eBay and Amazon.

Fallout From Big Breaches

The TeamViewer situation falls in line with what many security experts have predicted in the wake the release of more than 630 million credentials in May alone from years-ago hacks, including LinkedIn and MySpace (see 'Historical Mega Breaches' Continue: Tumblr Hacked).

Even if login credentials are several years old, many people continue to use the same ones across several services. A compromise of one provider supplies hackers with a fresh batch of logins that can be tried again against many other services. Password managers can help solve the problem, but are generally only used by more tech-savvy users.

On June 1, a statement from TeamViewer put it bluntly: "Careless use of account credentials remains to be a key problem for all internet services."

'Something Is Going Wrong'

An alternative explanation for the uptick in account compromises is that computers running TeamViewer have been infected with malware. The company advises people to avoid downloading adware bundles, to only download TeamViewer through legitimate outlets and to run security software.

Schmidt says TeamViewer has conducted internal audits since the account takeovers spiked and has found no evidence that it has been breached. Account passwords are hashed and salted, he said.

But Troy Hunt, who runs the breach notification service Have I Been Pwned, says the company may need to move forward with a deeper forensic analysis.

"Something is definitely going wrong somewhere," Hunt says. "They really need an independent party in at this time to get to the bottom of it and explain what's going on."

The company's security improvements will make it easier for users to see if their account is being targeted. A feature called Trusted Devices will send an email if there is a login attempt from a new device. Users can then decide whether to grant authorization to access TeamViewer from the device, according to a June 3 statement.

TeamViewer's second improvement, Data Integrity, involves more vigilant monitoring of the location of login attempts. If unusual activity is detected, a TeamViewer account may be tagged for a mandatory password reset, with users receiving an email alert.

The features are being rolled out globally. TeamViewer says "users may experience minor inconveniences" due to the rollout. Schmidt said TeamViewer had planned to introduce the features later this year but opted to speed up the rollout, which means some functions may not work as expected.

Users who think they could be affected by these attacks should immediately change their passwords. Also, TeamViewer offers two-factor authentication, which requires users to enter a time-based one-time passcode to gain access. The company supports eight two-factor apps for Android, iOS, Windows Phone and BlackBerry.

TeamViewer also has blacklisting and whitelisting options, which can restrict what machines are allowed to perform a remote access session.

View of an Attack

Nick Bradley, a practice leader within the Threat Research Group at IBM, described a harrowing account of how he watched a TeamViewer intrusion unfold at his house the night of June 3.

"In the middle of my gaming session, I lose control of my mouse and TeamViewer window pops up in the bottom right corner of my screen," Bradley writes. "As soon as I realize what is happening, I kill the application. Then it dawns on me: I have other machines running TeamViewer!"

He ran downstairs to another computer running TeamViewer, only to see the application's window pop up.

"Before I am able to kill it, the attacker opens a browser window and attempts to go to a new web page," he writes. "As soon as I reach the machine, I revoke control and close the app."

Many others haven't been so lucky. The Reddit thread chronicles many users who reported the attackers went on shopping sprees with PayPal funds and tried to buy gift cards on Amazon and eBay.

One Reddit poster attributed a TeamViewer hack that occurred on June 1 to the reuse of MySpace credentials, which were leaked last month in one of the largest data breaches of all time.

"Nabbed $260 from PayPal," the user wrote. "PayPal almost instantly refunded the money to my account. Now working to shore up the gaping hole in my security."

Schmidt says that anyone who suspects their account has been compromised should contact TeamViewer's support and submit log files. He also advised that they report the incident to police. The reason, he says, is that TeamViewer as well as other companies are subject to strict data privacy regulations and can't release certain information to the public.

"We need to get authorities involved," he says.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.