TeamViewer hacked

TeamViewer, the popular remote login software, has been hacked. According to users on Reddit, hackers are using TeamViewer to connect to users' computers and steal important information, including PayPal details and bank accounts, while some make purchases from the victim's computer to their own shipping address.

Users have headed to the internet's front page, Reddit, to talk about how TeamViewer was used to access their computers and how an unknown person tried to make purchases. Nobody knows the current situation, but TeamViewer has acknowledged the error and in response implemented two new security features, Trusted Devices and Data Integrity.

Trusted Devices lets users approve another computer logging into their computer. Users can add it as a trusted device, and will also confirm the device via the email address associated with the TeamViewer account.

Data Integrity is an intelligent method of analysing user behaviour that also checks whether the user's IP has been reported previously. The logged-in user will be logged out, and the TeamViewer account will be reset until the real owner gets back and can reset their password again.

A user also said that TeamViewer users should look for sunlogin.exe, as this was another program the hackers seem to install on the computer after using TeamViewer. Your antivirus is likely to miss it, so it is wise to search for software named sunlogin and remove it immediately. Sunlogin seems to be from China, and most of the hacks are originating from China, according to Reddit users.

If you feel you have been hacked, this is a guide on what you should do:

Check your active sessions. This will show if any unauthorized locations currently have an active session/connection to your account.

  1. Sign in to Login.Teamviewer.com/LogOn.
  2. Click your account name in the upper-right corner
  3. Click "Edit profile"
  4. Click "Active logins"
  5. Check for unauthorized sessions, disconnect any by clicking the "X"

Check your logs. Someone who knows what they're doing should have cleared these, but others have shown that they have (historically) left them intact.

Windows Users

Click Start

Click Run

To parse your logs to find the IPs of logins, paste the following into Command Prompt:

cd "C:\Program Files (x86)\TeamViewer"

findstr /C:"GWT.CmdUDPPing.UDPMasterReply" /C:"GWT.CmdUDPPing.PunchReceived" *.log >> "%userprofile%\Desktop\TeamViewerIPs.txt"

  1. Wait ~10 minutes for this process to complete. You will not be notified upon completion. A file will be saved to your desktop called "TeamViewerIPs.txt"
  2. You can cross reference the data found in the parsed log by checking IPLocation.net

Mac Users

Open Finder

Navigate to ~/Library/Logs/TeamViewer/

Search for the strings:

GWT.CmdUDPPing.UDPMasterReply

GWT.CmdUDPPing.PunchReceived

Linux Users

Open Terminal

Type the following

     sudo teamviewer --ziplog

Search for the strings:

GWT.CmdUDPPing.UDPMasterReply

GWT.CmdUDPPing.PunchReceived

With the logs, you can get a better idea of whether you were breached by looking up the geographical location of the IPs. To do this, you'll first need to know your own IP (to exclude it), as well as the IP of any location from which you often access your machine.

Find your own IP by clicking this link. Any address in your logs starting with 10.x.x.x, 172.16.x.x, or 192.168.x.x can be disregarded, as those are IP addresses on your own network.
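As an added example (not part of the original guide), this Python script does the log search and IP filtering described above on any platform: it keeps only lines containing the two marker strings, extracts IPv4 addresses, and drops local ranges and the addresses you list as your own. The sample lines are constructed and the log layout is an assumption; the script goes slightly beyond the text by treating the whole 172.16.0.0/12 block, loopback and link-local as local.

```python
import ipaddress
import re
import sys
from collections import Counter

# Marker strings named in the guide above.
MARKERS = ("GWT.CmdUDPPing.UDPMasterReply", "GWT.CmdUDPPing.PunchReceived")
# Dotted quad that is not part of a longer dotted number (e.g. a version).
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")
# Local ranges to disregard: RFC 1918 in full, plus loopback and link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample lines; the real log layout is assumed, not copied.
SAMPLE = """\
2016/06/01 10:02:11.120 UDP: GWT.CmdUDPPing.PunchReceived a=203.0.113.45:51234
2016/06/01 10:02:11.480 UDP: GWT.CmdUDPPing.UDPMasterReply a=192.168.1.20:5938
2016/06/01 10:05:40.002 UDP: GWT.CmdUDPPing.PunchReceived a=198.51.100.7:40211
2016/06/01 10:05:41.913 UDP: GWT.CmdUDPPing.PunchReceived a=203.0.113.45:51240
2016/06/01 10:06:00.000 Version 11.0.59518 started from 198.51.100.99
2016/06/01 10:07:12.300 UDP: GWT.CmdUDPPing.UDPMasterReply a=172.20.3.4:5938
""".splitlines()

def external_ips(lines, known_good=()):
    """Count non-local IPv4 addresses on marker lines, skipping known_good."""
    known = {ipaddress.ip_address(ip) for ip in known_good}
    hits = Counter()
    for line in lines:
        if not any(m in line for m in MARKERS):
            continue
        for text in IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # octet out of range, e.g. 999.1.1.1
                continue
            if ip in known or any(ip in net for net in LOCAL_NETS):
                continue
            hits[str(ip)] += 1
    return hits

if __name__ == "__main__":
    # Usage: python script.py <log files...>; with no files, runs on SAMPLE.
    lines = [] if sys.argv[1:] else SAMPLE
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            lines.extend(fh)
    for ip, count in external_ips(lines).most_common():
        print(f"{count:6d}  {ip}")
```

Pass your own public IP and the addresses you normally connect from as `known_good`; whatever remains is what you look up for geographical location.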

What you should do before continuing to use TV

Change your password: Click here

This is the first thing you should do, regardless of whether you have been breached or not.

Enable Two-Factor Authentication (TFA): Click here

This is the next thing you should do. It adds a layer of security that confirms your identity before you log in.

That being said, this is the end. Good luck to all, and hopefully we will get some transparent answers soon.