Hacked Around 2FA

On December 29th - I came home to find that someone had remoted onto my PC - I think using team viewer.

Strangely in C:\Program Files (x86)\TeamViewer\Connections_incoming.txt shows no entry for that date.    But I found an entry in C:\Users\username\TeamViewer\TeamViewer13_Logfile.log for the exact time I think they got on my system (around 9:41pm).

What I would like to know is how did they get on my system since I have 2FA installed and you need my cell phone code on my Authy app to launch TV...

 

any ideas?

Comments

  • DesertSweeper
    DesertSweeper Posts: 23 ✭✭

    How do you know someone had remoted into your computer? How do you connect to the internet, behind a NAT router or directly? I very much doubt it would be teamviewer and more unlikely if you use 2FA. If it were, they would have to shut their servers down like yesterday...

  • I came home and caught someone remoting around my bank account on my computer.

    At first I wasn't sure it was TeamViewer that they used to get in - but I can tell from my browser history that they got on the computer around 9:40pm on Dec 29th.

    I did a quick search on my computer for all files modified on Dec 29th and right around 9:40pm the only file that was changed - was a team viewer log was generated.     I have some connections to other PCs on my account - so I thought maybe they came through the other computers to get onto mine...but there is no entry in Connections_incoming.txt for the 29th.   But there is a log file that i found in C:\users\username\Roaming\Teamviewer that was initiated at that exact time.  But I don't know how to read the log file for more information.

    The strange part is - my Teamviewer has two-factor authentication turned on.  You need the 6 digit code from my Authy app to log in.  So how did someone get around that.

  • DesertSweeper
    DesertSweeper Posts: 23 ✭✭

    There are many ways to gain access to a computer remotely, you may have malicious code running on your computer, it could have been remote desktop too. That no inbound connections show in the logs but the user logs was modified suggests to me that they may have opened teamviewer (after the fact of gaining control) in an attempt to see if you have any remotes listed that they could gain control of. You should of course completely isolate this computer immediately and scan it with multiple antivirus applications, and for that matter - all the computers you say you have locally on that network. Additionally you should review your router/gateway to the internet. The only way a foreign entity can gain access to internal hosts is via a malicious stateful outbound connection (malware of some kind) on a compromised host (or device_ on your network, or via a leaky router/gateway/firewall.

  • Scotty
    Scotty Posts: 493 Staff member 🤠

    Hi kellydigital,

    Can you please email us at privacy@teamviewer.com so we can help you investigate this?

    -Scotty

    Senior Moderator
    Did my reply answer your question? Why not accept it as a solution to help others?