TalkTalk TeamViewer users in remote-control hijack 'PC seizure'

TalkTalk confirms that firm does not use TeamViewer, while TeamViewer confirms position of innocence -- problem still exists, move your mouse if you're in a panic.

TalkTalk, the UK ISP which has 150,000 customer details swiped and lost £60m in October 2015
TalkTalk, the UK ISP which has 150,000 customer details swiped and lost £60m in October 2015

A number of TalkTalk customers have experienced a remote-control ‘PC seizure' attack channelled through the TeamViewer desktop sharing platform. TeamViewer is intended to provide helpful remote control support, desktop and file sharing, plus web conferencing for online meetings.

The current malicious social engineering attack arises when some TalkTalk customers who are also TeamViewer users attempt to use the sharing services provided by the platform while on the TalkTalk Internet Service Provider (ISP) pipes. So-called ‘opportunists' are said to be taking control of users' PCs.

TalkTalk's UK home page (which redirects automatically to the sales-centric https://sales.talktalk.co.uk/) shows no user alerts in relation to this hack at the time of writing -- although user information action has been promised.

Users themselves however have reported unusual and worrying behaviour when using TeamViewer on TalkTalk as well as receiving unsolicited phone calls. TeamViewer's corporate communications department got in touch with SCMagazineUK.com to say that, “[The presence of these phone calls] is why we recommend to be extremely sceptical about unsolicited calls. Usually, no support team of any provider will reach out to customers pro-actively by phone.”

One user has written on the TalkTalk community pages saying that he/she received a telephone call from what appeared to be in Windows (as in, the voice came from the PC) pointing out that they have been getting a number of errors on the PC being used. 

They (the human caller with an Indian accent) then talked the user through number of screens, which appeared to show what these errors were followed by what appeared to be a free download of a fix -- the site address being freeviewer dot com.

“When this opened there was an ID followed by the correct IP address. As I looked at the home screen for this site I became suspicious as it said the program was Windows compatible. At the same time McAfee flashed up a warning that I was trying to connect to a ‘suspicious site' so I told the caller of this and he then tried to rubbish McAfee and get me to ignore the warning,” writes the user.

TalkTalk: we don't use TeamViewer

Users might typically install remote access software at the request of TalkTalk customer service representatives in order for the ISP to help with customer support issues. Speaking to SCMagazineUK.com directly this week, TalkTalk corporate communications made it clear that TeamViewer is NOT a default remote control service recommended by TalkTalk -- nor does TalkTalk actually use TeamViewer.

Regardless, it appears, this year has seen an upswing in TeamViewer users saying their PC's have been hijacked. While TalkTalk is no stranger to serious breach activity in the past itself, TeamViewer has stated that it has suffered no malicious hack to date.

Isobel Bradshaw, head of corporate communications at TalkTalk Group told to SCMagazineUK.com that her firm is aware that scammers are contacting TeamViewer account holders. These account holders include customers of various ISPs, including TalkTalk customers.

Bradshaw pointed us to more facts. TeamViewer last week acknowledged that a number of their accounts had been compromised, due to :“unprecedented large scale data thefts on popular social media platforms and other web service providers” (as reported by the BBC: http://www.bbc.co.uk/news/technology-36459015). 

In other words, no security vulnerability was found in TeamViewer, the account compromises were occurring due to users using the same passwords for multiple websites, which allowed attackers to gain access to their TeamViewer account. 

“[To restate our position], TalkTalk does not use TeamViewer software when we help customers remotely and so we simply could not have been in a position to compromise these account holders' information. Anyone claiming to be from TalkTalk asking customers to download TeamViewer is a scammer. However, we will be posting an alert on our help page to warn customers about this scam,” she said.

Last week TalkTalk launched its nationwide Beat the Scammers campaign, along with the TalkTalk Nevers, so that customers can help keep themselves safe. The company says that this campaign includes a significant communications drive to all of its four million customers as well as advice from industry experts and new tools to help consumers.

“The TalkTalk Nevers are also the first set of guidelines in the telco industry to outline the information we will never ask customers for – and we're sharing this our customers by email, letters, leaflets and on our IVR when customers call,” added Bradshaw.

The word from TeamViewer

TeamViewer's corporate communications department spoke again to SCMagazineUK.com to say that “We look at each case that is brought to our attention. If we find grounds for an act of cyber-crime we will certainly block the TeamViewer ID in question so that this ID can no longer be used.”

TeamViewer continues, “However, two things are critical when users have reason to assume they were the target of a crime. Firstly, they should contact our support and submit their log files. Secondly, they should report their case to the police. We are a German company and need to adhere to extremely strict data privacy regulations. Therefore we cannot release all the information we have to unauthorised individuals.”  

“There are some additional steps our users can take to be safe,” the TeamViewer spokesperson adds. “When you have somebody providing remote support via TeamViewer you might want to stay around while they are doing that. TeamViewer lets you revoke control effortlessly.”

“All you need to do is move your mouse, and the control comes back to you immediately. When in doubt you can also shut down the software entirely by right-clicking on exit at the TeamViewer icon in the systray on the low right hand corner of the screen." A TeamViewer spokesperson explained, "Furthermore users can set up a white-list on their machines in order to precisely determine who can access their machines.”

Bharat Mistry, cybersecurity consultant at Trend Micro spoke to SCMagazineUK.com to say that this is a tricky situation as TalkTalk wants to help customers with any connectivity issues they are facing and the best way to do this is to view or see it from the customer's device and take the appropriate actions, rather than having to rely on verbal instructions, which may lead to other problems such as misinterpretation or the customer or the support engineer losing their cool.

“Having remote support gets around these issues and can lead to faster resolution time. However, the downside is that the remote user will have complete control to access the computer such as look at files stored on the hard drive, browser settings, visit websites and download ANY software they choose which could be malicious. When remote control is given, customers need to be 100% sure that the person they are giving access to is a legitimate support engineer from the ISP and certain checks must be carried out to validate the authenticity of the person making the request for remote access,” said Mistry.

Trend Micro's Mistry went on to explain that cyber criminals are increasingly using this spurious personal phone calls tactic, often saying to potential victims that they are from Microsoft and the version of Windows they are using is either pirate copy or that their computer is infected with viruses and that immediate action needs to be taken.

People are usually the problem

David Gibson, VP of strategy and market development at Varonis spoke to SC saying that whether it is unsuspecting end-users giving access via remote control, or a more high-profile example like Fortelus Capital Management LLC (FCM), people (i.e. users) are usually the problem.

“FCM, a UK based hedge fund, lost over £742,000 in a Friday afternoon scam. The CFO was called late on a Friday by someone who impersonated an employee of the bank, Coutts. Ultimately he was convinced to transfer the money and subsequently lost his job,” said Gibson.

“If account information from TalkTalk was compromised, despite its contrary reports, someone taking remote-control of your PC may end up being a relatively small concern. Did they also acquire customer data, financial data, user behaviour (browsing) information? Transparency and swift communication by your ISP is critical to raise awareness in social engineering attacks. However, it has been reported that TalkTalk hasn't been communicating clearly or quickly with customers to warn them of possible danger,” added the Varonis VP.

Gibson's opinion is that right now, the typical hacker is launching remote desktop attacks against the customer base using social engineering tricks, but it seems ‘a bit suspect' that weak passwords alone would be the sole cause of the situation.