BreachExchange mailing list archives

Eleven sure signs you've been hacked


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Feb 2014 19:01:33 -0700

http://www.macworld.com.au/blogs/eleven-sure-signs-youve-been-hacked-118475/#.UvFA671X_Ww

In today's threatscape, antivirus software provides little peace of mind.
In fact, signature-based anti-malware scanners are, on the whole, badly
inaccurate, especially against malware and exploits less than 24 hours old.
After all, malicious hackers and malware authors can change their tactics at
will. Swap a few bytes around, and a previously recognised malware sample
becomes unrecognisable.

To combat this, many anti-malware programs monitor program behaviours,
often called heuristics, to catch previously unrecognised malware. Other
programs use virtualised environments, system monitoring, network traffic
detection, and all of the above at once in order to be more accurate. And
still they fail us on a regular basis.

Here are 11 sure signs you've been hacked and what to do in the event of
compromise. Note that in all cases, the No. 1 recommendation is to
completely restore your system to a known good state before proceeding. In
the early days, this meant formatting the computer and reinstalling all
programs and data. Today, depending on your operating system, it might
simply mean resetting the OS or restoring from a known-good image. Either
way, a compromised computer can never be fully trusted again. The recovery
steps listed in each category below are the recommendations to follow if
you don't want to do a full restore, but again, a full restore is always the
better option, risk-wise.

Sure sign of system compromise No. 1: Fake antivirus messages

In slight decline these days, fake antivirus warning messages are among the
surest signs that your system has been compromised. What most people don't
realise is that by the time they see the fake antivirus warning, the damage
has been done. Clicking No or Cancel to stop the fake virus scan is too
little, too late. The malicious software has already made use of unpatched
software, often the Java Runtime Environment or an Adobe product, to
completely exploit your system.

Why does the malicious program bother with the 'antivirus warning'? This is
because the fake scan, which always finds tons of 'viruses', is a lure to
buy their product. Clicking on the provided link sends you to a
professional-looking website, complete with glowing letters of
recommendation. There, they ask you for your credit card number and billing
information. You'd be surprised how many people get tricked into providing
personal financial information. The bad guys gain complete control of your
system and get your credit card or banking information. For bad guys, it's
the Holy Grail of hacking.

What to do. As soon as you notice the fake antivirus warning message, power
down your computer. (Note: this requires knowing what your legitimate
antivirus program's warnings look like; a 'scan' that runs inside a browser
tab rather than from your installed product is always fake.) If you need to
save anything and can do it, do so. But the sooner you power off your
computer, the better. Boot the computer in Safe Mode without networking and
try to uninstall the newly installed software (oftentimes it can be
uninstalled like a regular program).

Either way, follow up by trying to restore your system to a state prior to
the exploitation. If successful, test the computer in regular mode and
make sure that the fake antivirus warnings are gone. Then follow up with a
complete antivirus scan. Oftentimes, the scanner will find other sneaky
remnants left behind.

Sure sign of system compromise No. 2: Unwanted browser toolbars

This is probably the second most common sign of exploitation. Your browser
has multiple new toolbars with names that seem to indicate the toolbar is
supposed to help you. Unless you recognise the toolbar as coming from a
very well-known vendor, it's time to dump the bogus toolbar.

What to do. Most browsers allow you to review installed and active
toolbars. Remove any you didn't absolutely want to install. When in doubt,
remove it. If the bogus toolbar isn't listed there or you can't easily
remove it, see if your browser has an option to reset the browser back to
its default settings. If this doesn't work, follow the instructions listed
above for fake antivirus messages. You can usually avoid malicious toolbars
by making sure that all your software is fully patched and by being on the
lookout for free software that installs these tool bars. Hint: read the
licensing agreement. Toolbar installs are often pointed out in the
licensing agreements that most people don't read.

Sure sign of system compromise No. 3: Redirected internet searches

Many hackers make their living by redirecting your browser somewhere other
than where you want to go. The hacker gets paid by getting your clicks to
appear on someone else's website, often those who don't know that the
clicks to their site are from malicious redirection.

You can often spot this type of malware by typing a few related, very
common words (for example, 'puppy' or 'goldfish') into internet search
engines and checking to see whether the same websites appear in the results
- almost always with no actual relevance to your terms. Unfortunately, many
of today's redirected internet searches are well hidden from the user
through the use of additional proxies, so the bogus results are never shown
to alert you. In general, if you have bogus toolbar programs, you're also
being redirected. Technical users who really want to confirm can capture
their own browser or network traffic: compare the addresses the browser
actually connects to with the result links you clicked, and compare that
traffic with the same search run from a known-clean computer. The two will
differ on a compromised machine.

What to do. Follow the same instructions as above. Usually removing the
bogus toolbars and programs is enough to get rid of malicious redirection.

Sure sign of system compromise No. 4: Frequent random pop-ups

This popular sign that you've been hacked is also one of the more annoying
ones. When you're getting random browser pop-ups from websites that don't
normally generate them, your system has been compromised. I'm constantly
amazed about which websites, legitimate and otherwise, can bypass your
browser's anti-pop-up mechanisms. It's like battling email spam, but worse.

What to do. Not to sound like a broken record, but typically random pop-ups
are generated by one of the three previous malicious mechanisms noted
above. You'll need to get rid of bogus toolbars and other programs if you
even hope to get rid of the pop-ups.

Sure sign of system compromise No. 5: Your friends receive fake emails from
your email account

This is the one scenario where you may be OK. It's fairly common for our
email friends to receive malicious emails from us. A decade ago, when email
attachment viruses were all the rage, it was very common for malware
programs to survey your email address book and send malicious emails to
everyone in it.

These days, it's more common for malicious emails to be sent to some of
your friends, but not everyone in your email address book. If it's just a
few friends and not everyone in your email list, then more than likely your
computer hasn't been compromised (at least with an email address-hunting
malware program).

These days, malware programs and hackers often pull email addresses and
contact lists from social media sites, but doing so means obtaining a very
incomplete list of your contacts' email addresses. Although not always the
case, the bogus emails they send to your friends often don't have your
email address as the sender. It may have your name, but not your correct
email address. If this is the case, then usually your computer is safe.

What to do. If one or more friends reports receiving bogus emails claiming
to be from you, do your due diligence and run a complete antivirus scan on
your computer, followed by looking for unwanted installed programs and
toolbars. Often it's nothing to worry about, but it can't hurt to do a
little health check when this happens.
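The cheapest way to tell the three cases apart (your name on a stranger's address, your real address forged, or mail actually sent through your account) is to read the full headers of one of the bogus messages your friend received. The script below is an added example, not part of the original article; the two sample messages, including every host name, address and ID in them, are constructed for the example. It relies on the receiving server's Authentication-Results header, which most large providers add; if your friend's provider does not, you only get the name-versus-address answer.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample 1: your display name on a free-webmail address that is
# not yours (every value below is made up for this example).
NAME_ONLY_SPOOF = """\
Return-Path: <bounce-4411@bulk-sender.example>
Received: from mta3.bulk-sender.example (mta3.bulk-sender.example [203.0.113.10])
    by mx.friendmail.example (Postfix) with ESMTP id 7A1B2C3D
    for <friend@friendmail.example>; Tue, 04 Feb 2014 18:02:11 -0700
Authentication-Results: mx.friendmail.example;
    spf=pass smtp.mailfrom=bulk-sender.example;
    dkim=none;
    dmarc=none header.from=webmail-free.example
From: "Alice Example" <alice.example1974@webmail-free.example>
To: friend@friendmail.example
Subject: check this out!!
Date: Tue, 04 Feb 2014 18:02:09 -0700

http://offer.example/click
"""

# Constructed sample 2: your real address, and the receiving server reports
# that SPF and DKIM passed, i.e. it really left your provider.
REAL_ACCOUNT_SAMPLE = """\
Return-Path: <alice@yourmail.example>
Received: from smtp-out.yourmail.example (smtp-out.yourmail.example [198.51.100.7])
    by mx.friendmail.example (Postfix) with ESMTPS id 9F8E7D6C
    for <friend@friendmail.example>; Tue, 04 Feb 2014 02:14:55 -0700
Authentication-Results: mx.friendmail.example;
    spf=pass smtp.mailfrom=yourmail.example;
    dkim=pass header.d=yourmail.example;
    dmarc=pass header.from=yourmail.example
From: "Alice Example" <alice@yourmail.example>
To: friend@friendmail.example
Subject: Fwd: invoice
Date: Tue, 04 Feb 2014 02:14:52 -0700

please open the attached invoice
"""

# Picks "spf=pass", "dkim=fail", "dmarc=none" etc. out of a (possibly folded)
# Authentication-Results header. "header.from=" and "smtp.mailfrom=" do not
# match because the alternation is anchored on a word boundary.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage_message(raw: str, my_address: str) -> dict:
    """Classify a message a friend received 'from you'.

    verdict is one of:
      name_only             your name, but somebody else's address
      address_forged        your address in From, but it failed SPF/DKIM
      sent_via_your_account your address and it authenticated at the
                            receiver: somebody used your credentials
    """
    msg = email.message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))

    auth = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(header):
            auth[method.lower()] = result.lower()

    uses_my_address = from_addr.lower() == my_address.lower()
    # DKIM pass binds the message to the signing domain; an SPF pass only
    # counts if the bounce address is in your domain, otherwise it just says
    # the bulk sender's own server was allowed to send for itself.
    authenticated = auth.get("dkim") == "pass" or (
        auth.get("spf") == "pass" and _domain(return_path) == _domain(my_address)
    )

    if uses_my_address and authenticated:
        verdict = "sent_via_your_account"
    elif uses_my_address:
        verdict = "address_forged"
    else:
        verdict = "name_only"

    return {
        "verdict": verdict,
        "display_name": display_name,
        "from_address": from_addr,
        "return_path": return_path,
        "auth": auth,
    }


if __name__ == "__main__":
    for sample in (NAME_ONLY_SPOOF, REAL_ACCOUNT_SAMPLE):
        print(triage_message(sample, "alice@yourmail.example"))
```

Only the third verdict means your account or computer is involved; that is the case where you change the password, revoke app passwords and active sessions at the provider, and then do the scan and program review described above. The first two are somebody working from a harvested contact list, and a scan of your own machine is a courtesy check rather than a necessity.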

Sure sign of system compromise No. 6: Your online passwords suddenly change

If one or more of your online passwords suddenly changes, you've more than
likely been hacked, or at least that online service has been. In this
particular scenario, usually what has happened is that the victim responded
to an authentic-looking phishing email that claimed to be from the service
whose password ends up changed. The bad guy collects the logon information,
logs on, changes the password (and other information to complicate
recovery), and uses the service to steal money from the victim or the
victim's acquaintances (while pretending to be the victim).

What to do. If the scam is widespread and many of your contacts are being
targeted, immediately notify all your contacts about your compromised
account, to minimise the damage being done to others by your mistake.
Second, contact the online service to report the compromised account. Most
online services are used to this sort of maliciousness and can get the
account back under your control with a new password in a few minutes.

Some services even have the whole process automated. A few services even
have a 'My friend's been hacked!' button that lets your friends start the
process. This is helpful, because your friends often know your account has
been compromised before you do.

If the compromised logon information is used on other websites, immediately
change those passwords. And be more careful next time. Websites rarely send
emails asking you to provide your logon information. When in doubt, go to
the website directly (don't use the links sent to you in email) and see if
the same information is being requested when you log on using the
legitimate method. You can also call the service via their phone line or
email them to report the received phish email or to confirm its validity.
Lastly, consider using online services that provide two-factor
authentication. It makes your account much harder to steal.

Sure sign of system compromise No. 7: Unexpected software installs

Unwanted and unexpected software installs are a big sign that your computer
system has likely been hacked.

In the early days of malware, most programs were computer viruses, which
work by modifying other legitimate programs. They did this to better hide
themselves. For whatever reason, most malware programs these days are
Trojans and worms, and they typically install themselves like legitimate
programs. This may be because their creators are trying to walk a very thin
line when the courts catch up to them. They can attempt to say something
like, "But we are a legitimate software company." Oftentimes the unwanted
software is legally installed by other programs, so read your licence
agreements. Frequently, I'll read licence agreements that plainly state
that they will be installing one or more other programs. Sometimes you can
opt out of these other installed programs; other times you can't.

What to do. There are many free programs that show you all your installed
programs and let you selectively disable them. My favourite for Windows is
Autoruns. It doesn't show you every program installed, but will tell you
the ones that automatically start themselves when your PC is restarted.
Most malware programs can be found here. The hard part is determining what
is and what isn't legitimate. When in doubt, disable the unrecognised
program, reboot the PC, and reenable the program only if some needed
functionality is no longer working.
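Deciding what is and isn't legitimate is much easier with a baseline: an Autoruns export taken when the machine was known good, compared against one taken now. The script below is an added example, not from the article or from the Autoruns authors; both CSV exports are constructed for it, and the column names are my assumption about an Autoruns CSV save (check the header row of your own export and adjust KEY_FIELDS if they differ). It flags entries that are new since the baseline, entries whose signature Autoruns could not verify, and entries that run from user-writable directories, which is where malware that "installs itself like a legitimate program" usually lives.

```python
import csv
import io

# Constructed Autoruns-style CSV exports for this example. Column names are
# assumed, not taken from the Autoruns documentation; paths and names are
# made up.
BASELINE_CSV = """\
Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,10.0.19041.1,%windir%\\system32\\SecurityHealthSystray.exe
HKLM\\System\\CurrentControlSet\\Services,Spooler,enabled,Services,System-wide,Print Spooler,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\spoolsv.exe,10.0.19041.1,C:\\Windows\\System32\\spoolsv.exe
"""

# Same machine later: a per-user Run entry from a 'toolbar' vendor and an
# unsigned scheduled task have appeared.
CURRENT_CSV = BASELINE_CSV + """\
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,UpdateHelper,enabled,Logon,PC\\alice,Update Helper,(Not verified) Acme Toolbar Ltd,Acme Toolbar Ltd,c:\\users\\alice\\appdata\\roaming\\updhelper\\updhlp.exe,1.0.0.3,C:\\Users\\alice\\AppData\\Roaming\\UpdHelper\\updhlp.exe /silent
Task Scheduler,\\SysMon32,enabled,Tasks,System-wide,,,,c:\\programdata\\sysmon32\\sysmon32.exe,,c:\\programdata\\sysmon32\\sysmon32.exe
"""

# Columns that together identify one autostart entry.
KEY_FIELDS = ("Entry Location", "Entry", "Image Path")

# Directories an ordinary user can write to; legitimate system autostarts
# almost never live here, malware and 'bundled' software frequently do.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def load_entries(csv_text: str) -> dict:
    """Index an Autoruns CSV export by (location, entry name, image path)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {tuple(row[field].lower() for field in KEY_FIELDS): row for row in reader}


def triage_autoruns(baseline_csv: str, current_csv: str) -> list:
    """Return the enabled entries in current_csv that deserve a look."""
    baseline = load_entries(baseline_csv)
    findings = []
    for key, row in load_entries(current_csv).items():
        if row.get("Enabled", "").lower() != "enabled":
            continue  # disabled entries do not run; review them separately
        reasons = []
        if key not in baseline:
            reasons.append("new since baseline")
        if not row.get("Signer", "").startswith("(Verified)"):
            reasons.append("unsigned or signature not verified")
        image = row["Image Path"].lower()
        if any(hint in image for hint in USER_WRITABLE_HINTS):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append({
                "location": row["Entry Location"],
                "entry": row["Entry"],
                "image": row["Image Path"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_autoruns(BASELINE_CSV, CURRENT_CSV):
        print(f"{finding['entry']:<14} {finding['image']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

An entry that trips all three checks (new, unverified, in AppData or ProgramData) is what you disable first and reboot without; a new but Microsoft-verified entry in System32 is usually a Windows update. Without a baseline you can still run the second and third checks alone.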

Sure sign of system compromise No. 8: Your mouse moves between programs and
makes correct selections

If your mouse pointer moves itself while making selections that work,
you've definitely been hacked. Mouse pointers often move randomly, usually
due to hardware problems. But if the movements involve making the correct
choices to run particular programs, malicious humans are somewhere involved.

This is not as common as some of the other attacks. It involves hackers
breaking into a computer, waiting for it to be idle for a long time (like
after midnight), then trying to steal your money. Hackers will break into
bank accounts and transfer money, trade your stocks, and do all sorts of
rogue actions, all designed to lighten your cash load.

What to do. If your computer 'comes alive' one night, take a minute before
doing anything to determine what the intruders are interested in. Don't let
them rob you, but it will be useful to see what things they are looking at
and trying to compromise. If you have a mobile phone handy, take a few
pictures to document their tasks. Then unhook the computer from the network
(pull the cable or disable the wireless router) before you power it off:
cutting the network ends the intruder's session on its own, and if you
intend to involve a forensics team, leaving the machine powered on until
they arrive preserves the memory evidence that a shutdown destroys. Then
call in the professionals. This is the one time that you're going to need
expert help.

Using another known good computer, immediately change all your other logon
names and passwords. Check your bank account transaction histories, stock
accounts and so on. Consider paying for a credit-monitoring service. If
you've been a victim of this attack, you have to take it seriously. A
complete restore of the computer is the only option you should choose for
recovery. But if you've lost any money, make sure to let the forensics team
make a copy first. If you've suffered a loss, call law enforcement and file
a case. You'll need this information to best recover your real money
losses, if any.

Sure sign of system compromise No. 9: Your anti-malware software, Task
Manager or Registry Editor is disabled and can't be restarted

This is a huge sign of malicious compromise. If you notice that your
anti-malware software is disabled and you didn't do it, you're probably
exploited - especially if you try to start Task Manager or Registry Editor
and they won't start, start and disappear, or start in a reduced state.
This is very common for malware to do.

What to do. You should really perform a complete restore because there is
no telling what has happened. But if you want to try something less drastic
first, research the many methods on how to restore the lost functionality
(any internet search engine will return lots of results), then restart your
computer in Safe Mode and start the hard work. I say 'hard work' because
usually it isn't easy or quick. Often, I have to try a handful of different
methods to find one that works. Get rid of the malware program first, using
the methods listed above; otherwise it will simply disable the tools again.
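Two of the commonest ways malware does this are worth checking by hand before searching for generic fixes. Windows honours the DisableTaskMgr and DisableRegistryTools policy values under Software\Microsoft\Windows\CurrentVersion\Policies\System (in HKCU or HKLM), and a Debugger value under Image File Execution Options\taskmgr.exe makes Windows launch whatever is named there instead of Task Manager, which produces the "starts and disappears" symptom. The script below is an added example, not from the article; it parses the output of `reg query <key> /s` (the key and value names are the real Windows ones, the data in the sample is constructed) and prints the reg delete command that undoes each finding. Run reg query from the compromised machine, or from a recovery environment with the offline hive loaded, and feed the text to the script.

```python
import re

# Constructed "reg query <key> /s" output for this example. Key and value
# names are the real Windows ones; the data values are made up.
REG_QUERY_OUTPUT = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    EnableLUA    REG_DWORD    0x1
    DisableTaskMgr    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe
    Debugger    REG_SZ    C:\\ProgramData\\sysmon32\\sysmon32.exe

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe
    UseFilter    REG_DWORD    0x1
"""

# Policy values that switch the tools off when non-zero.
POLICY_LOCKDOWNS = {
    "DisableTaskMgr": "Task Manager",
    "DisableRegistryTools": "Registry Editor",
}

# reg query prints values as "<indent>name<spaces>REG_TYPE<spaces>data".
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text: str):
    """Yield (key, value_name, value_type, data) from reg query output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # unindented lines are key paths
            key = line.strip()
            continue
        match = VALUE_RE.match(line)
        if match and key:
            yield key, match.group(1), match.group(2), match.group(3).strip()


def find_lockdowns(text: str) -> list:
    """Return the values that disable Task Manager / Registry Editor."""
    findings = []
    for key, name, value_type, data in parse_reg_query(text):
        lowered = key.lower()
        if (lowered.endswith("\\policies\\system")
                and name in POLICY_LOCKDOWNS
                and data.lower() not in ("0x0", "")):
            findings.append({
                "key": key, "value": name, "data": data,
                "effect": f"{POLICY_LOCKDOWNS[name]} disabled by policy",
                "fix": f'reg delete "{key}" /v {name} /f',
            })
        elif "\\image file execution options\\" in lowered and name.lower() == "debugger":
            target = key.rsplit("\\", 1)[-1]
            findings.append({
                "key": key, "value": name, "data": data,
                "effect": f"{target} is replaced by {data} whenever it is launched",
                "fix": f'reg delete "{key}" /v {name} /f  (only if you did not set this debugger yourself)',
            })
    return findings


if __name__ == "__main__":
    for finding in find_lockdowns(REG_QUERY_OUTPUT):
        print(finding["effect"])
        print("    " + finding["fix"])
```

If the values come straight back after you delete them, a running process is re-applying them, which is the article's point: remove the malware first. Note that an Image File Execution Options Debugger entry is also how legitimate debuggers hook a program, so confirm what the named executable is before deleting it.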

Sure sign of system compromise No. 10: Your bank account is missing money

I mean lots of money. Online bad guys don't usually steal a little money.
They like to transfer everything or nearly everything, often to a foreign
exchange or bank. Usually it begins by your computer being compromised or
from you responding to a fake phish from your bank. In any case, the bad
guys log on to your bank, change your contact information and transfer
large sums of money to themselves.

What to do. In most cases, you are in luck because most financial
institutions will replace the stolen funds (especially if they can stop the
transaction before the damage is truly done). However, there have been many
cases where the courts have ruled it was the customer's responsibility to
not be hacked, and it's up to the financial institution to decide whether
or not they will make restitution to you.

If you're trying to prevent this from happening in the first place, turn on
transaction alerts that send text alerts to you when something unusual is
happening. Many financial institutions allow you to set thresholds on
transaction amounts and, if the threshold is exceeded or it goes to a
foreign country, you'll be warned. Unfortunately, many times the bad guys
reset the alerts or your contact information before they steal your money.
So make sure your financial institution sends you alerts anytime your
contact information or alerting choices are changed.

Sure sign of system compromise No. 11: You get calls from stores about
non-payment of shipped goods

In this case, hackers have compromised one of your accounts, made a
purchase and had it shipped to someplace other than your house. Oftentimes,
the bad guys will order tons of merchandise at the same time, making each
business entity think you have enough funds at the beginning, but as each
transaction finally pushes through you end up with insufficient funds.

What to do. This is a bad one. First, try to think of how your account was
compromised. If it was one of the methods above, follow those
recommendations. Either way, change all your logon names and passwords (not
just the one related to the single compromised account), call law
enforcement, get a case going, and start monitoring your credit. You'll
probably spend months trying to clear up all the bogus transactions
committed in your name, but you should be able to undo most, if not all, of
the damage.

Years ago you could be left with a negative credit history that would
impact your life for a decade. These days, companies and the credit
reporting agencies are more used to cyber crime, and they deal with it
better. Still, be aggressive and make sure you follow every bit of advice
given to you by law enforcement, the creditors and the credit-rating
agencies (there are three major ones).

Malware vector trifecta to avoid

The hope of an anti-malware program that can perfectly detect malware and
malicious hacking is pure folly. Keep an eye out for the common signs and
symptoms of your computer being hacked as outlined above. And if you are
risk-averse, as I am, always perform a complete computer restore in the
event of a breach. Because, once your computer has been compromised, the
bad guys can do anything and hide anywhere. It's best to just start from
scratch.

Most malicious hacking originates from one of three vectors: unpatched
software, running Trojan horse programs and responding to fake phishing
emails. Do better at preventing these three things, and you'll be less
likely to have to rely on your antimalware software's accuracy - and luck.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/