Fresh hell for TalkTalk customers: TeamView trap unleashed

TalkTalk customers are getting caught up in the TeamViewer remote-control PC seizure storm. Customers of the ISP with TeamViewer accounts say they are being hit by opportunists trying to seize control of their PCs. Faced with this fresh assault on their long-suffering customers’ privacy, TalkTalk’s board will discuss the …

  1. Paul Woodhouse

    damn... need more popcorn...

    1. VinceH Silver badge

      I doubt if there will ever be enough popcorn for this.

      1. Anonymous Coward

        Complete Bunch of

        Didos.

  2. Anonymous Coward

    What would be helpful...

    ...would be publishing the 0345 so people know to block / ignore it.

    1. Mark 85 Silver badge

      Re: What would be helpful...

      If the miscreants are working like the others (MS Tech, etc.), since they're using VOIP they will just roll another number. Minor headache for them. Big headache for those being called.

  3. GreggS

    Still, look on the bright side.

    I'm told they're cheap.

    1. Danny 14 Silver badge

      Re: Still, look on the bright side.

      So is Morrisons vodka. Still wouldn't touch either. Unless I've been glossing and need to clean the brushes - it is more effective than white spirit and not much more expensive.

      1. I ain't Spartacus Gold badge

        Re: Still, look on the bright side.

        Personally I prefer to drink white spirit, as it's much more effective. But each to their own...

  4. Gordon 10 Silver badge

    This is interesting

    No evidence to suggest whether it's TeamViewer or Talk Talk where the ultimate fault lies. (Or possibly both).

    It's entirely possible that the spike is just due to the number of Talk Talk consumers who have needed remote support, making them a statistically significant part of the TeamViewer attack.

    It's also possible it's due to an existing or new leakage from Talk Talk, or a union of their dataset with whatever is the source of the TeamViewer dataset.

    Glad I un-installed TeamViewer a few months back due to its persistent nagging behaviour.

    1. Dabooka Silver badge

      Re: This is interesting

      I'm going out on a limb here, but TalkTalk gets my vote.

      No obvious reason to assume it's them, but I've got this nagging feeling at the back of my mind....

      1. Dan Wilkie

        Re: This is interesting

        In fairness to TalkTalk (that stuck in the back of my throat a bit) - I've had 6 phone call attempts to "assist me with issues using TeamViewer" and 11 email attempts asking to add such and such a person on TeamViewer - I've never been a TalkTalk customer and the emails have come through Hotmail.

        So I don't think it's just confined to them.

        The emails generally go like this:

        Hello,

        UORetribution would like to add you as a contact in his/her TeamViewer contacts list.

        To accept UORetribution as a contact please click the following link.

        <URL removed just in case someone is that daft...>

        1. VinceH Silver badge

          Re: This is interesting

          "In fairness to TalkTalk (that stuck in the back of my throat a bit) - I've had 6 phone call attempts to "assist me with issues using TeamViewer" and 11 email attempts asking to add such and such a person on TeamViewer - I've never been a TalkTalk customer and the emails have come through Hotmail.

          So I don't think it's just confined to them."

          Well, in fairness to your poor suffering throat, the TeamViewer problem that's been in the news recently doesn't start with phishing emails that try (from the sounds of what you describe) to get you using it or whatever. That problem is people that already have TeamViewer installed, and someone manages to access it remotely - no phishing necessary.

          So I think you're commenting on a different (if slightly related) issue.

        2. tr1ck5t3r

          Re: This is interesting

          The TalkTalk webmail access was using an SSLv3 cert for a period of time, but I don't think it would have been picked up by an automated PCI-DSS scan based on what I have logged PCI-DSS scanners doing in the past.

    2. Anonymous Coward

      Re: This is interesting

      "No evidence to suggest whether its TeamViewer or Talk Talk whether the ultimate fault lies. (Or possibly both)."

      Or possibly neither. Just because a bunch of idiots manage to generate some self-reinforcing hysteria about something on the internet doesn't necessarily mean it's real. Here we have scammers phoning up pretending to be TalkTalk technical support, and you have some TalkTalk customers falling for it. There's no particular reason to think it goes further than that, particularly since TalkTalk customers aren't the brightest (otherwise they wouldn't be TalkTalk customers).

    3. Anonymous Coward

      Re: This is interesting

      The whole TalkTalk + Teamviewer thing has been running for about a year now. We've been getting up to half a dozen calls a day from scammers using our old TalkTalk account details and suggesting they could help solve our technical problems - we only have to browse to "Teamviewer"...etc.

  5. wolfetone Silver badge

    Bilderberg

    Ah ha! Now we know why Dido attended it, this is all part of the New World Order's plot to take over the world!

    By screwing over the already screwed TalkTalk customer.

    1. Mpeler

      Re: Bilderberg

      Ahhh, Dido... Gets them in the Aeneas every time.....

    2. Mike Richards

      Re: Bilderberg

      Perhaps Dido's making the calls to try and recoup some of TalkTalk's losses?

      1. FidotheFrightful

        Re: Bilderberg

        I've voted with my feet and left this dodo. The clowns include your full account no. in their e-mailed bill notification to show it's come from them, despite the fact that the scammers have got it and quote it as proof that it is TalkTalk making a phone call to you. The final straw was the daily calls from BT?, my ISP? etc. trying to get me to install TeamViewer. The blighters have obviously got your age/DOB from the last of the 3 data losses by TalkTalk and work on the old and purportedly vulnerable aged punters. Their enthusiasm didoed somewhat when I told them I was using a laptop with BeOS and NetPositive installed on the laptop by my son. TeamViewer works in Mac, Windows and Linux environments but not BeOS. The guy went into orbit when I told him, operating system: BeOS, internet browser: NetPositive. TT are still having probs with their website today, in fact it's been funny for the last few days. Thank heavens I'm leaving these dodos behind!

  6. adam payne Silver badge

    "Valentino installed TeamViewer at the request of a TalkTalk customer service representative who was attempting to fix problems with her PC in late 2015."

    TeamViewer login details on one of the databases perhaps?

    At this point who would believe anything TalkTalk say?

    1. I ain't Spartacus Gold badge

      I thought TeamViewer generated a new password each time, even if TalkTalk had saved the ID number (that doesn't change). Certainly that's how it's worked when I've used it, even when you have to reboot it (unless you use a particular setting) it restarts with a new password.

      I'm pretty sure it is from a data leak on TalkTalk though. As my Mum got a call on her mobile, from people who knew her address and that she was with TalkTalk. In their case it was to fix her YouView box, which really was playing up at the time. There was a story that their call-out engineer database had also been breached.

      Caller had a strong Indian accent, but then TalkTalk themselves use call centres out there - and many of their own staff don't have the finest English skills. This person managed to persuade her to download TeamViewer, but only in order to take her to the Western Union website to do a money transfer. I spent a while checking the PC, and that seemed to be all they did when in control of it, and she turned it off and called me when that came up, because nobody legitimate uses Western Union transfers and TalkTalk obviously already have her bank account details.

      She's since been getting several calls a day to her mobile - so she used TalkTalk's withheld number blocking service. Which promptly blocked all the NHS calls to sort out her sister's cancer treatment, because the NHS annoyingly blocks caller ID. So the fuckers have done real harm - although I'd say that's equally the fault of the NHS (for that policy) and TalkTalk for not warning of the obvious consequence of their blocking. Also for not even allowing withheld numbers to go to voicemail - given that scammers and spammers rarely leave messages. What a fucking mess!

      I'm a dutiful son. I did warn her not to use TalkTalk. But it was a couple of quid cheaper. I have quietly suggested she move away, but I think that was interpreted as an "I told you so", even though I was very careful to not even imply that I had.

      Oh and I think TalkTalk must have got hold of some old 386 processors for their YouView boxes. The software's not actually that bad, but the fucking thing takes 60 seconds to boot, and sometimes 15 seconds just to load the EPG. Utterly crap company.

  7. Anonymous Coward

    Something doesn't add up

    A TeamViewer session ID only lasts for maybe 4 days at the most; certainly it won't be the same ID unless they have a full / host installed, in which case they may have already been compromised.

    I had my account lifted despite unique account details, but where it went pear shaped was some (not all) of my hosts had the password saved under my account. Once in my account, they went into the 'password saved' hosts and changed the TV passwords. Fortunately all but 3 hosts are on domains so they couldn't get further, but the 3 were computers used to run 'information screens'. Looking through the logs they have been trying to regain access, but I'm now whitelisted and passwords cranked up to 10 as it looks like they are brute forcing the known ID.

    Reason the passwords were saved is down to the way TV adds new host IDs to your account, so I will remember to remove the password after setting them up.

    1. Cynic_999 Silver badge

      Re: Something doesn't add up

      "

      A teamviewer session ID only last for maybe 4 days at the most, certainly it won't be the same ID unless they have a full / host installed in which case they may have already been compromised.

      "

      Huh? I have the freebie TeamViewer and it still has same partner ID that it was issued with when I installed it 18 months ago.

      1. Anonymous Coward

        Re: Something doesn't add up

        "Huh? I have the freebie TeamViewer and it still has same partner ID that it was issued with when I installed it 18 months ago."

        That's because you installed it. It's the quick support / session IDs that I was referring to.

  8. Adam JC

    Teamviewer at fault or Talktalk?

    "According to Valentino, very few people know her new number, although it is known to TalkTalk. It would appear that the scammers are catching up to her based on the fact she has a TeamViewer account."

    Sounds to me like the scammers were routing through a TALKTALK leaked information list and Teamviewer was merely the remote support tool of choice. I know Teamviewer have had a hard time recently, but given the fact these guys were cold calling armed with information I would be inclined to believe TT are at fault and not Teamviewer. The story is lacking details such as whether the PC was attached to someone's Teamviewer account, and there are some strange points, namely where Valentino says she refused to give them access to her computer but they 'did it anyway'.

    1. Anonymous Coward

      Re: Teamviewer at fault or Talktalk?

      *rooting

  9. Anonymous Coward

    My favorite

    Is the "Hello, I'm calling from Microsoft's Support Desk..."

    My response is usually, "No you're not you lying piece of beep, now f-off you beep beep beep..."

    1. Lotaresco

      Re: My favorite

      I've played along with a scammer, trying to do everything he asked me to do. I didn't tell him I was using a Linux box, with no internet access, it took about an hour before he finally twigged that he was being taken for a ride.

      1. VinceH Silver badge

        Re: My favorite

        "I've played along with a scammer, trying to do everything he asked me to do. I didn't tell him I was using a Linux box, with no internet access, it took about an hour before he finally twigged that he was being taken for a ride."

        The one time I tried that it didn't work very well. I was at my parents' place when I answered the phone, and when I started acting a bit dim the guy spoke to me by name: but not my name, my youngest brother's name, which caught me off guard and ruined the whole thing.

        And it's only now that I've put two and two together: My brother was a TalkTalk customer at one point.

        (He often gives my parents' number as a contact number due to his mental health issues).

        I wish I could remember exactly how long ago it was so I could correlate it to the TalkTalk HackHack - but the truth is while I'm thinking earlier this year, it may be that the timing of events in the news may be affecting my recollection.

      2. Anonymous Coward

        Re: My favorite

        "I've played along with a scammer, trying to do everything he asked me to do."

        I've done this, except I was doing it with a virtual Win98SE box running in my memory, not on an actual computer. I was also being overly obtuse and obstructive in a combination of the worst users I have been subjected to whilst doing support.

        He made slow progress through getting me to upgrade from IE4 to a later web browser (at arbitrarily assigned dial up speeds). He gave up when, after he'd got a version of the remote access software that would work on 98SE, uninstalled the AV and configured the fictional firewall, it then caused a fatal exception of OE.

        The poor bloke hung up at this point. My record is just shy of 45 minutes, with having the first tech screaming and shouting at me and getting a transfer to his "manager".

        1. Paul 129

          Re: My favorite

          Was a client of mine, about four years ago now; she was completely gullible, fell for it all hook, line and sinker. Had them going for 4 hours.

          She is a sweet old dear, 36K dialup is all the nonsense broadband she ever wants, and refuses to upgrade. Could they talk her through a net install of teamviewer.... Not a chance! XD

    2. John McCallum

      Re: My favorite

      That is usually my response, only I don't say beep, beep; more like "eat shite and die, now f... off". No patience at all with them.

    3. Stuart Halliday

      Re: My favorite

      I like to remind them that their mother would be ashamed of them....

      1. Inventor of the Marmite Laser Silver badge

        Re: My favorite

        They don't have mothers.

  10. Anonymous Coward

    Translation

    "Valentino said she said “no” to his use of TeamViewer, but said that he took over control of her PC regardless."

    Translation: "Valentino gave him the TeamViewer ID and password, and he took over control of her PC. Upon realising how gullible she had been, she said "Oh no! Can I blame this on somebody else? TalkTalk? Hackers? Dog ate my homework?"

    1. psychonaut

      Re: Translation

      absolutely spot on

    2. Sandtitz Silver badge

      Re: Translation

      I don't know how Talk Talk has conducted their Teamviewer connections in the past, but here's an example how the intruder might have gained access.

      Normally, upon installation Teamviewer creates a unique ID and a 4 digit password that changes every time the TV application is restarted. (The ID can't be easily changed by the end user since it is generated from a MAC address)

      If Talk Talk has a) customized the Teamviewer application to never randomize the password and b) enabled the host module to start at boot, and c) Talk Talk customer support has written down the ID and the password in the breached customer records then it is trivial for the hackers to invade computers without any user action.

      The above is dependent on several conditions but I've seen worse decisions when managers are contemplating between ease of use and security. Is it possible that someone at TT has made those decisions? Yes.

      1. psychonaut

        Re: Translation

        I still don't get why, then, the miscreants bothered to phone the customers, seeing as they could simply remote control their PCs any time they liked.

      2. Anonymous Coward

        Re: Translation

        The phone call would be redundant if they could do that. So the likelihood is that they need some additional piece of information or action from the customer before they can gain access. That would be the TeamViewer credentials.

        1. psychonaut

          Re: Translation

          Additional pieces of information like the TeamViewer ID and password?

          Yes. Exactly, so it's just people being gullible.

          Someone random phones you up and you give them all your bank account details, passwords, date of birth and mother's maiden name. Same thing.

          This hasn't got anything to do with TeamViewer. You may as well blame the telephone system for enabling the "hackers" to be able to phone them up, or the internet for letting them be able to access their machines.

          The claim in the article that the "hackers" remote controlled their PC without them telling them anything is bullshit.

  11. Lotaresco

    Blame the customer

    I don't normally appreciate customer blaming. However TalkTalk customers are probably fair game for blaming now. They have had their personal data compromised and the CEO subsequently demonstrated an astonishing level of complacency, ignorance of basic security and even ignorance of the Data Protection Act. Yet at the last count many of the customers affected have stayed with TalkTalk. What sort of a hint do they need to drop TalkTalk and go elsewhere?

    1. paulf Silver badge

      Re: Blame the customer

      And how many of them did want to leave but the TalkTalk shyster they spoke to told them it would be £200/£500/think of a number to break their contract mid term and just didn't have the energy/knowledge/gumption to tell LieLie to do one. Even if they did push on with leaving they would have risked ShitShit wrecking their credit history in revenge.

      To put it another way: I agree with you but only in respect of people who've joined or renewed their contract with ShitShit since the most recent and high profile data breach (or they didn't leave as soon as their existing contract commitment ended after that breach).

      I especially agree with you in respect of those who said "It didn't happen to me and they're cheap so it's a lot of fuss over nothing."

      1. joshimitsu

        Re: Blame the customer

        I've had a broadband company put an account default notice on me, after I forced them to close the contract.

        I was able to make them cancel the debt collection and remove the note from my credit history as well - their excuse was that one part of the company did not get the update.

        But yes, it is a bit of a hassle.

    2. TheProf

      Re: Blame the customer

      Unfortunately for people on a low income TalkTalk are good value for money.

      My elderly parents are with TalkTalk and after last year's bad news stories they looked for an alternate supplier of phone/broadband. They mainly need international and domestic calls and a bit of web browsing. They didn't find one that offered what they currently get for the money they pay.

      Would paying more to a different company protect them from the data breaches that affected TalkTalk? It's nice to think it would but I doubt it.

      1. I ain't Spartacus Gold badge

        Re: Blame the customer

        TalkTalk are not good value for money. They're cheap. There's a huge difference. I've not looked into it for a while, so don't know how much more you'd have to pay to get something better - and obviously if they're the cheapest, and money is tight, then you may be stuck with them.

        But as well as costing less, they're also much less reliable. Certainly given the number of times I've had to go over to Mum's house and sort things out, and she's had engineers out 3 times in the last year or so - including a new router and YouView box. Their routers seem to be worse than the usual ISP crap, and their YouView box seems to have a 386 processor. Or possibly an abacus...

  12. Mr_Pitiful

    Teamviewer

    I've read the reports on Teamviewer being hacked and then this today about TalkTalk

    I reckon it's coincidence; the phone scammers always try and use TV in my experience.

    It has to be related to a phone scam, in some way or how are the 'hackers' getting IDs & PWs?

    I use TV in relation to work and have over 400 customers, none have reported anything odd

    Sounds more like TalkTalk customers are receiving phone calls from scammers and, with a bit of luck, already have TV installed.

    1. Mr_Pitiful

      Re: Teamviewer

      In the final paragraph of the article, TalkTalk state that TeamViewer is installed on its customers' PCs

      " the spokesperson said, adding the firm is aware that TeamViewer is installed on the PCs of its customers."

      Is the TV Database stored on a central server at TalkTalk and that equipment has been compromised?

      I don't use this feature, but it would be useful if I needed unattended access, I suppose

      Maybe that's the way it's been done!

      1. psychonaut

        Re: Teamviewer

        TalkTalk definitely DO NOT install TV on EVERY customer's machine by default. This is bullshit.

        They might use it for remote support if a customer has a problem, so some of them might have it installed. I'm pretty sure they would use one-time remote support though, rather than the hosted module or the full version.

        This article makes no sense at all.

  13. Rod 6

    Left these guys when they got broken into last time. It was well past the end of my contract, so it should have been an easy matter to cancel. The call centre operator spoke really poor English - not quite enough to do his job. He tried to convince me to stay, even though I had told him I definitely wanted to leave. After a while on the phone, he told me everything had been cancelled and I would only pay one more month's bill. Then they kept billing me for three months despite phone calls and complaints. It was only when I threatened to report them to Ofcom that they actually stopped taking money. I would never go anywhere near these people again - real pain in the backside.

  14. Crisp Silver badge

    "TalkTalk’s board will discuss the matter at a meeting this week"

    I'm sure their customers feel safer already.

  15. Anonymous Coward

    Fighting back

    Had some scumbag call me, claiming to be from TalkTalk and saying my PC was having problems, yadda yadda. Tried to get me to download a remote access client so I feigned all sorts of problems (404 not found for one and his backup I claimed was "resource unavailable" or somesuch.)

    Conned him into believing he may have a problem at his end and suggested he check the Device Exception Log.

    Of course, he hadn't a clue so I talked him thru how to run it. It boiled down to:

    Open the Command prompt and type "DEL C:\*.*"

    DEL meaning Device Exception Log, naturally :-)

    Dunno if it worked but it was the only thing I could think of.

    Does anyone know a simple command one could obfuscate that would screw up (preferably permanently) a scumbag's PC without having Windows blocking it?

    1. psychonaut

      Re: Fighting back

      <install> -win10 /y

    2. highdiver_2000

      Re: Fighting back

      A bit old school

      zztop.exe

    3. Peter2 Silver badge

      Re: Fighting back

      DEL C:\*.* wouldn't work; even if the user had admin privileges it'd only wipe out files in the root directory of C and not subdirectories. Five stars for effort though, and a very good effort off the cuff.

      "DEL C:\*.* /S /Q" might work, though it'd take ages and be prone to being stopped. My first thought when it comes to quickly causing total disaster is getting them to go into regedit and delete HKLM/Software.

      Does anybody have an easily restored Win7 VM they don't mind nuking a few times to find the best way of killing a scammer's computer quickly?

  16. psychonaut

    I call bullshit

    This doesn't make any sense.

    1) If the miscreants ALREADY had your TeamViewer ID and passcode, why would they bother to phone you up?

    2) If TV has been breached (which I don't believe; more like crap passwords, reuse of passwords, 4 digit passcode enabled on TV instead of 10 digit) and they had access to your machine, why would they bother to phone you up?

    If, on the other hand, they phoned you up and you are a gullible twat and gave them your TeamViewer ID and passcode, it all makes sense.

  17. CJ_C

    Talktalk Phishing?

    Talktalk say my details have not been compromised, but I still get fake calls to my ex-directory number saying I am a customer. Is this just phishing or are Talktalk being economical with the truth?

    It does mean that I have pissed off apparently genuine Talktalk callers by accusing them of being fake...

  18. Drone Pilot

    And still it's a good idea for the ISPs to store all our browsing data.

    cue Indian accent

    Hallow, this is Ragesh from Amazon. You were looking at our product yesterday...All I need is your card and pin and mother's maiden name

  19. hellwig Silver badge

    Is TeamViewer Common for ISPs?

    I've never had an ISP ask to take control of my computer here in the US. If they can't fix the problem on their end or in the modem/router, they better send out a tech. What is my computer going to allow the ISP to do to fix the problem? That assumes I'm even using a computer and not a smart phone, smart TV, etc...

    1. Mark 85 Silver badge

      Re: Is TeamViewer Common for ISPs?

      I had that happen only once, many moons ago here in the States. We installed TV, they found the issue (it really was with them and not me but it took a bit of buggering around to sort it out) and then had me uninstall it afterwards. I would have anyway, but they apparently did this for anyone that required a TV session.

      ISPs are stupid, if they do install it, not to make sure it's uninstalled when they are finished.

  20. Walter Bishop Silver badge

    TalkTalk customers and TeamViewer

    Once you connect your 'computer' to the Internet then you're on your own as far as your ISP is concerned. These remote control apps are toxic; there's no way the makers can guarantee your PC won't get hacked. You're just opening up a window of opportunity onto your computer. Your safest way to go online with the current state of 'computer' security is to boot from a portable USB device that comes with physical write protection.

    Boot and run Linux from a USB flash memory stick

  21. MR J

    At least their Email is secure.

    They don't use that SSL stuff as it's broken. They use some sort of Clear Text security, works a charm.

  22. tr1ck5t3r

    I've been reporting this and other problems since Jan '15 to TalkTalk (numerous times), ActionFraud 3 or 4 times and GCHQ last year 3 days before it was announced in the news TalkTalk were hacked.

    Some of the problems seen on TalkTalk: trying to call DVLA, 3 times the number would not connect (last Aug), so off to Google searching for a different DVLA number. Tried a number coming 3rd in the results and that was just a number which gave you a short message to say it was connecting you before you got a 2nd dial tone that put you through to DVLA. I hung up at this point, tried the DVLA number and it then worked. I suspect it recorded the call to harvest the personal details you gave out to TalkTalk. Reported to ActionFraud.

    When phoning one bank, every time I mentioned GCHQ the line went dead, forcing me to recall the bank. Twice this happened.

    When trying to access some of the high street banks online, not only were SSLv3 certs showing up in the browser, which we know is now compromised (POODLE iirc), but this could have been a MITM attack somewhere in the infrastructure as the banks' certs were showing up as SSLv3 in the browser even when running from a Linux distro as a live CD (ie not installed). But these could have been compromised distros with matching hashes if the TalkTalk DNS and/or switches have been compromised to reroute you to fake look-a-likey Linux distro download sites.

    Running VLANs at home for every device with default block and some reject rules on outgoing traffic, ie total lockdown of all ports & traffic, I've created rules to allow a device access to things like DNS, anything going out to a website, or for an internal device to talk to another internal device. Everything logged.

    Reason for doing this, is that when running NoScript to ad block, traffic is sent back to google and I had set the system up to block traffic to Google as this extra reporting of your web activity to google is what improves the results.

    I've caught the TalkTalk TV box trying to connect to a W7 machine when there is no reason for doing so, but suspect it's tied in with a hidden W7 partition and series record for some TV programs being deleted. I've seen MITM attacks on forums like pfSense and UK media outlets with fake news stories, with attacks coming from the DailyMail.co.uk and the Akamai network which are picked up and blocked by Snort.

    I've seen numerous times various W7 CDs direct from MS and other outlets installing a hidden partition which I can't find anything about, which can be remotely deleted using the UEFI BIOS. I even have a few photos of a phone showing an unknown number which called and then deleted the partition at the time it was being examined in the hex editor on an old Partition Magic live CD, as this is what you can do now with UEFI BIOS and Intel/AMD CPUs with out-of-band access/Wake on LAN.

    I have seen various Linux distros get hacked even when running from a Linux live CD; only Ubuntu 14.04.3 32bit was the one to complain about the 64MB malware that was on a USB stick, as it popped up the terminal window in the GUI complaining of a core OS problem before crashing it. Ubuntu MATE, Linux Mint & Tails didn't even complain, neither did Windows. 64MB is small enough to sit in most hard drive cache controllers, so when you boot up, it can be loaded from disk, sit in the cache to avoid detection and then write itself back to disk when you shut down.

    The 64MB malware on the USB stick was an unknown file system, and even I didn't recognise it when looking at it in a hex editor. I suspect this might have been Duqu 2 as I saw some references to it on the pfSense forums at the time when I was frequenting the pfSense forums.

    Perhaps the hackers were confident they wouldn't get caught?

    One of these hacks means you can't burn anything to CD from a live CD or even Windows. So if you attempt to burn anything from an infected Windows or Linux machine as evidence, you can't.

    Backups have been trashed so I now only burn to DVD and Blu-ray, i.e. read-only media.

    I've seen what was the latest versions of pfsense (middle of last year) install a virtual network interface called "nk0]" which gives you a backdoor into pfsense. I've seen pfsense ignoring block rules letting traffic through.

    Have photos of the screens and various firewall logs taken on an old digital camera after the evidence I was burning was not being burnt.

    Windows updates were being interfered with, and because Windows wants to download updates one by one, unlike Linux apt-get update && upgrade, not only were Windows updates being stalled, but when using a TalkTalk line to ask for a video camera to record the screen of the affected Windows machines, the Windows updates mysteriously started working again!

    I know from professional contacts there is a UK phone company that uses Windows to do its billing software, which suggests a Windows machine is hooked up to BT Openreach for itemised billing.

    When these hackers have called the TalkTalk line, if you don't answer it but ring the number back, it plays a message saying the call cannot accept incoming calls, but even those who are ex-directory will get a call back from the hackers within an hour or so, which suggests the billing system of TalkTalk is still compromised even today. Again all reported to TalkTalk and Action Fraud.

    On the point of the advice being given out by computer crime agencies, they want you to contact them by email, but if a business hosts their own email or web and has been hacked, then you don't have any way to get in touch as they don't/didn't have a phone number to call, which is what prompted me to call GCHQ last year before it was announced TalkTalk was hacked. The Police couldn't investigate anything encrypted, even when spotting unknown encrypted traffic heading to Argentine servers.

    Banks using local rate numbers for telephone banking must give out a normal UK number for overseas callers, but some of these are well hidden so the banks can claw back a few pence for customers calling them. Since then at least one bank has switched over to an 0800 freephone number, as customers looking for the UK number for overseas callers were seeing the wrong number when using Google to search for it.

    I've seen rsyslog dropping syslog messages, which is a bug, so unless you have tested it by sending it your own messages to stress test it, you wouldn't know you are not getting all the syslog messages.

    So all in all, when you add these all up, if connected then someone/some group has been planning these hacks for at least a few years, quite possibly in retaliation for Snowden and the Five Eyes.

    In a way people's laziness has been exploited, because unless you go to the effort of logging and blocking everything leaving your systems, whilst checking images and storage devices frequently even if running read-only filesystems, you wouldn't know you have been hacked, much like Lizard Squad's attack.

    No AV has to date reported anything on Windows, but then if this hidden partition I have found is some sort of virtualisation software loading before Windows, then Windows AV will never find it. Interestingly, even a phone call to Kaspersky to sell them a copy of the malware I have caught didn't go anywhere, but then if the TalkTalk phone system has been hacked, how do you know you aren't talking to the hackers (or spooks) if you have never spoken to the person at the call centre before?

    Interesting times!
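The point about rsyslog above is worth testing rather than assuming: a log pipeline that silently drops messages also drops the evidence a defender relies on. The script below is an added example, not the commenter's code or anything from rsyslog; it sends a run of sequence-numbered syslog datagrams and reports which sequence numbers never arrived. To keep it runnable offline it stands up its own UDP listener in a thread in place of a real collector (an assumption for the demo), and the `drop_every` parameter simulates loss so the gap report has something to show. Against a real rsyslog you would point `send_sequenced` at the collector's UDP port and run `find_gaps` over the lines that landed in the output file.

```python
import re
import socket
import threading

HOST = "127.0.0.1"  # constructed demo: sender and collector on the same host
SEQ_RE = re.compile(r"seq=(\d+)")


def run_listener(sock, count, results):
    """Stand-in collector: gather up to `count` datagrams, stop on a 1s idle timeout."""
    sock.settimeout(1.0)
    while len(results) < count:
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            break  # fewer than expected arrived; the gap check below will report it
        results.append(data.decode("utf-8", "replace"))


def send_sequenced(port, count, drop_every=0):
    """Emit `count` RFC 3164-style syslog lines tagged seq=N over UDP.

    drop_every > 0 deliberately skips every Nth message to simulate loss
    (a constructed failure, so the report is visible in the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for i in range(1, count + 1):
            if drop_every and i % drop_every == 0:
                continue
            msg = f"<14>Jun  1 12:00:00 testhost logtest[1]: seq={i}"
            s.sendto(msg.encode("utf-8"), (HOST, port))
    finally:
        s.close()


def find_gaps(lines, expected):
    """Return the sorted list of sequence numbers in 1..expected missing from `lines`."""
    seen = set()
    for line in lines:
        m = SEQ_RE.search(line)
        if m:
            seen.add(int(m.group(1)))
    return sorted(set(range(1, expected + 1)) - seen)


def check_pipeline(count=200, drop_every=0):
    """End-to-end check: send `count` tagged messages, return the missing sequence numbers."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))  # ephemeral port, so the demo never collides with a real syslog
    port = srv.getsockname()[1]
    received = []
    t = threading.Thread(target=run_listener, args=(srv, count, received))
    t.start()
    send_sequenced(port, count, drop_every)
    t.join()
    srv.close()
    return find_gaps(received, count)


if __name__ == "__main__":
    print("clean run, gaps:", check_pipeline(200))
    print("simulated loss, gaps:", check_pipeline(200, drop_every=25))
```

Running it against a real collector is the only way to know the figure for your own setup; a clean result here only proves the loopback path, not the collector's queue limits or rate limiting.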

    1. dotty

      interesting

      Nice detail. I did find the mad number of partitions on the TV box when I ditched TalkTalk; after a couple of days the box committed suicide, so I pulled the disk and checked it. Thinking about it, if an "agency" could export a large number of remotes into a fair proportion of the country's homes it would be very useful. I suppose the only issue is the useless TalkTalk themselves; they could not organise it, so it must be someone else.

  23. Anonymous Coward

    Teamview

    Excuse my ignorance, but do TalkTalk ask customers to install software that allows remote access to their PCs?

    If so that's seriously fucked from a security perspective. Are they 100% sure that it can't be either breached or subject to phishing?

    Answer = no

  24. Phil Kingston Silver badge

    Surely they didn't

    ...think it was OK to install remote access software on customers' PCs, fix something, then fail to uninstall it?

    Their lawyers gonna be busy.

  25. Anonymous Coward

    Easy to fix...

    1. Uninstall Teamviewer

    2. Leave TalkTalk

    1. psychonaut

      Re: Easy to fix...

      Easy fix: don't give people that you don't know information like your TeamViewer ID and password, particularly if they have just phoned you up out of the blue and have an Indian accent.

  26. IanW

    Caught the source of these support calls

    One of these calls got through to the elderly (gullible) father of a friend of mine. He ended up giving access (they come in via TeamViewer, whether it's installed before or not) and paid them for the 'service' on a continuous authority debit card billing. Particularly dangerous, as those go through even if you change bank accounts - they just follow the leader to the new one.

    In this case, the company was hiding behind a .co.uk domain name that had been set to be anonymous from a Whois point of view (something that should only be available to private individuals). I complained to Nominet, who then exposed the Whois data. Maps back to one of two directors who have 12 companies registered at Companies House in Coventry, who use a UK Barclays account to receive funds and who have 600 telephone-based staff in a call centre in Kolkata, India. Then worked with Stevenage Trading Standards on the result.

    There is little TalkTalk can do - they hop across multiple caller IDs (about 12,000 complaints down to two specific ones). If TalkTalk's voice hardware can knock out calls based on the private caller IDs (not the editable public ones), that would be a useful service to offer. Outside of that, it's awareness campaigns (as these support calls come from one of multiple pretend sources) and working with Trading Standards; the Stevenage ones have been brilliant in our case.

  27. dotty

    As a former TalkTalk customer: they are disorganised and cash driven, and the support seems intent on closing the call and denying anything.

    I am not surprised they are in such trouble, and TeamViewer is an open hole in your security.

    dotty

  28. Aodhhan Bronze badge

    GEESH.

    Okay, so dump both.

    Makes me want to install and start using these to see if I get a request to "fix" my computer. Then tell them I really need to run a small VPN program (but it's really malware) to do my job, but it won't work, and see if I can get them to download and run it. Then turn the tide, since I know what services they will have available.

  29. Inventor of the Marmite Laser Silver badge

    Just noticed WankWank's site is down

    "For maintenance"

    Maybe someone went in with a remote session........................

  30. Keith 12

    TT being the ISP that everybody seems to hate

    TT being the ISP that everybody seems to hate. I've had lots of calls from customers who "get the call", from the guy with a strange accent offering to fix your PC, BT customers more often than not.

    Fairly easy to identify customers with a TT ip and / or Teamviewer installed - have to question how they knew the password to logon with though, and why it was left installed in the first place?

    6 years at home with TT, 80/20 fibre for some years which in reality equates to 84/17, with less than 1 day's outage over that period and a very happy customer.

    TT network issues? - try taking a look at BT service status sometime...

    Yup, I hate BT, nope, I don't work for TT.

    Downvotes ahoy! - like I give a sh*t...

  31. croftlea1975

    TALKTALK DO NOTHING WHEN INFORMED OF ANY SCAM!!!

    I have received up to 5 telephone calls per day, for several weeks, from an Indian-sounding caller telling me that I have a problem with my router. I am asked to turn on my computer and press various keys. I have barred the many different numbers. I have informed TalkTalk many times... they do nothing. The latest 5 calls today were from unavailable telephone numbers, alas unable to bar them (not withheld). I answered and once again asked who the account holder was... they had the correct name, and also my account number, which was also correct... I gave no more information.

    TalkTalk were again informed; after 30 minutes of them not listening and doing nothing I gave up. No surprise that there is yet again an issue with their security.

  32. mrbigfeet

    It's still happening!

    Today I had a call from a John Gabriel at 02031290910 claiming to be from TalkTalk and then Openreach, trying to get me to install TeamViewer. He knew my name, address, postcode and account number at TalkTalk. When I refused he got angry and said I was wasting his time. I put the phone down and reported it to TalkTalk.

    Talktalk previously specifically stated that my details had not been hacked. How did this guy get them then?

    It is worrying.

Biting the hand that feeds IT © 1998–2019