11 sure signs you've been hacked
In today's threatscape, antivirus software provides little peace of mind. In
fact, antimalware scanners on the whole are horrifically inaccurate, especially
with exploits less than 24 hours old. After all, malicious hackers and malware
can change their tactics at will. Swap a few bytes around, and a previously
recognized malware program becomes unrecognizable.
To combat this, many antimalware programs monitor program behaviors, often
called heuristics, to catch previously unrecognized malware. Other programs use
virtualized environments, system monitoring, network traffic detection, and all
of the above at once in order to be more accurate. And still they fail us on a
regular basis.
Here are 11 sure signs you've been hacked and what to do in the event of
compromise. Note that in all cases, the No. 1 recommendation is to completely
restore your system to a known good state before proceeding. In the early days,
this meant formatting the computer and restoring all programs and data. Today,
depending on your operating system, it might simply mean clicking on a Restore
button. Either way, a compromised computer can never be fully trusted again. The
recovery steps listed in each category below are the recommendations to follow
if you don't want to do a full restore -- but again, a full restore is always a
better option, risk-wise.
Sure sign of system compromise No. 1: Fake antivirus messages
In slight decline these days, fake antivirus warning messages are among the
surest signs that your system has been compromised. What most people don't
realize is that by the time they see the fake antivirus warning, the damage has
been done. Clicking No or Cancel to stop the fake virus scan is too little, too
late. The malicious software has already made use of unpatched software, often
the Java Runtime Environment or an Adobe product, to completely exploit your
system.
Why does the malicious program bother with the "antivirus warning"? This is
because the fake scan, which always finds tons of "viruses," is a lure to buy
their product. Clicking on the provided link sends you to a professional-looking
website, complete with glowing letters of recommendation. There, they ask you
for your credit card number and billing information. You'd be surprised how many
people get tricked into providing personal financial information. The bad guys
gain complete control of your system and get your credit card or banking
information. For bad guys, it's the Holy Grail of hacking.
What to do: As soon as you notice the fake antivirus warning message, power down
your computer. (Note: This requires knowing what your legitimate antivirus
program's warning looks like.) If you need to save anything and can do it, do
so. But the sooner you power off your computer, the better. Boot up the computer
system in Safe Mode, No Networking, and try to uninstall the newly installed
software (oftentimes it can be uninstalled like a regular program). Either way,
follow up by trying to restore your system to a state previous to the
exploitation. If successful, test the computer in regular mode and make sure
that the fake antivirus warnings are gone. Then follow up with a complete
antivirus scan. Oftentimes, the scanner will find other sneaky remnants left
behind.
Sure sign of system compromise No. 2: Unwanted browser toolbars
This is probably the second most common sign of exploitation: Your browser has
multiple new toolbars with names that seem to indicate the toolbar is supposed
to help you. Unless you recognize the toolbar as coming from a very well-known
vendor, it's time to dump the bogus toolbar.
What to do: Most browsers allow you to review installed and active toolbars.
Remove any you didn't absolutely want to install. When in doubt, remove it. If
the bogus toolbar isn't listed there or you can't easily remove it, see if your
browser has an option to reset the browser back to its default settings. If this
doesn't work, follow the instructions listed above for fake antivirus messages.
You can usually avoid malicious toolbars by making sure that all your software
is fully patched and by being on the lookout for free software that installs
these toolbars. Hint: Read the licensing agreement. Toolbar installs are often
pointed out in the licensing agreements that most people don't read.
Sure sign of system compromise No. 3: Redirected Internet searches
Many hackers make their living by redirecting your browser somewhere other than
you want to go. The hacker gets paid by getting your clicks to appear on someone
else's website, often those who don't know that the clicks to their site are
from malicious redirection.
You can often spot this type of malware by typing a few related, very common
words (for example, "puppy" or "goldfish") into Internet search engines and
checking to see whether the same websites appear in the results -- almost always
with no actual relevance to your terms. Unfortunately, many of today's
redirected Internet searches are well hidden from the user through use of
additional proxies, so the bogus results are never returned to alert the user.
In general, if you have bogus toolbar programs, you're also being redirected.
Technical users who really want to confirm can sniff their own browser or
network traffic. The traffic sent and returned will always be distinctly
different on a compromised computer vs. an uncompromised computer.
What to do: Follow the same instructions as above. Usually removing the bogus
toolbars and programs is enough to get rid of malicious redirection.
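The two checks described above (searching for unrelated common words and watching for the same site to appear every time, and comparing what a compromised machine returns against a known-good one) can be done by hand, but they are easy to automate once you have the result URLs. The following is an added example, not code from the article or from InfoWorld; the search results it works on are constructed sample data, and the allowlist of sites that legitimately rank for everything is an assumption you would extend for your own locale.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: the top result URLs a browser returned for three unrelated
# searches. For a real check, paste the URLs copied from your own result pages.
SAMPLE_RESULTS = {
    "puppy": [
        "https://www.akc.org/expert-advice/puppy-information/",
        "https://en.wikipedia.org/wiki/Puppy",
        "https://best-deals-today.example/offer?ref=search",
        "https://www.petfinder.com/puppies/",
    ],
    "goldfish": [
        "https://en.wikipedia.org/wiki/Goldfish",
        "https://best-deals-today.example/offer?ref=search",
        "https://www.fishkeeping.example/goldfish-care",
    ],
    "tax forms": [
        "https://www.irs.gov/forms-instructions",
        "https://best-deals-today.example/offer?ref=search",
        "https://en.wikipedia.org/wiki/Tax_return",
    ],
}

# Constructed "known good" results: the same searches on a clean machine, which
# here simply lack the injected site.
CLEAN_RESULTS = {q: [u for u in urls if "best-deals-today" not in u]
                 for q, urls in SAMPLE_RESULTS.items()}

# Sites that legitimately rank for almost any query (assumption; extend locally).
ALLOWLIST_SUFFIXES = ("wikipedia.org",)


def domain_of(url):
    """Registrable-ish host name with a leading 'www.' removed, lower-cased."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_allowlisted(domain):
    return any(domain == s or domain.endswith("." + s) for s in ALLOWLIST_SUFFIXES)


def suspicious_domains(results, min_queries=None):
    """Domains that rank for (nearly) every unrelated query.

    A site relevant to puppies should not also rank for goldfish and tax forms.
    One that does is a candidate for injected or redirected results. This is a
    triage list, not a verdict: the allowlist removes reference sites that
    really do rank for everything.
    """
    needed = min_queries if min_queries is not None else len(results)
    counts = Counter()
    for urls in results.values():
        counts.update({domain_of(u) for u in urls})  # count each domain once per query
    return sorted(d for d, n in counts.items()
                  if n >= needed and not is_allowlisted(d))


def newly_injected(clean_results, suspect_results):
    """Domains the suspect machine returns that a known-good machine does not,
    per query: the article's 'compare the two computers' check, applied to
    result pages rather than raw packets."""
    injected = {}
    for query, urls in suspect_results.items():
        clean = {domain_of(u) for u in clean_results.get(query, [])}
        extra = {domain_of(u) for u in urls} - clean
        if extra:
            injected[query] = sorted(extra)
    return injected


if __name__ == "__main__":
    print("appears for every unrelated query:", suspicious_domains(SAMPLE_RESULTS))
    print("present only on the suspect machine:",
          newly_injected(CLEAN_RESULTS, SAMPLE_RESULTS))
```

As the article notes, redirection that happens through an extra proxy after the click will not show up in the result page at all; in that case only the traffic comparison (the second function's idea, applied to captured requests) will reveal it.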
Sure sign of system compromise No. 4: Frequent random popups
This popular sign that you've been hacked is also one of the more annoying ones.
When you're getting random browser pop-ups from websites that don't normally
generate them, your system has been compromised. I'm constantly amazed at
which websites, legitimate and otherwise, can bypass your browser's anti-pop-up
mechanisms. It's like battling email spam, but worse.
What to do: Not to sound like a broken record, but typically random pop-ups are
generated by one of the three previous malicious mechanisms noted above. You'll
need to get rid of bogus toolbars and other programs if you even hope to get rid
of the pop-ups.
Sure sign of system compromise No. 5: Your friends receive fake emails from
your email account
This is the one scenario where you might be OK. It's fairly common for our email
friends to receive malicious emails from us. A decade ago, when email attachment
viruses were all the rage, it was very common for malware programs to survey
your email address book and send malicious emails to everyone in it.
These days it's more common for malicious emails to be sent to some of your
friends, but not everyone in your email address book. If it's just a few friends
and not everyone in your email list, then more than likely your computer hasn't
been compromised (at least with an email address-hunting malware program). These
days malware programs and hackers often pull email addresses and contact lists
from social media sites, but doing so means obtaining a very incomplete list of
your contacts' email addresses. Although not always the case, the bogus emails
they send to your friends often don't have your email address as the sender. It
may have your name, but not your correct email address. If this is the case,
then usually your computer is safe.
What to do: If one or more friends reports receiving bogus emails claiming to be
from you, do your due diligence and run a complete antivirus scan on your
computer, followed by looking for unwanted installed programs and toolbars.
Often it's nothing to worry about, but it can't hurt to do a little health check
when this happens.
Sure sign of system compromise No. 6: Your online passwords suddenly change
If one or more of your online passwords suddenly change, you've more than likely
been hacked -- or at least that online service has been hacked. In this
particular scenario, usually what has happened is that the victim responded to
an authentic-looking phishing email purporting to come from the very service
whose password was later changed. The bad guy collects the logon
information, logs on, changes the password (and other information to complicate
recovery), and uses the service to steal money from the victim or the victim's
acquaintances (while pretending to be the victim).
What to do: If the scam is widespread and many acquaintances you know are being
reached out to, immediately notify all your contacts about your compromised
account. Do this to minimize the damage being done to others by your mistake.
Second, contact the online service to report the compromised account. Most
online services are used to this sort of maliciousness and can quickly get the
account back under your control with a new password in a few minutes. Some
services even have the whole process automated. A few services even have a "My
friend's been hacked!" button that lets your friends start the process. This is
helpful, because your friends often know your account has been compromised
before you do.
If the compromised logon information is used on other websites, immediately
change those passwords. And be more careful next time. Websites rarely send
emails asking you to provide your logon information. When in doubt, go to the
website directly (don't use the links sent to you in email) and see if the same
information is being requested when you log on using the legitimate method. You
can also call the service via their phone line or email them to report the
received phish email or to confirm its validity. Lastly, consider using online
services that provide two-factor authentication. It makes your account much
harder to steal.
Sure sign of system compromise No. 7: Unexpected software installs
Unwanted and unexpected software installs are a big sign that your computer
system has likely been hacked.
In the early days of malware, most programs were computer viruses, which work by
modifying other legitimate programs. They did this to better hide themselves.
For whatever reason, most malware programs these days are Trojans and worms, and
they typically install themselves like legitimate programs. This may be because
their creators are trying to walk a very thin line when the courts catch up to
them. They can attempt to say something like, "But we are a legitimate software
company." Oftentimes the unwanted software is legally installed by other
programs, so read your license agreements. Frequently, I'll read license
agreements that plainly state that they will be installing one or more other
programs. Sometimes you can opt out of these other installed programs; other
times you can't.
What to do: There are many free programs that show you all your installed
programs and let you selectively disable them. My favorite for Windows is
Autoruns. It doesn't show you every program installed but will tell you the ones
that automatically start themselves when your PC is restarted. Most malware
programs can be found here. The hard part is determining what is and what isn't
legitimate. When in doubt, disable the unrecognized program, reboot the PC, and
reenable the program only if some needed functionality is no longer working.
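Autoruns can export its list to CSV, and once the list is in a file the "what is and what isn't legitimate" question can at least be pre-sorted. The following is an added example, not code from the article, InfoWorld or Sysinternals: it parses a constructed CSV whose column names are modelled on the output of autorunsc run with CSV output and signature verification (an assumption; check them against your own export) and scores each autostart entry on the clues a responder looks at first: an unverified signer, a binary running from a user-writable folder, a Windows system binary name living outside the Windows directory, and an entry with no description or company at all. The scoring weights are this example's own choice.

```python
import csv
import io

# Constructed sample, modelled on autorunsc CSV output with signature checking.
# Column names are an assumption of this example. Only the first row is a real
# Windows component; the others are made-up entries for illustration.
SAMPLE_CSV = r"""
Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
Task Scheduler,\OneDrive Standalone Update Task,enabled,Tasks,DESKTOP\alice,Standalone Updater,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrivestandaloneupdater.exe,23.1.1,c:\users\alice\appdata\local\microsoft\onedrive\onedrivestandaloneupdater.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SysUpdate,enabled,Logon,DESKTOP\alice,,(Not verified),,c:\users\alice\appdata\roaming\sysupdate\svchost.exe,,c:\users\alice\appdata\roaming\sysupdate\svchost.exe -silent
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,HelperToolbar,enabled,Logon,System-wide,Search Helper,(Not verified) Helpful Toolbars Inc,Helpful Toolbars Inc,c:\programdata\helpfultoolbar\helper.exe,1.0,c:\programdata\helpfultoolbar\helper.exe
"""

# Folders an ordinary user can write to; legitimate software lives here too
# (OneDrive, for one), so this clue only adds weight, it does not decide.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
# Names of core Windows binaries that malware likes to borrow.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                       "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def parse_autoruns_csv(text):
    """Rows of the export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def triage_entry(row):
    """Return (score, reasons) for one autostart entry. Weights are this
    example's own choice, not a Sysinternals rating."""
    reasons = []
    signer = (row.get("Signer") or "").strip()
    path = (row.get("Image Path") or "").lower()
    name = path.rsplit("\\", 1)[-1]
    if not signer.startswith("(Verified)"):
        reasons.append(("unsigned or unverified signer", 2))
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append(("runs from a user-writable location", 1))
    if name in SYSTEM_BINARY_NAMES and not any(d in path for d in SYSTEM_DIRS):
        reasons.append(("system binary name outside the Windows directory", 3))
    if not (row.get("Description") or "").strip() and not (row.get("Company") or "").strip():
        reasons.append(("no description or company", 1))
    return sum(weight for _, weight in reasons), [text for text, _ in reasons]


def triage(rows, min_score=2):
    """Entries worth a closer look, highest score first."""
    flagged = []
    for row in rows:
        score, reasons = triage_entry(row)
        if score >= min_score:
            flagged.append((row["Entry"], score, reasons))
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for entry, score, reasons in triage(parse_autoruns_csv(SAMPLE_CSV)):
        print(f"{score:>2}  {entry}: {', '.join(reasons)}")
```

The output is a ranking for the disable-reboot-check routine the article recommends, not a verdict: a verified Microsoft updater in AppData scores low, while an unsigned "svchost.exe" in a roaming profile folder scores at the top.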
Sure sign of system compromise No. 8: Your mouse moves between programs and
makes correct selections
If your mouse pointer moves itself while making selections that work, you've
definitely been hacked. Mouse pointers often move randomly, usually due to
hardware problems. But if the movements involve making the correct choices to
run particular programs, malicious humans are somewhere involved.
Though not as common as some of the other attacks, this one is serious: hackers
break into a computer, wait for it to be idle for a long time (like after
midnight), then try
to steal your money. Hackers will break into bank accounts and transfer money,
trade your stocks, and do all sorts of rogue actions, all designed to lighten
your cash load.
What to do: If your computer "comes alive" one night, take a minute before
turning it off to determine what the intruders are interested in. Don't let them
rob you, but it will be useful to see what things they are looking at and trying
to compromise. If you have a cellphone handy, take a few pictures to document
their tasks. When it makes sense, power off the computer. Unhook it from the
network (or disable the wireless router) and call in the professionals. This is
the one time that you're going to need expert help.
Using another known good computer, immediately change all your other logon names
and passwords. Check your bank account transaction histories, stock accounts,
and so on. Consider paying for a credit-monitoring service. If you've been a
victim of this attack, you have to take it seriously. Complete restore of the
computer is the only option you should choose for recovery. But if you've lost
any money, make sure to let the forensics team make a copy first. If you've
suffered a loss, call law enforcement and file a case. You'll need this
information to best recover your real money losses, if any.
Sure sign of system compromise No. 9: Your antimalware software, Task
Manager, or Registry Editor is disabled and can't be restarted
This is a huge sign of malicious compromise. If you notice that your antimalware
software is disabled and you didn't do it, you're probably exploited --
especially if you try to start Task Manager or Registry Editor and they won't
start, start and disappear, or start in a reduced state. This is very common for
malware to do.
What to do: You should really perform a complete restore because there is no
telling what has happened. But if you want to try something less drastic first,
research the many methods on how to restore the lost functionality (any Internet
search engine will return lots of results), then restart your computer in Safe
Mode and start the hard work. I say "hard work" because usually it isn't easy or
quick. Often, I have to try a handful of different methods to find one that
works. Before restoring the disabled tools, get rid of the malware program
using the methods listed above.
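Two of the most common ways malware produces the symptoms above are well known, even though the article leaves the research to you: the policy values DisableTaskMgr and DisableRegistryTools under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, and a "Debugger" value under Image File Execution Options for taskmgr.exe or regedit.exe, which makes Windows launch the named program instead of the tool (the "starts and disappears" symptom). The following is an added example, not code from the article or InfoWorld: it scans the text of a registry export for those two mechanisms, so you can confirm what was done before you remove it. The export it parses is constructed sample data (a real export from reg export is UTF-16 text with the same layout); the value names are the real Windows ones, the contents are made up.

```python
import re

# Constructed sample in the text layout that "reg export" produces (decoded
# from UTF-16). The key and value names are real Windows locations; the data
# in them is invented for this example.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="c:\\programdata\\helper\\nothing.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"UseFilter"=dword:00000000
"""

POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
IFEO_KEY = r"software\microsoft\windows nt\currentversion\image file execution options"
WATCHED_POLICIES = {"disabletaskmgr", "disableregistrytools"}
WATCHED_EXES = {"taskmgr.exe", "regedit.exe", "msconfig.exe"}


def parse_reg(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: raw_data}}.
    Only the "Name"=data form is handled, which is all this check needs."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match and current is not None:
            keys[current][match.group(1).lower()] = match.group(2)
    return keys


def find_disabling_entries(keys):
    """(hive, what, data) for every policy value or IFEO debugger that would
    block Task Manager, Registry Editor or msconfig."""
    findings = []
    for path, values in keys.items():
        hive, _, rest = path.partition("\\")
        if rest == POLICY_KEY:
            for name, data in values.items():
                if name in WATCHED_POLICIES and data == "dword:00000001":
                    findings.append((hive, name, data))
        elif rest.startswith(IFEO_KEY + "\\"):
            exe = rest[len(IFEO_KEY) + 1:]
            if exe in WATCHED_EXES and "debugger" in values:
                findings.append((hive, f"IFEO debugger for {exe}", values["debugger"]))
    return findings


if __name__ == "__main__":
    for hive, what, data in find_disabling_entries(parse_reg(SAMPLE_REG)):
        print(f"{hive}: {what} = {data}")
```

Finding the entries is the easy half; as the article says, remove the malware first, because a program that is still running will simply put the values back.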
Sure sign of system compromise No. 10: Your bank account is missing money
I mean lots of money. Online bad guys don't usually steal a little money. They
like to transfer everything or nearly everything, often to a foreign exchange or
bank. Usually it begins by your computer being compromised or from you
responding to a fake phish from your bank. In any case, the bad guys log on to
your bank, change your contact information, and transfer large sums of money to
themselves.
What to do: In most cases you are in luck because most financial institutions
will replace the stolen funds (especially if they can stop the transaction
before the damage is truly done). However, there have been many cases where the
courts have ruled it was the customer's responsibility to not be hacked, and
it's up to the financial institution to decide whether they will make
restitution to you.
If you're trying to prevent this from happening in the first place, turn on
transaction alerts that send text alerts to you when something unusual is
happening. Many financial institutions allow you to set thresholds on
transaction amounts, and if the threshold is exceeded or it goes to a foreign
country, you'll be warned. Unfortunately, many times the bad guys reset the
alerts or your contact information before they steal your money. So make sure
your financial institution sends you alerts anytime your contact information or
alerting choices are changed.
Sure sign of system compromise No. 11: You get calls from stores about
nonpayment of shipped goods
In this case, hackers have compromised one of your accounts, made a purchase,
and had it shipped to someplace other than your house. Oftentimes, the bad guys
will order tons of merchandise at the same time, making each business entity
think you have enough funds at the beginning, but as each transaction finally
pushes through, you end up with insufficient funds.
What to do: This is a bad one. First try to think of how your account was
compromised. If it was one of the methods above, follow those recommendations.
Either way, change all your logon names and passwords (not just the one related
to the single compromised account), call law enforcement, get a case going, and
start monitoring your credit. You'll probably spend months trying to clear up
all the bogus transactions committed in your name, but you should be able to
undo most, if not all, of the damage.
Years ago you could be left with a negative credit history that would impact
your life for a decade. These days, companies and the credit reporting agencies
are more used to cyber crime, and they deal with it better. Still, be aggressive
and make sure you follow every bit of advice given to you by law enforcement,
the creditors, and the credit-rating agencies (there are three major ones).
Malware vector trifecta to avoid
The hope of an antimalware program that can perfectly detect malware and
malicious hacking is pure folly. Keep an eye out for the common signs and
symptoms of your computer being hacked as outlined above. And if you are
risk-averse, as I am, always perform a complete computer restore in the event
of a breach. Because once your computer has been compromised, the bad guys can
do anything and hide anywhere. It's best to just start from scratch.
Most malicious hacking originates from one of three vectors: unpatched software,
running Trojan horse programs, and responding to fake phishing emails. Do better
at preventing these three things, and you'll be less likely to have to rely on
your antimalware software's accuracy -- and luck.