I am concerned that I'm somehow being actively hacked

"ttyymmnn" (ttyymmnn)
02/26/2019 at 21:59 • Filed to: None

Here’s the story. It’s a bit long, but hang in there.

I have four computers in my house. My iMac, and three PCs that my boys use for gaming. All the computers are hardwired to a router.

A couple of weeks ago, we started getting emails from one of my boy’s games (Epic/Fortnite, I think) that somebody was trying to change his password. These messages were addressed to his email address [Dear XX@XX.com] instead of his screen name [Dear Gamer]. Since we weren’t trying to change the password, and the email said as much, we ignored them. No, we didn’t change his password. Yet.

He also got a few emails (I monitor his email account) from what looked like a gaming company called Gaijin, again about changing passwords. The message was addressed to his gamer tag. My son has never had an account with this company, and did not recognize any of the games. I then got messages that said somebody had logged into his Gaijin account first in Russia, then in Missouri.

On Sunday, I started getting emails addressed to my Gmail (with an extra period added in the name part) that said that I had opened an account with a company in India called Freecharge, which sells prepaid phone cards. I got a rapid series of emails saying that they had recharged some cards. So I went to look at my credit card accounts. One of them had four charges (two each) from tourism companies, one in Canada and one in Europe. The charges were for $0.00. We called the CC company and had the card canceled.

We changed the passwords on my son’s games on Sunday, and by Monday we got another email that somebody was changing his password again, seemingly almost right after I changed it. The only way this would/could be possible, as far as I know , is if somebody were monitoring his email and getting the reset codes. So I changed the password AND email in the game , then called my ISP to cancel my son’s email address. When I tried to log into the master email account (which I have never used to send or receive mail) it was locked. I called Spectrum, and they said that they noticed unusual activity on it recently and locked it. Once we reset, there was no mail activity on it, but they couldn’t tell me what sort of unusual activity was occurring. Perhaps somebody was trying to access it unsuccessfully.

After changing ALL email passwords and ditching my son’s compromised account, things were pretty quiet today. Until this evening, when my wife got an email from a different CC company alerting a possible fraudulent charge. Sure enough, somebody used our other card, the one that had NEVER been stolen, to buy chicken in California. So we called, canceled, and will be getting new cards.

This could be a coincidence. But all of this happening so close together makes it hard to imagine that it could be. A few weeks ago we went through and made sure that none of the CC information was stored on the game servers. As far as I know, we don’t have any CCs saved anywhere, though it could have been stolen ages ago . The PCs are running Win 7, and I have run a full MSE scan on them and found nothing . I downloaded a free virus scan for my Mac (Avira) and ran that. Nothing.

So, my question is: Could this possibly be a coincidence? Could the latest CC theft just come from some card stripper somewhere? Could somebody have gotten into my computer through the networked PCs? And, even if they did, there’s nothing there. I keep a passwords document on the computer, but it is a password-protected MSWord doc, and doesn’t even have the CC numbers on it, though it does have email credentials. At this point, I don’t really know what to do. It’s practically impossible to stay ahead of these people, as they are always more savvy than I am.

Which is why I’m asking you fine people. Any suggestions on how to move forward?

DISCUSSION (47)

gmporschenut also a fan of hondas > ttyymmnn
02/26/2019 at 22:04

I’m assuming you use norton or other top malware protection?

lone_liberal > ttyymmnn
02/26/2019 at 22:09

Do a MalwareBytes scan to augment MSE as that was not all that great.

His Stigness > ttyymmnn
02/26/2019 at 22:13

Have Malwarebytes on every computer.

Also consider using a VPN router as the only access point in the house.

H ave all your credit cards reissued.

Use 2FA authentication on any service that allows it.

And finally start using LastPass to store your passwords, generate new incredibly long ones and use hardware backed 2FA on LastPass with a Yubikey 5. Hopefully you're using Gmail as your main email account which allows you to secure your account with a Yubikey.

ttyymmnn > gmporschenut also a fan of hondas
02/26/2019 at 22:15

No.

Thomas Donohue > ttyymmnn
02/26/2019 at 22:16

What kind of router do you have? Make sure you change the password on that, and make sure none of the settings have been changed (i.e. holes in the NAT firewall, assuming that’s what setup you have).

Do a ‘whoami’ IP lookup, note the public address on your router, and then reboot the router. You should get a new IP address, if not contact your ISP and have them change it.

Lastly, not sure what gaming servers, etc you are running, but many of them listen to certain ports and allow incoming traffic....so maybe do an extra scan and make sure all the software is up to date for everything....Windows update, browsers, games, video drivers, etc.

Lots of things to check, but old software can have holes.

ttyymmnn > Thomas Donohue
02/26/2019 at 22:21

Brand new router, installed a week or so ago. New password from old router.

No idea what a NAT firewall is. Like I said, not that savvy.

jminer > ttyymmnn
02/26/2019 at 22:23

There’s a lot to unpack there. Two things jump out at me though.

Yes if one computer on the network is comprised then they all easily could be.

Protecti ng a word doc by password means nothing. Go ahead and Google something like ‘lost password to word doc’ and you’ll see there are numerous tools around to crack it.

It sounds like all your machines may need a wipe and reload along with changing all of your passwords.

ttyymmnn > jminer
02/26/2019 at 22:24

Not the end of the world, but not what I want to do, obviously.

RallyDarkstrike - Fan of 2-cyl FIATs, Eastern Bloc & Kei cars > ttyymmnn
02/26/2019 at 22:30

New password as in the WIFI password? Because if the router’s admin password to access it’s settings is still the default, somebody could hack into that.

RallyDarkstrike - Fan of 2-cyl FIATs, Eastern Bloc & Kei cars > lone_liberal
02/26/2019 at 22:31

Also run a Hitmanpro scan as well to augment Malwarebytes. Malwarebytes gets a lot, Hitmanpro will get anything left over. Hitmanpro is paid, but their free trial works to do a scan and delete repeatedly as many times as you need for up to one month per computer before the 30 day trial runs out - it works very well.

ttyymmnn > RallyDarkstrike - Fan of 2-cyl FIATs, Eastern Bloc & Kei cars
02/26/2019 at 22:36

It came with a factory password, but I changed that.

ttyymmnn > jminer
02/26/2019 at 22:40

I ran a malwarebytes scan on one of the PCs, the one used by my son, and it came up with three things: 2 PUP.Optional.Ins tallCore and one Adware thing. I quarantined and deleted them both. I’ll scan the other two shortly.

ttyymmnn > lone_liberal
02/26/2019 at 22:41

I ran a malwarebytes scan on one of the PCs, the one used by my son, and it came up with three things: 2 PUP.Optional.InstallCore and one Adware thing. I quarantined and deleted them both. I’ll scan the other two shortly.

ttyymmnn > His Stigness
02/26/2019 at 22:43

I am adding Malwarbytes and scanning now. My son’s PC came up with three things: 2 PUP.Optional.InstallCore and one Adware thing. These don’t seem particularly malicious. I quarantined and deleted them . I’ll scan the other two shortly.

No idea how to set up a VPN.

CCs have been reissued.

2FA was activated for most important things a couple of weeks ago.

How is using Lastpass or some other aggregator safer?

dumpsterfire! > ttyymmnn
02/26/2019 at 22:46

N othing like reading these comments to realize how much of an ignoramus i am with software.

DucST3-Red-1Liter-Standing-By > ttyymmnn
02/26/2019 at 22:50

Ditto on the last pass. Use it to generate individual passwords for each site so that if one gets compromised, other accounts are still safe. Then secure last pass with a hardware two factor key. My method and pretty much as safe as it gets right now

ttyymmnn > dumpsterfire!
02/26/2019 at 22:55

You are in good company.

ttyymmnn > DucST3-Red-1Liter-Standing-By
02/26/2019 at 22:59

So you use LP to generate new passwords, then have one password in your brain to run it? Or is that what the hardware key is for? And what happens if you lose the key?

NKato > His Stigness
02/26/2019 at 23:03

I Don't recommend using a password storage system. Let's put everything we manage into a single point of failure that, if compromised, the company managing the system will notify us 3 months after the breach and by then everything will be fucked.

NKato > ttyymmnn
02/26/2019 at 23:11

As a note: Epic’s security is complete garbage. Consider any accounts and emails associated with them to be potentially compromised, and play Fortnite with that in mind. Always assume someone can see the database, especially since Epic now has Chinese shareholders.

ttyymmnn > NKato
02/26/2019 at 23:14

So, in other words, play the game with a junk email address that you don’t mind losing, change passwords weekly, and never store a credit card on their servers.

His Stigness > NKato
02/26/2019 at 23:22

Security professionals the world over recommend and use reputable password managers like LastPass. All of the information in encrypted and they don’t actually store your master password. Plus, I told him to use hardware backed 2FA, so there is no way for someone to hack into that account.

His Stigness > ttyymmnn
02/26/2019 at 23:31

Look up Private Internet Access for a good VPN client you can install and run on each computer. But you can buy a VPN router and sign in once and then all your home traffic goes through a VPN. But PIA makes it incredibly simple to use on the computer.

In regards to LastPass, yes, you have one master password to access all your other ones. The main reason to use LastPass is that for each site you log into you can generate the longest password they allow. Most sites are capped at 16, so that’s what I use, but for all my financial stuff I have 32 character passwords. LastPass doesn’t store your master password, but if you’re using hardware backed 2FA (the Yubikey 5) there is no way to get into your account without having your physical key in hand. I also secure my Gmail account with the Yubikey.

Security professionals all recommend using LastPass, or some other service that locks their shit down and allows hardware backed 2FA.

And in regards to losing your Yubikey, I am actually not sure if you can set more than one key up on each account. But you can attach it to your car key ring, and hopefully, you are not in the habit of losing those. But you can have LastPass remember your key on a computer for 30 days, so if you lose your key you can log in from your computer and revoke the key and just order another one.

jminer > ttyymmnn
02/26/2019 at 23:31

Looks like somebody’s got into your network. That’s definitely shitty, but the only way to be safe is to assume nothing you have digitally is safe now. That includes phones, tablets and so on. Change EVERY password and default EVERY device you don’t know 100% is clean if you want to be sure you’re done.

It sucks for sure. You can skimp out, but it’ll hurt more in the end.

facw > ttyymmnn
02/27/2019 at 01:30

The big advantage of some sort of password vault is that you won’t be tempted to use weak password or to reuse passwords (or to reuse weak passwords). As NKato notes, there is a definite weakness in using them, but there’s really no way you are going to be able to remember secure passwords for the vast multitude of services. I feel better about using a vault, but recognize that two factor should be used anywhere it is supported.

facw > ttyymmnn
02/27/2019 at 01:35

You should definitely change your password there to something that’s not the same as what you had on the old router. Both for router admin and for wifi. Especially important is making sure you are secure is to disable remote administration if it is on (it should be off, but if you are compromised it may have been switched on). Also, while I think people are overly alarmist about it, in your situation, I’d turn off U PnP on your router. This has implications for gaming and filesharing, but it’s too dangerous to have on when there’s a good chance you have malware within your network.

facw > ttyymmnn
02/27/2019 at 01:36

MSE really isn’t significantly worse than Norton.

facw > ttyymmnn
02/27/2019 at 01:46

Worrying about the security of your machines internally is good, but from the symptoms I’d guess passwords were compromised and they’ve been able to log in as you elsewhere.

Do all the stuff people are suggesting, but I think changing passwords, and activating 2-factor is the top priority (where you haven’t done it already). Also note that while Comcast problem doesn’t do it, if any of you are using gmail, there’s an account activity screen that will tell you where log ins are coming from.

facw > ttyymmnn
02/27/2019 at 01:47

And yeah, don’t use a Word document, the encryption on those is not strong, and will be more or less useless against hackers.

ttyymmnn > facw
02/27/2019 at 07:54

It is not the same as the old router. I used a new one. I’ll have to look up UPnP.

ttyymmnn > facw
02/27/2019 at 07:56

I spent some time on the phone last night with a Spectrum supervisor who really couldn’t tell me very much. What I did learn is that the ISP offers zero real time alerts, no 2FA, no messages that they have observed odd behavior. I am calling their security people today, but I am also going to migrate all my ancient Spectrum (Roadrunner) emails to gmail and shut them down.

ttyymmnn > facw
02/27/2019 at 07:57

I realize that now. I’ve moved it to a USB stick and deleted it. I’m not convinced that anybody got it, but you never know.

Thomas Donohue > ttyymmnn
02/27/2019 at 08:59

There should be a link on the router admin page to check the firmware. Many routers are shipped from the factory with older firmware, you’ll want to make sure you have the latest version.

Thomas Donohue > His Stigness
02/27/2019 at 09:07

there is no way to get into your account without having your physical key in hand.

I use two-factor for most of my important sites, but haven’t made the leap to hardware based (purchased Titan but haven’t yet activated). I’m comfortable with 2FA text, Google Auth, etc. as being not too hard, not too easy.

What’s the process for a lost or damaged key? I travel a lot, and being stuck away from home without access to anything scares me.

Also, what’s the cost for LastPass/Yubikey?

functionoverfashion > ttyymmnn
02/27/2019 at 09:23

I’ll only add that with LastPass, I use 2-factor authentication but don’t have a Yubikey or anything - it just dings my phone (or my apple watch) and I can hit ‘Verify’ to access my password vault. I change the password to LastPass regularly but even then, with 2FA it’s pretty safe. Using a service like that, you can also keep track of all the sites where you have logins. I have something like 175. Seriously.

I also literally keep a book in a drawer in my office at work, with some important passwords that I don’t save anywhere else. I don’t write down the actual password, anyway but a code that I can decipher (hints that only I will understand).

DucST3-Red-1Liter-Standing-By > ttyymmnn
02/27/2019 at 10:33

Yep exactly, how it works it's you enter your master password to access all your generated ones, but it will also ask you then to insert your key which will then enter a random string on numbers to validate itself against yubikeys servers(it also works offline). You can multiple keys to your account. So I have one on my key ring and one tucked away safely as a back up. You can also remove keys if you loose them, but it's a hassle. I highly recommend them

ttyymmnn > DucST3-Red-1Liter-Standing-By
02/27/2019 at 10:50

Thanks. Looks like it’s time to do all of this. Better late than never, I suppose.

DucST3-Red-1Liter-Standing-By > ttyymmnn
02/27/2019 at 10:52

Good luck! Let us know if you have any questions. The longest part will be remembering all the infrequently visited accounts to change all the old passwords. I’ve used this method for the last couple years, and still find old accounts I totally forgot about, thankfully they didn’t have much in them

His Stigness > Thomas Donohue
02/27/2019 at 11:21

The new Yubikey 5 is $45 on Amazon and LastPass premium is $3 a month.

I just chose to make the leap and don't use any method that can't be hacked on the outside. I still use my Pixel 3 as an authenticator, but like the yubikey you need to be holding it to use it. So for Google that's your way to replace a lost or damaged yubikey. But they're so damn durable you'd never break it. And you can keep it on your key ring so I doubt you'd ever lose it. But I asked someone else and he's pretty sure you can add a second yubikey to your LastPass. I know you cannon Google. I have multiple set up just in case and I have one stashed at home.

McMike > ttyymmnn
02/27/2019 at 12:01

Get off the ISP mail service asap.

Get with Gmail.com, outlook.com,... hell even AOL and Yahoo are better than the shit ISPs serve up.

They don’t keep up with newer mail protocols, they don’t keep up with security, they don’t give you as much space (email size limits, too) as the ones I listed above.

You also can’t take the email addresses with you if you ever leave Spectrum. These ISP email address offer you nothing.

Did I read this right? You have an email address “ Tyy mmm@ spectrum.com” and you recieved an email from a “ tyy.mmm@spectrum.com” address?

Thomas Donohue > His Stigness
02/27/2019 at 12:03

Thanks for the info. The keys are my biggest issue....unless I drive somewhere, I don’t have them (which is almost always when I travel) . I wish there was more of a credit-card sized key, though some of them are pretty small now.

ttyymmnn > McMike
02/27/2019 at 12:04

Basically, yes, but it happened with my gmail @. And yes, I am dumping my Spectrum email as soon as I find a way to archive the IMAP mailboxes. But I think I have a plan for that, too.

His Stigness > Thomas Donohue
02/27/2019 at 12:21

A Yubikey is very small and wouldn’t take up much space in your wallet. But I will research it in a few minutes and see if I can add another key to my Lastpass. If you can it solves your problems. I think the only reason I didn’t get a second key was cost. Like I said, the Yubikey 5 is $45. But I was dumb and bought a Yubikey 4 just days before they released the 5, so I also bought a FIDO2 key for my Gmail and the Yubikey 4 for Lastpass because of different standards. Long story short is if you worked for the CIA or something you wouldn’t use Lastpass because they only use OTP, not FIDO2 like Gmail does. But for the normal person it doesn’t matter.

Longer story short if I had waited a few weeks I could have one Yubikey 5 which works with any service or device.

McMike > ttyymmnn
02/27/2019 at 12:43

Basically, yes, but it happened with my gmail @.

I know your gmail account received the phony email, but the phony email was from Tyy.mmm@Spectrum, right?

If so......

Your Tyymmm@Spectrum has been spoofed.

What they have done is hack your email address, steal all your contacts, and created another email address that LOOKS like yours. They will do some or all of the following with it.

Email all your contacts with spam

Email all your contacts with a fake “look at my photos” link that takes them to a fake login screen that says “log in to view them.” The login could be for facebook, google, etc…. Another spoofing attempt.

Email all your contacts with a link to a virus, malware, ransomware, etc….

Sell it to someone so they cam do any of the listed mischief.

You can’t stop this. It’s not even your account that’s doing it, it just appears you are the person. The best thing you can do is send one last email to all your contacts with “please ignore anything you recieve from this username “tyymmm”. I am moving to a new account. I will be “mmm.Tyy” from now on. (Or something similar. Instead of “mikebrown,” become “brown.michael.d,” “mdbrown” etc…). That Spectrum username is now garbage.

ttyymmnn > McMike
02/27/2019 at 12:44

No, the phony message from India was addressed to my gmail, with a gmail address. The dot was thrown into the part before the @. So, instead of xxxx@gmail.com it was xx.xx@gmail.com and I still got it.

McMike > ttyymmnn
02/27/2019 at 12:57

Thank god.

His Stigness > Thomas Donohue
02/27/2019 at 15:46

So I confirmed you can have multiple Yubikeys in your LastPass account. So just get two Yubikey 5s and store one safe at home. And hopefully you’re using Gmail and you can use the same two keys.