Redirected internet searches, unexpected installs, rogue mouse pointers: Here's what to do when you've been 0wned.
By Roger A. Grimes
Columnist, CSO
In today's threatscape, antimalware software provides little peace of mind. In fact, antimalware scanners are horrifically inaccurate, especially with exploits less than 24 hours old. Malicious hackers and malware can change their tactics at will. Swap a few bytes around, and a previously recognized malware program becomes unrecognizable. All you have to do is drop off any suspected malware file at Google’s VirusTotal, which has over 60 different antimalware scanners, to see that detection rates aren’t all as advertised.
To combat this, many antimalware programs monitor program behaviors, often called heuristics, to catch previously unrecognized malware. Other programs use virtualized environments, system monitoring, network traffic detection and all of the above to be more accurate. Still they fail us on a regular basis. If they fail, you need to know how to spot malware that got through.
How to know if you've been hacked
Here are 15 sure signs you've been hacked and what to do in the event of compromise.
- You get a ransomware message
- You get a fake antivirus message
- You have unwanted browser toolbars
- Your internet searches are redirected
- You see frequent, random popups
- Your friends receive social media invitations from you that you didn’t send
- Your online password isn’t working
- You observe unexpected software installs
- Your mouse moves between programs and makes selections
- Antimalware, Task Manager or Registry Editor is disabled
- Your online account is missing money
- You’ve been notified by someone you’ve been hacked
- Confidential data has been leaked
- Your credentials are in a password dump
- You observe strange network traffic patterns
Note that in all cases, the number 1 recommendation is to completely restore your system to a known good state before proceeding. In the early days, this meant formatting the computer and restoring all programs and data. Today, it might simply mean clicking on a Restore button. Either way, a compromised computer can never be fully trusted again. Follow the recommended recovery steps listed in each category below if you don't want to do a full restore. Again, a full restore is always a better option, risk-wise.
1. You get a ransomware message
One of the worst messages anyone can see on their computer is a sudden screen take-over telling them all their data is encrypted and asking for a payment to unlock it. Ransomware is huge! After a slight decrease in activity in 2017, ransom-asking programs have come roaring back. Billions of dollars in productivity is being lost and billions in ransom are being paid. Small businesses, large businesses, hospitals, police stations and entire cities are being brought to a halt by ransomware. About 50% of the victims pay the ransom, ensuring that it isn’t going away anytime soon.
Unfortunately, according to cybersecurity insurance firms who are often involved in the payouts, paying the ransom does not result in working systems about 40% of the time. Turns out that ransomware programs aren’t bug free and unlocking indiscriminately encrypted linked systems isn’t as easy as putting in a decryption key. Most victims end up with many days of downtime and additional recovery steps even if they do pay the ransom.
What to do: First, if you’ve got a good, recent, tested data backup of the impacted systems, all you have to do is restore the involved systems and fully verify (officially called unit testing) to make sure the recovery was 100%. Sadly, most companies don’t have the great backups that they thought they had. Test your backups! Don’t let ransomware be the first time your company’s critical backups are being tested.
The best protection is to make sure you have good, reliable, tested, offline backups. Ransomware is gaining sophistication. The bad guys using malware are spending time in compromised enterprise environments figuring how to do the most damage, and that includes encrypting or corrupting your recent online backups. You are taking a risk if you don’t have good, tested, backups that are inaccessible to malicious intruders.
If you belong to a file storage cloud service, it probably has backup copies of your data. Don’t be overly confident. Not all cloud storage services have the ability to recover from ransomware attacks, and some services don’t cover all file types. Consider contacting your cloud-based file service and explain your situation. Sometimes tech support can recover your files, and more of them, than you can yourself.
Lastly, several websites may be able to help you recover your files without paying the ransom. Either they’ve figured out the shared secret encryption key or some other way to reverse-engineer the ransomware. You will need to identify the ransomware program and version you are facing. An updated antimalware program might identify the culprit, although often all you have to go on is the ransomware extortion message, but that is often enough. Search on that name and version and see what you find.
2. You get a fake antivirus message
You get a popup message on your computer or mobile device that it is infected. The pop-up message pretends to be an antivirus scanning product and purports to have found a dozen or more malware infections on your computer. Although this isn’t nearly as popular as it used to be, fake antivirus warning messages are still a situation that has to be dealt with in the right way.
They can occur for one of two reasons: either your system is already compromised, or it is not compromised beyond the pop-up message. Hope for the latter. These types of fake antivirus messages usually have figured out a way to lock up your browser so that you can’t get out of the fake message without killing the browser and restarting it.
What to do: If you get lucky, you can close the tab and restart the browser and everything is fine. The fake message doesn’t show back up. It was a one-time fluke. Most of the time you’ll be forced to kill the browser. Restarting it sometimes reloads the original page that forced the fake ad onto you, so you get the fake AV ad again. If this happens, restart your browser in Incognito or InPrivate mode, and you can browse to a different page and stop the fake AV message from appearing.
The worse scenario is that the fake AV message has compromised your computer (usually due to social engineering or unpatched software). If this is the case, power down your computer. If you need to save anything and can do it, do so before powering down. Then restore your system to a previous known clean image. Most operating systems have reset features built especially for this.
Note: A related scam is the technical support scam, where an unexpected browser message pops up warning that your computer has been compromised and telling you to call the toll-free number on your screen to get technical support help. Often the warning claims to be from Microsoft (even if you’re using an Apple computer). These tech support scammers then ask you to install a program, which gives them complete access to your system. They will run a fake antivirus, which, not surprisingly, finds lots of viruses. They then sell you a program to fix all your problems. All you need to do is give them a credit card to start the process. Luckily, these types of scam warnings can usually be defeated by rebooting your computer or closing your browser program and avoiding the website that foisted it upon you. Rarely has this type of malware done anything to your computer that requires fixing.
If you fall for one of these tech support scams and you gave them your credit card, immediately report it to your credit card company and get a new credit card. Reset your PC as instructed above if you gave the imposter tech support person remote access to your computer.
3. You have unwanted browser toolbars
This is a common sign of exploitation: Your browser has multiple new toolbars with names that seem to indicate the toolbar is supposed to help you. Unless you recognize the toolbar as coming from a well-known vendor, it's time to dump the bogus toolbar.
What to do: Most browsers allow you to review installed and active toolbars. Remove any you didn't want to install. When in doubt, remove it. If the bogus toolbar isn't listed there or you can't easily remove it, see if your browser has an option to reset the browser back to its default settings. If this doesn't work, follow the instructions listed above for fake antivirus messages.
You can usually avoid malicious toolbars by making sure that all your software is fully patched and by being on the lookout for free software that installs these toolbars. Hint: Read the licensing agreement. Toolbar installs are often pointed out in the licensing agreements that most people don't read.
4. Your internet searches are redirected
Many hackers make their living by redirecting your browser somewhere you don’t want to go. The hacker gets paid by getting your clicks to appear on someone else's website. They often don't know that the clicks to their site are from malicious redirection.
You can often spot this type of malware by typing a few related, very common words (for example, "puppy" or "goldfish") into internet search engines and checking to see whether the same websites appear in the results — almost always with no relevance to your terms. Unfortunately, many of today's redirected internet searches are well hidden from the user through use of additional proxies, so the bogus results are never returned to alert the user.
In general, if you have bogus toolbar programs, you're also being redirected. Technical users who really want to confirm can sniff their own browser or network traffic. The traffic sent and returned will always be distinctly different on a compromised computer vs. an uncompromised computer.
What to do: Follow the same instructions as for removing bogus toolbars and programs. Usually this is enough to get rid of malicious redirection. Also, if you are on a Microsoft Windows computer, check your C:\Windows\System32\drivers\etc\hosts file to see if there are any malicious-looking redirections configured within. The hosts file maps hostnames to IP addresses, so an entry in it can send a site name you type to a different server than the one you expect. It’s hardly used anymore. If the timestamp on the hosts file is anything recent, it might have been maliciously modified. In most cases you can simply rename or delete it without causing a problem.
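As an added example of the hosts-file check just described (not code from the article), this PowerShell script shows the file's last-modified time and lists any active entries that point a hostname somewhere other than loopback. It assumes the standard location under $env:SystemRoot and treats 127.0.0.1, ::1 and 0.0.0.0 as benign, since ad-blocking hosts lists use those to sinkhole domains.

```powershell
# Added example, not from the article: audit the Windows hosts file for
# active entries that redirect a hostname somewhere other than loopback,
# and report when the file was last modified (a recent change is a warning sign).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

$file = Get-Item -LiteralPath $hostsPath
Write-Output ("hosts file last modified: {0}" -f $file.LastWriteTime)

# Loopback and the unspecified address are normal; any other address mapped
# to a name deserves review.
$benignAddresses = @('127.0.0.1', '::1', '0.0.0.0')

# Parse every non-comment, non-blank line into an address plus its hostnames.
$entries = foreach ($line in Get-Content -LiteralPath $hostsPath) {
    $active = ($line -split '#', 2)[0].Trim()   # drop trailing comments
    if ($active -eq '') { continue }            # skip blank and comment-only lines
    $fields = $active -split '\s+'
    [pscustomobject]@{
        Address   = $fields[0]
        Hostnames = ($fields | Select-Object -Skip 1) -join ' '
    }
}

$suspicious = $entries | Where-Object { $benignAddresses -notcontains $_.Address }

if ($suspicious) {
    Write-Output "Active hosts entries that do not point to loopback (review each one):"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output "No non-loopback hosts entries found; the file is not redirecting anything."
}
```

A default Windows hosts file contains only comments, so any listed entry you did not add yourself is worth investigating.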
5. You see frequent, random popups
This popular sign that you've been hacked is also one of the more annoying ones. When you're getting random browser pop-ups from websites that don't normally generate them, your system has been compromised. I'm constantly amazed by which websites, legitimate and otherwise, can bypass your browser's anti-pop-up mechanisms. It's like battling email spam, but worse.
What to do: Not to sound like a broken record, but typically random pop-ups are generated by one of the three previous malicious mechanisms noted above. You'll need to get rid of bogus toolbars and other programs if you even hope to get rid of the pop-ups.
6. Your friends receive social media invitations from you that you didn’t send
We’ve all seen this one before. Either you or your friends receive invitations to “be a friend” when you are already connected friends on that social media site. Usually, you’re thinking, “Why are they inviting me again? Did they unfriend me and I didn’t notice, and now they are re-inviting me.” Then you notice the new friend’s social media site is devoid of other recognizable friends (or maybe just a few) and none of the older posts. Or your friend is contacting you to find out why you are sending out new friend requests. In either case, the hacker either controls your social media site, has created a second near-look-alike bogus page, or you or the friend has installed a rogue social media application.
What to do: First, warn other friends not to accept the unexpected friend request. Say something like, “Don’t accept that new invitation from Bridget. I think she’s hacked!” Then contact Bridget some other way to confirm. Spread the news in your common social media circles. Next, if not first, contact the social media site and report the site or request as bogus. Each site has its own method for reporting bogus requests, which you can find by searching through their online help. It’s often as easy as clicking on a reporting button. If your social media site is truly hacked (and it isn’t a second bogus look-alike page), you’ll need to change your password (refer to the help information on how to do this if you don’t know how).
Better yet, don’t waste time. Change to multi-factor authentication (MFA). That way the bad guys (and rogue apps) can’t as easily steal and take over your social media presence. Lastly, be leery of installing any social media application. They are often malicious. Periodically inspect the installed applications associated with your social media account/page and remove all but the ones you truly want to have there.
7. Your online password isn’t working
If you are typing in your online password correctly, for sure, and it isn’t working, then you might be hacked. I usually try again in 10 to 30 minutes, because I’ve had sites experiencing technical difficulties not accept my valid password for a short period of time. Once you know for sure that your current password is no longer working, it's likely that a rogue hacker has logged in using your password and changed it to keep you out.