
My coworker's computer was logged into via RDP by an unknown person. He took pictures of what was open on the desktop before being disconnected when the other person logged back in.

The hacker was in the process of purchasing a VPN and a domain with a (probably stolen?) credit card.

Why were they purchasing these things via RDP? So it can't easily be traced back to them? Or were they going to connect the computer via VPN to a botnet or something?

rys

1 Answer


Yes, RDP over VPNs is the current method of choice for carders, increasingly so because many proxy configurations have become much less effective than they used to be thanks to improved anti-fraud purchasing mechanisms.

They need a Windows machine on a clean IP to build a legitimate browser fingerprint and successfully fool a website's payment system into believing they're not a fraud.

Dom
  • Makes sense! Thanks. Any way to protect RDP in the future? I already recommended a long, easy-to-remember password. They do not have a VPN or anything, but should I lock down port 3389 to the single IP he needs? Or what is the best/other approach(s)? (Sorry not enough rep to upvote yet) – rys Oct 19 '17 at 14:40
  • Given what's out there these days, I'd say disable the feature entirely whenever it's not needed, unless that's not practical. Other than that, tighten up security across the entire network, because once that's compromised the machine doesn't stand a chance. – Dom Oct 20 '17 at 02:39
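The two mitigations the comments discuss (restricting TCP/3389 to a single source address, or disabling Remote Desktop outright when it is not needed) can both be applied on a single Windows host with the script below. It is an added example written for this page, not code from rys, Dom, or any project; it assumes a Windows 10 / Server 2016 or later host with the built-in NetSecurity cmdlets, and `203.0.113.10` is a documentation-range placeholder for the one admin IP that should be allowed in. The audit at the end lists recent RDP logons (Security event 4624 with logon type 10) from any other address, which is how the unknown session in the question would show up in the log.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): lock down RDP on one Windows host.
# Assumptions: NetSecurity module present (New-NetFirewallRule etc.), and
# 203.0.113.10 is a placeholder for the single address allowed to reach RDP.
param(
    [string]$AllowedRemoteIP = '203.0.113.10',   # placeholder; replace with the real admin IP
    [switch]$DisableRdpEntirely                  # Dom's suggestion: switch RDP off when not needed
)

$rdpRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ruleName   = 'RDP - allow only from admin IP'   # hypothetical rule name chosen for this example

if ($DisableRdpEntirely) {
    # fDenyTSConnections = 1 makes the Remote Desktop service refuse all connections.
    Set-ItemProperty -Path $rdpRegPath -Name 'fDenyTSConnections' -Value 1
    # Close the firewall too, so nothing listens reachable on 3389 even if the service is re-enabled.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    Write-Output 'RDP disabled (registry flag + firewall group).'
}
else {
    # Keep RDP on, but require Network Level Authentication so the client must
    # authenticate before a session is created on the host.
    Set-ItemProperty -Path "$rdpRegPath\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1
    Set-ItemProperty -Path $rdpRegPath -Name 'fDenyTSConnections' -Value 0

    # Replace the broad built-in "Remote Desktop" rules with one inbound rule
    # scoped to a single remote address.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AllowedRemoteIP -Action Allow -Profile Any | Out-Null
    Write-Output "RDP restricted to $AllowedRemoteIP on TCP/3389 (NLA required)."
}

# Audit: recent interactive RDP logons (event 4624, LogonType 10) from any address
# other than the allowed one. Property indices follow the 4624 event schema:
# 5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            SourceIP = $_.Properties[18].Value
        }
    } |
    Where-Object { $_.SourceIP -ne $AllowedRemoteIP } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run it with `-DisableRdpEntirely` to follow Dom's advice, or without the switch to keep RDP available only to the address given in `-AllowedRemoteIP`. The firewall rule scopes the port on the host itself; if the machine is reachable directly from the internet, the same restriction should also be applied on the perimeter device, since a host firewall does nothing once the host is already compromised.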