
Walked into my office an hour into a Remote File Transfer initiated by an unknown user. I disabled it right away and looked through the files they transferred, which include a blank check with my routing and account numbers, my personal CV, and a few other items including my Chrome User Folder (hopefully not any password files they can crack? UGH!)

Anyway I just opened the log.txt and see this: 296361708 11-09-2013 02:35:35 11-09-2013 03:26:42 116 Filetransfer {9EC3C275-E1A6-4E8A-AF99-25CBE403D89D}

The 296361708 looks like the Teamviewer ID, but what about the numbers within {}, does this give me any identifiable info that can help me track this down?

Since this I've changed my TV password and enabled "Must Approve All Incoming Requests", but I'm concerned about them downloading my Google Chrome Cache and History files... and of course blank checks and my CV... along with a few database files that I was editing on my desktop =/ Not really sure what to do here. Thanks in advance for any insight or advice.

Scot Smith
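As an added example (not code from the asker or from TeamViewer), here is a small Python script that parses connection-log lines in the layout quoted above and flags sessions from IDs the owner does not recognise, which is the first check worth running over the rest of that log. The constructed sample lines, the allowlist, the meaning of the fields after the remote ID, and the day-month-year date order are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the layout the asker quoted: remote ID, start, end,
# a numeric field, session type, session GUID. Only the first field being the
# remote TeamViewer ID comes from the page; the rest is an assumption.
SAMPLE_LOG = """\
123456789 10-09-2013 14:01:10 10-09-2013 14:22:48 116 RemoteControl {11111111-1111-1111-1111-111111111111}
296361708 11-09-2013 02:35:35 11-09-2013 03:26:42 116 Filetransfer {9EC3C275-E1A6-4E8A-AF99-25CBE403D89D}
123456789 11-09-2013 09:10:00 11-09-2013 09:12:05 116 Filetransfer {22222222-2222-2222-2222-222222222222}
"""

# Remote IDs the owner recognises (constructed); anything else is unexpected.
KNOWN_IDS = {"123456789"}

LINE_RE = re.compile(
    r"^(?P<remote_id>\d+)\s+"
    r"(?P<start>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<end>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<field4>\S+)\s+(?P<session_type>\S+)\s+(?P<guid>\{[0-9A-Fa-f-]+\})$"
)
DATE_FMT = "%d-%m-%Y %H:%M:%S"  # assumed day-month-year ordering


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["start"] = datetime.strptime(rec["start"], DATE_FMT)
    rec["end"] = datetime.strptime(rec["end"], DATE_FMT)
    rec["duration_s"] = int((rec["end"] - rec["start"]).total_seconds())
    return rec


def suspicious_sessions(log_text, known_ids):
    """Return parsed records for every session from a remote ID not in known_ids."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["remote_id"] not in known_ids:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in suspicious_sessions(SAMPLE_LOG, KNOWN_IDS):
        print(f"unknown ID {rec['remote_id']}: {rec['session_type']} "
              f"for {rec['duration_s']} s, session {rec['guid']}")
```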

1 Answer


Firstly, if you used the password save function in Chrome, you're in trouble. Essentially, Chrome has no security wrt the password save feature. Immediately change all your passwords! I would recommend also enabling 2-factor authentication on any sites which support it, i.e. Google, iTunes, Dropbox etc.

I'm not sure what the number in {} is; the last part might be a MAC address. However, as it is trivial to spoof both MAC addresses and IP addresses, you are unlikely to be able to track down the source. Even if you could, more than likely they are in a different country and trying to do anything legally will be near impossible. Certainly report this to your IT area (if you have one) and you can report the incident to the police, but don't expect much action. They are generally either under-resourced or just overwhelmed with such cases to really do much other than record the incident for stats etc. (which is important for things like getting more resources).

I would also be rather concerned about how they gained initial access. While you caught them in the act of downloading files, you can't be sure they haven't done other things or for how long they have had access to your system. In general, once a system has been compromised, the best thing to do is re-image it and start with a fresh known-good system, though be careful restoring data from any backups you make, as you don't know when you were first compromised and you may have backed up compromised files etc.

To be on the safe side, you should also report the incident to your bank. They may be able to put a watch on your accounts or may decide to change your account details etc. As you also lost a copy of your CV, watch out for any signs of identity theft. This could include unusual/unexpected contact from banking and other financial institutions, unknown bank or credit card transactions etc. One reason to report such incidents is to ensure it is on the record in case you run into identity theft issues at a later date.

Tim X