Newly discovered malware campaign adds to TeamViewer's account hijacking woes

Researchers at Trend Micro have discovered a malware spam campaign targeting Italy, that may or may not tie in to recent TeamViewer user account hijackings.
Researchers at Trend Micro have discovered a malware spam campaign targeting Italy, that may or may not tie in to recent TeamViewer user account hijackings.

Remote-access application provider TeamViewer continues to assert that poor password management is the chief cause behind a recent spate of user account hijackings, but a new alert from Trend Micro suggested that a malware campaign could be another significant piece to the puzzle.

In a security blog post today, Trend Micro reported its discovery of a malicious spam email campaign in which recipients are duped into downloading a malicious JavaScript file containing a trojanized version of TeamViewer called Teambot, as well as Dridex keylogging and credentials-stealing malware. The trojanized TeamViewer app that Trend Micro observed is actually an approximately five-year-old version of the program – version 6.0.017222.0. The app is currently offering updates on its version 11.

The spam emails are specifically targeted toward Italy residents and are written in native Italian, either promising free trials of TeamViewer software or tricking current users with subject lines that translate into English as “Your ID was used” and “Your account information.” Trend Micro acknowledged the possibility that related or separate campaigns could also be targeting other nationalities, as well as possibly trojanizing more recent versions of TeamViewer.

Of course, the broader question is: Does this campaign tie into the recent surge in TeamViewer account hijackings, whereby attackers remotely hacked into users' computers and reportedly emptied their PayPal and banking accounts?

“When we talk about account hijackings, they typically come down to one of three things: stolen passwords through data breaches, social engineering of the [software] support center for account resets, or malware,” said Christopher Budd, global threat communications manager at Trend Micro, in an interview with SCMagazine.com. Often, account hijackings come from an “amalgam of multiple causes,” he added, meaning this campaign could potentially be one aspect of a larger, multifaceted campaign.

In an interview with SCMagazine.com, a spokesperson for Goppingen, Germany-based TeamViewer acknowledged the existence of various malware scams targeting the company, but expressed doubt that this particular campaign played a hand in recent events.

Rather, the spokesperson reiterated the company's contention that these hijackings are largely the result of irresponsible password practices on the part of users. In other words, customers who were victimized likely used the same exact passwords for TeamViewer as they did for other online websites that may have been recently compromised and breached (like LinkedIn, for instance).

“We're not excluding the possibility of malware playing a role in the whole account hijacking and abuse scenario. But from the evidence that we've collected, it is very likely that what's really at the center of this account abuse problem is people reusing password or using passwords that are not good enough,” said the spokesperson, adding that TeamViewer would look into the Trend Micro findings.

According to Budd, Trend Micro's discovery still would not explain reports that some users' accounts were reportedly hijacked even with two-factor authentication implemented. Meanwhile, the TeamViewer spokesperson refuted these reports altogether, stating that “There is no evidence at all that would suggest that our two-factor authentication has been compromised in any way.”

Regardless, scams like these illustrate the importance of keeping antivirus programs updated, applying software whitelists when applicable and appropriate, and practicing responsible email security.

“Email is a vector that is still dangerous,” said Budd. “We've been focused on all kinds of threats for past few years that have pushed email to bottom of the stack... [Our] focus been on autopilot when it comes to email security, and the events of the past year show that we need to put our eye back on that ball.”

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS