Got a nagging feeling something isn’t quite right on your computer or network? We describe 10 giveaway signs that say you’ve been compromised—and what you can do to stay safe.
1. The Threat Actors Proudly Tell You
Sometimes, if they are going to make money out of their attack the threat actors (the bad guys) need to communicate with you.
The encryption of all the files on your network and the inability of your company to process data will have informed you that the network has been compromised. The ransom note tells you how to pay to restore access to your own data.
The official advice is to not pay ransoms, although estimates suggest that 50% of victims do pay. In 2019, municipalities in Florida paid USD 1.1 million over ransomware in one two-week period. Paying the ransom lets the cybercriminals win. They get what they want. So they are encouraged to do it again. And others are encouraged to try their hand at what they see as easy money.
Of course, not paying the ransom means you must shutdown, cleanse, and restore your systems from backups. But that’s not always possible. Sophisticated threat actors can reside in your systems for weeks before they trigger the encryption. They take the time to make sure they have infected your local—and sometimes your remote—backups.
If restoring your systems isn’t an option for you, you may find the decryption key online. Sites such as the No More Ransom Project—an initiative backed and supported by Europol—exist to help you with this.
It’s worth noting that even if you do pay the ransom you may not get a working decryption key. They often fail. So you’re still faced with a lot of manual steps and downtime. And best practices say you should still do a deep cleanse and restore your systems. You need to ensure all remnants of the ransomware have been removed.
Doxxing attacks require communication from the threat actors. These attacks exfiltrate sensitive and private documents and threaten to post them publicly on the internet. It’s a form of digital blackmail. For a sum of money, they promise to delete the documents instead of releasing them.
Pop-up adverts offering to speed up your system, remove malware, or pretending to be tech support are all indicators that your network or computer has been compromised.
It might just be a vulnerability in your browser that has been exploited, and until you click on an advert nothing will else happen to your computer. On the other hand, it might indicate your operating system is already infected and adware has been installed.
Another type of attack that announces itself is a simple email scam. The email will suggest that a hacker has managed to use your webcam and has captured footage of you in some sort of compromising situation. Unless you pay up, they threaten to release the footage to friends and family.
These scam emails can be ignored. They are sent out scatter-gun fashion to thousands and thousands of people in the hope that a small percentage pay up. A small percentage of a very large number is still a good payday for the cybercriminals.
Using someone’s webcam to spy on them is possible, of course. It’s called camfecting and sadly it is on the rise. It is used for everything from industrial espionage to stalking. But these are, by their nature, covert crimes and the perpetrators don’t announce themselves.
2. Your Browser Goes Rogue
If your browser has acquired new toolbars that you didn’t install, it has been infected. The toolbars may act as keystroke loggers that capture the account credentials for sites that you visit, or they may harvest credit and PayPal details from e-commerce sites. They may trigger further malware downloads, sometimes selected according to your browsing habits.
If you’re lucky, the worst you’ll suffer is your web searches are redirected to websites you did not search for. The threat actors are paid to drive traffic to websites and use redirections to generate as much traffic as they can. This can go hand in hand with the rogue toolbars, but web redirections can be the result of standalone infections.
3. People Receive Fraudulent Invitations From You
Threat actors set up fraudulent and copycat profiles on social media platforms and send invitations to the friends of the person with the real profile, or they gain access to the real profile probably through a fishing attack.
The real or bogus profile can be used to spread contentious or otherwise sensitive messages to undermine you, your company, or the company you work for. The profile can be used to gently tease information out of your friends—a technique called social engineering—to aid in credential theft or identity theft.
Your friends may receive a message—purportedly from you—asking them to receive a payment on PayPal on your behalf. You’ve sold something and need to be paid for it, but something is wrong with your PayPal account.
Because the victim is asked to receive and not make a payment, and because the request has come from you, their suspicions are not aroused. The message also asks them to transfer the money to their bank account and then on to yours. The details of the account are included in the message.
But, of course, the bank account belongs to the threat actors. Once the money is in their bank account the initial PayPal transaction is reversed. The victim is now out of pocket to the tune of the entire transaction.
4. Passwords Mysteriously Change
If you cannot log in to an online service or platform, make sure the service is operational. They might be having an outage. But if they are up and running and other users have no problems, it’s likely that your account has been hijacked. If a threat actor has managed to log in to your account they will change the password so that you cannot log in.
They may have guessed your password or used some form of dictionary attack. Maybe your password was in a data breach from a different site where you’d used the same password. You might have fallen prey to a phishing attack. But once the threat actors are in, they’ll change your password to keep you out.
You need to report the incident to the site as soon as you can. Of course, the onus is on you to prove to them that you are the genuine owner of the account, and not a threat actor social engineering their way into gaining access to the account. All of that takes time. Suggest to the support representative that they lock the account down right away, and only allow any access to it once they have satisfied themselves that they know who the genuine owner is.
If you’ve used the credentials on that account on any other systems or platforms, change the password on those systems immediately.
5. Software Materializes On Your Computer
If software appears on your computer and you have no idea where it came from, it might be enemy action. Viruses and malware install themselves and hide. Trojans, worms, and other malicious software such as adware may appear as regular applications. They will show up in the list of installed applications on your computer.
Unexplained software doesn’t necessarily mean you’ve been compromised across a network or the internet. Free software sometimes comes with a catch you need to read the terms and conditions to find out. The cost of some free software is unwittingly agreeing to have other packages you didn’t know about installed as well. The other packages will probably gather user information that can be monetized by the software authors, such as statistics regarding your computer and internet use that can be sold to marketing companies.
If you leave your computer unattended and logged in, the threat actors have the brief opportunity they need. It’s possible to boot computers from USB memory sticks and to inject a stub program that will run when you next log in. The stub downloads installers for other malware and programs. The attacker doesn’t even need your log in details to plant the seed for further infection.
Unattended laptops, even though they are logged out and turned off, are particularly susceptible to this type of “evil maid” attack because they are left unattended in hotel rooms or taken to be inspected at border crossings.
6. The Cursor Flies Solo
A moving mouse pointer without your hand on the mouse may indicate hardware issues or be due to “drift” in the software drivers. But if the cursor movements are purposeful and the pointer is making selections from menus and opening and closing windows, there are two options. Your technical support team may be remotely accessing your machine for valid reasons—although they should advise you of the fact in advance—or you have been infected with a remote access trojan (RAT) and the threat actors are connected to your computer.
A RAT allows the threat actors to connect and control your computer and observe what you do. It can also record keystrokes so that they can see what you did when they were not connected. They can transfers files to and from your computer, and turn your microphone and webcam on and off—without turning on tell-tale LEDs.
A typical approach is to connect your computer and then wait. If they see a long period of inactivity and it is late in your timezone they will connect to your computer. If the threat actors have seen a very long period without any activity from you they may risk taking control during daylight hours.
That’s when you might see the cursor moving on its own.
7. Your Shields Are Down And Won’t Come Up
If your defensive software such as personal firewall, anti-virus, and anti-malware are turned off and refuse to come back into service, you’ve been infected with a virus or other malware.
Modern malware is capable of disabling your defensive software and preventing it from being turned back on, reset, or re-installed. That is a clear-cut indicator that you have been infected by malicious software.
8. You’re Haemorrhaging Money
Most cybercrime is financially motivated. If the threat actors can obtain your credentials to a valuable asset such as online banking, PayPal, or a cryptocurrency digital wallet they’ll rub their hands with glee and empty it.
If they successfully mount a spear-phishing attack against someone in accounts and convince them that a c-suite member needs these funds transferred immediately, or that this invoice needs to be paid straight away you can lose tens of thousands of dollars in an afternoon.
9. Your Private Data Is On The Public Web
If your data is on the web, there’s no doubt you’ve been compromised. Sometimes this is done as a doxxing attack. Occasionally the public parading of private documents is carried out because the perpetrators are social justice hacktivists and for whatever reasons your enterprise has fallen under their crosshairs.
Another often overlooked risk is the employee with a grievance. In 2014 a senior auditor at UK supermarket Morrisons named Andrew Skelton posted the personal details of 100,000 of his fellow employees to a file-sharing website. He then tipped off the British press. His motive was revenge against his employer. He was still smarting from a disciplinary meeting held one month earlier.
10. Your Own Systems Tell You So
Any and all alerts from your intrusion detection system (IDS) or other monitoring software should be treated as genuine incidents until an investigation proves otherwise.
Inexplicable activity captured in system logs such as strange logins at unusual times or from geographically odd IP addresses or large movements of data at night can indicate something is amiss.
A pre-requisite to using this type of alerting is an understanding of your normal network traffic and behavior. Free tools like Snort, wireshark, Brim, and Graylog can help with this. You can’t get on top of this stuff with manual processes alone, so get software to help you.
What Can You Do To Protect Your Systems?
Cybersecurity is tough. It’s been said many times: you have to repel every attack, but the bad guys only need to get lucky once. A multi-layered approach with an educated workforce, appropriate defensive and monitoring software, and good IT governance will go a long way to keeping your systems safe. Pick the appropriate measures from this list and action them.
- Keep all operating systems and applications patched up to date.
- Use quality firewalls and only open ports after a business case has been reviewed and accepted.
- Enforce robust passwords and forbid the re-use of passwords on more than one system or website. Nominate a company-acceptable password manager.
- Where possible, enforce two-factor authentication.
- Put in place a multi-layered backup system, and store backups in different locations.
- Test your backups, your data restoration processes, and your disaster recovery plans.
- Create and dry-run an Incident Response Plan. Rehearse it with the stakeholders. Make sure everyone involved knows that the plan is in force, that it has been walked-through, and that in the event of an incident it is actually followed. Don’t let the excitement make people go off-script.
- Put in place monitoring software that looks at access attempts, system logs, network traffic, and raises alerts on suspicious or out of bounds activity.
- Explore safety and security protocols with your bank to prevent large transfers without additional, correlating information and validation.
- Use top-rated end-point protection suites encompassing anti-virus, anti-malware, and web browsing.
- Educate your staff in cyber-awareness, and keep that training topped up.
- Foster a security-minded culture in which staff are empowered to question unusual requests, report suspicious and inexplicable events, and suggest improvements without fear of recrimination. If they see something, they should say something.