TeamViewer Used to Attack Leading Footwear Retailer

Time will tell if this is the case; however, TeamViewer has confirmed that they have seen significant numbers of accounts being taken over.

A leading footwear retailer in South Africa contacted Foregenix recently to assist with more specialized monitoring of their Point of Sale Systems – the reason being that they had become concerned about the numbers of merchants with integrated Point of Sale (POS) systems being hacked in South Africa, resulting in significant fraud losses and penalties from the card schemes. With alerts regularly coming out from their acquiring bank, they decided to enlist the assistance of the Foregenix team to help monitor their payment systems.

Interestingly enough within two weeks of deploying Serengeti IR, our team picked up unusual activity on one of the POS systems – sure enough the client’s TeamViewer account had been hacked and the attackers loaded a new variant of NewPOSThings (not detected by the encumbent Anti-Virus/Anti-Malware solution) to begin harvesting payment data from the POS. Fortunately with Serengeti IR monitoring and alerting, the Foregenix DFIR team immediately identified the attack and shut it down – no lost customer data and no leaked payment card data.

Needless to say it was the first confirmed TeamViewer account compromise to come across our team (there have been a few other suspected "smoking guns", but none have been proven conclusively to be as a result of TeamViewer credentials being compromised) – and we suspect it will not be the last. If you use Team Viewer in your business, we would advise implementing two-factor authentication and to implement other appropriate controls for your business – as outlined in the TeamViewer blog.

If you would like to read a bit more about the above attack, please download our case study.