Antimalware software offers little peace of mind in today's threat landscape. Antimalware scanners are notoriously inaccurate, particularly against malware that is less than 24 hours old. Malicious hackers and malware can change their tactics at will: swap a few bytes and a previously recognized malware program becomes unrecognizable. To confirm that a sample slips through, all an attacker has to do is drop the suspected malware file on Google's VirusTotal, which runs it past more than 60 different antimalware scanners.
To combat this, many antimalware programs monitor program behaviors, often called heuristics, to catch previously unrecognized malware. Others use virtualized environments, system monitoring, network traffic detection and so on to be more accurate. They still fail us on a regular basis. When they fail, you need to know how to spot the malware that got through.
How do you know if you've been hacked? Here are the signs:
- You get a fake antivirus message
- You have unwanted browser toolbars
- You get a ransomware message
- Your friends receive social media invitations from you that you didn’t send
- You see frequent, random popups
- Your internet searches are redirected
- Antimalware, Task Manager or Registry Editor is disabled
- Your mouse moves between programs and makes selections
- You observe unexpected software installs
- Your online password isn’t working
- Confidential data has been leaked
- Your credentials are in a password dump
- Your online account is missing money
- You’ve been notified by someone you’ve been hacked
- You observe strange network traffic patterns
Note that in all cases, the number 1 recommendation is to completely restore your system to a known good state before proceeding. In the early days, this meant formatting the computer and restoring all programs and data. Today it might simply mean clicking a Restore button. Either way, a compromised computer can never be fully trusted again. If you don't want to do a full restore, follow the recommended recovery steps listed under each category below. Again, a complete restore is always the better, risk-based option.
- You get a ransomware message
One of the worst messages anyone can see on their computer is a sudden screen takeover telling them all their data is encrypted and asking for a payment to unlock it. Ransomware is huge! After a slight decrease in activity in 2017, ransomware programs have come roaring back. Millions of dollars in productivity are being lost and billions are being paid in ransom. Ransomware is shutting down small businesses, large companies, hospitals, police stations and entire cities. About 50% of the victims pay the ransom, which ensures it isn't going away anytime soon.
Unfortunately, according to cybersecurity insurance firms, which are often involved in the payouts, paying the ransom does not result in working systems about 40% of the time. It turns out that ransomware programs aren't bug free, and unlocking indiscriminately encrypted, interconnected systems isn't as easy as putting in a decryption key. Most victims end up with many days of downtime and additional recovery steps even if they do pay the ransom.
What to do: First, if you have a good, recent, tested data backup of the impacted systems, all you have to do is restore the impacted systems and fully verify (officially called unit testing) that the restoration was 100% successful. Sadly, most companies don't have the great backups they thought they had. Test your backups! Don't let ransomware be the first time your company's critical backups are tested.
The best protection is to make sure you have good, reliable, tested, offline backups. Ransomware is becoming increasingly sophisticated. The bad guys using malware are spending time in compromised enterprise environments figuring out how to do the most damage, and that includes encrypting or corrupting your recent online backups. You are taking a risk if you don't have good, tested backups that are inaccessible to malicious intruders.
If you belong to a file storage cloud service, it probably has backup copies of your data. Don't be overly confident. Not all cloud storage services have the ability to recover from ransomware attacks, and some services don't cover all file types. Consider contacting your cloud-based file service and explaining your situation. Sometimes tech support can recover your files, and more of them, than you can yourself.
Lastly, several websites may be able to help you recover your files without paying the ransom. Either they've figured out the shared secret encryption key or some other way to reverse-engineer the ransomware. You will need to identify the ransomware program and version you are facing. An updated antimalware program might identify the culprit, although often all you have to go on is the ransomware extortion message, which is usually enough. Search on that name and version and see what you find.
- You get a fake antivirus message
You get a pop-up message on your computer or mobile device saying that it is infected. The pop-up pretends to be an antivirus scanning product and purports to have found a dozen or more malware infections on your computer. Although this isn't nearly as popular as it used to be, fake antivirus warning messages are still a situation that has to be dealt with in the right way.
They can occur for one of two reasons: either your system is already compromised, or it is not compromised beyond the pop-up message. Hope for the latter. These fake antivirus messages have usually figured out a way to lock up your browser so that you can't get out of the fake message without killing the browser and restarting it.
What to do: If you get lucky, you can close the tab, restart the browser, and everything is fine. The fake message doesn't show back up. It was a one-time fluke. Most of the time you'll be forced to kill the browser. Restarting it sometimes reloads the original page that forced the fake ad on you, so you get the fake AV ad again. If this happens, restart your browser in incognito or InPrivate mode, browse to a different page, and the fake AV message will stop appearing.
The worse scenario is that the fake AV message has compromised your computer (usually due to social engineering or unpatched software). If this is the case, power down your computer. If you need to save anything and can do it, do so before powering down. Then restore your system to a previous known clean image. Most operating systems have reset features built especially for this.
Note: A related scam is the technical support scam, where an unexpected browser message pops up warning that your computer has been compromised and telling you to call the toll-free number on your screen to get technical support. The warning often claims to be from Microsoft (even if you're using an Apple computer). These tech support scammers then ask you to install a program, which gives them complete access to your system. They run a fake antivirus, which, not surprisingly, finds lots of viruses. They then sell you a program to fix all your problems. All you need to do is give them a credit card to start the process. Luckily, these types of scam warnings can usually be defeated by rebooting your computer or closing your browser and avoiding the website that hosted the warning. Rarely has this type of malware done anything to your computer that requires fixing.
If you fell for one of these tech support scams and gave them your credit card, immediately report it to your credit card company and get a new card. If you gave the impostor tech support person remote access to your computer, reset your PC as instructed above.
- You have unwanted browser toolbars
This is a common sign of exploitation: your browser has multiple new toolbars with names that seem to indicate the toolbar is supposed to help you. Unless you recognize the toolbar as coming from a well-known vendor, it's time to dump the bogus toolbar.
What to do: Most browsers allow you to review installed and active toolbars. Remove any you didn't want to install. When in doubt, remove it. If you can't easily remove the bogus toolbar, see if your browser has an option to reset itself back to its default settings. If this doesn't work, follow the instructions listed above for fake antivirus messages.
You can usually avoid malicious toolbars by making sure that all your software is fully patched and by being on the lookout for free software that installs these toolbars. Hint: Read the licensing agreement. Toolbar installs are often spelled out in the licensing agreements that most people don't read.
- Your internet searches are redirected
Many hackers make their living by redirecting your browser somewhere you don't want to go. The hacker gets paid by making your clicks land on someone else's website. The site owners often don't know that the clicks to their site come from malicious redirection.
You can often spot this type of malware by typing a few related, very common words (for example, "puppy" or "goldfish") into an Internet search engine and checking whether the same websites appear in the results, almost always with no relevance to your terms. Unfortunately, many of today's redirected internet searches are well hidden from the user through the use of additional proxies, so the bogus results are never returned to alert the user.
In general, if you have bogus toolbar programs, you're also being redirected. Technical users who really want to confirm this can sniff their own browser or network traffic. The traffic sent and returned will always be distinctly different on a compromised computer versus an uncompromised one.
What to do: Follow the same instructions as for removing bogus toolbars and programs. Usually this is enough to get rid of malicious redirection. Also, on a Microsoft Windows computer, check your C:\Windows\System32\drivers\etc\hosts file to see if any malicious-looking redirections are configured in it. The hosts file tells your PC where to go when a particular hostname is typed in, and it is hardly used anymore; on a clean Windows installation it contains only comment lines, so any active entry deserves a look. If the timestamp on the hosts file is recent, it may have been maliciously modified. In most cases you can simply rename or delete it without causing a problem.
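The hosts-file check described above, as an added example that is not part of the original article: it parses hosts-file text, lists every active entry, flags entries that send well-known domains somewhere other than the local machine, and implements the "recent timestamp" test as a function. The sample file contents, the list of sensitive domains and the 30-day threshold are assumptions made for this demonstration.

```python
"""Triage a Windows hosts file for malicious redirections (added example).

Parses hosts-file text, reports every active (non-comment) entry and
flags entries that point well-known domains away from the local machine.
SAMPLE_HOSTS, SENSITIVE_SUFFIXES and the 30-day threshold are assumptions.
"""
import ipaddress
import os
import time

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Hostnames attackers commonly redirect or sinkhole (assumed list):
# antimalware update servers and search engines.
SENSITIVE_SUFFIXES = (
    "windowsupdate.com", "microsoft.com", "virustotal.com",
    "symantec.com", "mcafee.com", "kaspersky.com", "google.com", "bing.com",
)

# Loopback/null mappings block a name rather than redirect it.
LOCAL = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs for every active entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, including inline ones
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line, ignore it
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(entries):
    """Flag active entries touching a sensitive domain.

    Mapping a vendor or search domain to a foreign host is the classic
    redirection trick; mapping it to 0.0.0.0/127.0.0.1 blocks it, which is
    just as interesting when it hits an antimalware update server.
    """
    flagged = []
    for ip, name in entries:
        if any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES):
            reason = "blocked (null/loopback)" if ip in LOCAL else f"redirected to {ip}"
            flagged.append((name, reason))
    return flagged


def hosts_mtime(path=HOSTS_PATH):
    """Modification time of the hosts file as a Unix timestamp."""
    return os.path.getmtime(path)


def recently_modified(mtime, days=30, now=None):
    """True if mtime falls within `days` of now (the article's recent-timestamp check)."""
    now = time.time() if now is None else now
    return (now - mtime) < days * 86400


# Constructed sample of what a tampered hosts file might look like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
# ::1             localhost
203.0.113.7   www.google.com
203.0.113.7   www.bing.com
0.0.0.0       update.symantec.com
127.0.0.1     dev.local   # a legitimate developer entry
"""

if __name__ == "__main__":
    for name, reason in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"SUSPICIOUS: {name}: {reason}")
```

To run it against the real file, read HOSTS_PATH instead of SAMPLE_HOSTS and pass hosts_mtime() to recently_modified(); a non-sensitive entry such as dev.local is listed by parse_hosts() but not flagged, which is the point of keeping the two steps separate.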
- You see frequent, random popups
This popular sign that you've been hacked is also one of the more annoying ones. When you're getting random browser pop-ups from websites that don't normally generate them, your system has been compromised. I'm constantly amazed by which websites, legitimate and otherwise, can bypass your browser's anti-pop-up mechanisms. It's like battling email spam, but worse.
What to do: Not to sound like a broken record, but random pop-ups are typically generated by one of the three malicious mechanisms noted above. You'll need to get rid of bogus toolbars and other programs if you even hope to get rid of the pop-ups.
- Your friends receive social media invitations from you that you didn't send
Either you or your friends receive invitations to "be a friend" when you are already connected on that social media site. Usually you're thinking, "Why are they inviting me again? Did they unfriend me and I didn't notice, and now they are re-inviting me?" Then you notice the new friend's social media page is devoid of other recognizable friends (or has just a few) and none of the older posts. Or your friend contacts you to find out why you are sending out new friend requests. In either case, the hacker either controls your social media account, has created a second near-look-alike bogus page, or you or your friend has installed a rogue social media application.
What to do: First, warn other friends not to accept the unexpected friend request. Say something like, "Don't accept that new invitation from Bridget. I think she's hacked!" Then contact Bridget some other way to confirm. Spread the news in your common social media circles. Next, if not first, contact the social media site and report the page or request as bogus. Each site has its own method for reporting bogus requests, which you can find by searching its online help. It's often as easy as clicking a reporting button. If your social media account is truly hacked (and it isn't a second bogus look-alike page), you'll need to change your password (refer to the help information on how to do this if you don't know).
Better yet, don't waste time: switch to multi-factor authentication (MFA). That way the bad guys (and rogue apps) can't as easily steal and take over your social media presence. Lastly, be leery of installing any social media application. They are often malicious. Periodically review the applications installed on your social media account or page and remove all but the ones you truly want there.
- Your online password isn't working
If you are typing your online password correctly, for sure, and it isn't working, then you might be hacked. I usually try again in 10 to 30 minutes, because I've had sites experiencing technical difficulties not accept my valid password for a short period of time. Once you know for sure that your current password is no longer working, it's likely that a rogue hacker has logged in using your password and changed it to keep you out.
What usually happens in this scenario is that the victim responded to an authentic-looking phishing email that claimed to be from the service. The bad guy uses it to collect the logon information, logs on, changes the password (and other information, to complicate recovery) and uses the service to steal money from the victim or the victim's acquaintances while pretending to be the victim.
What to do: If the scam is widespread and many of your acquaintances have been contacted, immediately notify all your close contacts about your compromised account. This will minimize the damage being done to others by your mistake. Second, contact the online service to report the compromised account. Most online services now have easy methods or email addresses for reporting compromised accounts. If you report your account as compromised, the service will usually do the rest to help you restore your legitimate access. Then consider enabling MFA.
If the compromised logon information is used on other websites, change those passwords immediately. Be more careful next time. Websites rarely send emails asking you to provide your logon information. When in doubt, visit the website directly (don't use the links sent to you in email) and see whether the same information is requested when you log on using the legitimate method. You can also call or email the service to report the received email or to confirm whether it is valid.
- You observe unexpected software installs
Unwanted and unexpected software installs are a big sign that your computer has been hacked. In the early days of malware, most programs were computer viruses, which work by modifying other legitimate programs. They did this to hide themselves better. Most malware programs these days are Trojans and worms, and they typically install themselves like legitimate programs. This may be because their creators are trying to walk a very thin line for when the courts catch up with them. They can attempt to say something like, "But we are a legitimate software company." The unwanted software is often legally installed by other programs. I frequently read license agreements that plainly state that one or more other programs will be installed. Sometimes you can opt out of these other programs; sometimes you can't.
What to do: There are many programs that will show you all your installed programs and let you selectively disable them. My favorite checkers for Microsoft Windows are Microsoft's free Autoruns and Process Explorer. They don't show you every installed program, but they will tell you which ones automatically start when your PC is restarted (Autoruns) or which ones are currently running (Process Explorer).
Most malware programs will be found embedded in the much larger list of legitimate running programs. The hard part can be determining what is and isn't legitimate. You can enable the "Check VirusTotal.com" options, and the programs, together with Google's VirusTotal.com website, will tell you which ones they think are malware. When in doubt, disable the unrecognized program, reboot the PC, and re-enable the program only if some needed functionality no longer works.
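A way to work through that long Autoruns list faster, as an added example that is not part of the original article: autorunsc.exe, the command-line version of Autoruns, can write its results as CSV (switches for all entries, CSV output, signature verification and VirusTotal lookup: `-a * -c -s -v`). The script below reads such a CSV and scores each autostart entry on the cues a responder checks by hand: VirusTotal detections, an unverified or missing signer, and an image living in a user-writable directory. The sample rows are constructed, and the column names ("Entry", "Signer", "Image Path", "VT detection") are assumed to match autorunsc's CSV header.

```python
"""Score autorunsc CSV output so the riskiest autostart entries surface first (added example).

Column names are assumed to match `autorunsc -a * -c -s -v` output;
SAMPLE_CSV is constructed for this demonstration.
"""
import csv
import io
import re

# Directories malware favours because no admin rights are needed to write there.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|tmp|downloads|public|programdata)\\", re.IGNORECASE
)


def vt_detections(value):
    """Parse a 'VT detection' cell such as '23/71' into (hits, engines); unknown -> (0, 0)."""
    m = re.match(r"\s*(\d+)\s*/\s*(\d+)", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def score_entry(row):
    """Return (score, reasons) for one autostart entry; a higher score means look sooner."""
    reasons, score = [], 0
    hits, _ = vt_detections(row.get("VT detection", ""))
    if hits > 0:
        score += 10
        reasons.append(f"VirusTotal {hits} detections")
    signer = (row.get("Signer") or "").strip()
    if not signer.startswith("(Verified)"):        # Autoruns marks good signatures "(Verified) <name>"
        score += 3
        reasons.append("unsigned or unverified signer")
    image = row.get("Image Path") or ""
    if USER_WRITABLE.search(image):
        score += 3
        reasons.append("image in user-writable directory")
    if not image or image.lower().startswith("file not found"):
        score += 1
        reasons.append("image missing")
    return score, reasons


def triage(csv_text, threshold=3):
    """Return entries scoring >= threshold, highest first, as (score, entry, image, reasons)."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = score_entry(row)
        if score >= threshold:
            results.append((score, row["Entry"], row["Image Path"], reasons))
    results.sort(key=lambda r: r[0], reverse=True)
    return results


# Constructed sample in autorunsc -c layout (subset of columns).
SAMPLE_CSV = r"""
Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,VT detection
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,0/72
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,WindowsUpdateHelper,enabled,Logon,,,c:\users\alice\appdata\roaming\wuhelper\wuhelper.exe,23/71
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VendorTray,enabled,Logon,Tray helper,(Verified) Example Vendor Inc,c:\program files\vendor\tray.exe,0/72
Task Scheduler,\Updater,enabled,Tasks,,,File not found: c:\temp\updater.exe,
""".strip()

if __name__ == "__main__":
    for score, entry, image, reasons in triage(SAMPLE_CSV):
        print(f"[{score:>2}] {entry}: {image} <- {', '.join(reasons)}")
```

The scoring deliberately treats "unsigned" and "lives under AppData" as hints rather than verdicts; plenty of legitimate per-user installers trip both. The VirusTotal column is the strongest single cue, which is why it dominates the score, and the two Microsoft-signed system entries fall below the threshold and stay out of the way.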
- Your mouse moves between programs and makes selections
If your mouse pointer moves by itself while making selections that work, you've definitely been hacked. Mouse pointers often move randomly, usually due to hardware problems. If the movements involve making choices to run particular programs, malicious humans are involved somewhere.
This technique is not as common as some other attacks. Hackers break into a computer, wait for it to be idle for a long time (like after midnight), then try to steal your money. They break into bank accounts and transfer money, trade your stocks, and do all sorts of rogue actions, all designed to lighten your cash load.
What to do: If your computer "comes alive" one night, take a minute before turning it off to determine what the intruders are interested in. Don't let them rob you, but it will be useful to see what they are looking at and trying to compromise. Take a few pictures to document their actions. When it makes sense, power off the computer. Unhook it from the network (or disable the wireless router) and call in the professionals. This is the one time you will need expert help.
Using another known-good computer, immediately change all your other logon names and passwords. Check your bank account transaction histories, stock accounts and so on. Consider paying for a credit-monitoring service. If you've been a victim of this attack, you have to take it seriously. A complete restore of the computer is the only option you should choose for recovery. If you've lost any money, make sure the forensics team makes a copy first. If you've suffered a loss, call law enforcement and file a case. You'll need this information to recover your real money losses, if any.
- Antimalware, Task Manager or Registry Editor is disabled
This is a huge sign of malicious compromise. If you notice that your antimalware software is disabled and you didn't do it, you're probably exploited, especially if you try to start Task Manager or Registry Editor and they won't start, start and then disappear, or start in a reduced state.
What to do: You should really perform a complete restore, because there is no telling what has happened. But if you want to try something less drastic first, try to find the malicious program causing the problems by running Microsoft Autoruns or Process Explorer (or similar programs) on a Windows computer. You'll usually identify the offending program, which you can then delete or uninstall.
If the malware "fights back" and won't let you easily uninstall it, research the many methods for restoring the lost functionality (any Internet search engine will return lots of results), then start the hard work. I say "hard work" because usually it isn't easy or quick. Often I have to try a handful of different methods to find one that works. Get rid of the malware program using the methods listed above before you restore your software's functionality.
- Your online account is missing money
Bad guys usually don't steal a little money online. They like to transfer everything, or nearly everything, often to a foreign exchange or bank. It usually begins with your computer being compromised or with you responding to a fake phish from your bank or stock trading company. The bad guys log on, change your contact information before they steal your money, and transfer large sums to themselves.
What to do: In most cases you are in luck, because most financial institutions will replace the stolen funds (especially if they can stop the transaction before the damage is truly done). However, there have been cases where the courts have ruled that it was the customer's responsibility not to be hacked, and it is up to the financial institution to decide whether it will make restitution to you.
To prevent this from happening, first turn on transaction alerts that send you text messages when something unusual is happening. Many financial institutions allow you to set thresholds on transaction amounts, and you'll be warned if the threshold is exceeded or the money goes to a foreign country. Unfortunately, the bad guys often reset the alerts or your contact information before they steal your money. So make sure your financial or trading institution sends you alerts any time your contact information or alerting choices are changed.
- You've been notified by someone you've been hacked
One of the top ways any organization finds out it has been successfully compromised is notification by an unrelated third party. This has been the case since the beginning of computers and continues to be true. Verizon's respected Data Breach Investigations Report has found that more companies were notified they were hacked by unrelated third parties than recognized their own compromises. In July 2019, Microsoft revealed that it had detected nation-state attacks against over 10,000 of its customers since the beginning of the year.
What to do: First, find out whether you truly have been hacked. Make sure everyone slows down until you confirm that you have been successfully compromised. If confirmed, follow your predefined incident response plan. You have one, right? If not, make one now and practice it with stakeholders. Make sure everyone knows that your IR plan is a thoughtful plan that must be followed. You don't want anyone going off on their own hunting parties, or inviting more people to "the party" before it's decided who needs to be involved. Your biggest challenge will be getting people to follow the plan in an emergency. Communicate and practice ahead of time.
- Confidential data has been leaked
Nothing confirms you've been hacked like your organization's confidential data sitting out on the Internet or the dark web. If you didn't notice it first, then the media and other interested stakeholders will likely be contacting your organization to confirm it or to find out what you are doing about it.
What to do: As with the previous sign, first find out whether it really is your confidential data out there. In more than a few cases, hackers have claimed to compromise a company's data but didn't have anything confidential. They either made up the claim and the data, only had publicly available data, or had some other company's data. So, confirm it first.
If it is your company's confidential data, it's time to tell senior management, begin the IR process, and figure out what needs to be communicated to whom, and by when. In many countries and states, the legal requirement for reporting compromised customer data can be as short as 72 hours, and many times you won't even be able to confirm the leak, or how it happened, within 72 hours. It goes without saying that you need to get your legal team involved.
- Your credentials are in a password dump
Literally billions of valid (at least at one time) logon credentials are on the Internet and the dark web. They have usually been compromised by phishing, malware or website database breaches. You will not usually be notified by third parties as is the case with other types of data leaks. You have to look out for this type of threat proactively. The sooner you know this kind of thing has happened, the better.
You can check for compromised credentials one at a time using various websites (like Have I Been Pwned), check across multiple accounts using free open source intelligence tools (like theHarvester), free commercial tools (like KnowBe4's Password Exposure Test), or any of the commercial services that continuously look for your company's data and credentials for a fee. Some of these services, including Have I Been Pwned's password check, are designed so that the full password or its hash never leaves your machine: you submit a short prefix of the hash and do the matching locally.
What to do: After first confirming whether the dump contains any credentials you currently use, reset all your logon credentials. Start an IR process to see whether you can figure out how your organization's logon credentials ended up outside the company. Then implement MFA.
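The privacy-preserving password check mentioned above, as an added example that is not part of the original article. It implements the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords API: hash the candidate with SHA-1, send only the first five hex characters of the hash, receive every hash suffix in that range with its breach count, and finish the comparison locally. The request URL and the `SUFFIX:COUNT` response layout follow the public API; the network call is replaced by a constructed response so the script runs offline, and the sample password and counts are made up.

```python
"""k-anonymity password exposure check in the style of HIBP Pwned Passwords (added example).

Only a 5-character hash prefix is ever sent; fake_fetch_range() stands in
for the HTTP call with a constructed response so this runs offline.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (prefix, suffix): the first 5 and remaining 35 uppercase hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def http_fetch_range(prefix):
    """Real lookup: fetch the range for a 5-hex-char prefix (not called in the offline demo)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "exposure-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range):
    """Number of times `password` appears in the corpus (0 if never seen).

    `fetch_range(prefix)` returns the response body for RANGE_URL + prefix.
    The 35-character suffix is compared locally and never transmitted.
    """
    prefix, suffix = split_sha1(password)
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


def fake_fetch_range(prefix):
    """Constructed stand-in for the HTTP call: a short range containing one leaked suffix."""
    _, leaked_suffix = split_sha1("Summer2019!")       # pretend this password is in the corpus
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{leaked_suffix}:12345",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:3",
    ])


def check_many(passwords, fetch_range=fake_fetch_range):
    """Map each candidate to its breach count; handy for screening a dump against your own list."""
    return {pw: breach_count(pw, fetch_range) for pw in passwords}


if __name__ == "__main__":
    for pw, n in check_many(["Summer2019!", "correct horse battery staple"]).items():
        status = f"seen {n} times, reset it" if n else "not in corpus (still use MFA)"
        print(f"{pw!r}: {status}")
```

Pass http_fetch_range instead of the default to query the live service; because the service only ever learns the 5-character prefix, a response covers hundreds of unrelated hashes and cannot tell which one you were checking.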
- You observe strange network traffic patterns
Many a compromise was first noticed by strange, unexpected network traffic patterns. It could be a distributed denial of service (DDoS) attack against your company's web servers or large, unexpected file transfers to sites in countries you don't do business with. If more companies understood their legitimate network traffic patterns, there would be less need for a third party to tell them they are compromised. It's worth knowing that most of your company's servers don't talk to other servers in your company. Most of your company's servers don't talk to every workstation, and vice versa. Most of your company's workstations shouldn't be using non-HTTP/non-HTTPS protocols to talk directly to other places on the Internet.
What to do: If you notice strange, unexpected traffic, the best thing to do is probably to kill the network connection and start an IR investigation. A few years ago we might have said to err on the side of operational caution. Today you can't take any chances. Kill any suspicious transfers until they are proven legitimate.
If you don't understand your legitimate network traffic, you need to. Dozens of tools are designed to help you better understand and document your network traffic. I would recommend checking out free, open-source alternatives like Bro (now called Zeek) and Snort, but both take a lot of time, resources and research to use effectively. Instead, find a good commercial solution that has already done all the hard work for you.
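The three rules of thumb above turned into a minimal baseline check, as an added example that is not part of the original article: it runs over Zeek-style conn.log records and flags workstation-to-workstation traffic, server-to-server flows not on an allowlist, workstations speaking anything but HTTP/HTTPS to the Internet, and large outbound transfers. The subnet layout, the allowlist, the 50 MB threshold and the log lines are constructed for this demonstration; the field names follow Zeek's conn.log, reduced to the columns the rules need.

```python
"""Flag connections that break a simple traffic baseline (added example).

SERVERS, WORKSTATIONS, ALLOWED_SERVER_FLOWS, LARGE_UPLOAD_BYTES and
SAMPLE_LOG are assumptions; FIELDS is a subset of Zeek conn.log columns.
"""
import ipaddress

# Assumed network layout for the example.
SERVERS = ipaddress.ip_network("10.0.1.0/24")
WORKSTATIONS = ipaddress.ip_network("10.0.2.0/24")
WEB_PORTS = {80, 443}
LARGE_UPLOAD_BYTES = 50 * 1024 * 1024          # 50 MB sent in one connection
# Server-to-server flows you have documented as legitimate: (src, dst, port).
ALLOWED_SERVER_FLOWS = {("10.0.1.5", "10.0.1.9", 1433)}   # app server -> database

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "orig_bytes", "resp_bytes"]


def parse_conn_log(text):
    """Parse tab-separated conn.log lines; '#' header/comment lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        for k in ("id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes"):
            rec[k] = int(rec[k]) if rec[k] != "-" else 0   # Zeek writes '-' for unset
        records.append(rec)
    return records


def zone(ip):
    """Classify an address as server, workstation or internet."""
    addr = ipaddress.ip_address(ip)
    if addr in SERVERS:
        return "server"
    if addr in WORKSTATIONS:
        return "workstation"
    return "internet"


def classify(rec):
    """Return the list of baseline violations for one connection (empty if normal)."""
    src_ip, dst_ip = rec["id.orig_h"], rec["id.resp_h"]
    src, dst = zone(src_ip), zone(dst_ip)
    port, out_bytes = rec["id.resp_p"], rec["orig_bytes"]
    findings = []
    if src == "workstation" and dst == "workstation":
        findings.append("workstation-to-workstation (lateral movement?)")
    if src == "server" and dst == "server" and (src_ip, dst_ip, port) not in ALLOWED_SERVER_FLOWS:
        findings.append(f"undocumented server-to-server flow on port {port}")
    if src == "workstation" and dst == "internet" and port not in WEB_PORTS:
        findings.append(f"workstation using non-HTTP(S) port {port} to the Internet")
    if dst == "internet" and out_bytes >= LARGE_UPLOAD_BYTES:
        findings.append(f"large outbound transfer ({out_bytes // 1024 // 1024} MB)")
    return findings


def suspicious_connections(text):
    """Return [(uid, src, dst, findings)] for every record that breaks a rule."""
    out = []
    for rec in parse_conn_log(text):
        findings = classify(rec)
        if findings:
            out.append((rec["uid"], rec["id.orig_h"], rec["id.resp_h"], findings))
    return out


# Constructed sample (simplified Zeek conn.log columns, see FIELDS).
SAMPLE_LOG = "\n".join([
    "#fields\t" + "\t".join(FIELDS),
    "1.0\tC1\t10.0.2.15\t51000\t203.0.113.10\t443\ttcp\tssl\t4200\t180000",     # normal browsing
    "2.0\tC2\t10.0.2.15\t51001\t10.0.2.40\t445\ttcp\tsmb\t900\t700",           # workstation -> workstation SMB
    "3.0\tC3\t10.0.2.22\t51002\t198.51.100.5\t22\ttcp\tssh\t120000000\t5000",  # 114 MB out over SSH
    "4.0\tC4\t10.0.1.5\t44000\t10.0.2.15\t3389\ttcp\t-\t3000\t2000",           # server -> workstation, not a rule here
    "5.0\tC5\t10.0.1.5\t44001\t10.0.1.9\t1433\ttcp\t-\t500\t800",              # documented app -> DB flow
    "6.0\tC6\t10.0.1.5\t44002\t10.0.1.9\t445\ttcp\tsmb\t500\t800",             # same hosts, undocumented port
])

if __name__ == "__main__":
    for uid, src, dst, findings in suspicious_connections(SAMPLE_LOG):
        print(f"{uid}: {src} -> {dst}: " + "; ".join(findings))
```

The allowlist is where the real work lives: each documented server-to-server flow you add is one more piece of the "legitimate traffic pattern" the text says most companies never write down, and anything outside it is what you investigate first.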
Prevention is the best cure. Hoping that a program can perfectly detect malware and malicious hacking is pure folly. Keep an eye out for these common signs and symptoms of your computer being hacked. If you are risk-averse, as I am, always perform a complete computer restore after any breach. Once your computer has been compromised, the bad guys can do anything and hide anywhere. It's best to start over from scratch.
Most malicious hacking originates from one of three vectors: running Trojan horse programs, unpatched software, and responding to fake phishing emails. Do better at preventing these three things and you'll be far less reliant on the accuracy of your antimalware software, and on luck.