In today’s threatscape, antimalware software provides little peace of mind. In fact, antimalware scanners are horrifically inaccurate, especially with exploits less than 24 hours old. Malicious hackers and malware can change their tactics at will.
Swap a few bytes around, and a previously recognized malware program becomes unrecognizable. All you have to do is drop off any suspected malware file at Google’s VirusTotal, which has over 60 different antimalware scanners, to see that detection rates aren’t all as advertised.
To combat this, many antimalware programs monitor program behaviors, often called heuristics, to catch previously unrecognized malware. Other programs use virtualized environments, system monitoring, network traffic detection, and all of the above to be more accurate.
Still, they fail us on a regular basis. If they fail, you need to know how to spot malware that got through. Here are 15 sure signs you’ve been hacked and what to do in the event of a compromise.
- You get a ransomware message
- You get a fake antivirus message
- You have unwanted browser toolbars
- Your internet searches are redirected
- You see frequent, random popups
- Your friends receive social media invitations from you that you didn’t send
- Your online password isn’t working
- You observe unexpected software installs
- Your mouse moves between programs and makes selections
- Antimalware, Task Manager or Registry Editor is disabled
- Your online account is missing money
- You’ve been notified by someone you’ve been hacked
- Confidential data has been leaked
- Your credentials are in a password dump
- You observe strange network traffic patterns
Note that in all cases, the number 1 recommendation is to completely restore your system to a known good state before proceeding. In the early days, this meant formatting the computer and restoring all programs and data.
Today, it might simply mean clicking on a Restore button. Either way, a compromised computer can never be fully trusted again. Follow the recommended recovery steps listed in each category below if you don’t want to do a full restore. Again, a full restore is always a better option, risk-wise.
1. You get a ransomware message
One of the worst messages anyone can see on their computer is a sudden screen take-over telling them all their data is encrypted and asking for a payment to unlock it. Ransomware is huge! After a slight decrease in activity in 2017, ransom-asking programs have come roaring back.
Billions of dollars in productivity are being lost and billions in ransom are being paid. Small businesses, large businesses, hospitals, police stations, and entire cities are being brought to a halt by ransomware. About 50% of the victims pay the ransom, ensuring that it isn’t going away anytime soon.
Unfortunately, according to cybersecurity insurance firms who are often involved in the payouts, paying the ransom does not result in working systems about 40% of the time. Turns out that ransomware programs aren’t bug-free and unlocking indiscriminately encrypted linked systems isn’t as easy as putting in a decryption key. Most victims end up with many days of downtime and additional recovery steps even if they do pay the ransom.
What to do: First, if you’ve got a good, recent, tested data backup of the impacted systems, all you have to do is restore the involved systems and fully verify (officially called unit testing) to make sure the recovery was 100%. Sadly, most companies don’t have the great backups that they thought they had. Test your backups! Don’t let ransomware be the first time your company’s critical backups are being tested.
The best protection is to make sure you have good, reliable, tested, offline backups. Ransomware is gaining sophistication. The bad guys using malware are spending time in compromised enterprise environments figuring out how to do the most damage, and that includes encrypting or corrupting your recent online backups. You are taking a risk if you don’t have good, tested, backups that are inaccessible to malicious intruders.
If you belong to a file storage cloud service, it probably has backup copies of your data. Don’t be overly confident. Not all cloud storage services have the ability to recover from ransomware attacks, and some services don’t cover all file types. Consider contacting your cloud-based file service and explain your situation. Sometimes tech support can recover your files, and more of them, than you can yourself.
Lastly, several websites may be able to help you recover your files without paying the ransom. Either they’ve figured out the shared secret encryption key or some other way to reverse-engineer the ransomware. You will need to identify the ransomware program and version you are facing. An updated antimalware program might identify the culprit; often all you have to go on is the ransomware extortion message itself, but that is frequently enough. Search on that name and version and see what you find.
2. You get a fake antivirus message
You get a popup message on your computer or mobile device that it is infected. The pop-up message pretends to be an antivirus scanning product and purports to have found a dozen or more malware infections on your computer. Although this isn’t nearly as popular as it used to be, fake antivirus warning messages are still a situation that has to be dealt with in the right way.
They can occur because of two reasons: Either your system is already compromised or it is not compromised beyond the pop-up message. Hope for the latter. These types of fake antivirus messages usually have figured out a way to lock up your browser so that you can’t get out of the fake message without killing the browser and restarting it.
What to do: If you get lucky, you can close the tab and restart the browser and everything is fine. The fake message doesn’t show back up. It was a one-time fluke. Most of the time you’ll be forced to kill the browser. Restarting it sometimes reloads the original page that forced the fake ad onto you, so you get the fake AV ad again. If this happens, restart your browser in incognito or in private mode, and you can browse to a different page and stop the fake AV message from appearing.
The worse scenario is that the fake AV message has compromised your computer (usually due to social engineering or unpatched software). If this is the case, power down your computer. If you need to save anything and can do it, do so before powering down. Then restore your system to a previously known clean image. Most operating systems have reset features built especially for this.
Note: A related scam is the technical support scam where an unexpected browser message pops up warning that your computer has been compromised and to call the toll-free number on your screen to get technical support help. Often the warning claims to be from Microsoft (even if you’re using an Apple computer).
These tech support scammers then ask you to install a program, which then gives them complete access to your system. They will run a fake antivirus, which not surprisingly, finds lots of viruses. They then sell you a program to fix all your problems. All you need to do is give them a credit card to start the process.
Luckily, these types of scam warnings can usually be defeated by rebooting your computer or closing your browser program, and avoiding the website that hosted it upon you. Rarely has this type of malware done anything to your computer that requires fixing. If you fall for one of these tech support scams and you gave them your credit card, immediately report it to your credit card company and get a new credit card. Reset your PC as instructed above if you give the imposter tech support person remote access to your computer.
3. You have unwanted browser toolbars
This is a common sign of exploitation: Your browser has multiple new toolbars with names that seem to indicate the toolbar is supposed to help you. Unless you recognize the toolbar as coming from a well-known vendor, it’s time to dump the bogus toolbar.
What to do: Most browsers allow you to review installed and active toolbars. Remove any you didn’t want to install. When in doubt, remove it. If the bogus toolbar isn’t listed there or you can’t easily remove it, see if your browser has an option to reset the browser back to its default settings. If this doesn’t work, follow the instructions listed above for fake antivirus messages.
You can usually avoid malicious toolbars by making sure that all your software is fully patched and by being on the lookout for free software that installs these toolbars. Hint: Read the licensing agreement. Toolbar installs are often pointed out in the licensing agreements that most people don’t read.
4. Your internet searches are redirected
Many hackers make their living by redirecting your browser somewhere you don’t want to go. The hacker gets paid by getting your clicks to appear on someone else’s website. They often don’t know that the clicks to their site are from malicious redirection.
You can often spot this type of malware by typing a few related, very common words (for example, “puppy” or “goldfish”) into Internet search engines and checking to see whether the same websites appear in the results — almost always with no relevance to your terms. Unfortunately, many of today’s redirected Internet searches are well hidden from the user through the use of additional proxies, so the bogus results are never returned to alert the user.
In general, if you have bogus toolbar programs, you’re also being redirected. Technical users who really want to confirm can sniff their own browser or network traffic. The traffic sent and returned will always be distinctly different on a compromised computer vs. an uncompromised computer.
What to do: Follow the same instructions as for removing bogus toolbars and programs. Usually, this is enough to get rid of malicious redirection. Also, if you are on a Microsoft Windows computer, check your C:\Windows\System32\drivers\etc\hosts file to see if there are any malicious-looking redirections configured within. The hosts file tells your PC where to go when a particular URL is typed in. It’s hardly used anymore. If the timestamp on the hosts file is anything recent, then it might be maliciously modified. In most cases, you can simply rename or delete it without causing a problem.
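The hosts-file check described above, as an added example that is not part of the original article: it parses the file the same way the resolver does (one address followed by one or more names, comments stripped), flags every name mapped to anything other than loopback or the 0.0.0.0 sinkhole that ad-blocking lists use, and reports whether the file was modified recently. The Windows path is the one named in the text; the sample contents and the 30-day window are constructed for illustration.

```python
import os
import time

# Default Windows location named in the article; on Linux/macOS it is /etc/hosts.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Addresses that do not redirect anywhere: loopback, and the 0.0.0.0 sinkhole
# that ad-blocking hosts lists use. Anything else sends the name elsewhere.
NON_REDIRECTING = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample contents (not taken from a real infected machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1     myprinter.local          # legitimate local override
0.0.0.0       ads.example.net          # ad-block sinkhole, harmless
203.0.113.45  www.google.com google.com
203.0.113.45  bing.com duckduckgo.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_redirections(entries):
    """Entries that point a name at a real address rather than loopback/sinkhole.
    Every such line is worth a look; legitimate ones are usually few and known."""
    return [(ip, name) for ip, name in entries if ip not in NON_REDIRECTING]


def recently_modified(mtime_epoch, now_epoch=None, window_days=30):
    """True if the file timestamp falls inside the recent window the article warns about."""
    now = time.time() if now_epoch is None else now_epoch
    return (now - mtime_epoch) < window_days * 86400


def check_hosts_file(path=HOSTS_PATH):
    """Read the live hosts file and report redirections plus a modification-time flag."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = parse_hosts(fh.read())
    mtime = os.stat(path).st_mtime
    return {
        "redirections": find_redirections(entries),
        "recently_modified": recently_modified(mtime),
        "modified_at": time.ctime(mtime),
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call check_hosts_file()
    # on a real machine to inspect the live file.
    for ip, name in find_redirections(parse_hosts(SAMPLE_HOSTS)):
        print(f"redirect: {name} -> {ip}")
```

A recent timestamp on its own is only a hint: ad blockers, developer tooling and some VPN clients rewrite the hosts file legitimately, so treat the list of redirected names as the thing to explain, and the timestamp as the reason to look.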
5. You see frequent, random popups
This popular sign that you’ve been hacked is also one of the more annoying ones. When you’re getting random browser pop-ups from websites that don’t normally generate them, your system has been compromised. I’m constantly amazed by which websites, legitimate and otherwise, can bypass your browser’s anti-pop-up mechanisms. It’s like battling email spam, but worse.
What to do: Not to sound like a broken record, but typically random pop-ups are generated by one of the three previous malicious mechanisms noted above. You’ll need to get rid of bogus toolbars and other programs if you even hope to get rid of the pop-ups.
6. Your friends receive social media invitations from you that you didn’t send
We’ve all seen this one before. Either you or your friends receive invitations to “be a friend” when you have already connected friends on that social media site. Usually, you’re thinking, “Why are they inviting me again? Did they unfriend me and I didn’t notice, and now they are re-inviting me?” Then you notice the new friend’s social media site is devoid of other recognizable friends (or maybe just a few) and none of the older posts.
Or your friend is contacting you to find out why you are sending out new friend requests. In either case, the hacker either controls your social media site, has created a second near-look-alike bogus page, or you or the friend has installed a rogue social media application.
What to do: First, warn other friends not to accept the unexpected friend request. Say something like, “Don’t accept that new invitation from Bridget. I think she’s hacked!”. Then contact Bridget some other way to confirm. Spread the news in your common social media circles. Next, if not first, contact the social media site and report the site or request as bogus.
Each site has its own method for reporting bogus requests, which you can find by searching through their online help. It’s often as easy as clicking on a reporting button. If your social media site is truly hacked (and it isn’t a second bogus look-alike page), you’ll need to change your password (refer to the help information on how to do this if you don’t).
Better yet, don’t waste time. Change to multi-factor authentication (MFA). That way the bad guys (and rogue apps) can’t as easily steal and take over your social media presence. Lastly, be leery of installing any social media application. They are often malicious. Periodically inspect the installed applications associated with your social media account/page and remove all but the ones you truly want to have there.
7. Your online password isn’t working
If you are typing in your online password correctly, for sure, and it isn’t working, then you might be hacked. I usually try again in 10 to 30 minutes, because I’ve had sites experiencing technical difficulties not accepting my valid password for a short period of time. Once you know for sure that your current password is no longer working, it’s likely that a rogue hacker has logged in using your password and changed it to keep you out.
What usually happens in this scenario is that the victim responded to an authentic-looking phishing email that purportedly claimed to be from the service. The bad guy uses it to collect the logon information, logs on, changes the password (and other information to complicate recovery), and uses the service to steal money from the victim or the victim’s acquaintances (while pretending to be the victim).
What to do: If the scam is widespread and many of your acquaintances have been contacted, immediately notify all your close contacts about your compromised account. This will minimize the damage being done to others by your mistake. Second, contact the online service to report the compromised account. Most online services now have easy methods or email contact addresses to report compromised accounts. If you report your account as compromised, usually the service will do the rest to help you restore your legitimate access. Also, consider enacting MFA.
If the compromised logon information is used on other websites, immediately change those passwords. Be more careful next time. Websites rarely send emails asking you to provide your login information. When in doubt, go to the website directly (don’t use the links sent to you in email) and see if the same information is being requested when you log on using the legitimate method. You can also call the service via its phone line or email them to report the received phish email or to confirm its validity.
8. You observe unexpected software installs
Unwanted and unexpected software installs are a big sign that your computer has been hacked. In the early days of malware, most programs were computer viruses, which work by modifying other legitimate programs.
They did this to better hide themselves. Most malware programs these days are Trojans and worms, and they typically install themselves like legitimate programs. This may be because their creators are trying to walk a very thin line when the courts catch up to them. They can attempt to say something like, “But we are a legitimate software company.”
The unwanted software is often legally installed by other programs, so read your license agreements. Frequently, I’ll read license agreements that plainly state that they will be installing one or more other programs. Sometimes you can opt-out of these other installed programs; sometimes you can’t.
What to do: There are many programs that will show you all your installed programs and let you selectively disable them. My favorite checkers for Microsoft Windows are Microsoft’s free programs, Autoruns or Process Explorer. They don’t show you every program installed but they will tell you the ones that automatically start themselves when your PC is restarted (Autoruns) or the ones currently running (Process Explorer).
Most malware programs will be found embedded in the much larger list of legitimate running programs. The hard part can be determining what is and what isn’t legitimate. You can enable the “Check VirusTotal.com” options, and the programs, along with Google’s Virustotal.com website, will tell you which ones it thinks are malware. When in doubt, disable the unrecognized program, reboot the PC, and re-enable the program only if some needed functionality is no longer working.
9. Your mouse moves between programs and makes selections
If your mouse pointer moves while making selections that work (this is the important part), you’ve definitely been hacked. Mouse pointers often move randomly, usually due to hardware problems. If the movements involve making choices to run particular programs, malicious humans are somewhere involved.
This technique is not as common as some other attacks. Hackers will break into a computer, wait for it to be idle for a long time (like after midnight), then try to steal your money. Hackers will break into bank accounts and transfer money, trade your stocks, and do all sorts of rogue actions, all designed to lighten your cash load.
What to do: If your computer “comes alive” one night, take a minute before turning it off to determine what the intruders are interested in. Don’t let them rob you, but it will be useful to see what they are looking at and trying to compromise. Take a few pictures to document their tasks. When it makes sense, power off the computer. Unhook it from the network (or disable the wireless router) and call in the professionals. This is the one time that you’re going to need expert help.
Using another known-good computer, immediately change all your other login names and passwords. Check your bank account transaction histories, stock accounts, and so on. Consider paying for a credit-monitoring service. If you’ve been a victim of this attack, you have to take it seriously. Complete restore of the computer is the only option you should choose for recovery. If you’ve lost any money, make sure to let the forensics team make a copy first. If you’ve suffered a loss, call law enforcement and file a case. You’ll need this information to best recover your real money losses if any.
10. Antimalware, Task Manager, or Registry Editor is disabled
This is a huge sign of malicious compromise. If you notice that your antivirus software is disabled and you didn’t do it, you’re probably exploited — especially if you try to start Task Manager or Registry Editor and they won’t start, start and disappear, or start in a reduced state.
What to do: Perform a complete restore because there is no telling what has happened. If you want to try something less drastic first if on a Windows computer, try running Microsoft Autoruns or Process Explorer (or similar programs) to root out the malicious program causing the problems. They will usually identify your problem program, which you can then uninstall or delete.
If the malware “fights back” and won’t let you easily uninstall it, research the many methods on how to restore the lost functionality (any internet search engine will return lots of results), then restart your computer in Safe Mode and start the hard work. I say “hard work” because usually, it isn’t easy or quick. Often, I have to try a handful of different methods to find one that works. Before restoring the lost functionality, get rid of the malware program using the methods listed above.
11. Your online account is missing money
I mean lots of money. Online bad guys don’t usually steal a little money. They like to transfer everything or nearly everything, often to a foreign exchange or bank. Usually, it begins with your computer being compromised or from you responding to a fake phish from your bank or stock trading company. The bad guys log on to your account, change your contact information, and transfer large sums of money to themselves.
What to do: In most cases you are in luck because most financial institutions will replace the stolen funds (especially if they can stop the transaction before the damage is truly done). However, there have been cases where the courts have ruled it was the customer’s responsibility not to be hacked, and it’s up to the financial institution to decide whether they will make restitution to you.
To prevent this from happening in the first place, turn on transaction alerts that send text alerts to you when something unusual is happening. Many financial institutions allow you to set thresholds on transaction amounts, and if the threshold is exceeded or it goes to a foreign country, you’ll be warned. Unfortunately, many times the bad guys reset the alerts or your contact information before they steal your money. So, make sure your financial or trading institution sends you alerts anytime your contact information or alerting choices are changed.
12. You’ve been notified by someone you’ve been hacked
One of the top ways that any organization finds out they have been successfully compromised is a notification by an unrelated third party. This has been the case since the beginning of computers and continues to be true.
Verizon’s respected Data Breach Investigations Report has revealed that more companies were notified that they were hacked by unrelated third parties than organizations that recognized their own compromises. In July 2019, Microsoft revealed that it had detected nation-state attacks against over 10,000 of its customers since the beginning of the year.
What to do: First, figure out if you have truly been hacked. Make sure everyone slows down until you confirm that you have been successfully compromised. If confirmed, follow your predefined incident response plan. You have one, right? If not, make one now and practice with stakeholders.
Make sure that everyone knows that your IR plan is a thoughtful plan that must be followed. You don’t want anyone going off on their own hunting parties or anyone inviting more people “to the party” before it’s decided who needs to be involved. Your biggest challenge is going to be actually having people follow the plan in an emergency. Communicate and practice, ahead of time.
13. Confidential data has been leaked
Nothing confirms you’ve been hacked like your organization’s confidential data sitting out on the internet or dark web. If you didn’t notice it first, then likely the media and other interested stakeholders will be contacting your organization to confirm or find out what you are doing about it.
What to do: Like the previous sign, first find out if it’s true that it is really your confidential data out there. In more than a few cases, hackers have claimed to compromise a company’s data but didn’t have anything confidential. Either they made up the claim and data, only had publicly available data, or they had some other company’s data. So, first, confirm.
If it is your organization’s confidential data, it’s time to tell senior management, begin the IR process, and figure out what needs to be communicated to whom by when. In many countries and states, the legal requirement to report compromised customer data can be as short as 72 hours, and many times you won’t even be able to confirm the leak or how it happened in 72 hours. It goes without saying that you need to get legal involved.
14. Your credentials are in a password dump
Literally billions of valid (at least at one time) logon credentials are on the internet and dark web. They have usually been compromised by phishing, malware, or website database breaches. You will not usually be notified by third parties as is the case with other types of data leaks. You have to proactively look out for this sort of threat. The sooner you know this sort of thing has happened, the better.
You can check for compromised credentials one at a time using various websites (like Have I Been Pwned), check across multiple accounts using various free open source intelligence tools (like The Harvester), free commercial tools (like KnowBe4’s Password Exposure Test), or any of the commercial services that look for your company’s data and credentials all the time for a fee.
What to do: After first confirming whether the dump contains any currently used credentials, reset all your logon credentials. Start an IR process to see if you can figure out how your organization’s logon credentials ended up outside the company. Also, implement MFA.
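As an added example of the one-at-a-time check mentioned above (this is not code from the article or from Have I Been Pwned), the following script implements the k-anonymity lookup that the Pwned Passwords range API uses: the password is SHA-1 hashed locally, only the first five hex characters of the hash are sent, and the returned list of hash suffixes is matched on the machine, so the full hash never leaves it. The range response embedded here is constructed (the counts are invented), and the live fetch_range function assumes network access and is not needed to run the offline check.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Have I Been Pwned Pwned Passwords API

# Constructed sample of a range response for prefix 5BAA6. Real responses hold
# hundreds of "SUFFIX:COUNT" lines; the counts below are invented, and the
# entry with count 0 mimics the padding lines the service adds when asked to.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4C9B93F3F0682250B6CF8331B7EE68FD9:0
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def split_for_range_query(password):
    """SHA-1 the password and split it: the 5-char prefix is all that leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Map hash suffix -> breach count, dropping count-0 padding entries."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """Number of times the password appears in the dump data, 0 if absent."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup (needs network; not exercised offline). Add-Padding hides the
    true response size from anyone watching the connection."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password):
    """Full round trip: send only the prefix, match the suffix locally."""
    prefix, _ = split_for_range_query(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    n = breach_count("password", SAMPLE_RANGE_5BAA6)
    print(f"'password' seen {n} times in the constructed sample")
```

A non-zero count means the password should be reset even if you have no evidence the account itself was touched: the same credential is very likely being tried against every service where that e-mail address is known.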
15. You observe strange network traffic patterns
Many a compromise was first noticed by strange, unexpected network traffic patterns. It could have been a distributed denial of service (DDoS) attack against your company’s web servers or large, unexpected file transfers to sites in countries you do not do business with. If more companies understood their legitimate network traffic patterns, there would be less need for a third party to tell them they are compromised.
It’s good to know that most of the servers in your company don’t talk to other servers in your company. Most servers in your company don’t talk to every workstation in your company and vice-versa. Most workstations in your company should not be using non-HTTP/non-HTTPS protocols to talk directly to other places on the internet.
What to do: If you see unexpected, strange traffic that you cannot explain, it’s probably best to kill the network connection and start an IR investigation. Years ago, we probably would have said to err on the side of operational caution. Today, you can’t take any chances. Kill any suspicious transfers until they are proven legitimate.
If you don’t understand your valid network traffic, you need to do so. Dozens of tools are designed to help you better understand and document your network traffic. I would recommend checking out the free, open-source alternatives like Bro and Snort, but both require a lot of time, resources, and research to use effectively. Instead, find a good commercial solution that has already done all the hard work for you.
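The three baseline rules stated above (servers rarely talk to each other, workstations should not use non-HTTP/HTTPS protocols directly to the internet, and large transfers to outside hosts deserve an explanation) turned into a small triage pass over flow records, as an added example that is not part of the article and is not the output of any of the tools it names. The address ranges, the server-to-server allowlist, the 500 MB threshold and the sample flows are all constructed; a real deployment would load the baseline from its own inventory and feed it exported flow or firewall logs.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network layout: which ranges are servers, which are workstations,
# and the few server-to-server conversations that are expected.
SERVER_NET = ipaddress.ip_network("10.0.10.0/24")
WORKSTATION_NET = ipaddress.ip_network("10.0.20.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WEB_PORTS = {80, 443}
EXPECTED_SERVER_PEERS = {("10.0.10.20", "10.0.10.30", 5432)}  # web tier -> database
LARGE_OUTBOUND_BYTES = 500 * 1024 * 1024                      # 500 MB threshold


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str
    bytes_out: int


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return reasons a flow violates the baseline; an empty list means it looks normal."""
    reasons = []
    src = ipaddress.ip_address(flow.src)
    external_dst = not is_internal(flow.dst)

    # Workstations should reach the internet only over HTTP/HTTPS.
    if src in WORKSTATION_NET and external_dst and flow.dst_port not in WEB_PORTS:
        reasons.append("workstation using non-web protocol directly to the internet")

    # Servers rarely talk to each other; anything off the allowlist is suspect.
    if src in SERVER_NET and ipaddress.ip_address(flow.dst) in SERVER_NET:
        if (flow.src, flow.dst, flow.dst_port) not in EXPECTED_SERVER_PEERS:
            reasons.append("unexpected server-to-server connection")

    # Large outbound transfers to outside hosts are the classic exfiltration tell.
    if external_dst and flow.bytes_out >= LARGE_OUTBOUND_BYTES:
        reasons.append(f"large outbound transfer ({flow.bytes_out // (1024 * 1024)} MB)")

    return reasons


def triage(flows):
    """Run every flow through the baseline and keep only the ones with findings."""
    flagged = []
    for flow in flows:
        reasons = classify(flow)
        if reasons:
            flagged.append((flow, reasons))
    return flagged


# Constructed sample flow records (no real traffic; documentation IP ranges used for "internet").
SAMPLE_FLOWS = [
    Flow("10.0.20.15", "203.0.113.10", 443, "tcp", 20_000),          # normal browsing
    Flow("10.0.20.15", "198.51.100.7", 4444, "tcp", 1_500),          # non-web, direct out
    Flow("10.0.10.20", "10.0.10.30", 5432, "tcp", 80_000),           # expected web -> db
    Flow("10.0.10.20", "10.0.10.40", 445, "tcp", 12_000),            # lateral SMB, unexpected
    Flow("10.0.10.30", "203.0.113.200", 443, "tcp", 900 * 1024**2),  # 900 MB leaving the db server
    Flow("10.0.20.16", "10.0.10.20", 443, "tcp", 5_000),             # workstation -> web server
]

if __name__ == "__main__":
    for flow, reasons in triage(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}  {'; '.join(reasons)}")
```

The value of a pass like this is less in the three rules than in the allowlist they force you to write: documenting which server pairs are supposed to talk is the same work as understanding your legitimate traffic, and once it exists, every unexplained entry is a question for the IR process rather than background noise.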
Prevention is the best cure
The hope that an antimalware program can perfectly detect malware and malicious hacking is pure folly. Keep an eye out for these common signs and symptoms of your computer being hacked. If you are risk-averse, as I am, always perform a complete computer restore in the event of a breach. Once your computer has been compromised, the bad guys can do anything and hide anywhere. It’s best to just start from scratch.
Most malicious hacking originates from one of three vectors: running Trojan horse programs, unpatched software, and responding to fake phishing emails. Do better at preventing these three things, and you’ll be less likely to have to rely on your antimalware software’s accuracy — and luck.