It's happened, I was hacked

I didn't think it was possible but... Yeah, I had WhatsApp installed on my PC, so after they gained access to my PC they simply used WhatsApp to authorise PayPal transactions. Someone purchased £300 worth of PUBG Mobile codes... on cdkeys.com
They also tried to purchase codes on eneba but that had two factor authentication so they failed.

Anyway, just a warning. Don't have WhatsApp installed on your PC and don't use cdkeys.com; their support just said contact PayPal and refused to refund despite the codes not being used.

They also tried Amazon but I long since deleted any payment details on there.
 
You probably clicked a link you shouldn't have.
Probably. First time I've been hacked using a PC in 25 years; no one is infallible. I'm usually very careful. Saying that, after upgrading my PC I decided to rely on Windows Defender, bad call I guess.
 
WhatsApp native app or just a shortcut? Did they remote your PC to do it?
Native application, you download it then authorise it by scanning the QR code in WhatsApp. I've never used PayPal to verify transactions through WhatsApp before so I was really surprised to see it!
 
I see. You can do the same for the web application, which is what I use at web.whatsapp.com
If I'm compromised in the future they won't be able to use this method anymore as they would need my phone to authorise it.

I just feel so stupid for getting caught out and wanted to warn others.

I grabbed Avast as it was free and it picked up the trojans and deleted them. Anyone know of a better alternative? Not sure I trust Kaspersky and I didn't realise Bitdefender charged... may have to bite the bullet and just pay for it.

Edit: the trojan was PwrSh:ViperSoftX-D
 
Malwarebytes might pick up more.

Btw, do you use an adblocker, as that should stop most dodgy sites opening up tabs going to infected sites, I think.
Yeah, I use Adblocker Ultimate on Chrome, might go back to Firefox and grab the JavaScript blocker I used to use. I think it was nonamescript?
 
I didn't have any cracked games or software on this PC, which is why I was so confused as to how I was infected. I'm not networked to other PCs either.

This malware installs itself to the registry and runs from it too which makes it very difficult to remove. It's being actively developed which is prob why no av could catch it. Apparently it primarily targets crypto, I guess when they found no crypto they went after other stuff.

I've been refunded by PayPal now and added an authenticator to my phone too.