Someone remotely accessed my computer to initiate a wire transfer and deleted the notification out of my gmail

rx7ven

Junior Member
Apr 27, 2017
5
1
51
So today, someone initiated a wire transfer out of my broker account and they went into my Gmail to delete the notification quick style hoping I won't notice. If it weren't for my app alerting me, I would have never known. I was in front of my computer the whole time, nothing suspicious took place and I'm not one to click on shady scam and phishing links. Luckily I was able to call my broker to file a fraud case so they canceled the transaction. But now I'm wondering how did they do it? I have 2 factor turned on my Google account so I would have known if someone logged into my account but I received no such notification. I then went to go dig in my sessions in my Google account and I saw no new devices connected under my account. Then I clicked into my own device and this is what I see. I see someone from Arkansas had logged into MY COMPUTER here in California, "This Device"! How is that possible? Is it a VPN? It can't be. It doesn't make sense. They weren't controlling my computer or anything either. I also ran several anti malware scans and nothing special showed up.
 

Attachments

  • session.png

UsandThem

Elite Member
May 4, 2000
16,068
7,380
146
Tough to know exactly what happened (could have been a virus, malware, security hole, data leak or breach, program, etc.)

One of the first things I always do after installing Windows is disabling remote assistance / remote access to my PC. Also, if they were able to access your Gmail account and with you not getting a notification from the 2-factor authentication setting, something must have happened for them to gain and change settings.

I've had email services like Yahoo email have security breaches where my username, password, and other personal information was leaked. But I've never really had anything like that happen with Gmail. However, I use rather long passwords for all of my accounts, and I never use the same password for any of my accounts. I also change them every year or two for extra security.

Also, I just noticed the newest 20H2 Windows update reenables remote assistance again by default.

 

rx7ven

Junior Member
Apr 27, 2017
5
1
51
But remote assistance would mean I can see that they are controlling my computer, which is not the case here. I also checked all my security settings and everything is intact. If they gained access to my password, then it would show they logged in from a new device, but not from my own computer. How does Google show that my computer was logged in simultaneously from California and from Arkansas? My computer is hardwired here in California.
 

Steltek

Diamond Member
Mar 29, 2001
3,178
966
136
Google likely tracks login data by using the MAC address of the network adapter on your computer. It is possible the person who hit you could have spoofed the MAC address of their network adapter to match yours, which would have made it look like to Google that your machine was logging in from a different place. They were also probably logging in through a VPN server to hide their location, so I wouldn't just presume they were actually in Arkansas.

In any event, however they did it, it has happened. Were I in your situation, I would presume they have EVERYTHING - bank accounts, credit cards, the works. You simply can't afford not to. Change ALL of your account passwords now, preferably from a different computer. Consider requesting account number changes from the various institutions due to identity theft. Also, speak to your financial institutions to determine if you can totally block wire transfers if you don't routinely do them. And, file a police report if you haven't done so yet.

You say you ran a malware scan - did this include a scan for rootkits as well? Some malware scanners like Malwarebytes don't do this by default and actually require you to specifically enable rootkit scans as this functionality significantly slows scans and increases system resource usage. Consider a full wipe and reinstall for the affected computer as a must.

Look at any web browser extensions you have installed and consider getting rid of them. There are lots of them that purport to be valid but are in fact unknown malware - who knows what data they are actually collecting? Also, do you save website passwords in your browsers? I don't.

If you have a wireless router, is the firmware updated? Is the router old? Are you running adequate wireless security? Even WPA2 is broken now, but it is better than nothing. Further, there are some major, dangerous exploits out there now being actively utilized that affect a lot of popular routers (Netgear is a big one) whose firmware can be infected remotely to install malware directly on the router itself. There was also a new proof of concept demonstrated recently that allowed JavaScript to totally bypass NAT and firewalls on all routers. That one is going to be nasty to fix if it pans out.

I don't allow ANYONE to even touch the machine I use to handle my finances. It isn't that I don't trust them, but I can't trust them. Anyone had access to yours in the past year? Even trustworthy people sometimes do stupid things accidentally, like unintentionally mis-typing a URL or accessing a phishing link without thinking. So, I can't trust them with that machine.

If you are not already doing it, utilize complex passwords for all your accounts. If you have difficulty with this, use the free version of LastPass. It will generate the passwords for you and give you a secure way to store them. The free version also provides a mobile app for your phone (something a lot of the other companies charge for).
 
Reactions: VeryCharBroiled

postmortemIA

Diamond Member
Jul 11, 2006
7,721
40
91
rx7ven said:
But remote assistance would mean I can see that they are controlling my computer, which is not the case here. I also checked all my security settings and everything is intact. If they gained access to my password, then it would show they logged in from a new device, but not from my own computer. How does Google show that my computer was logged in simultaneously from California and from Arkansas? My computer is hardwired here in California.

PsExec can launch programs on your local computer remotely under your credentials, as long as they have credentials.
 
Reactions: Steltek
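
The replies above point at Windows Remote Assistance / remote access and at PsExec as possible paths. A read-only check of those paths on the affected PC could look like the following; this is an added example, not part of any poster's reply. The 30-day window and the helper name `Get-RegValue` are assumptions made for illustration, and the script must be run from an elevated PowerShell session.

```powershell
# Added example: read-only audit of the remote-access paths raised in this thread.
# Needs an elevated session, because the Security log is admin-only.

function Get-RegValue($Path, $Name) {   # hypothetical helper: $null if value is absent
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Remote Assistance / Remote Desktop switches
#    fAllowToGetHelp = 1 means Remote Assistance is allowed;
#    fDenyTSConnections = 0 means Remote Desktop is allowed.
$ra  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp'
$rdp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
[pscustomobject]@{
    RemoteAssistanceEnabled = ($ra -eq 1)
    RemoteDesktopEnabled    = ($rdp -eq 0)
}

# Turn an event's EventData fields into a name -> value table
function Get-EventFields($Event) {
    $fields = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data |
        ForEach-Object { $fields[$_.Name] = $_.'#text' }
    $fields
}

$since = (Get-Date).AddDays(-30)        # assumed look-back window

# 2. Services installed recently (System log, event 7045).
#    PsExec installs a service named PSEXESVC by default; the name can be
#    changed, so every install is listed and the default name is only flagged.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time = $_.TimeCreated; Service = $f['ServiceName']; Image = $f['ImagePath']
            LooksLikePsExec = ("$($f['ServiceName']) $($f['ImagePath'])" -match 'PSEXESVC')
        }
    } | Sort-Object Time | Format-Table -AutoSize

# 3. Successful logons that arrived over the network (type 3) or RDP (type 10)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time = $_.TimeCreated; User = $f['TargetUserName']
            LogonType = $f['LogonType']; SourceIp = $f['IpAddress']
        }
    } |
    Where-Object { $_.LogonType -in '3', '10' -and $_.SourceIp -notin '-', '::1', '127.0.0.1' } |
    Sort-Object Time | Format-Table -AutoSize
```

An empty result from steps 2 and 3 only means no such events remain in the logs for that window; logs that were cleared or have rolled over show nothing either.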