Possible Remote Connection to PC. Malicious Amazon and eBay Charges.

GoldenBoy99

Estimable
Aug 14, 2014
2
0
4,510
Hello! Sorry to be bothering anyone on this Christmas day, but this happened a few hours ago. Relevant details: Just before going to a Christmas gathering I bought some items on Amazon and then left for a Christmas gathering. I don't remember if I left the "order confirmed" page open or not, but the Amazon login info is stored on the browser and the credit card info comes up on Amazon automatically too. As we were coming back from the Christmas gathering my mom noticed emails about charges (eBay gift card $100, multiple PlayStation gift cards). I explained that those weren't from me and are what scammers would buy. I initially thought it was just the credit card that got compromised, but when I got home to my PC the tab that was up was the Amazon checkout page of the PS gift cards. I thought that maybe I left Amazon up and the page auto-refreshed, but I checked History and I could see the person's searches and path. Then, most disturbingly, I pressed the back arrow on the Amazon tab and went through all of the different listings they bought, from Amazon and eBay. The Amazon charges were made with the saved card, and the eBay one with PayPal, which I assume was saved on it.

I don't have TeamViewer, but the fact that I could see all of their progress in that Chrome tab made me think my PC (Win 10, desktop, no Wi-Fi card, just ethernet) had been remotely accessed. After this I shut the PC down and tried to turn it on again, but it stopped for a few minutes on the ASUS screen with the rotating circle of dots. I then shut it down, unplugged the ethernet cable, and tried it again. It worked then. Maybe this part is just coincidence since I usually hibernate my PC instead of shutting it down and it could've needed to do something, but idk. I tried it just now with the ethernet in and it made it past that screen instantly as I have an SSD. I haven't experienced any slow speeds or other problems with this PC before. This apparent intrusion is my only one. The credit card is cancelled, and the Amazon and PayPal passwords have been changed from another device, and I'll change all my other passwords I use on that PC to something new.

First, does this sound like remote access to you guys? If so, what is an appropriate course of action? Will some malware removal tool do the trick or maybe something obvious is hiding in my processes? Finally, and maybe this can wait for later or I can look into it myself, is there anything I can do to prevent this again since I don't know how they could've got in? I've removed malware before but never something like this. All I can think is possibly I inadvertently clicked an infected ad or link, and it was able to install itself. I haven't noticed this application though, and Windows Defender hasn't noticed it yet. After I submit this post I'll try to start with Malwarebytes. The timing of this incident is also suspect since I haven't bought anything for a while on this PC and two hours after I do someone else buys hundreds of dollars of items. Also, I have my PC set to sleep after 2 hours which is when it should require a password again. My last search on the PC was 10:53, and the first search by the scammer was 12:54, so they must've got in right at the end. Their last search was only 7 minutes after that, but they had already tried to get many things through Amazon and eBay.

And of course, I'll be unlinking payment info and passwords from my browsers now in addition to the changed passwords, as well as reducing the time for the PC to require a password again.

TL;DR: Fraudulent charges were made with credit card and PayPal for Amazon and eBay items. Home PC shows a tab going through these websites, purchasing these items. Is this a remote access, any idea how it happened, and what can I do to be sure everything is secure?
 
USAFRet

Illustrious
Moderator
Yes, this does look like some sort of remote access. Not just a compromised credit card.
You seeing their search history in your browser confirms it.

Full wipe and reinstall.
Just a malware removal is not good enough. You have no idea what else they put in there.

GoldenBoy99

Thanks for the fast responses! I'll look into wiping and reinstalling and get that done. I think I'll back my Steam games, documents, pics, etc. onto another hard drive and wipe the rest. As for the items, they were instant email codes and I don't think they changed any addresses as they had access to the PC. The eBay one was sent to our email and they could see the Amazon codes as soon as they purchased them, so no need to send them anywhere special. No one could get to the PC as the doors to the house were locked, and I'll just say there were some valuables around the PC that would've been a lot easier to get away with than PS cards.

Also, I don't believe the slow start-up was a coincidence. Even with ethernet disconnected it took around 10 minutes on that screen and still didn't start. I then tried again and had to just put it into safe mode after it still wasn't working. Malwarebytes detected 3 trojans, and I got rid of those, but I'll continue with the wipe.