Skip to content
Naked Security Naked Security

Questions linger after ISP blocks TeamViewer over fraud fears

Data stolen from an ISP after a breach has led to its customers being targeted by scammers - but blocking a widely used tool is not a way to improve security

Last Wednesday, for no apparent reason, the TeamViewer remote desktop application stopped working on the network of one of the UK’s largest ISPs, TalkTalk.

It’s a popular application with remote support professionals and power users alike and so support forums soon filled with complaints from perplexed users who noticed that access was possible with 4G and some TalkTalk business connections but not home broadband.

Complaints such as the following:

No access in North Yorkshire with TalkTalk – nightmare for work. If they can’t fix this within the day will have to cancel as I need this connection for my livelihood (sic). Terrible.

By Thursday, journalists dragged the truth out of the company that it had “blocked a number of applications including TeamViewer,” which led to a joint statement confirming this on TeamViewer’s website:

TeamViewer and TalkTalk are in extensive talks to find a comprehensive joint solution to better address this scamming issue.

We now know (as some suspected at the time) that the block was connected to abuse of TeamViewer by criminals based in India who had been using it as part of a tech support scam targeting TalkTalk customers.

The BBC reported on this two days before the block, including the disturbing claim that the criminals had been able to quote stolen customer account data to make scam calls sound more convincing.

On Thursday, TalkTalk turned off the block and TeamViewer started working again. Still puzzled, we decided to probe deeper.

Pulling the plug on an application without warning is, as far as we know, almost unheard of for a UK ISP, so one might assume that this happened because the company believed it was an emergency situation.

But why block an application without informing customers until a day later? Forum comments suggest that even TalkTalk’s own telephone support staff were unaware of the TeamViewer block at first. And what changed on Thursday to allow it to be unblocked?

TalkTalk told Naked Security:

Like all ISPs we constantly monitor our network and testing regimes in order to protect our customers from any potential and known risks.

That’s hardly elucidating. TeamViewer, meanwhile, told us that it had raised the issue of the block with TalkTalk as soon as it heard of it and took the view that filtering one application missed the point that criminals could abuse numerous others too.

TeamViewer was not at fault for what happened. On that basis “you could go ahead and block email,” TeamViewer’s Axel Schmidt told Naked Security, pointedly.

Both companies alluded to improving security without giving detail. We’ll refrain from mentioning one or two possibilities for security reasons but an obvious mitigation would be for TalkTalk to temporarily filter application traffic from Indian IP addresses, a short-term solution at best. Presumably, TeamViewer is also combing its user base for fraudulent accounts.

Although far from new, it’s where this is going that worries us. Tech support scams that hijack remote desktop tools look like an ever-expanding front for fraud that, even without stolen customer data, is hard to counter. TeamViewer and TalkTalk will not be the last victims, nor India the last host. The industry – and customers – should take this threat very seriously.

Defence is about following simple rules:

Never allow a cold caller to install anything on your computer – hang up.

Never respond to web pop-ups suggesting you call a support line.

Be aware that fraudsters are now using stolen data to make their calls sound more convincing – no cold caller is trustworthy, period.

When encountering scams, complain through official channels such as Action Fraud in the UK or the FBI.

Above all, spread the word.

And the industry:

Start communicating. When blocking an application, tell customers ASAP.

Work pre-emptively with remote desktop providers

Customer intel is vital – don’t ignore complaints


 

4 Comments

I have come across this issue of con man using remote support software to an ill end like the fake Microsoft help team from India that tried to access my system by getting me to install Logmein.com remote support software, being in IT i never did this but did waste 30min of there time and reported the detail for Logmein to Logmein.com

Reply

Well, agreed with the viewpoint of Axel Schmidt. Time for TalkTalk to block email, Skype, web sessions, browsers, their own network, internet to their users & eCommerce sites.

That covers most areas and applications of misuse and fraud?

Reply

I have had the same problem with TalkTalk except I have been using Anydesk.com application and it is still blocked. the last I have heard from TalkTlka is this
Hi Ian, we’re working with a number remote desktop providers on improving security for our customers, we recommend speaking with the application provider for the latest service

Reply

Although they have unblocked Teamviewer there is still a block on Anydesk and maybe more smaller companies. This really is not on

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!