Reddit – Dive into anything

Edit 2: If you’ve also fell for this, you need to disconnect the infected computer from your network and immediately change all your passwords on a known good device and make sure 2FA/MFA is enabled on everything you can. It’s worth scanning any other computers on your network just in case. All storage drives installed on the infected PC (especially the OS drive), and any storage like flash drives connected to the PC since infection need to be wiped and your OS reinstalled (don’t try creating an OS installer on your infected PC, if you don’t have one do it on a known good device). As far as I know this should resolve the issue, but if you have any other suggestions please comment them

Edit for more visibility: Use uBlock Origin! It’ll get rid of ads like this (whitelist anyone you want to support or consider contributing money directly, but be careful with who/what you whitelist). And still keep the 1st point in mind

Tldr at the bottom

First thing: This applies to any software of course, always download from official sources or trusted 3rd parties, don’t blindly trust the first links to pop-up.

Second thing: Use MFA (Multifactor Authentication) on everything as this will prevent the majority of instances of an account being compromised.

Third thing: I can’t 100% confirm this was because of a malicious Afterburner download, but it’s my best guess based on the information I have

——————————————————

Story time:

Yesterday morning (the 12th) I had some accounts compromised: 3 Google accounts, my PayPal, and my Amazon. PayPal sent me a text alert early morning yesterday warning of suspicious activity and asked me to confirm an order for over $2000 placed at Best Buy. I of course confirmed that it was not me, and I soon after got in contact with Best Buy. My number was tied to the order probably because it’s tied to my PayPal so when I called Best Buy it told me about the order that was tied to my number which was a MacBook, but got nothing else as the Best Buy location for the pick-up was closed. I then contacted Best Buy support chat and successfully got the order cancelled to get a jumpstart on the refund process instead of waiting on just PayPal to resolve things

I changed my PayPal password and thought that was the end of it, but later in the day when trying to log into Amazon I learned that had been compromised too. It told me due to suspicious activity the password had to be reset and that I needed a OTP (one time password) sent to my email in order to get in. Problem was I was not seeing the OTP in my email. I tried resending a OTP multiple times, checked spam, refreshed multiple times and nothing. I assumed Amazon’s servers were just having some trouble but decided to check my trash folder and there they were.

This immediately spooked me as that should not have gone to the trash so I decided to do some investigating and found out my filter settings were changed to automatically mark anything from Amazon as “read” and to trash it, but also for anything from Best Buy and PayPal. I knew my email had also been compromised at this point and I investigated further.

I looked into my Google account activity history and discovered there were searches on 3 of my Google accounts. My main account (with the filter settings changed, and only one with filter settings changed) had a search for “coinbase” as well as a search for “amazon” (but this search is said to be done through Google apps). 2 other accounts also had searches for “coinbase” but that was it. These were not me and I was asleep during this time.

Later on I discovered through the activity history in Gmail specifically that on one of my emails there was a login from some other IP address (activity was all me on the other 2 when I discovered this). Interestingly this IP is from my same ISP, but it’s in another state. However, the Best Buy pickup was for a faraway state the ISP doesn’t even service so I’m guessing this IP was spoofed and maybe it made the attackers job easier to disguise as coming from the same ISP.

——————————————————

Onto the Afterburner stuff:

On the 11th I decided to redownload Afterburner (get the latest version), I did a Google search and clicked on the first link which was an ad but appeared to be from MSI. While installing it Windows Security popped up some alerts about threats and seemingly resolved them. I then decided to uninstall that Afterburner install and get it straight from MSI’s site and had no issues there and figured that was the end of it.

A couple hours ago I decided to look into the Afterburner thing some more since it’s the only suspicious thing I can think of that happened recently, and sure enough I found an article from last year detailing a site disguised as MSI offering a download of Afterburner but bundled with malicious software that MSI themselves gave a PSA warning about. Here’s that article: https://www.pcworld.com/article/394551/dont-get-fooled-by-this-malware-ridden-msi-afterburner-fake.html

Here’s a screenshot I took on Edge (Chrome wasn’t showing the link when I searched again) of these bad links, the second link is the one I went to which was the first result when I searched for it on Chrome but they are all bad. https://imgur.com/a/6rroIH0

I scanned the malicious Afterburner download as well as an Afterburner download straight from MSI. As you can see the malicious download shows threats:

Malicious download: https://www.virustotal.com/gui/file/0b72865ee76d0fe8ce86da24035e723bfe1460c9b7ca43f9dc308653ae20a868

Legit download: https://www.virustotal.com/gui/file/42b257623c9445d5bc5eeddd44da8cc885c43a16fd2a98077338f937b777eaa3

Last night while logging my Google accounts out of all devices (from a separate device) I discovered that my main PC (where I downloaded the malicious Afterburner) showed activity from the same state as the IP address I found earlier. No malicious devices were found, and no other of my devices showed activity from out of state so it appears that it’s my PC that was compromised.

Based on the article, the Window Security detected threats, the scans, and the fact the suspicious activity shows as seemingly coming from my main PC, I’m assuming this was caused by that malicious Afterburner download.

I’ll be contacting PayPal, Google, and Best Buy (again) to find out more details. I already contacted Amazon but could not get any details beyond what was attempted to be ordered on my account which was a RTX 3080 Ti. I’ve already changed my passwords for my compromised accounts and will continue changing passwords for everything else I can think of (all from a separate device).

——————————————————

Additional screenshots:

Activity on my main PC outside where I live (I’m from Utah, Colorado is the suspicious activity): https://imgur.com/a/fsvdtl2

Screenshots of the suspicious searches, tampered filter settings, and security activity on one of my accounts showing nothing suspicious (all me): https://imgur.com/a/HRhKbyx

I made a post on r/cybersecurity_help if you want any additional details you might find there: https://www.reddit.com/r/cybersecurity_help/comments/td2598/3_google_accounts_amazon_and_paypal_accounts_were/

Final notes:

My emails have stayed logged in on my PC for awhile so I don’t think this is an instance of keylogging. I received no emails about my Google accounts relating to suspicious activity but I understand these could have been permanently deleted along with possibly other trails. If you have any insight to offer on exactly what might have happened please feel free to chime in!

tldr: Compromised accounts, MacBook and 3080 Ti fraudulent orders, thought back to a suspicious Afterburner download and found a article detailing a fake MSI site with a malicious Afterburner download, scanned the malicious download next to a legit Afterburner download which showed threats on the malicious one, combining all this with the details I found about my accounts I put 2 and 2 together and am assuming the malicious download led to my problems.