Retail store PC compromised

Modder man ([H]ard|Gawd, joined May 13, 2009, 1,770 messages)
A friend of mine has a small retail store; the network is just a Time Warner business connection and their provided equipment. One of the machines on the network was compromised and all accounts associated with that machine were drained. What can I do to determine how they got in? Should I care how they got in? What steps should I take to ensure that it does not happen again?
 
How do you know it was compromised? What does "all accounts associated with that machine were drained" mean?

Have you actually scanned the PC for malware? Is the PC up to date on all security updates and running any protection software? Do the people using the PC have admin rights that could have led to them installing malware?
 
All of the people have admin rights; it is just a consumer laptop sitting on the front counter. This is the machine that he does his orders from. "All accounts drained" means that any account that was used for purchasing on this machine was drained: bank accounts emptied and credit cards maxed out. I haven't done anything with the machine, and I don't know what he has done. I just got pulled into this this morning.
 
File a police report and let them handle it.

Use a new system, lock it down by removing admin rights, up to date AV, firewall, etc. Use it only for invoicing.
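Added example, not from any post in this thread: a PowerShell lockdown pass for the replacement invoicing PC that does what the reply above lists (remove admin rights, firewall on, AV on and current). The account names 'owner' and 'counter' are assumptions; the built-in cmdlets are from Windows 10/11's LocalAccounts, NetSecurity and Defender modules. Run it once from an elevated prompt on a freshly installed machine.

```powershell
# Added example (not from the thread): lock down a freshly installed Windows PC
# that will be used only for ordering/invoicing. Run from an elevated prompt.
# Account names are assumptions: 'owner' keeps admin, 'counter' is the shared
# front-counter login that must NOT be an administrator.
$AdminToKeep = 'owner'
$CounterUser = 'counter'

# 1. One standard user for daily work. New-LocalUser does not add the account to
#    any group, so add it to Users explicitly. A dropper running as this account
#    cannot install a service, driver or system-wide autostart entry.
if (-not (Get-LocalUser -Name $CounterUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $CounterUser"
    New-LocalUser -Name $CounterUser -Password $pw | Out-Null
}
Add-LocalGroupMember -Group 'Users' -Member $CounterUser -ErrorAction SilentlyContinue

# 2. Strip every user except the owner and the built-in Administrator from the
#    Administrators group. Names come back as COMPUTER\user, hence the split.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and
                   ($_.Name -split '\\')[-1] -notin @($AdminToKeep, 'Administrator') } |
    ForEach-Object {
        Write-Host "Removing $($_.Name) from Administrators"
        Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name
    }

# 3. Built-in Administrator and Guest stay disabled; the owner uses a named account.
Disable-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
Disable-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue

# 4. Firewall on for every profile, inbound blocked by default. An invoicing PC
#    needs no inbound connections at all.
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True -DefaultInboundAction Block

# 5. Defender real-time protection on, then show how old the signatures are.
#    (Fails harmlessly if Tamper Protection already pins this setting.)
Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
$status = Get-MpComputerStatus
"Defender real-time: $($status.RealTimeProtectionEnabled); signatures updated: $($status.AntivirusSignatureLastUpdated)"

# 6. Show file extensions so 'invoice.pdf.exe' is visible for what it is.
#    This key is per-user: run this line once logged in as the counter account too.
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name HideFileExt -Value 0

# 7. Most recent installed updates, to confirm the box is actually patched.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

After this the counter account can still run the ordering site and print invoices, but cannot install software, change the firewall or turn Defender off. Everything else the thread suggests (a separate machine for browsing, a reboot-to-restore product) sits on top of this, not instead of it.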
 

Could the users of the PC browse the internet as well? This is pretty much the worst case scenario for a PC handling any credit or financial information. It is very likely that the PC has multiple bits of malware on it from various people clicking links on Facebook and Google search results and such. I really don't think you need to spend a lot of time trying to determine the "how" here. This happened because there was zero security protocol for protecting that machine and the owners were tremendously irresponsible in how they let the PC get used.
 
Agreed. I didn't know if it was worth the time to investigate the how, or just move forward with better practices.
 
The other thing is that the "attack" could have been initiated by someone inside the company. It seems fishy that the bank accounts were drained. Usually when a remote hacker does this crap they just steal the CCs.
 
I do wonder about that. Some of his employees are flat out shady. I don't know that I can protect him from himself if he continues to let them work there, though.
 
Holy crap that's bad security.

One question. Did you scan? If it was compromised then that should show up. If nothing is there it was likely an inside job.
 
It's a friend of mine; I'm not going to run away. This is not a paid job, I will just do what I can to help and try to fix some broken practices. I'm not on the hook for anything.
 
Many banking trojans/viruses can come in via emails, attachments, etc. Could have been someone calling the store and directing them to phishing site. Could have been employees browsing the internet. Trojans that target businesses will absolutely drain any accounts they get the credentials for, it's very common.
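Added example, not from any post in this thread: a read-only PowerShell triage pass to run on the laptop before it is wiped, covering the places the banking trojans described above normally persist (Run keys, scheduled tasks, non-Microsoft services) and the user-writable folders where e-mail attachments and drive-by downloads land. The output folder E:\triage and the 30-day window are assumptions; run it from an elevated prompt and take the CSVs off the machine on removable media.

```powershell
# Added example (not from the thread): read-only triage of common autostart
# locations on a Windows PC suspected of carrying a banking trojan.
# Run from an elevated PowerShell prompt; it changes nothing on the machine.
# $OutDir is an assumed path; point it at removable media so evidence leaves the box.
$OutDir = 'E:\triage'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Registry Run/RunOnce keys. HKCU: covers only the logged-in user; log in as
#    each account that used the laptop (or load their NTUSER.DAT) to see theirs.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psNoise = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notin $psNoise } |
        Select-Object @{n='Key';e={$key}}, Name, Value
} | Export-Csv "$OutDir\run_keys.csv" -NoTypeInformation

# 2. Scheduled tasks outside the \Microsoft\ folder, with what each one executes.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        foreach ($a in $_.Actions) {
            [pscustomobject]@{
                TaskName  = $_.TaskName
                State     = $_.State
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    } | Export-Csv "$OutDir\scheduled_tasks.csv" -NoTypeInformation

# 3. Services whose binary lives outside \Windows\ (legitimate third-party software
#    shows up here too, so this list is for review, not automatic deletion).
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notlike '*\Windows\*' } |
    Select-Object Name, State, StartMode, PathName |
    Export-Csv "$OutDir\services.csv" -NoTypeInformation

# 4. Executables and scripts recently written to user-writable locations: where
#    attachments and drive-by downloads land. Widen the window to the date the
#    fraud was first noticed if 30 days is too short.
$since = (Get-Date).AddDays(-30)
$userDirs = Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
    @("$($_.FullName)\Downloads", "$($_.FullName)\AppData\Local\Temp",
      "$($_.FullName)\AppData\Roaming", "$($_.FullName)\AppData\Local")
}
Get-ChildItem -Path ($userDirs + 'C:\ProgramData') -Recurse -Force -ErrorAction SilentlyContinue `
    -Include *.exe,*.dll,*.scr,*.js,*.vbs,*.ps1 |
    Where-Object { $_.LastWriteTime -gt $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            SizeKB        = [math]::Round($_.Length / 1KB)
            Signature     = $sig.Status     # unsigned droppers stand out here
            SHA256        = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        }
    } | Export-Csv "$OutDir\recent_binaries.csv" -NoTypeInformation

# 5. Established connections with the owning process, for a trojan still phoning home.
Get-NetTCPConnection -State Established |
    Select-Object LocalPort, RemoteAddress, RemotePort,
        @{n='Process';e={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
    Export-Csv "$OutDir\connections.csv" -NoTypeInformation
```

A clean AV scan does not mean these lists are clean: an unsigned binary under AppData with a recent timestamp and a matching Run key or scheduled task is exactly what a signature scanner misses when the sample is new. Hash anything suspicious before touching it, and keep the CSVs; they are the part of the "how" that is cheap to collect now and impossible to collect after a reinstall, and the police report is better for having them.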
 
Actually a pet store. I am thinking it is most likely from employee web browsing.
 
Sounds fishy to me.

An inside job is very likely IMO, but since there is like ZERO security a hacker would have a field day.

BTW, I just can't understand WHY, for the love of the almighty Lord and his son Jesus, credit/debit card information is saved on the PC.
 

The info likely isn't stored on the PC (hopefully not!), I suspect it was getting scraped when it is entered/scanned in.

If the owner wants to let the employees mess around online while working, there should be a separate PC they can use for it and the invoice PC should be locked down.
 
What he said. I highly doubt the information was stored on the PC. What I don't know is whether it is being collected, or how it is being collected.
 
Had access to the machine for a bit today, no malware or anything found on the machine.
 

Giving all users admin rights is not correct :p. Everyone can do everything.

I believe one or more people who work in the store did that....

The question is "how to prove it" :D

My suggestion is:
report to the police first, as a precaution, and think later about how to handle it or find the culprit!
 
Going to echo the whole 'calling the cops' thing and the idea that, yeah, these users should be using a guest account.

Since they're on a guest account, put some sort of VM on it, or even a program to restore the computer and wipe off whatever new Miley Cyrus pics they downloaded. Shadow Defender is good, so is Reboot Restore Rx. Both are free. Don't mind spending some cash? Deep Freeze and Drive Vaccine work well.

Once you're set up you should look into one of these options to lock down the computer and erase their (clearly) troublesome behaviours.
 