The hack of popular streamer Dellor - how did it actually happen and how can people protect themselves from this particular type of attack?

kofman13

Many of you might not know of the streamer dellor but he is pretty popular and has received lots of hate and trolling over the years. Recently he was hacked. He apparently lost "everything": this virus infected all his computers on the network, "destroyed his smart lights and smart home devices", they got his bank passwords, electric company, dumped his robin hood account, he couldn't pay rent or pay bills, they took over his cellphone account. Like literally destroyed his life.

here is a video covering it.

https://www.youtube.com/watch?v=-I6WDlpikHw&ab_channel=EsportsTalk

In his tweets and videos he is saying it was a "keylog trojan, a rat file". What exactly does that mean? It's not clear how he got hacked this bad. Did someone trick him into running a virus inside a file? Or was he just minding his business on his computer and someone just magically remotely hacked him because they knew his IP address? And side-note, he says he had 2FA turned on for all accounts.

what do you think? and how can people protect themselves besides not being popular enough to target?

 

EDIT: in one scene in the video he shows all his Hue hubs and smart lighting bulbs and smart switches and all the other smart home stuff saying they destroyed it all. how can a hacker destroy a smart hub or smart light bulb with a virus from his computer?

CPU: Intel 5820K OC 4GHZ | RAM: 16GB Corsair | GPU: ASUS STRIX 1070 8GB OC | Samsung EVO 980 500GB


Just now, kofman13 said:

it's not clear how he got hacked this bad

$10 says he was a dumbass and clicked or downloaded something he shouldn't have.

Quote me to see my reply!

SPECS:

CPU: Ryzen 7 3700X Motherboard: MSI B450-A Pro Max RAM: 32GB I forget GPU: MSI Vega 56 Storage: 256GB NVMe boot, 512GB Samsung 850 Pro, 1TB WD Blue SSD, 1TB WD Blue HDD PSU: Inwin P85 850w Case: Fractal Design Define C Cooling: Stock for CPU, be quiet! case fans, Morpheus Vega w/ be quiet! Pure Wings 2 for GPU Monitor: 3x Thinkvision P24Q on a Steelcase Eyesite triple monitor stand Mouse: Logitech MX Master 3 Keyboard: Focus FK-9000 (heavily modded) Mousepad: Aliexpress cat special Headphones:  Sennheiser HD598SE and Sony Linkbuds

 

🏳️‍🌈


Either he was really stupid or he made it up.

I don't think someone would have been able to do that by themselves.

elephants


Just now, kelvinhall05 said:

$10 says he was a dumbass and clicked or downloaded something he shouldn't have.

Maybe. Did you watch the video already that fast? lol. Also he says in one of the twitter video clips in the video that "now i know about security and we are good to go". Does that mean he might have not been careful and was clicking on random stuff?

CPU: Intel 5820K OC 4GHZ | RAM: 16GB Corsair | GPU: ASUS STRIX 1070 8GB OC | Samsung EVO 980 500GB


Just now, FakeKGB said:

Either he was really stupid or he made it up.

I don't think someone would have been able to do that by themselves.

It's really scary, like some Live Free or Die Hard movie plot stuff... but at the same time hard to believe from what I know (which is limited). Like to get hacked that bad you would usually have to willfully open a really bad virus manually on your computer, right? Because usually if a website is bad Windows Defender or something like Malwarebytes will block it, or if a file is bad it will warn you or not even let it finish downloading. Is it possible to just hack someone as bad as he is saying just from knowing their IP... like remotely? Or would they have to befriend them and trick them into opening a virus, like phishing?

CPU: Intel 5820K OC 4GHZ | RAM: 16GB Corsair | GPU: ASUS STRIX 1070 8GB OC | Samsung EVO 980 500GB


5 minutes ago, kofman13 said:

Maybe. Did you watch the video already that fast? lol. Also he says in one of the twitter video clips in the video that "now i know about security and we are good to go". Does that mean he might have not been careful and was clicking on random stuff?

 

I read this as "I was a dummy and got phished"

Quote me to see my reply!

SPECS:

CPU: Ryzen 7 3700X Motherboard: MSI B450-A Pro Max RAM: 32GB I forget GPU: MSI Vega 56 Storage: 256GB NVMe boot, 512GB Samsung 850 Pro, 1TB WD Blue SSD, 1TB WD Blue HDD PSU: Inwin P85 850w Case: Fractal Design Define C Cooling: Stock for CPU, be quiet! case fans, Morpheus Vega w/ be quiet! Pure Wings 2 for GPU Monitor: 3x Thinkvision P24Q on a Steelcase Eyesite triple monitor stand Mouse: Logitech MX Master 3 Keyboard: Focus FK-9000 (heavily modded) Mousepad: Aliexpress cat special Headphones:  Sennheiser HD598SE and Sony Linkbuds

 

🏳️‍🌈


For the most part, frequently applying security updates to your systems is one of the best ways to keep them safe from attacks that don't require user action. The majority of major security flaws in software are in things that are open to the internet and are generally server side exploits. Take CVE-2021-24078, which is a nasty vuln in Windows DNS Server, which could allow for mass data theft and disruption of services simply by sending an email with embedded images pointing to an unknown malicious domain. For client systems, which typically aren't exposed to the internet for unsolicited requests, there's rarely any major security issues that don't require action from a user. EternalBlue is the last one I can think of.

 

Setting up frequent scheduled scans for viruses/malware is another good practice for protecting against malicious files a user may have downloaded. 

 

If you're following those two steps, short of a specifically targeted attack, you're unlikely to fall victim to anything as widespread and devastating as what's being claimed. If he always had MFA setup, I find it hard to believe that so many accounts were stolen via a RAT keylogger.

 

I'd imagine he's either making stuff up or exaggerating, or he fell victim to a phishing/social engineering attack and doesn't want to admit it. Most successful attacks are through getting someone to reveal their information themselves rather than actually hacking and compromising systems, at least outside of government aided attacks as the complexity of compromising a system to that extent takes a lot of resources.

Link to comment
Share on other sites

Link to post
Share on other sites

Never heard of him, but sounds like he fell for a phishing scam and got keylogged (allows a "hacker" to get everything he types) and the RAT, is a remote access trojan... which creates a backdoor to let someone have access to his computer/network. Soo... yeah. He messed up. He was likely targeted by a "hacker" and he fell hook, line and sinker to the scheme. 

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


RAT = Remote Access Tool. These things are MUCH more than keyloggers, they give the host full access to everything on the client machine. That includes screen viewing, webcam viewing, audio listening, full access to the HDDs of the system and any network drives, access to the computer's task manager and a remote console. The ratter can do pretty much anything with your PC that you can, plus has the ability to log every single keypress you make.

 

To the people saying "it's impossible to install a trojan without prompting the user", sorry but you're wrong. The RAT host will generate a patch that you use to infect client machines with and it will be 100% stealth. You have to get it on to the client machine (usually done by remote access ala Team Viewer type apps) but all you have to do is drop it into the user's Startup folder and when they reboot the app runs automatically with Windows. Once it's running it will delete the patch, remains resident in memory and cannot be detected by the user at all.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)
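
An added example, not part of the post above: a read-only PowerShell listing of the autostart locations the post refers to, so a user can review what launches at logon. It goes beyond the Startup folders by also reading the `Run`/`RunOnce` registry keys; the function and variable names are made up for this sketch, and a status other than `Valid` is a prompt to look closer, not proof of malware.

```powershell
# Added example (not from the thread): list what runs at logon, with signature status.
# Read-only: nothing is deleted or changed.
$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk shortcut targets

function Get-SignatureStatus([string]$Path) {
    # Authenticode status of the target file, or a marker if it no longer exists
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        [string](Get-AuthenticodeSignature -LiteralPath $Path).Status
    } else { 'TargetNotFound' }
}

# 1) Per-user and all-users Startup folders
$startupDirs = 'Startup', 'CommonStartup' | ForEach-Object { [Environment]::GetFolderPath($_) }
$fromFolders = foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object Name -ne 'desktop.ini' |
        ForEach-Object {
            $target = if ($_.Extension -eq '.lnk') {
                $shell.CreateShortcut($_.FullName).TargetPath
            } else { $_.FullName }
            [pscustomobject]@{
                Source    = $dir
                Entry     = $_.Name
                Target    = $target
                Added     = $_.CreationTime
                Signature = Get-SignatureStatus $target
            }
        }
}

# 2) Run / RunOnce registry keys (generalisation beyond the Startup folder)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$fromRegistry = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        # Take the executable from the command line: quoted path first, else first token.
        # Unquoted paths containing spaces will show as TargetNotFound; check those by hand.
        $target = if ($command -match '^\s*"([^"]+)"') { $Matches[1] }
                  else { ($command.Trim() -split '\s+')[0] }
        [pscustomobject]@{
            Source    = $key
            Entry     = $name
            Target    = $target
            Added     = $null            # registry values carry no per-value timestamp
            Signature = Get-SignatureStatus $target
        }
    }
}

$all = @($fromFolders) + @($fromRegistry) | Where-Object { $_ }
$all | Sort-Object Source, Entry | Format-Table -AutoSize -Wrap

# Entries worth a closer look: unsigned, tampered, or pointing at a missing file
$all | Where-Object Signature -ne 'Valid' | Format-List Source, Entry, Target, Added, Signature
```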


14 minutes ago, Master Disaster said:

RAT = Remote Access Tool. These things are MUCH more than keyloggers, they give the host full access to everything on the client machine. That includes screen viewing, webcam viewing, audio listening, full access to the HDDs of the system and any network drives, access to the computer's task manager and a remote console. The ratter can do pretty much anything with your PC that you can, plus has the ability to log every single keypress you make.

 

To the people saying "it's impossible to install a trojan without prompting the user", sorry but you're wrong. The RAT host will generate a patch that you use to infect client machines with and it will be 100% stealth. You have to get it on to the client machine (usually done by remote access ala Team Viewer type apps) but all you have to do is drop it into the user's Startup folder and when they reboot the app runs automatically with Windows. Once it's running it will delete the patch, remains resident in memory and cannot be detected by the user at all.

Interesting. So he would still have to open an infected file someone tricked him into downloading and opening, not simply them injecting it into your system just by knowing your IP address.

CPU: Intel 5820K OC 4GHZ | RAM: 16GB Corsair | GPU: ASUS STRIX 1070 8GB OC | Samsung EVO 980 500GB


25 minutes ago, kelvinhall05 said:

 

I read this as "I was a dummy and got phished"

This tweet and others I see, and the fact that they went for his crypto currency in his Robin Hood account before anything else makes me think that it was some social engineering phishing scam involving some cryptocurrency or investment scheme and they got him to install something....

CPU: Intel 5820K OC 4GHZ | RAM: 16GB Corsair | GPU: ASUS STRIX 1070 8GB OC | Samsung EVO 980 500GB


11 minutes ago, kofman13 said:

Interesting. So he would still have to open an infected file someone tricked him into downloading and opening, not simply them injecting it into your system just by knowing your IP address.

That's just it, no he doesn't have to open anything.

 

All the actor needs is remote access to your PC by way of something like Team Viewer, they usually get this by pretending to be someone else on the phone and tricking you into allowing them into your PC. Once they're in all they have to do is drop the patch into your Startup folder (which they can do without you ever knowing) and wait for you to reboot your PC.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


15 minutes ago, Master Disaster said:

That's just it, no he doesn't have to open anything.

 

All the actor needs is remote access to your PC by way of something like Team Viewer, they usually get this by pretending to be someone else on the phone and tricking you into allowing them into your PC. Once they're in all they have to do is drop the patch into your Startup folder (which they can do without you ever knowing) and wait for you to reboot your PC.

ok then I'm good, I'd never fall for anything like that

CPU: Intel 5820K OC 4GHZ | RAM: 16GB Corsair | GPU: ASUS STRIX 1070 8GB OC | Samsung EVO 980 500GB


36 minutes ago, kofman13 said:

ok then I'm good, I'd never fall for anything like that

That can still be bundled into a legit-looking application, and when you're prompted by Windows UAC during the install, and accept, you've basically installed it yourself. Though in this case it was targeted, so most likely phishing.

 

Still, don't install stuff from untrusted sources, and don't click on links in emails.

If you need help with your forum account, please use the Forum Support form !


58 minutes ago, wkdpaul said:

That can still be bundled into a legit-looking application, and when you're prompted by Windows UAC during the install, and accept, you've basically installed it yourself. Though in this case it was targeted, so most likely phishing.

 

Still, don't install stuff from untrusted sources, and don't click on links in emails.

Sounds possibly more like spear-phishing. If someone is hated for some reason, you can bet people will try to bait them into doing something.

 

Like enterprise banking involves installing security tools. Consumer, nah.

 

Though I'm highly skeptical when people say they were hacked. Usually only one of two things are true:

a) They did something stupid and are embarrassed about it/caught in a lie

b) They want to hide something illegal/immoral/unethical

 

Like when MMO players claim they were hacked, they almost certainly downloaded an unauthorized tool, and that tool stole their login token in the background. There is a reason why cheat tools always trip AV products, and have done so since games were on floppy disks.

 

The only difference between Windows Vista and later from earlier OS's in this regard is that people often get told to "run it in Admin" as a troubleshooting step, and that's just plain bad advice. Like streamers keep getting told to run OBS or Streamlabs in Admin, which just leads to a chain of "always run everything in admin to stream with it", so it would not surprise me if this was the case, but my money is on "wants to hide their losses on robinhood"

 


2 hours ago, kofman13 said:

 

what do you think? and how can people protect themselves besides not being popular enough to target?

Easy, don't make yourself a target. Typical troll behavior is:

1) Find someone to take down a peg, usually someone who is a self-proclaimed white-knight or snowflake

2) Bait them into doing something out of character, and then use it as proof that they're just like everyone else

 

The people who run troll sites straight up want to make everyone trolls.

 

So you avoid being a target by not being someone of public interest. Be yourself, and don't bathe in internet cesspools. That stink doesn't come off. If you want to be a lawyer, politician or involved in law enforcement, every single bad thing you've ever done, will come back to haunt you.

 

Quote

EDIT: in one scene in the video he shows all his Hue hubs and smart lighting bulbs and smart switches and all the other smart home stuff saying they destroyed it all. how can a hacker destroy a smart hub or smart light bulb with a virus from his computer?

Because IoT stuff are mostly insecure toys. Flash the firmware over and over and it's done. When all WiFi routers came with no security turned on, it was pretty easy to just access them, flash the firmware, and lockout the owner. Consider that old open 802.11b/g routers can be hijacked from 500m away.

 

There's also ways of inducing bootloops in SoC and microcontrollers that prevent them from being recovered.

Link to comment
Share on other sites

Link to post
Share on other sites

Disclaimer, I have no idea who that guy is and what happened to him. But word of advice, if someone actually targets you specifically then you are in big, big trouble. Depending on the lengths someone is willing to take to get to you, you need to be extremely careful and paranoid to have any chance of not getting screwed over.

 

In his case, being a public figure? My first angle of attack would be to see if you can send him stuff to a p/o box or something like that. Get (or better yet make) a cool USB gadget that you think would catch his interest and infect that one with a Trojan horse. If he is not careful and plugs that into any of his PCs inside his private network you have a very good chance to be able to actually get in. Once that door is open there is a lot of damage you can do depending on your skill-set and patience.


10 hours ago, XWAUForceflow said:

In his case, being a public figure? My first angle of attack would be to see if you can send him stuff to a p/o box or something like that. Get (or better yet make) a cool USB gadget that you think would catch his interest and infect that one with a Trojan horse. If he is not careful and plugs that into any of his PCs inside his private network you have a very good chance to be able to actually get in. Once that door is open there is a lot of damage you can do depending on your skill-set and patience.

There's plenty of pentesting devices that can be used that way. There are even real looking USB charging cables that can be loaded with scripts or software to be installed when connected to a computer, one I know is the O.MG cable: https://shop.hak5.org/collections/hotplug-attack-tools/products/o-mg-cable

 

There are plenty of other products like this out there, and as you said, if the hacker has them in their sight and is persistent, the victim hasn't much chance.

If you need help with your forum account, please use the Forum Support form !


Never heard of this guy in my life but some quick Google research on him leads me to strongly believe that if this happened at all, it happened to him because he did something dumb. 

Corps aren't your friends. "Bottleneck calculators" are BS. Only suckers buy based on brand. It's your PC, do what makes you happy.  If your build meets your needs, you don't need anyone else to "rate" it for you. And talking about being part of a "master race" is cringe. Watch this space for further truths people need to hear.

 

Ryzen 7 5800X3D | ASRock X570 PG Velocita | PowerColor Red Devil RX 6900 XT | 4x8GB Crucial Ballistix 3600mt/s CL16


8 hours ago, Middcore said:

Never heard of this guy in my life but some quick Google research on him leads me to strongly believe that if this happened at all, it happened to him because he did something dumb. 

Thing is, most people don't understand security when it comes to computers, they don't understand having their account as the local admin is bad, that having separate emails for financial/important vs website registration/social media stuff should be a thing by default, that MFA/2FA should be enabled on all possible accounts, that restricting your personal social media account as much as possible is important (i.e. Facebook, lots of people have everything set to 'public'), etc.

 

Also, no, Microsoft won't call you or send you an email because they saw that you have a virus on your computer, no the government isn't going to call you because you owe them money that you have to transfer using iTunes gift cards, etc... the amount of people falling for this is completely ridiculous.

Edited by wkdpaul

If you need help with your forum account, please use the Forum Support form !


On 2/24/2021 at 9:03 AM, wkdpaul said:

Thing is, most people don't understand security when it comes to computers, they don't understand having their account as the local admin is bad, that having separate emails for financial/important vs website registration/social media stuff should be a thing by default, that MFA/2FA should be enabled on all possible accounts, that restricting your personal social media account as much as possible is important (i.e. Facebook, lots of people have everything set to 'public'), etc.

 

Also, no, Microsoft won't call you or send you an email because they saw that you have a virus on your computer, no the government isn't going to call you because you owe them money that you have to transfer using iTunes gift cards, etc... the amount of people falling for this is completely ridiculous.

I am reading about "local admin" problems now, and I'm looking into what to change. So you're saying if I install apps with admin account but then actually have my daily-use on the non-admin second account, any potential viruses wouldn't be able to do any system wide changes because that infected account doesn't have admin privileges? And virus can't leap over to the admin account?

Or do you mean local admin is bad as in I should set up Windows with Microsoft account instead of local?

CPU: Intel 5820K OC 4GHZ | RAM: 16GB Corsair | GPU: ASUS STRIX 1070 8GB OC | Samsung EVO 980 500GB


14 minutes ago, kofman13 said:

I am reading about "local admin" problems now, and I'm looking into what to change. So you're saying if I install apps with admin account but then actually have my daily-use on the non-admin second account, any potential viruses wouldn't be able to do any system wide changes because that infected account doesn't have admin privileges? And virus can't leap over to the admin account?

Or do you mean local admin is bad as in I should set up Windows with Microsoft account instead of local?

Running day to day as an Admin is a huge risk, if you're lazy about security.

 

People get infected with viruses by clicking on stupid shit on the internet.  This isn't an argument, it's a hard fact.

 

For better security, you want an Admin account that you ONLY use to install new software.  

 

Your daily driver shouldn't even be a Power User, if you want the best security.  

 

You should also make sure that the UAC popup in windows is enabled.  That DOES actually help.


3 minutes ago, kofman13 said:

I am reading about "local admin" problems now, and I'm looking into what to change. So you're saying if I install apps with admin account but then actually have my daily-use on the non-admin second account, any potential viruses wouldn't be able to do any system wide changes because that infected account doesn't have admin privileges? And virus can't leap over to the admin account?

Yes and no, viruses can still do damage even if they don't have admin privileges from the user's account. And a virus can be activated if you're using the admin account and the UAC prompts were disabled.

 

What's important is reducing attack vectors as much as possible, having a non-admin user as your main account is preferable since anything that requires elevated privileges will have a prompt.

 

Using the admin account as little as possible makes for a safer environment. I get that people prefer ease of use and see passwords and prompts as an inconvenience, but better be safe than sorry. I setup computers that I give to family members that way, and I underline that using the admin account as the default account means I won't be able to help if they have an issue like viruses.

If you need help with your forum account, please use the Forum Support form !
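
An added example, not part of the posts above: a PowerShell check of the two settings the last replies discuss, whether the account you are logged in with is a member of Administrators and whether UAC prompting is switched on. It only reads the current token and the standard UAC policy values; the variable names are made up for this sketch.

```powershell
# Added example (not from the thread): is the daily-use account an admin, and is UAC prompting?
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# whoami lists the group even when UAC has filtered it to "deny only",
# so this detects an admin account running un-elevated.
$groups = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, Sid, Attributes
$isAdminAccount = [bool]($groups | Where-Object Sid -eq $adminSid)

# True only if THIS PowerShell session is running with the full admin token
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal $identity
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# UAC policy values
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$findings = @()
if ($isAdminAccount) { $findings += 'Logged-in account is in Administrators: use a standard account day to day.' }
if ($isElevated)     { $findings += 'This session is elevated: everything started from it inherits admin rights.' }
if ($uac.EnableLUA -ne 1) { $findings += 'UAC is disabled (EnableLUA != 1).' }
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'Admins elevate with no prompt (ConsentPromptBehaviorAdmin = 0).' }
if ($uac.PromptOnSecureDesktop -eq 0) { $findings += 'UAC prompt is not shown on the secure desktop.' }

[pscustomobject]@{
    User           = $identity.Name
    IsAdminAccount = $isAdminAccount
    IsElevated     = $isElevated
    UacEnabled     = ($uac.EnableLUA -eq 1)
    AdminPrompt    = $uac.ConsentPromptBehaviorAdmin
    Findings       = if ($findings) { $findings -join ' ' } else { 'None' }
} | Format-List
```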
