Augh!
I need some help. Hopefully, someone out there has the technical expertise to advise me on this. I'm driving myself crazy with paranoia...
I'll try to lay out all the facts, as best I can.
First, I work as a technical service expert in the IT department of a MAJOR financial corporation in the U.S. My job consists of tracking down issues with the internal computer applications (mostly web-based) and resolving them. I used to do actual development, but management discovered I was better at analysis than development, so I got moved to a role that is more analysis less development. Anyway, I have above average PC skills, but am no expert, especially on cyber-security.
Second, the town where I live is serviced by Mediacom cable, and that is who we use for both TV and internet. Mediacom charges for internet usage by the GB (this is important). For the past month or two, there has been a MASSIVE problem in this town with people "losing" GB of data. For example, my daughter is also with Mediacom and generally only uses 10-15 GB per month. But last month her usage report on her bill said she used 500 GB. When she called to complain they shut her down with "you must be streaming more," except she was on vacation for half the month, and didn't stream anything more than usual when she wasn't. I noticed my usage was almost double what it usually is this month too. Plus, the local community web-board has had over 250 other people in town complaining of the same thing, to varying degrees. But, Mediacom has laughed off every complaint with "not our problem." In addition, multiple people (including my daughter) have called in to have tech-support come to their house about the problem only to have them never show, and when they call in to find out why, find that the ticket was closed with a note that the customer called in and cancelled (which was not actually done).
Third, I am using Windows 10. Just reloaded my PC from July 20-25 because of another issue and after finishing ran every test on Shields Up to check for vulnerabilities. I passed every test.
So, that's the background. I think that's all of it...
Last Thursday, my daughter called to complain about all this. Prior to that, I heard rumblings of the situation, but didn't concern myself much because it didn't seem to affect me, yet. After she called I went to the ISP website to check my usage, and WOW... WAY TOO HIGH! Getting to that page, I accidentally logged into my Mediacom online web-mail account, which I have never used. And, while I was in their web pages, I filled out an online form for service on an unrelated issue (we're missing a few channels from our cable line-up, ones we pay extra to get).
On Friday, while I was on my nightly commute home from work, I was hacked.
Here's how I found out... I got home and checked my email. In it was a note from eBay that I had purchased some bed sheets and a chalk board. Um, ok... I hadn't. I checked eBay, and sure enough, there were the purchases. I asked around the family, nobody in the house had made the purchases. I called eBay to complain and have them cancelled. The eBay tech checked and said that the items were bought from a PC with the "same electronic signature" as my last authorized purchase there. Uh-oh.
So, I went and checked my browser history. Sure enough, at 4:36 eBay. First an attempt to buy an iTunes gift card, stopped when PayPal asked for a password. Then another attempt with the same result. Then, a search using "search.mediacom.com" and a third attempt. Then, the purchase of the chalk board, which went through because of PayPal autopay. Then the bed sheets, same thing. Finally one last attempt at a gift card failed and that was the end of that at 4:47.
Now, a few notes on the above. I left for work that morning at 7:00 and got back home at 6:00. So that browser history section from the hack stands out like a sore thumb. My wife was home during the time and was on the phone in the same room as my PC, and there was nobody at it. And, search.mediacom.com is the search engine that the ISP pushes as the default when you load the "welcome pack" they send you when first purchasing their service. Naturally, the first thing most people do is switch that to Google or Bing or anything else. Truthfully, it's been so long since I went through this, I forgot it existed.
I spent the rest of that night looking for vulnerabilities and shutting them down, including disabling all remote host stuff built in to Windows 10, and telling my firewall not to allow any remote access attempts. I also changed all my passwords even though the goober didn't break any that I could see. I checked all the Windows logs I could find, and see absolutely no other movement on my PC in any way. I saw no other applications, other than the browser run in that time period.
The next morning, I woke up and started to assemble all the details I had to take to the police. When looking in Chrome to get the browser history I noticed that from 6:56 - 7:05 that morning the goober was in my browser AGAIN! This time he attempted to buy an iTunes gift card, failed, then went and bought a small adapter for a PSP. That got him into PayPal, I assume through the autopay(?), where he proceeded to change the contact phone number to one that tracked back to a town an hour away. Naturally, I called that number and got a message that the "TextNow" customer couldn't be reached.
Except for small bursts here and there, I've been disconnected since. I bundled up all the logs, and screenshots of all the details and handed it all over to the police.
Now for the questions and such...
I have no clue how the goober got in, especially on the second day. Any ideas? As far as I know, everything was locked down, and there is no evidence at all of him doing more than messing around in the browser. So, what more should I look at to lock down? I plan to do a full wipe and reinstall of everything (again), but am worried that whatever I might have missed before will be missed again. Will a wipe and reinstall be enough to change my signature enough so that if he now has a direct link to my machine it will no longer work and to find me he'll have to scan for me again? I've asked my ISP to change my IP, will that help? Any good guides out there on how to lock Windows 10 tight? (But, again, I was checked and running tight, and had my firewall set to stealth, so I don't know how he found me to begin with unless it was a worm on the ISP site.) Is there *any* way to tell if I am secure short of just waiting to see if he hits me again? I've turned on logging on the router and firewall, if he tries again before I get around to the re-load, hopefully, I'll catch his IP.
There are more questions, millions more, but this post is long enough.
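The poster found the intrusion by reading Chrome's history by hand and spotting visits during hours when nobody was at the PC. The script below is an added example (not the poster's code) that automates that check: it reads Chrome's History SQLite file, which stores each visit as microseconds since 1601-01-01 UTC (the "WebKit epoch"), and flags every visit that falls inside a window when the owner was known to be away. The database contents, the date and the URLs are constructed sample data; `build_sample_history` stands in for a copy of the real `History` file, and the 07:00-18:00 absence window mirrors the commute described in the post.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps count microseconds from 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(webkit_us: int) -> datetime:
    """Convert a Chrome visit_time value to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_datetime (used to build the sample rows and the query bounds)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Chrome's History file.

    Only the columns the script reads are modelled: urls(id, url, title) and
    visits(id, url, visit_time). Rows are made up to resemble the pattern in the post.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT NOT NULL, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER NOT NULL,
                             visit_time INTEGER NOT NULL);
    """)
    day = datetime(2024, 3, 15, tzinfo=timezone.utc)  # constructed date
    sample = [
        (day.replace(hour=6, minute=40), "https://news.example/", "owner, before leaving"),
        (day.replace(hour=16, minute=36), "https://www.ebay.com/itm/0000", "gift card attempt"),
        (day.replace(hour=16, minute=40), "https://search.mediacom.com/?q=chalk+board", "search"),
        (day.replace(hour=16, minute=47), "https://www.paypal.com/checkout", "checkout"),
        (day.replace(hour=19, minute=30), "https://mail.example/", "owner, home again"),
    ]
    for i, (when, url, title) in enumerate(sample, start=1):
        conn.execute("INSERT INTO urls VALUES (?, ?, ?)", (i, url, title))
        conn.execute("INSERT INTO visits VALUES (?, ?, ?)", (i, i, datetime_to_webkit(when)))
    conn.commit()
    return conn


def open_history(path: str) -> sqlite3.Connection:
    """Open a copy of a real Chrome History file read-only (Chrome locks the live one)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def visits_in_window(conn: sqlite3.Connection, start: datetime, end: datetime):
    """Return (time, url, title) for every visit with start <= time < end."""
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url "
        "WHERE v.visit_time >= ? AND v.visit_time < ? ORDER BY v.visit_time",
        (datetime_to_webkit(start), datetime_to_webkit(end)),
    ).fetchall()
    return [(webkit_to_datetime(t), url, title) for t, url, title in rows]


def unattended_activity(conn: sqlite3.Connection, absences):
    """Flag every visit that falls inside any (start, end) window when nobody was at the PC."""
    flagged = []
    for start, end in absences:
        flagged.extend(visits_in_window(conn, start, end))
    return flagged


def demo_flagged_urls():
    """Run the check against the constructed data; returns the flagged URLs in time order."""
    day = datetime(2024, 3, 15, tzinfo=timezone.utc)
    away = [(day.replace(hour=7), day.replace(hour=18))]  # out of the house 07:00-18:00
    return [url for _, url, _ in unattended_activity(build_sample_history(), away)]


if __name__ == "__main__":
    for url in demo_flagged_urls():
        print("visit while nobody was home:", url)
```

On a real machine, copy `History` out of the Chrome profile directory first (Chrome holds the live file locked), open the copy with `open_history`, and express the absence window in local time converted to UTC, since Chrome stores every timestamp in UTC. Visits flagged this way are evidence that the browser session itself was driven while the owner was away, which is exactly the kind of timestamped record the poster bundled for the police; it does not by itself say how the session was reached, so it complements rather than replaces the Windows event logs and router/firewall logs mentioned above.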