Has a Cyberstalker Taken Over Your Life? Here’s How to Get It Back | by PCMag | PC Magazine | Sep, 2021


Someone gained complete control over your computers and smartphones and now they’re making your digital life a nightmare. When a stalker gets their hooks in that deep, escape is difficult, but we can help.

By Neil J. Rubenking

Picture this. You enter your house and find a stranger (or an enemy) sitting at your kitchen table chowing down on your leftover potato salad and reading your mail. You order him out, but before long, he’s back. You change the locks. You call the police (who can’t seem to do anything). No matter what you try, you can’t get rid of the unwanted invader. Eventually, in desperation, you change your name and move out of state.

It may sound like an unlikely tale in the physical world, but in the digital realm, it’s a lot easier for a stalker to occupy and effectively own your online life. I’m not just talking about an over-controlling partner stalking you with software so as to know your location and read your texts—terrible as that is. I’m talking here about a complete takeover, where someone else, known or unknown to you, can read your email, post to your social media feeds, and run any software they want (including malware) on your computer.

This terrible concept isn’t just something I made up for clicks, sadly. It started with an email from a reader seeking help for a relative who was experiencing exactly this kind of digital stalking. The shadowy nemesis changed passwords on the relative’s phone and computer, altered settings to eliminate operating system security features, and gained full access to his email.

Yes, they reported this invasion to the police, but the police couldn’t do anything. There was no smoking gun, no physical evidence, no video footage of the perp fleeing the crime scene. Even the best detectives may not be trained to investigate cybercrime.

I talked over the problem with my colleagues who deal in security at one level or another. What advice can we offer this poor unfortunate soul? In the end, we concluded there’s just one way to recover, and it’s about as annoying as having to change your name and move out of state.

Among the less drastic ideas we kicked around were these: Get a new email address. Run an antivirus scan. Run a bunch of scans with aggressive cleanup apps such as Malwarebytes Free. Reinstall Windows. But we couldn’t guarantee any of these would foil a determined stalker.

It’s likely that the attacker initially gained control of the PC using a Remote Access Trojan (RAT). If this type of malware slips past your antivirus, its owner has unlimited power over your PC. Exempt the RAT from future antivirus scans? Sure! Turn off all security settings in Windows? No problem! In fact, the RAT-pilot can reconfigure Windows to permit remote control without requiring any malware. That degree of control can even make the RAT redundant, so it’s no big deal if a subsequent malware scan removes it.

As for reinstalling Windows, this task comes in various levels. To get rid of entrenched malware and restore safe settings, you’d need the most extreme level, meaning you’d have to reconfigure the PC as if it were new. That’s a major pain, and it still might not even do the job: Though not common, malware that can survive a Windows reinstall exists.

Don’t even think about getting a new email address until you’ve verifiably eliminated the remote presence on your computer. Otherwise, the attacker will own your new account the moment you log in.

Even if your PC has been purified, a corrupted mobile device could taint it all over again, especially a jailbroken device. Jailbreaking removes safeguards built into the mobile operating system, opening it to all kinds of vulnerabilities. Some people deliberately jailbreak their phones so they can use certain iffy apps. To those people I say…don’t do that! Jailbreaking an Apple device almost certainly requires physical access, but software-only jailbreak apps (including malicious ones) exist for Android.

Resetting a smartphone to factory settings is a relatively easy task compared with resetting a Windows box. And it’s painless, as you can restore your apps and settings from the cloud. But hold on a moment: Chances are good that your stalker has compromised that cloud profile. Restoring from your tainted cloud profile will just put the stalker back in charge.

In every scenario we gamed, trying to fix the problem one step at a time didn’t play out. Oust the stalker from one device and he weasels back in from another, or from an online account. It’s not easy, but you really need to start fresh with clean devices and clean accounts.

Given that half-measures may not do the job, you need to grit your teeth and prepare to spin up a new computer, a new smartphone, a new phone number, and a new email address. That’s the way to make a sure escape from this kind of domineering stalker. Yes, it’s extreme, but the victim in our real-world example was happy to follow this advice.

Don’t fling the old devices into the shredder just yet, but do strip them of all connectivity. Unplug Ethernet cables, turn off cellular connections, disable Wi-Fi, turn off Bluetooth. While you’re at it, reset your home router to factory settings. If your router was using factory default credentials, there’s every possibility your stalker had control of it as well. Those default router credentials are all over the internet—anybody can get them, with no need for hacking skills. So after resetting the router, give it a nonstandard SSID and a strong password. Don’t worry; it’s not difficult to access the router’s settings and make these changes.

OK, it’s time to set up the new computer. Don’t log into any existing accounts during the process. Create a new, pristine account with a strong password. Go ahead and write down the password—you can shred the paper soon. Likewise, when you set up your new phone, don’t even think about connecting with an existing profile. Create a new account.

For your new email provider, choose an encrypted email service. I’m not suggesting that your friends will enthusiastically start exchanging encrypted mail with you (though you’re sure to find uses for encryption). The point is that this type of service has security as its very basis. Even when you don’t use encryption, you’re much better protected than you would be with one of the popular free webmail services.

Select an email system that requires you to create a new address, such as ProtonMail or Tutanota, rather than one that encrypts your existing account. Pick a username that’s not your actual name but that won’t be too hard for your friends to remember. OtakuRedhead? BigGeocachingRat? No need to make it easy for your personal stalker to find you. And you can probably get the name you want without appending some crazy number to make it unique, simply because these services don’t have the billion-odd users that, say, Gmail does.

Choose a strong, unique password for your new email account and write it down on your increasingly valuable piece of paper. Once you enable two-factor authentication (2FA), your new email account is ready for use. Note that for these email services, 2FA typically kicks in the first time you log in on a new device, not every time you want to check your mail. But that first-time check should be enough to foil a hacker.

Next, install a password manager and create a new account backed by your new, secure email address. If you already use one, consider the possibility that it may be compromised. This may be a good time to try a new product. Choose one that supports 2FA and enable that feature right away. You may need to install an authenticator app on your new, clean smartphone.

Remember those passwords you wrote down? Time to change them to strong new ones, under the watchful eye of the password manager. Once you’ve got the new passwords safely recorded, you can shred the paper with the old ones on it.

Of course, you’ll want to install a powerful security suite to fend off exploit attacks, malware, and more. Pick one that includes coverage for all the platforms your devices use.

With a new PC, a new phone, a new email address, and a new phone number, you’re free! Your cyber-stalker has no access to your life. Unfortunately, neither do you. It’s now time to carefully recover what’s yours.

Take your old, hacked phone out of its lead-lined crypt and double-check that it has zero connectivity. No cellular, no Wi-Fi, no Bluetooth, no nothing. Flip through the pages of installed apps and note which ones you need to install on your new phone. Yes, for non-free apps you’ll have to pay again under your new account. This is a great opportunity to drop those less-used apps that clutter the screen.

You may also have important programs installed on your old, compromised PC. Carefully look through those, capturing any details such as serial numbers and registration codes. That data will help when you go to install the apps on your new computer.

Now open Contacts on the old phone and on the new. Manually copy the name, email, and phone number for the contacts that are still important to you. No need to copy snail mail addresses; you can always request those in a text or email. Once you’ve copied over the important contacts, send out a text or email letting your peeps know your new contact information, and strongly advising them not to use the old.

Some people leave important information sitting in email messages, figuring they can always go find it if needed. Are you one of those? Flip through your stored messages and extract anything that’s truly important. Then give serious thought to deleting your old account. If your stalker still has access to it, they may continue mining it long after you’ve abandoned it.

Recovering and protecting your other online accounts comes next. If you have a password manager on the old computer, bring up the list of accounts and work through them. For each account that’s still valuable, log in on the new computer, then immediately change the password to a strong one generated by your password manager. Also, change the username; typically, you’ll use your new email address. Verify that the password manager on the new computer captured all the changes. Then, if it’s available, enable 2FA for the account.

This is a really important step. Using two-factor authentication might have been enough to prevent the initial stalker invasion. When access to an account requires only a password, anybody in the world who has that password can get in. When access also requires a code sent to your phone, only you can access the account. You might even consider requiring a physical key to be present to sign into some devices. We recently awarded the Yubico YubiKey 5C NFC an Editors’ Choice award for physical security tokens.

In the modern world, data lives in the cloud. Presuming that you’re thoroughly modern and that you successfully regained control of your cloud storage services, you may already have access to all your data. But a vast number of people still keep data locally, anywhere from a few documents to gigabytes of pictures and videos. Recovering your data without risking contamination is a tough problem.

There’s no way I’d recommend connecting the old computer to the new for a data transfer. I wouldn’t even connect the old computer to the local network. The safest technique I could come up with involves using an external USB hard drive. You can get a 2TB unit for less than $50 and a 4TB one for less than $100. And once you’re finished with the data transfer, you’re sure to find a use for that drive.

Keeping it totally disconnected from any kind of network, fire up the compromised PC and plug in the external drive. Comb through folders like Documents, Pictures, and Videos, and transfer anything of importance to the removable drive. Examine the whole file system, as this may be the last time you turn on the old PC.

Before you plug the external drive into your new computer, open your security suite and look for a feature with a name like “rescue disk.” If you don’t find it, search for that phrase on the security company’s website. What you’re after is the option to create a bootable USB or DVD with a built-in antivirus scanner. Because the rescue disk runs a non-Windows operating system, Windows-based malware is powerless to resist it. Boot from the rescue disk and run a full scan of the external drive. Don’t be surprised if some of your documents are infected—many malware attack chains include steps that involve apparently innocuous documents.

That’s it. You’ve done all you can. The documents and files brought over from the old computer should be free of malware. Copy them to the appropriate locations on your new PC and get on with your life.

Of course, you now have a computer and a smartphone that you don’t dare use. You might be able to trade in the smartphone for anything from a few bucks to a few hundred. Just be sure you wipe it back to factory settings before you wave goodbye.

As for the PC, no matter what your plans, your first step should be to utterly wipe the hard drive. I use the free, open-source Darik’s Boot and Nuke (DBAN) for this purpose. You create a bootable disk, boot the PC from it, and turn DBAN loose to chew through the hard drive. When it’s done, the disk should be back to its pre-formatting condition. If you’re planning to donate or discard the PC, it’s ready.

In the event you’re bold enough to continue using the device, consider swapping in a pristine new hard drive. As DBAN’s documentation points out, there are situations where erasure might be incomplete, including remapped sectors and hidden areas. Your stalker probably didn’t go to the trouble to create a malware hiding place that could survive DBAN, but do you feel lucky?
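One check worth doing before you trust or hand on a wiped drive: after a zero-fill pass (DBAN's Quick Erase writes zeros), read the entire device back and confirm that nothing but zeros comes out. The script below is an added example, not PCMag's or DBAN's code. It audits a raw device or a disk image for any byte that differs from the fill value and reports where the leftovers sit. The device path is a placeholder you supply (for example `/dev/sdX` on a Linux rescue system, which needs root to read); the demo image it builds for itself is constructed, with two fragments planted to show what a failed wipe looks like. It can only see what the drive is willing to return, so it says nothing about the remapped sectors and hidden areas mentioned above.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field


@dataclass
class WipeReport:
    bytes_checked: int = 0
    residual_bytes: int = 0
    # (offset, length) of the first few runs of non-fill bytes, for inspection
    first_regions: list = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return self.residual_bytes == 0


def audit_wipe(path: str, fill: int = 0x00, chunk_size: int = 1 << 20,
               max_regions: int = 8) -> WipeReport:
    """Sequentially read a block device or image and count every byte that is
    not `fill`. A run straddling a chunk boundary is reported as two regions."""
    fill_byte = bytes([fill])
    run_re = re.compile(b"[^\\x%02x]+" % fill)      # runs of non-fill bytes
    report = WipeReport()
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            residual = len(chunk) - chunk.count(fill_byte)
            if residual:
                report.residual_bytes += residual
                for m in run_re.finditer(chunk):
                    if len(report.first_regions) >= max_regions:
                        break
                    report.first_regions.append((offset + m.start(), m.end() - m.start()))
            offset += len(chunk)
    report.bytes_checked = offset
    return report


# Constructed demo data: a filename fragment and a stray NTFS boot-sector
# signature, the kind of remnants an incomplete erase leaves behind.
LEFTOVER_NAME = b"Documents\\taxes-2019.xlsx"
LEFTOVER_BOOT = b"\xeb\x52\x90NTFS    "


def build_demo_image(path: str, size: int = 4 << 20, plant_residue: bool = True) -> None:
    """Write a zero-filled (sparse) image; optionally plant the two fragments."""
    with open(path, "wb") as f:
        f.truncate(size)
        if plant_residue:
            f.seek(512 * 100)
            f.write(LEFTOVER_NAME)
            f.seek(size - 4096)
            f.write(LEFTOVER_BOOT)


def demo(plant_residue: bool = True) -> WipeReport:
    """Build the constructed image in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "wiped-disk.img")
        build_demo_image(image, plant_residue=plant_residue)
        return audit_wipe(image)


if __name__ == "__main__":
    report = demo()
    verdict = "CLEAN" if report.clean else "RESIDUAL DATA"
    print(f"{verdict}: {report.residual_bytes} of {report.bytes_checked} bytes differ from fill")
    for off, length in report.first_regions:
        print(f"  offset {off:#x}: {length} bytes")
```

Run it against the real device (`sudo python3 audit_wipe.py`, after editing the path) from the same rescue environment you used to wipe; a non-empty region list after a zero-fill means the erase did not complete and the drive should be wiped again or, as suggested above, simply replaced.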

That leaves the worry that the PC’s very firmware might be compromised. Malware at the firmware level is practically invulnerable, unless you have the tech skills to overwrite the firmware code or physically replace the chips involved. Firmware-based malware is extremely uncommon, and it’s very unlikely you’ll ever encounter it. It’s also very unlikely you’ll win the lottery. Do you still buy lottery tickets? Then just get rid of the tainted PC!

But wait, you may ask, how did that awful takeover happen in the first place? How can I be sure it doesn’t happen to me? As it turns out, there’s quite a bit you can do to fend off this type of attack.

The reader whose letter triggered my thoughts on this topic mentioned the idea of using Abine Blur for privacy protection. It’s a good thought, but only if you start with a clean email address on a guaranteed-clean computer. When you use Blur’s masked email feature, your correspondents never see your actual email address. Every one of them gets a unique disposable address. It’s tough for a stalker to take over your email when your address isn’t exposed to anyone.

Two-factor or even multifactor authentication is a golden ticket for privacy protection. Remote takeover of an account or system becomes almost impossible when authentication requires a factor beyond just the password. Using multifactor authentication puts a huge barrier in front of anyone trying to take over your accounts and devices.

Don’t let your devices out of your sight. Even when you’ve locked them with passwords and more, physical possession gives a huge advantage to the attacker. Think carefully before leaving a device with a repair shop. You may have to give the repair tech your login information, which means entrusting them with your whole digital life. Maybe you can have them perform the repair while you watch.

This should go without saying, but I’ll say it. Check in on your security suite from time to time. Make sure it’s still active and working. If you get a prompt to renew, do it! Don’t let your protection lapse.

Note that all these precautions against system takeover are also effective against identity theft. In fact, anyone who has remote control of your devices is in a prime position to steal your identity. You’ll want to look into whether or not your stalker has stolen your identity, too, though that’s beyond the scope of this story.

Here’s hoping you never experience the nightmare of identity theft, or of a complete digital takeover by a sadistic stalker. If you do, however, at least you now know how to escape.
