How about this horror story: You walk up to your house, and the front door opens. The person at the door is…you! Someone has totally taken over your life. You can’t get help, and you can’t get rid of them. Eventually, in desperation, you change your name and move out of state.

Yes, this story sounds unlikely, but move it online, and it’s all too possible that a stalker could effectively own your life. I’m not just talking about an abusive partner stalking you with software so as to know your location and read your texts—terrible as that also is. I’m talking here about a complete takeover, where someone else, known or unknown to you, can read your email, post to your social media feeds, and run any software they want (including malware) on your computer.

Unfortunately, this terrible scenario isn’t just something I made up for illustrative purposes. It started a few years ago, with an email from a reader seeking help for a relative experiencing exactly this kind of digital stalking. The relative’s shadowy nemesis changed passwords on his phone and computer, altered settings to eliminate operating system security features, and gained full access to his email.

They filed a police report, but the police couldn’t do anything. There was no smoking gun, no physical evidence, and no video footage of the perp fleeing the crime scene. Even the best detectives may not be trained to investigate cybercrime.
I discussed the problem with my colleagues who work in security at one level or another. What advice can we offer this poor, unfortunate soul? In the end, we concluded that a totally fresh start is the only way to recover. It’s a tough slog, but not nearly as arduous as changing your name and schlepping all your stuff into a moving van. Here’s what we came up with.

Tainted Accounts, Tainted Devices

Among the less drastic ideas we discussed were some simple ones: Get a new email address, run an antivirus scan, run a bunch of scans with aggressive cleanup apps like Malwarebytes Free, and reinstall Windows. But we couldn’t guarantee any of these would foil a determined stalker.

It’s likely that the attacker initially gained control of the PC using a Remote Access Trojan (RAT). If this type of malware slips past your antivirus, its owner has unlimited power over the PC. Exempt the RAT from future antivirus scans? Sure! Turn off all security settings in Windows? No problem! In fact, the RAT pilot can reconfigure Windows to permit remote control without requiring any malware. That degree of control can even make the RAT redundant, so it’s no big deal if a subsequent malware scan removes it.
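
The three changes described above (antivirus exclusions, disabled security settings, and remote control enabled in Windows itself) can be checked from an elevated PowerShell prompt. This is an added example, not part of the original article; it assumes Microsoft Defender is the active antivirus, and its output is only meaningful on a machine you already trust, such as the new PC.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the settings the article says a RAT operator can change.
# Assumption: Microsoft Defender is the active antivirus on this PC.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is the antivirus on, and is it protected against being switched off?
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled)          { $findings.Add('Defender antivirus is disabled') }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off') }

# 2. Scan exclusions: anything listed here is skipped by future scans.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($item in @($pref.$kind)) {
        if ($item) { $findings.Add("Scan exclusion ($kind): $item") }
    }
}

# 3. Windows Firewall profiles that have been switched off.
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -eq 'False' } |
    ForEach-Object { $findings.Add("Firewall profile '$($_.Name)' is disabled") }

# 4. Built-in remote control that needs no malware at all.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings.Add('Remote Desktop connections are allowed')
}
$ra = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' `
                       -Name fAllowToGetHelp -ErrorAction SilentlyContinue
if ($ra -and $ra.fAllowToGetHelp -eq 1) {
    $findings.Add('Remote Assistance invitations are allowed')
}

# Report. Every finding is a setting to confirm you changed yourself.
if ($findings.Count -eq 0) {
    'No findings: antivirus, firewall and remote-access settings look intact.'
} else {
    $findings | ForEach-Object { "REVIEW: $_" }
}
```

A finding is not proof of compromise: a third-party security suite turns off Defender by design, and Remote Desktop may be something you enabled yourself.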
There are various levels of reinstalling Windows. To get rid of entrenched malware and restore safe settings, you’d need the most extreme level, meaning you’d have to reconfigure the PC to its new out-of-the-box state. That’s a major pain, and it still might not even do the job. While not common, malware that can survive a Windows reinstall exists.

Don’t even think about getting a new email address until you’re verifiably free of any remote presence on your computer. Otherwise, the attacker will own your new account the moment they see you log in.

Even if your PC has been purified, a corrupted mobile device, especially a jailbroken device, could taint your digital life all over again. Jailbreaking removes safeguards built into the mobile operating system, opening it to all kinds of vulnerabilities. Some people deliberately jailbreak their phones so they can use certain iffy apps. To those people, I say…don’t do that! Jailbreaking an Apple device almost certainly requires physical access, but software-only jailbreak apps (including malicious ones) exist for Android.

Resetting a smartphone to factory settings is a relatively easy task compared with resetting a Windows box. And it’s painless, as you just restore your apps and settings from the cloud. But hold on a moment. Chances are good that your stalker has compromised that cloud profile. Restoring your account from a tainted cloud profile will just put the stalker back in charge.

In every scenario we gamed, trying to fix the problem one step at a time didn’t play out. Oust the stalker from one device, and they weasel back in from another or from an online account. It’s not easy, but you really need to start fresh with clean devices and clean accounts. And yes, this scorched-earth policy is a lot like changing your name and moving out of state.

It’s Time for a Clean Sweep

Given that half-measures won’t do the job, you need to grit your teeth and prepare to spin up a new computer, a new smartphone, a new phone number, and a new email address. That’s the way to make a sure escape from this kind of domineering stalker. Yes, it’s extreme, but the victim in our real-world example was happy to follow this advice.

Don’t fling the old devices into the shredder just yet, but do strip them of all connectivity. Unplug Ethernet cables, turn off cellular connections, disable Wi-Fi, and turn off Bluetooth. While you’re at it, reset your home router to factory settings. If your router was using factory default credentials, there’s every possibility your stalker had control of it as well.

The default login credentials for popular routers are all over the internet, though—anybody can get them with no need for hacking skills. After resetting the router, give it a nonstandard SSID and a strong password. Avoid putting your address or any personal information in the SSID since every passing smartphone sees the SSID. Don’t worry; it’s not difficult to access the router’s settings and make these changes.
OK, it’s time to set up the new computer. Do not log into any existing accounts during the process. Create a new, pristine account with a strong password. Go ahead and write down the password—you can shred the paper soon. Likewise, when you set up your new phone, don’t even think about connecting with an existing profile. Create a new account.

For your new email provider, choose an encrypted email service. I’m not suggesting that your friends will enthusiastically start exchanging encrypted mail with you (though you’re sure to find uses for encryption). The point is that this type of service has security as its very basis. Even when you don’t use encryption, you’re much better protected than if you chose one of the popular free webmail services.

Select an email system that requires you to create a new address, like ProtonMail or Tuta Mail, rather than one that encrypts your existing account. Pick a username that’s not your actual name but that won’t be too hard for your friends to remember. OtakuRedhead? BigGeocachingRat? No need to make it easy for your personal stalker to find you. And hey—you can probably get the name you want without appending some crazy number to make it unique simply because these services don’t have the billion-odd users that something like Gmail does.

Choose a strong, unique password for your new email account and write it down on your increasingly valuable piece of paper. Once you enable multi-factor authentication, your new email account is ready for use. Note that for these email services, multi-factor authentication may only kick in the first time you log in on a new device, not every time you want to check your mail. But that first-time check should be enough to foil a hacker.
Next, install a password manager and create a new account backed by your new, secure email address. If you already use one, consider the possibility that it may be compromised. This may be a good time to try a new product. Choose one that supports multi-factor authentication and enable that feature right away. You may need to install an authenticator app on your new, clean smartphone.

Remember those passwords you wrote down? Time to change them to strong new ones under the watchful eye of the password manager. Once you’ve got the new passwords safely recorded, you can shred the paper with the old ones on it.

Of course, you’ll want to install a powerful security suite to fend off exploit attacks, malware, and more. Pick one that includes coverage for all the operating systems your devices use.

Recover Your Life

With a new PC, a new phone, a new email address, and a new phone number, you’re free! Your cyber-stalker has no access to your life. Unfortunately, neither do you. It’s now time to carefully recover what’s yours.

Take your old, hacked phone out of its lead-lined coffer and double-check that it has zero connectivity—no cellular, Wi-Fi, Bluetooth, or anything else. Flip through the pages of installed apps and note which ones you need to install on your new phone. Yes, for non-free apps, you’ll have to pay again under your new account. This is a great opportunity to drop those less-used apps that clutter the screen.

You may also have important programs installed on your old, compromised PC. Carefully look through those, capturing any details such as serial numbers and registration codes. That data will help you install the apps on your new computer.

Now open Contacts on the old phone and the new one. Manually copy the name, email, and phone number of the contacts that are still important to you. This is another opportunity to purge data you no longer need. There is no need to copy snail mail addresses; you can always request those in a text or email. Once you’ve copied over the important contacts, send out a text or email letting your peeps know your new contact information and strongly advising them not to use the old one.

Some people leave important information sitting in email messages, figuring they can always go find it there if needed. Are you one of those? Flip through your stored messages and extract anything that’s truly important. Then, give serious thought to completely deleting your old account. If your stalker still has access to it, they may continue mining it long after you’ve abandoned it.

Recovering and protecting your other online accounts comes next. If you have a password manager on the old computer, bring up the list of accounts and work through them. For each account that’s still valuable, log in on the new computer, then immediately change the password to a strong one generated by your password manager. Also, change the username; typically, you’ll use your new email address. Verify that the password manager on the new computer captured all the changes. Then, if it’s available, enable multi-factor authentication for the account.

This is a really important step. Using multi-factor authentication might have been enough to prevent the initial stalker invasion. When access to an account requires only a password, anybody in the world who has that password can get in. When access also requires a code sent to your phone, only you can access the account. You might even consider requiring a hardware security key to sign into some devices. We recently named the Yubico Security Key C NFC an Editors’ Choice for physical security tokens.
Recover Your Data

In the modern world, data lives in the cloud. Presuming that you’re thoroughly modern and that you successfully regained control of your cloud storage services, you may already have access to all your data. However, a vast number of people still keep data locally, anywhere from a few documents to gigabytes of pictures and videos. Recovering your data without risking contamination is a tough problem.

I wouldn’t recommend connecting the old computer to the new one for a data transfer, and I wouldn’t even connect the old computer to the local network. The safest technique I could come up with involves using an external USB hard drive. You can get a 6TB unit for less than $90 and an 8TB one for less than $150. Once you’re finished with the data transfer, you’re sure to find a use for that drive.
Keeping it totally disconnected from any kind of network, fire up the compromised PC and plug in the external drive. Comb through folders like Documents, Pictures, and Videos, and transfer anything of importance to the removable drive. Examine the whole file system, as this may be the last time you turn on the old PC.

Before you plug the external drive into your new computer, open your security suite and look for a feature with a name like “rescue disk.” If you don’t find it, search for that phrase on the security company’s website. What you’re after is the option to create a bootable USB or DVD with a built-in antivirus scanner. Because the rescue disk runs a non-Windows operating system, Windows-based malware is powerless to resist it. Boot the old computer from the rescue disk and run a full scan of the external drive. Don’t be surprised if some of your documents are infected—many malware attack chains include steps that involve apparently innocuous documents.

That’s it. You’ve done all you can. The documents and files brought over from the old computer should be free of malware. Copy them to the appropriate locations on your new PC and get on with your life.

Deal With Hazardous Waste

Of course, you now have a computer and a smartphone that you don’t dare use. You might be able to trade in the smartphone for anything from a few bucks to a few hundred. Just be sure you wipe it back to factory settings before you wave goodbye.

No matter what your plans are for the PC, your first step should be to utterly wipe the hard drive. I use the free, open-source Darik’s Boot and Nuke (DBAN) for this purpose. You create a bootable disc, boot the PC from it, and turn DBAN loose to chew through the hard drive. When it’s done, the drive should be back to its pre-formatting condition. If you’re planning to donate or discard the PC, it’s ready.

In the event you’re bold enough to continue using the device, consider swapping in a pristine new hard drive. As DBAN’s documentation points out, there are situations where erasure might be incomplete, including remapped sectors and hidden areas. Your stalker probably didn’t go to the trouble to create a malware hiding place that could survive DBAN, but do you feel lucky?

That leaves the worry that the PC’s very firmware might be compromised. Malware at the firmware level is practically invulnerable unless you have the tech skills to overwrite the firmware code or physically replace the chips involved. Firmware-based malware is extremely uncommon, and it’s very unlikely you’ll ever encounter it. It’s also very unlikely you’ll win the lottery. Do you still buy lottery tickets? Then just get rid of the tainted PC!
Avoid Getting Pwned in the First Place

But wait, you may ask, how did that awful takeover happen in the first place? How can I be sure it doesn’t happen again? As it turns out, there’s quite a bit you can do to fend off this type of attack.

The reader whose letter triggered my thoughts on this topic mentioned the idea of using IronVest (called Abine Blur at the time) for privacy protection. It’s a good thought, but only if you start with a clean email address on a guaranteed-clean computer. When you use IronVest’s masked email feature, your correspondents never see your actual email address. Every one of them gets a unique disposable address. It’s tough for a stalker to take over your email when your address isn’t exposed to anyone.

Cloaked works in much the same way, and it’s also a full-scale password manager. With Cloaked, it’s perfectly natural that every website has a unique password and a unique username. Cloaked takes privacy a step further with the ability to mask phone numbers used in texts and calls.

Multi-factor authentication is a golden ticket for privacy protection. Remote takeover of an account or system becomes almost impossible when authentication requires a factor beyond just the password. Using multi-factor authentication puts a huge barrier in front of anyone trying to take over your accounts and devices.

Don’t let your devices out of your sight. Even when you’ve locked them with passwords and more, physical possession gives a huge advantage to the attacker. Think carefully before leaving a device with a repair shop. You may have to give the repair tech your login information, which means entrusting them with your whole digital life. Maybe you can have them perform the repair while you watch.

This should go without saying, but I’ll say it. Check in on your security suite from time to time. Make sure it’s still active and working. If you get a prompt to renew, do it! Don’t let your protection lapse.

Note that all these precautions against system takeover are also effective against identity theft. In fact, anyone who has remote control of your devices is in a prime position to steal your identity. You’ll want to look into whether or not your stalker has stolen your identity, too, though that’s beyond the scope of this story.

Here’s hoping you never experience the nightmare of identity theft or of a complete digital takeover by a sadistic stalker. If you do, however, at least you now know how to escape.
About Neil J. Rubenking
Lead Analyst for Security
When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my “User to User” and “Ask Neil” columns, which began in 1990 and ran for almost 20 years. Along the way I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s I turned my focus to security and the growing antivirus industry. After years working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.