IT NEWS

InterContinental Hotels’ booking systems disrupted by cyberattack

In a statement filed at the London Stock Exchange, InterContinental Hotels Group PLC reports that parts of the company’s technology systems have been subject to unauthorized activity. The activity significantly disrupted IHG’s booking channels and other applications.

The InterContinental Hotels Group, also known as IHG Hotels & Resorts, operates 17 hotel brands around the world, including established brands like InterContinental, Regent, Six Senses, Crowne Plaza, and Holiday Inn. IHG has over 6,000 hotels in more than 100 countries.

Ransomware?

Obviously, ransomware is not the same as “technology systems have been subject to unauthorized activity,” but in cases like these it is an automatic reflex to assume that it’s a ransomware attack. Especially when—as reported by BleepingComputer—the Lockbit ransomware group last month claimed an attack on Holiday Inn Istanbul Kadıköy, one of the hotels operated by IHG.

IHG didn’t disclose whether the attack was the result of ransomware or some other malware. For now, it is in the process of notifying authorities about the intrusion and working with its technology suppliers. In addition, experts from outside IHG are being brought in to help with the investigation.

Booking system

The unavailability of the online booking system must be a major pain for IHG. The website is unresponsive, and a message in the booking system says the company is working to resolve the issues as quickly as possible and suggests that customers with questions call the hotel directly.

“At this time, you may have challenges booking a new reservation, accessing information about your upcoming reservations and accessing your IHG One Rewards account.  We’re working to restore all service as soon as possible. If you have an urgent request for an upcoming stay or need to make an urgent reservation, you can call the hotel directly to make, amend or cancel a booking. Thank you for your patience.”

The company says IHG’s hotels are still able to operate and to take reservations directly.

How to defend against ransomware

A complete set of defenses against ransomware should cover three stages:

  • Prevention and detection

The least painful time to thwart a ransomware attack is before it can do any harm. Use anti-malware software, and keep all operating systems, software, and firmware up to date. (Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.)

Block and/or flag emails that could contain malicious links and attachments, and educate and train your staff about how to handle such emails.

  • Monitoring and containment

Authentication policies can help to limit the lateral access that ransomware operators often exercise before they actually deploy the ransomware. Segment networks to prevent the spread of ransomware and disrupt lateral movement. Identify, detect, and investigate abnormal activity with a network monitoring tool. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Disable unused ports.

Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

  • Recovery and removal

Put your backups outside of the reach of attackers, and make sure they work by testing that you can restore working systems from them. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Some security solutions offer built-in ransomware rollback options.

A complete removal is key if you want to prevent the threat actor from coming back. It’s not just about closing the door they got in through; they could also have planted a backdoor they can leverage to return. Many of the tools they deploy are legitimate, but they will still have to be removed or disabled so that they cannot be used for unauthorized access.

Customer data

At this point it is unclear whether any customer data were compromised, but we will keep you updated.

Vulnerability response for SMBs: The Malwarebytes approach


At Malwarebytes, we understand that small-and-medium sized businesses find it uniquely difficult to quickly respond to vulnerabilities. Often, these organizations simply don’t have enough resources to keep up with the volume of patches. 

The stakes are obviously high: According to Ponemon Institute, almost 60% of low-security maturity organizations suffered a data breach because “a patch was available for a known vulnerability but not applied”. 

At first glance, the solution to SMB patching challenges seems pretty simple. With increased automation and security staff, organizations can significantly reduce the time it takes for businesses to respond to vulnerabilities—and we all know that time is of the essence in the patching world.

However, most SMBs don’t have the budget to hire an IT team dedicated to patching. On top of that, automated patch management tools typically aren’t integrated into businesses’ security stack. That means IT teams can find themselves hopping from one security tool to the next, losing visibility, speed, and efficiency in the process. 

The Malwarebytes approach

How we approach vulnerability response at Malwarebytes directly reflects the pain points of SMBs, and it all starts with an intuitive user experience.

Intuitive

With Malwarebytes Vulnerability Assessment, IT teams can easily identify, classify and prioritize vulnerabilities in drivers, applications, macOS, and Windows server and desktop operating systems (OSes). 

Our cloud-native Nebula management console is easy to use and provides broad visibility across your attack surface, so you can rapidly identify security gaps and eliminate attack vectors.

The following information is displayed for each endpoint vulnerability.

  • CISA recommended: Shows if the vulnerability is found in the CISA managed catalog of known exploited vulnerabilities.  Provides a link to the CISA catalog for the vulnerability if recommended in the column. 

  • CVE: Shows the CVE number as reported in the National Vulnerability Database. You can click on the CVE number to view additional vulnerability information and recommended remediation steps. 

  • Description: Description of the vulnerability and how it is used to exploit the application. 

  • Endpoint: Host name of the vulnerable endpoint.

  • Identified date: Date the vulnerability was detected on the endpoint.

  • OS platform: Operating system platform of the endpoint.

  • OS type: Type of operating system installed on the endpoint.

  • Severity: Severity level of the detected vulnerability. Severity is set using the CVSS standard. For more information, see CVSS Score System.

  • Vendor: Vendor name of the installed software which is vulnerable.

Effective

We use the Common Vulnerability Scoring System (CVSS) to automatically assess the degree of risk associated with detected vulnerabilities. From within the dashboard in our Nebula cloud-based console, users can see at a glance which endpoints are at risk and the projected degree of risk for each: High, Medium, or Low.

You can install available system patches with our Patch Management module. The following information is available for each patch:

  • KB ID: Knowledge base ID of the patch.
  • Description: Short description of the patch.
  • Category: Type of patch.
  • Endpoint: Host name of the endpoint.
  • Identified date: Date the patch was detected on the endpoint.
  • Size: Size of the patch.
  • Restart required: Requirement of a restart to complete installation of the patch.
  • Vendor: Vendor of the patch.
  • Patch: Name of the patch.
  • Severity: Severity level of the patch.

To apply a system patch, all you have to do is select all or check specific boxes for system patches you want to install and then click “Apply patch”. Done.

You can also install updates on outdated software programs. On our Software Inventory page, you can deploy software code revisions across OSes and a wide range of third-party legacy and modern applications, including Adobe, Chrome, and cloud storage apps (such as Box).  

In addition, with our advanced scheduling feature, users can pick and choose which applications to include in scheduled updates and which OS patches get deployed based on a combination of category and severity.

Inclusive

Not only do you gain instant visibility into potential vulnerabilities in your applications and operating systems, but you can do so all from the same platform you use for your endpoint protection.

Our VPM is built on the cloud-based Nebula security platform, making it easy to manage all your Malwarebytes solutions from a single platform: Malwarebytes Incident Response (IR), Endpoint Protection (EP), and Endpoint Detection and Response (EDR).

The Nebula security platform provides an intuitive guided user interface; next-generation threat intelligence; multi-layered security, including industry leading remediation; and easy integration with SIEM, SOAR, and ITSM solutions to simplify detection and response and resolve IT tickets with ease.

Intuitive, effective, and inclusive vulnerability response for SMBs

A combination of factors is responsible for SMBs not patching in a timely manner, but it can mainly be chalked up to a lack of automation and dedicated IT patching staff. In fact, vulnerability and patch management activities for most SMBs are either only partially deployed or not even planned or deployed at all.

That changes with Malwarebytes VPM modules

Our approach to vulnerability response is designed for SMBs with limited IT staff, and who understand how valuable automation is in the patching process. Not only that, but our VPM modules are add-ons to the cloud-based Nebula security platform, making it easy to manage all your security solutions in a single pane-of-glass.


Warning issued about Vice Society ransomware targeting the education sector

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint  Cybersecurity Advisory (CSA) after observing Vice Society threat actors disproportionately targeting the education sector with ransomware attacks.

Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, has been a frequent target of ransomware attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable.

This CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. After issuing advisories about MedusaLocker and Zeppelin ransomware, this is the third CSA of 2022 which aims to provide technical information on ransomware variants and ransomware threat actors.

Vice Society

Vice Society is believed to be a Russian-based intrusion, exfiltration, and extortion group. Malwarebytes has been tracking the group since December 2020. Due to similarities in naming and tactics we suspect there is a tie to the HelloKitty ransomware group. Both use the .kitty or .crypted file extension for encrypted files. According to CISA, the Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may just as easily deploy other variants in the future.

The group also operates a so-called ‘leak site’ where exfiltrated files are made available if the victims decide not to pay the ransom.

Tactics

Vice Society has been known to exploit known vulnerabilities in SonicWall products, and the set of vulnerabilities commonly referred to as PrintNightmare. The CSA also mentions the gang exploiting internet-facing applications without providing details.

Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase access, and exfiltrating data. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike, in order to move laterally.

Los Angeles Unified school district

In a recent example, the huge Los Angeles Unified School District fell victim to a ransomware attack. LAUSD is the second largest school district in the US, and the attack targeted its information technology systems during the Labor Day weekend. Authorities moved to shut down many of the district’s most sensitive platforms over the weekend to stop the spread and restrict the damage, and by Tuesday most online services — including key emergency systems — were operating safely.

The attack resulted in staff and students losing access to email. Systems that teachers use to post lessons and take attendance also went down.

An investigation involving the FBI, the Department of Homeland Security and local law enforcement is underway. 

Mitigation

From the example above we can see that constant monitoring and adequate intervention helped to limit the impact.

Besides IOCs and attack techniques, the CSA provides a lot of mitigation advice. Since the techniques used by the Vice Society group are far from unique, the advice is worth repeating because it works against a lot of similar ransomware operators.

But you should also realize that while it’s easy to say that you need reliable and easy to deploy backups, for example, it’s not always easy to follow that advice. It is well worth pursuing though, since it may save your bacon at one time or another.

Backups

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Maintain offline backups of data, and regularly maintain backup and restoration. This makes it less likely that you will be severely interrupted, and/or only have irretrievable data, in the event of a ransomware attack.

Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

In a nutshell: Put your backups out of the reach of attackers, and make sure they work by testing that you can restore working systems from them.

Authentication

Require all accounts with password logins to comply with the standards for developing and managing password policies:

  • Require multifactor authentication wherever you can—particularly for webmail, VPNs, and critical systems
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege
  • Implement time-based access for accounts set at the admin level and higher
  • Use long passwords (CISA says 8 characters, we say you can do better than that) and password managers
  • Store passwords using industry best practice password hashing functions
  • Implement password rate limits and lockouts
  • Avoid frequent password resets (once a year is fine)
  • Avoid reusing passwords
  • Disable password “hints”
  • Require administrator credentials to install software

Software

Use anti-malware software, and keep all operating systems, software, and firmware up to date. (Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.)

Networks

Segment networks to prevent the spread of ransomware and disrupt lateral movement. Identify, detect, and investigate abnormal activity with a network monitoring tool. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Disable unused ports.
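The “common and uncommon network connections for each host” that EDR and network monitoring tools compare against is, at its core, a per-host baseline. The following is an added example (not code from Malwarebytes, CISA, or the Vice Society advisory) of that check, serving both the “Monitoring and containment” advice in the IHG piece above and the “Networks” advice here: it learns which source→destination:port pairs each host normally uses, flags connections outside that baseline, and ranks new sessions on administrative ports (SMB, RDP, WinRM) highest, since a workstation fanning out to several peers on those ports is the classic lateral-movement pattern. The log format, host names, and the list of admin ports are all constructed for the example.

```python
# Added example: per-host connection baselining and deviation alerts over
# constructed connection logs. Not part of any Malwarebytes or CISA tooling.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed list of ports that remote-administration / lateral-movement tooling commonly uses.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS", 135: "RPC"}

# Constructed learning-window log: "timestamp src_host dst_host dst_port"
BASELINE_LOG = """\
2022-09-01T08:00:01 ws-finance-01 fileserver-01 445
2022-09-01T08:00:05 ws-finance-01 mail-01 443
2022-09-01T08:05:00 ws-hr-02 fileserver-01 445
2022-09-01T08:06:00 ws-hr-02 mail-01 443
2022-09-01T09:00:00 admin-jump-01 dc-01 3389
2022-09-01T09:01:00 admin-jump-01 fileserver-01 5985
2022-09-02T08:00:01 ws-finance-01 fileserver-01 445
2022-09-02T08:00:05 ws-finance-01 mail-01 443
"""

# Constructed later window: one workstation suddenly reaching peers on admin ports.
DETECTION_LOG = """\
2022-09-05T08:00:01 ws-finance-01 fileserver-01 445
2022-09-05T08:00:05 ws-finance-01 mail-01 443
2022-09-05T08:12:10 ws-finance-01 ws-hr-02 445
2022-09-05T08:12:11 ws-finance-01 ws-hr-03 445
2022-09-05T08:12:15 ws-finance-01 dc-01 3389
2022-09-05T08:13:00 ws-hr-02 wiki-01 443
2022-09-05T09:00:00 admin-jump-01 dc-01 3389
"""

@dataclass(frozen=True)
class Connection:
    ts: str
    src: str
    dst: str
    port: int

@dataclass(frozen=True)
class Alert:
    conn: Connection
    reason: str
    severity: str  # "high" for admin ports, "low" for any other new pair

def parse_log(text: str) -> List[Connection]:
    """Parse the whitespace-separated sample format; skip blank or malformed lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        conns.append(Connection(parts[0], parts[1], parts[2], int(parts[3])))
    return conns

def build_baseline(conns: List[Connection]) -> Dict[str, Set[Tuple[str, int]]]:
    """Per source host, the set of (dst, port) pairs seen during the learning window."""
    baseline: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for c in conns:
        baseline[c.src].add((c.dst, c.port))
    return baseline

def find_deviations(baseline: Dict[str, Set[Tuple[str, int]]],
                    conns: List[Connection]) -> List[Alert]:
    """Flag connections absent from the host's baseline; admin ports get high severity."""
    alerts = []
    for c in conns:
        if (c.dst, c.port) in baseline.get(c.src, set()):
            continue  # known-good pair for this host
        service = ADMIN_PORTS.get(c.port)
        if service:
            alerts.append(Alert(c, f"new {service} session to {c.dst}", "high"))
        else:
            alerts.append(Alert(c, f"new connection to {c.dst}:{c.port}", "low"))
    return alerts

def hosts_with_fanout(alerts: List[Alert], threshold: int = 2) -> Dict[str, int]:
    """Hosts with >= threshold distinct new admin-port peers: the fan-out signature of lateral movement."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        if a.severity == "high":
            peers[a.conn.src].add(a.conn.dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}

def analyse(baseline_text: str = BASELINE_LOG, detection_text: str = DETECTION_LOG):
    """Run the whole pipeline and return (alerts, hosts_to_investigate)."""
    baseline = build_baseline(parse_log(baseline_text))
    alerts = find_deviations(baseline, parse_log(detection_text))
    return alerts, hosts_with_fanout(alerts)

if __name__ == "__main__":
    found, fanout = analyse()
    for a in found:
        print(f"[{a.severity.upper():4}] {a.conn.ts} {a.conn.src} -> {a.reason}")
    for host, n in fanout.items():
        print(f"INVESTIGATE: {host} opened admin-port sessions to {n} new hosts")
```

On the constructed data, ws-finance-01’s routine file-server and mail traffic stays quiet while its three new SMB/RDP sessions are raised and the host is singled out for investigation; ws-hr-02’s single new HTTPS connection is noted at low severity only.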

Email

Consider adding an email banner to emails received from outside your organization.

Disable hyperlinks in received emails.

Scripts

Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

Stay safe, everyone!

How to set up an Android for your kids

Last week, we gave you some tips on how you can set up a new iPhone for your child to use as they start this school year. Today, we’ll look at doing the same for Android phones.

Setting up an Android isn’t very different from setting up an iPhone as both platforms follow a similar logic to making devices child-friendly. This makes it easier for you if you have children with different preferences for phone brands.

1. Set up a screen lock

With your child, figure out the best way they can screen lock their phone and open it quickly if needed. This could be a PIN, pattern, or password.

Opting to unlock with a swipe only may get your child to the home screen quicker—and stops them from making accidental calls or texts while the phone is in their pocket—but it’s not going to save them from anyone who wants to deliberately access their phone, especially if they do it behind your child’s back.

Android Help has a page on how to set a screen lock.

2. Ensure Find My Device is enabled

Google has a “Find My” feature baked into its Android OS. It’s called Find My Device, formerly Android Device Manager.

This feature automatically turns on if you’re signed in to a Google account on Android. To ensure the device can be found, Google lists what needs to be turned on for Find My Device to work. You can check out the list and how to go about ticking them off on this page.

You can also use Find My Device to make the device make a sound (in case it’s lost in the house somewhere), secure the device by locking it down remotely, and wiping the device from afar (hopefully, the last resort) if the device is truly lost or stolen, and you don’t want any of your child’s data ending up in someone else’s hands.

3. Set up parental controls

A built-in parental control feature can be found in the Google Play Store app. It’s not on by default, so you have to enable this on your child’s phone. Your child won’t be able to turn this off again as you’ll be asked to create a PIN, which needs to be entered before anyone can fiddle with the parental control settings.

Here, you can restrict the apps (not the content) your child sees on the Play Store based on their age (PEGI rating). 

If you need a step-by-step guide, Google has you covered.

4. Download and set up Family Link

Family Link is an additional Google parental control app. Download it from the App Store, and set it up. This offers parents and guardians more granular restrictions and limitations for their children.

Note that Family Link accounts are different from standard Google accounts. Once the app is installed, it’ll walk you through setting up that account. 

As you go through the setup process, it’s worth talking to your child about what limitations you are putting on them when using the device, such as screen time, what apps they can use, purchase controls, etc., and why.

Allow them to share their thoughts about these limitations and restrictions. Create a dialogue with them so they feel listened to.

5. Use YouTube Kids instead of regular YouTube

For parents with young kids who don’t want them to see things they’re not supposed to see, YouTube Kids is an alternative to YouTube. It only plays kid-friendly content, doesn’t show ads, and doesn’t allow comments.

Of course, there’s always the possibility of some videos slipping through the filters. In one case, a video that overtly says it’s not for kids was falsely categorized by YouTube’s AI. Thankfully, it didn’t end up on YouTube Kids, but it’s still good practice to watch with your child every now and then, or you can sit them in the same room while they watch.

If you want finer control over apps, such as blocking them outright rather than merely restricting them, and you can’t get that from Google’s apps, you can seek help from third-party apps.

Finally

Navigating the internet is already tricky enough, and you need all the help you can get when introducing your kids to new territories as they grow up.

So, research, read a lot, and get expert opinions. Handing your child their first phone only happens once, but what happens afterward is a crucial stage of adjustment for your child and you!

Good luck!

Sextortionists used mobile malware to steal nude videos, contact lists from victims

In an international police operation supported by Interpol, law enforcement agencies have uncovered and dismantled an international sextortion ring that managed to extract at least US$ 47,000 from victims.

Sextortion is a form of cybercrime in which the victim is blackmailed by threatening to make embarrassing pictures or videos public. Interpol says there’s been a sharp rise in sextortion reports around the world in recent years, mirroring a rise in other types of cybercrime that has been made worse by the COVID-19 pandemic.

Tactics

In this particular sextortion ring, the cybercriminals contacted their victims—who were based mainly in Hong Kong (China) and Singapore—through online sex and dating platforms before asking them to download a mobile app via a hyperlink to engage in ‘naked chats’.

The application turned out to be malicious in that it was specifically designed to steal the contact lists from the affected phones. The syndicate then blackmailed victims by threatening to send the nude videos to their relatives and friends.

Law enforcement

The law enforcement agencies launched an investigation and in-depth analysis of a zombie command and control server which was hosting the malicious application. Combined with reports from victims, law enforcement zeroed in on the perpetrators, establishing a joint investigation between Interpol’s cybercrime division and police forces in Hong Kong (China) and Singapore.

So far, the investigation has traced 34 sextortion cases back to the uncovered syndicate. This may be just the tip of the iceberg, since sextortion victims are often too embarrassed to file a report.

Stephen Kavanagh, Interpol’s Executive Director of Police Services said:

“Sextortionists sometimes count on their victims feeling too much shame to go to the police, but reporting these crimes is often the first step to bringing these criminals to justice,”

#YouMayBeNext

In June, Interpol launched awareness campaigns to remind the public that cyberattacks can happen to everyone, and at any time. The #YouMayBeNext campaign will focus on cybercrimes that involve extortion including:

The campaigns advise victims of sextortion or other cybercrimes to do the following:

  • Cease all contact with the suspected cybercriminals
  • Do not pay or provide further images or information to the suspected cybercriminals
  • Keep or assemble any evidence of the crime
  • Report the crime to police

Unless you are a seasoned vigilante, that is solid advice, but the best advice is not to share any pictures that could be used to extort you over the internet, no matter who they claim to be or how safe you think it will be. Even pictures shared for legitimate reasons are capable of getting people in a lot of trouble.  

Update now! QNAP warns users DeadBolt is exploiting Photo Station vulnerability

QNAP (Quality Network Appliance Provider) has warned users to update Photo Station to the latest available version.

The warning comes after QNAP detected that cybercriminals known as DeadBolt have been exploiting a Photo Station vulnerability in order to encrypt QNAP NAS systems that are directly connected to the internet.

QNAP produces NAS (Network Attached Storage) devices, among other things. QNAP’s Photo Station is an online photo album that allows users to share photos and videos stored on their NAS with others over the internet. With Photo Station, users can drag and drop photos into virtual albums, which means they don’t have to create copies when they are needed in more than one album.

Deadbolt

The ransomware group responsible for this attack is generally known as DeadBolt. The name DeadBolt is also used in the file extension of the encrypted files that the group’s ransomware generates.

QNAP and DeadBolt have history. In January 2022, news broke that a ransomware group was targeting QNAP Network Attached Storage (NAS) devices. As a countermeasure, QNAP pushed out an automatic, forced, update with firmware containing the latest security updates to protect against the attackers’ DeadBolt ransomware, which annoyed part of its userbase.

The vulnerability

Little has been published about the vulnerability, except that the QNAP Product Security Incident Response Team (QNAP PSIRT) made the assessment and released the patched Photo Station app for the current version within 12 hours. All that was made clear is that the ransomware gang is exploiting a Photo Station vulnerability to encrypt QNAP NAS systems that are directly connected to the internet.

The vulnerability has been fixed in the following versions:

  • QTS 5.0.1: Photo Station 6.1.2 and later
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
  • QTS 4.3.6: Photo Station 5.7.18 and later
  • QTS 4.3.3: Photo Station 5.4.15 and later
  • QTS 4.2.6: Photo Station 5.2.14 and later

How to fix the QNAP Photo Station vulnerability

Update Photo Station to the latest available version, or switch to QuMagie.

Here’s how to update Photo Station:

  • Log on to QTS (the QNAP NAS Operating System) as administrator.
  • Open the App Center and then click the magnifying glass.
  • A search box will appear. Enter “Photo Station”.
  • Click Update and then OK.
  • The application will be updated.

Note: The Update button is not available if your version is already up to date.

Do not connect your NAS directly to the internet. To enhance the security of your NAS, QNAP recommends users use the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. Or you can use another VPN of your choice.

Don’t share the WhatsApp ‘Martinelli’ phone hacking alert: It’s a hoax

Everyone loves a good campfire story prone to exaggeration. However, when told online it’s not quite got the same effect. Long ago, sites like Myspace would play host to very certain types of messages. “Don’t open this post from Johnny Cyberhack, or your account will be stolen and your C drive will be wiped”. Complete nonsense, but vague and scary hacking-themed missives will always find a receptive audience.

Chain letters, scam messages, and viral hoaxes tied to a threat often spread like wildfire. The latest is a rehash of an old “Martinelli” hoax that’s circulating again.

Martinelli: Back for another round of shenanigans

As reported by AFP, the older hoax has been repackaged for another round. This specific hoax has been bouncing around since at least 2017. The message, posted to Facebook but also seen on WhatsApp itself, reads as follows:

Dear friends, this is a warning that was aired on BBC radio this morning: If you are a WhatsApp user, please pay attention. A video titled ‘Martinelli’ will be released tomorrow. Please don’t open it – it will hack your phone and the impact cannot be reversed.

Also, if you receive a message about updating WhatsApp, do not click RUN. Please also warn your friends to not open a video titled the ‘Pope’s dance’. That video will change the combinations in your phone. Be careful because it is very dangerous.

Dancing Popes, hacked phones, and a Martinelli as a special bonus. It all sounds very bad for your mobile’s health, but it’s all a work of fiction.

Great Martinellis of our time

Our hacking friend Martinelli can be seen at work here in 2020. It even references “WhatsApp Gold”, a common fixture of WhatsApp themed scams:

If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called Martinelli do not open it, it hacks your phone and nothing will fix it. Spread the word. If you receive a message to update the WhatsApp to WhatsApp Gold, do not click!!!!! Now said on the news this virus is difficult and severe. Pass on to all.

Here’s an example of the same Martinelli missive from 2021. In fact, we can even see Martinelli receiving a #FALSO from law enforcement back in 2017:

No matter what our elusive Martinelli friend is up to, rest assured that nothing is going to happen to your phone, your files, or your WhatsApp. Messages like these are often shared by people who are just trying to help; there’s no malicious intent. Other times, messages which look like pranks or hoaxes can dovetail into actual scams.

Should you see a friend or relative posting up a message like the above in group chats, on Facebook, or anywhere else, do some digging. The endless text reuse means you can often pin down a fake warning in seconds. Point them in the direction of the debunking, and let them know you appreciate them trying to make things safer for their friends. 

YouTuber on the run after allegedly swiping $55m from followers

We mostly hear about bogus advertising and offers via compromised accounts on Instagram or Facebook. Strict advertising rules on social media involve making it clear that someone is promoting an ad or offering up a risky venture.

However, sometimes things go wrong on other platforms like YouTube. The immediacy of video content combined with massive audiences make it a perfect place to set up shop with shenanigans.

As it happens, all you need is a niche of your own and a little bit of virality to end up snared in a mess of “flee the country” proportions.

From dancing to running

A popular fashion and dancing YouTuber is on the run. Around $55m USD has allegedly been swiped by popular star Suchata Kongsupachak, AKA “Nutty” to her fans. The last video upload was around six months ago, and most of her content is dance tutorials and make-up promotions. What appears to be missing is the reason she bailed in the first place: Forex trading.

For the last few years, her 840k followers have watched numerous clips of dancing, fancy hotels, expensive cars, and literal bundles of money. The impression is very much of an influencer, with all the assumed wealth that such an endeavour implies.

Things can and do go wrong for YouTubers getting tangled up in advertising promotions or other types of offers on a regular basis. Last year, a streamer found themselves in the middle of an ill-advised skincare range promotion. In 2019, a Louis Vuitton bag giveaway went somewhat off the rails.

A $55m Forex scam, though, is definitely taking things to another level in “Oh no YouTube, what have you done” land.

More than 6,000 tales of woe

Nutty faces three charges, including fraud, with police claiming that she encouraged “more than 6,000 victims” to invest in a Forex trading company. The returns on investment were promised to be up to 35% on their contributions. Elsewhere, there’s mention of a guarantee of up to 100% returns. The alarm bells were clearly ringing at this stage, but people were too taken in by the lifestyle videos on display to care.

Police also referenced the extravagant purchases displayed in her videos as a way of cementing the idea that any investment with her would be a solid deal. Once she claimed her money was made via Forex trading, the cash from her fans started flooding in from April onwards. Sadly, it all went wrong and just one(!) month later, Nutty posted an apology video on Instagram. It seems all the money ended up with a single broker, and some sort of problem prevented her from retrieving any of it. She apologised and promised to get everyone's money back, along with a "free shop review for every victim", which I'm sure was a thrilling offer for anyone with zero money in the bank.

The fans aren’t happy

Despite the money retrieval promises, Nutty is believed to have fled to Malaysia once a Thai court issued an arrest warrant. The victim currently missing $490,828 USD will presumably have to wait for his free shop review.

As for everyone else, the chance of recovering their money seems slim at this point. Investors have offered a sizable reward for information about her whereabouts, but so far she’s slipped the net.

Her YouTube account links to a variety of other social media channels. Interestingly, the link to Instagram takes you to an account called “Nutty (Scammer)”. Her actual Instagram account, found elsewhere, is the one playing host to the apology video. Did someone compromise the YouTube channel to make this link? Or does Nutty have several Instagram accounts, one of which has been hijacked?

Avoiding “Too good to be true” deals on YouTube

Social media is awash with scams and fake-outs. Even if the individual working as the face of a promotion is on the level, that doesn't mean they haven't themselves been hoodwinked by people behind the scenes. You need to be incredibly careful where the YouTube activities below are concerned, as it's easy to lose an awful lot of money in the fallout.

  1. Comment spam tailored to content in the video. Typically based around “free” gifts or other promotions, you could end up spending a small fortune for supposed shipping costs.

  2. Investment of any kind. There’s a reason people in suits with certificates on the wall tend to be the go-to source for investment opportunities, as opposed to your favourite YouTuber who is good at dancing. Whether it’s YouTube, Instagram, or anywhere else, promises of 100% return on your investment should be given the very widest of berths.

  3. Riches on display. Influencers have a non-stop supply of expensive travel and lifestyle videos. This may well encourage you to get on board with any deal, offer, or promotion. But consider this: much of what you see is simply fake. In many cases, the person holding or using an item doesn't own it; it's a promotional video for the benefit of both YouTuber and product maker. That fancy-looking private jet used as the launchpad for someone's latest promotion? It's not a private jet.

You may not have considered having to question the very nature of reality in order to avoid Forex trading scams, but it’s definitely needed. Stay safe out there!

Instagram receives record fine of $400M for abuse of children’s data

Ireland’s Data Protection Commissioner (DPC), the lead regulator in Europe for Meta and other tech giants, has slapped Instagram with a fine of €405M (roughly $402M) following an investigation into how the company handled children’s data.

In the investigation, which started in 2020, the DPC found that Instagram had allowed children between the ages of 13 and 17 to operate business accounts. That meant their phone numbers and email addresses were made public, a clear violation of their privacy.

The DPC also found that some Instagram accounts owned by children were set as “public” by default, instead of “private.”

A spokesperson from Meta said in a statement:

“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private. Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”

A DPC spokesperson confirmed the fine with Reuters. He said that full details of the decision will be published next week.

This is the highest fine ever issued by the regulator, easily eclipsing the $267M fine to WhatsApp in 2021 and the $18.6M fine to Facebook in March 2022.

According to Politico, which first covered the story, the DPC has at least six investigations into other companies owned by Meta involving privacy violations.

A week in security (August 29 – September 4)

Last week on Malwarebytes Labs:

Stay safe!