IT NEWS

“Log-out king” Instagram scammer gets accounts taken down, then charges to reinstate them

A fraudster going by “OBN Brandon” has been defrauding Instagram influencers and entertainment figures out of hundreds of thousands of dollars by taking down their accounts and then asking for money to get them back up again, ProPublica reports. OBN has been successful in his exploits taking advantage of Instagram’s less-than-good customer support, and an easily manipulated account reporting system. The nonprofit believes it may have identified the fraudster as someone in Las Vegas.

Account takedowns for hire

In 2021, Motherboard reported on a booming industry in the digital underground dedicated to banning Instagram accounts at will. Interestingly, some scammers behind ban-as-a-service (BaaS) offerings would also provide account restoration for users who think they have been unfairly suspended.

BaaS offerings are often used by those with “money to throw around,” an ex, a business rival, someone nursing a grudge, or a mix of these. But what opened the door to scamming is the reporting system’s susceptibility to abuse. Meta built Instagram’s reporting system to shield users from harmful content on the platform, such as posts depicting suicide and self-harm, by taking such content down as quickly as possible after receiving a report.

For a fee, scammers use the same system designed to protect as a tool to harass and censor Instagram users purposefully.

“We have been professionally banning since 2020 and have top-tier experience,” reads one advertisement from a scammer group. “We may not have the cheapest prices, but trust me you are getting what you are paying for.”

These groups use several methods to get accounts taken down. One is to fully duplicate a target account and then report the original account for impersonation. Some create scripts or bots to report accounts en masse. Scammers can also use these to file reports against a single Instagram account automatically.

Because reporting is anonymous, fraudsters can earn double by offering their victims a way to restore their accounts. A restoration service would cost $3,500 to $4,000, with a nonrefundable downpayment of $1,500. Victims will never know that the party responsible for their ban is also stepping up to get their accounts back up and running again.

Two years after this story, it appears BaaS has grown more wretched and lucrative.

“Log-out king”

There is no mention of OBN using scripts or bots, but ProPublica says that he “touts software he uses to file false reports that allege an account violated Meta’s community guidelines, triggering a takedown.” Impersonation is part of his repertoire, too. Sometimes, OBN orchestrates a setup by hacking an account himself to post content deemed inappropriate in Instagram’s terms of service (ToS) and then reports the account.

Like the Instascammers featured in Motherboard’s story, OBN also offers to reactivate accounts in tandem with his takedown service. He charges a fee as high as $5,000 (depending on follower count) to get an account back. But days later, victims would find their accounts suspended again. A vicious cycle of banning and reactivation ensues until the victim is bled dry of money or refuses to pay anymore.

OBN calls himself the “log-out king,” boasting of having “deleted multiple celebrities + influencers on Meta & Instagram.” ProPublica has linked the pseudonym to one Edwin Reyes-Martinez (20). Despite appearing to be a responsible and hardworking man with a full-time job in a warehouse, clues connect him to OBN. The email address and bank account OBN’s victims send money to bear Reyes-Martinez’s initials.

His social media accounts also show notable items featured on OBN’s profile on Telegram (his primary marketing vehicle), such as his gold and diamond jewelry and what appears to be a white Lamborghini Aventador.

Syenrai, an ex-Instascammer who took credit for memorializing Instagram head Adam Mosseri’s account, has known OBN since 2018. He said Reyes-Martinez “is at least partially responsible” for activities done under the OBN moniker but also welcomes the possibility that others may be involved. ProPublica alleges OBN became so jealous of Syenrai’s fame that he filed a cease-and-desist (C&D) notice against him in 2021.

OBN often targets women who use Instagram to draw people to their OnlyFans pages. Their accounts are deemed vulnerable because what they offer leans toward nudity and pornography—two types of content Instagram and Meta prohibit. OBN would mention working with an insider to ban and recover accounts. While Meta previously disciplined or fired employees for taking bribes, ProPublica’s investigation hasn’t yielded any accomplices. Instead, it shared a story about one of OBN’s victims.

Model and real estate agent Kay Jenkins directly contacted OBN’s “high-level” Europe-based Instagram insider via Telegram, claiming OBN failed to deliver a service as promised. They struck an agreement, and she paid $4,000 twice to reactivate and verify her account. It never came back.

It turns out OBN was posing as the Meta employee, and Jenkins had been paying him all along. The cryptocurrency wallet to which she sent payments belongs to OBN. ProPublica has also traced the IP address used by the purported insider to a cellphone not in Europe but in Las Vegas, where Reyes-Martinez is based.

“Once you’re put on Brandon’s radar, whether someone’s paying him or not, he has this personal investment in making sure that your life is miserable and that he’ll try and get as much money out of you as he possibly can.”

Cease and desist

Meta claims to have banned Reyes-Martinez from its platforms after ProPublica handed over details linking him to OBN. The company also sent him a cease and desist order, demanding that he refrain from conducting any more BaaS offerings.

“I’m done with banning if you mention anything about bans I’ll block you,” OBN writes to his followers on Telegram. This doesn’t mean he’s entirely out of the game, though.

“Only doing instagram claims & verification, and C&Ds only for high paying nothing less let’s work,” he says.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

ChatGPT helps both criminals and law enforcement, says Europol report

In a report, Europol says that ChatGPT and other large language models (LLMs) can help criminals with little technical knowledge to perpetrate criminal activities, but it can also assist law enforcement with investigating and anticipating criminal activities.

The report aims to provide an overview of the key results from a series of expert workshops on potential misuse of ChatGPT held with subject matter experts at Europol. ChatGPT was selected as the LLM to be examined in these workshops because it is the highest-profile and most commonly used LLM currently available to the public. 

These subject matter experts were asked to explore how criminals can abuse LLMs such as ChatGPT, as well as how they may assist investigators in their daily work. While the wide range of collected practical use cases is not exhaustive, it does provide a glimpse of what is possible. The purpose of the exercise was to observe the behavior of an LLM when confronted with criminal and law enforcement use cases.

Currently the publicly available LLMs are restricted. For example, ChatGPT does not answer questions that have been classified as harmful or biased.

But there are other points to consider when interpreting the answers:

  • The training input is dated: the vast majority of ChatGPT’s training data dates back to September 2021.
  • Answers are provided with an expected degree of authority, but while they sound very plausible, they are often inaccurate or wrong. Also, since there are no references included to understand where certain information was taken from, wrong and biased answers may be hard to detect and correct.
  • The questions and the way they are formulated are an important ingredient of the answer. Small changes in the way a question is asked can produce significantly different answers, or lead the model into believing it does not know the answer at all.
  • ChatGPT typically assumes what the user wants to know, instead of asking for further clarifications or input.

But, essentially because we are still in the early stages of trialing LLMs, there are various ways to jailbreak them. A quick roundup of methods to circumvent the built-in restrictions shows that they all boil down to creating a situation where the LLM thinks it’s dealing with a hypothetical question rather than something it’s not allowed to answer.

  • Have it reword your question in an answer.
  • Make it pretend it’s a persona that is allowed to answer the questions.
  • Break down the main question in small steps which it does not recognize as problematic.
  • Talk about fictional places and characters that are in reality existing situations, but the LLM does not recognize them as such.

So what can LLMs do that could help cybercriminals?

LLMs excel at producing authentic-sounding text at speed and scale. Like an excellent actor or impersonator, they are able to detect and reproduce language patterns. This ability can be used to facilitate phishing and online fraud, but it can also be used more generally to impersonate the style of speech of specific individuals or groups. This capability can be abused at scale to mislead potential victims into placing their trust in the hands of criminals. Potential abuse cases for this ability can be found in the areas of terrorism, propaganda, and disinformation.

While on the subject of impersonating, Europol considered a possible integration with other existing AI services, such as deepfakes, which could open up an entirely new dimension of potential misinformation. To counter impersonation, current efforts aimed at detecting text generated by AI-models are ongoing and may be of significant use in this area in the future. At the time of writing the report, however, the accuracy of known detection tools was still very low.

ChatGPT is capable of explaining, producing, and improving code in some of the most common programming languages (Python, Java, C++, JavaScript, PHP, Ruby, HTML, CSS, SQL). This brings us to worries around malware creation: the safeguards preventing ChatGPT from providing potentially malicious code only work if the model understands what it is doing. If prompts are broken down into individual steps, it is trivial to bypass these safety measures. And newer models will be even better at understanding the context of the code, as well as at correcting error messages and fixing programming mistakes. The worry here is that an advanced user could exploit these improved capabilities to further refine or even automate sophisticated malicious code.

Another worry for the future are what Europol calls “Dark LLMs”, which it defines as LLMs hosted on the Dark Web to provide a chat-bot without any safeguards, as well as LLMs that are trained on particular – perhaps particularly harmful – data. Dark LLMs trained to facilitate harmful output may become a business model for cybercriminals of the future.

“Law enforcement agencies need to understand this impact on all potentially affected crime areas to be better able to predict, prevent, and investigate different types of criminal abuse.”

The recommendations the report provides are all about better understanding what LLMs are capable of, how they can be used to forward investigations, how their work can be recognized, and how to set up legislation to provide better defined and hard to jailbreak limitations.

The European Union is working on regulating AI systems under the upcoming AI Act. While there have been some suggestions that general purpose AI systems such as ChatGPT should be included as high risk systems, and meet higher regulatory requirements, uncertainty remains as to how this could practically be implemented.



Fake DDoS services set up to trap cybercriminals

The “online criminal marketplace” has been disrupted via several fake Distributed Denial of Service (DDoS) tools, according to an announcement from the British National Crime Agency (NCA).

Not everyone on an underground forum is up to no good. Some folks register on hacking sites and services out of curiosity. It’s not uncommon for people to register on a breach forum to check if their own data is included in whatever latest disaster is unfolding in the news. Even so, certain types of service exist which are most definitely going to get users in some form of trouble no matter the supposed intention.

This is the case with DDoS tools. A DDoS attack occurs when someone decides to effectively flood a service or site with more traffic than it can handle. The site becomes overloaded, and can no longer function correctly which leads to downtime.

It can happen to websites and gaming services, and even individual gamers in some sessions have been targeted and taken down. Paid-for DDoS tools have been around for many years, and are a very popular service for people who want to quickly perform a DDoS attack without much legwork.

However, attacks like these are illegal in the UK under the Computer Misuse Act 1990. And, as it turns out, they were the focal point of the NCA’s participation in a worldwide operation designed to disrupt and panic criminal elements.

Registering for a very bad day

From the NCA’s announcement:

DDoS-for-hire or ‘booter’ services allow users to set up accounts and order DDoS attacks in a matter of minutes. Such attacks have the potential to cause significant harm to businesses and critical national infrastructure, and often prevent people from accessing essential public services.

All of the NCA-run sites, which have so far been accessed by around several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks.

Once an individual registers on the fake sites, they’re not given access to DDoS tools as they may have expected. Instead, their data is collected by the NCA. For anyone registered living in the United Kingdom, they can expect to be contacted by the NCA at a later date and given a warning about the consequences of engaging in cybercrime. Individuals outside the UK will find that their details are passed to international law enforcement.

Powering up Operation Power Off

This is all a continuation of a project called Operation Power Off, which has been running for some years now. DDoS tools are a big focus for these operations, as they’re one of many gateway entry points into the world of illegal activity.

Back in December, this same project was responsible for 48 major booter services being taken offline permanently alongside multiple arrests in the UK and US. As the NCA points out, this kind of activity helps to undermine trust in the criminal market and also makes such sites feel quite a bit less safe and anonymous. You can never really trust an underground marketplace, and that’s before you throw the spectre of law enforcement into the mix.

Indeed, a well known forum for trading stolen data recently shut down for precisely that reason. If you’re at all curious about signing up for rogue services, take the safer option. Close that browser tab, and have a good read of the oft-linked NCA Cyber Choices page. Parents, teachers, and children of all ages can see what the risks are, how someone could get into trouble, and why it’s better to put digital talents to use in favour of something more productive.



Bogus Chat GPT extension takes over Facebook accounts

If you’re particularly intrigued by the current wave of interest in AI, take care. There are some bad things lurking in search engine results waiting to compromise your Facebook account.

A rogue Chrome extension deployed in a campaign targeting Facebook users is “hitting thousands a day” according to researchers who made this discovery. The scam is based around Chat GPT-4. This is the latest iteration of what is essentially a supposedly very smart AI chatbot. As per the link, in addition to holding conversations with a user, it can also in theory “create” forms of content like works of fiction.

Whether we’re talking AI generating works of visual art, music, or even just fielding customer support questions, it’s increasingly becoming a topic you can’t avoid. Scammers are more than well positioned to take advantage of this trend, and this is a very strong hook given how many people want to see what all of the fuss is about.

The flow of attack from initial search to infection and compromise is as follows:

  • You search for Chat GPT-4 in Google, and the search returns a sponsored ad result.
  • The destination site claims to offer a form of Chat GPT inside of your search results.
  • This site eventually directs you to a Chrome extension download from the official extension store.

At this point, you may expect some malicious behaviour to happen while the actual extension itself is nothing like what it claims to be. After all, most scams offer up fake games, software, apps, and these programs typically do nothing because they’re an empty shell. In this case, the tool actually does integrate Chat GPT into search results. This is because the people behind it made use of a legitimate open-source product and created their own version of it instead.

If that was all the extension did, that would likely be the end of it.

However, the real aim of the game here is to compromise Facebook accounts. When the extension fires up, it tries to engage in a spot of cookie theft. If a malware author is able to steal your authentication cookie from your browser during a session, they can try and log in to the website they stole the cookie for.

Here, the extension filters for Facebook cookies specifically before sending the stolen cookie(s) on to the extension author’s server. Before sending the stolen cookies, they are encrypted as a way to try and discreetly get them off the target system. The act of encryption tries to ensure certain types of security tools fail to notice that something is amiss.

Once the extension authors have control of the Facebook account, they change the login details, profile image and name before posting whatever they need to in order to make their campaign a success. Examples given by the researchers include ISIS propaganda photographs and more generic allusions to spam and bogus services.

At time of writing, both the adverts and the extension itself have been taken down by Google, although that’s not to stop the people behind the campaign from simply trying again down the line.

Tips for avoiding rogue extensions

  • Download extensions from the official store. Yes, this one was found on the official store. On the other hand, if you’re downloading anyway you may as well stick to genuine sources given they come with additional information you can use to make an informed decision.
  • Read the reviews. People tend to find out pretty quickly if something is amiss.
  • Check developer authenticity. Some developers have a tick next to their name, along with a userbase tally and mention of their “good record” for uploading non-malicious content.
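As an added example that is neither the researchers’ code nor Malwarebytes’: a Python check that inspects an extension’s manifest.json for the combination the campaign above depends on, the cookies permission together with host access to facebook.com, which is what the Chrome cookies API requires before an extension can read a site’s session cookies. The two manifests are constructed samples, and the script assumes a defender has the unpacked extension on disk.

```python
import json

# Match patterns that grant host access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> list:
    """Collect host match patterns from MV3 'host_permissions' and MV2 'permissions'."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    return pats


def covers_host(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern such as '*://*.facebook.com/*' reaches `host`."""
    if pattern in BROAD_HOSTS:
        return True
    if "://" not in pattern:
        return False
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        base = host_part[2:]
        return host == base or host.endswith("." + base)
    return host_part == host


def assess_manifest(manifest: dict, watched_hosts=("facebook.com",)) -> list:
    """Findings for the cookie-theft pattern: the 'cookies' API permission only
    yields a site's cookies when the extension also has host access to that site."""
    findings = []
    api_perms = set(manifest.get("permissions", []))
    pats = host_patterns(manifest)
    if "cookies" not in api_perms:
        return findings
    reach = [h for h in watched_hosts if any(covers_host(p, h) for p in pats)]
    if reach:
        findings.append("'cookies' + host access to " + ", ".join(reach)
                        + ": the extension can read those sites' session cookies")
    if any(p in BROAD_HOSTS for p in pats):
        findings.append("'cookies' + access to all sites: the extension can read every cookie")
    return findings


# Constructed manifests: the first mirrors the campaign's shape (search-page
# integration plus Facebook cookie access); the second is what a search-only
# helper would legitimately need.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Quick access to Chat GPT (constructed sample)",
    "permissions": ["cookies", "storage"],
    "host_permissions": ["*://*.facebook.com/*", "https://www.google.com/*"],
    "content_scripts": [{"matches": ["https://www.google.com/search*"], "js": ["inject.js"]}],
    "background": {"service_worker": "worker.js"},
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Search helper (constructed sample)",
    "permissions": ["storage"],
    "host_permissions": ["https://www.google.com/*"],
    "content_scripts": [{"matches": ["https://www.google.com/search*"], "js": ["inject.js"]}],
}


def assess_manifest_file(path: str) -> list:
    """Load an unpacked extension's manifest.json from disk and assess it."""
    with open(path, encoding="utf-8") as f:
        return assess_manifest(json.load(f))


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(m["name"], "->", assess_manifest(m) or ["no cookie-access findings"])
```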


Ransomware gunning for transport sector’s OT systems next

ENISA (the European Union Agency for Cybersecurity) has reason to believe that ransomware gangs will begin targeting transportation operational technology (OT) systems in the foreseeable future. This finding is further explored in the agency’s 50-page report entitled ENISA Threat Landscape: Transport Sector.

The transportation sector, which comprises the aviation, maritime, railway, and road industries, is a subgroup under the industrial sector, according to the Global Industry Classification Standard (GICS). It doesn’t only deal with the movement of people but also of products. An OT system ensures transport services are safe, reliable, and available.

An OT system refers to the hardware and software directly involved in detecting, monitoring, and controlling processes and equipment. It interfaces with the physical world and is often part of a nation’s critical infrastructure. Examples are Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Distributed Control Systems (DCS). These systems have been targeted and attacked by the WannaCry, Stuxnet, and Triton malware, respectively.

ENISA says the three dominant threats to the transportation sector are ransomware (38 percent), data-related threats (30 percent), and malware (17 percent). However, each subgroup has reported experiencing attack types other than ransomware.

The aviation industry, for example, has dealt with more data-related threats than others. Airline customer data and proprietary information of original equipment manufacturers (OEM)—companies that provide parts for another company’s finished product—are the primary targets of attackers in this subgroup.

ENISA notes that most threat actors target IT systems, which can cause operational disruption. However, reports of OT being targeted have been rare. The agency believes this will change soon because of many factors, including ongoing digitization efforts within the industry that increase IT and OT connectivity, the high probability of companies paying ransom demands to avoid critical business and social impacts, and the increasing number of identified vulnerabilities within OT environments.

The report also listed a number of observed cyberattack trends, such as the following, within the transportation industry:

  • Ransomware attacking industries within the transport sector has been on an uptick.
  • Fifty-four percent of the time, cybercriminals are responsible for attacks against the sector and its subgroups.
  • Hacktivist and DDoS (distributed denial of service) attacks will likely continue due to geopolitical tensions and ideological motives.
  • Hacktivists in the EU primarily targeted airports, railways, and transport authorities.
  • The top motivators for attacking the transport industry are financial gain (38 percent) and operational disruption (20 percent).

From the report:

“The transport sector is considered a lucrative business for cybercriminals, with customer data considered a commodity and with highly valuable proprietary information when transport supply chain is being targeted.” …

“While we have not observed notable attacks on global positioning systems [emphasis theirs], the potential effect of this type of threat to the transport sector remains a concern. Jamming and spoofing of geolocation data could affect their availability and integrity, affecting transport sector operations. This type of attack requires further analysis in the future.”

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


GitHub accidentally exposes RSA SSH key

Late last week, GitHub tweeted that it had replaced its RSA SSH host key “out of an abundance of caution,” after accidentally exposing the key in a publicly accessible repository.

Tweet by GitHub about the key replacement

How the accidental exposure managed to happen is unknown, but it means that anyone who happened to notice it and was able to copy the key could impersonate GitHub or eavesdrop on Git operations over SSH.

SSH (Secure Shell) keys are access credentials used in the SSH protocol, and they are instrumental for the safe use of platforms such as GitHub, which is used for storing, tracking, and collaborating on software projects. The SSH protocol is widely used to log in remotely from one system to another, and its strong encryption makes it ideal for tasks such as issuing remote commands and remotely managing network infrastructure and other vital system components.

An RSA key pair includes a private and a public key. The RSA private key is used to generate digital signatures, and the RSA public key is used to verify digital signatures. GitHub.com’s RSA SSH private key was the one that was, briefly, exposed in a public GitHub repository.

What do GitHub users need to do?

If you are using GitHub’s ECDSA or Ed25519 keys, you won’t notice any change and no action is required. If you receive a warning that starts by saying that the remote host identification has changed, you’ll need to remove the old key by running this command:

$ ssh-keygen -R github.com

Then, you can manually add the following line, containing the new RSA SSH public key, to your ~/.ssh/known_hosts file:

github.com ssh-rsa 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

Alternatively you can automatically update GitHub.com’s RSA SSH key in your ~/.ssh/known_hosts, by running the following in your terminal:

$ ssh-keygen -R github.com

$ curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts

You can verify that your hosts are connecting via GitHub’s new RSA SSH key by confirming that you see the following fingerprint:

SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s
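The remove-and-replace steps above, as an added example that is not part of the original article or of GitHub’s own tooling: a Python script that computes the same SHA256 fingerprint that ssh-keygen -lf prints, reports whether the github.com ssh-rsa entry in a known_hosts file matches the fingerprint quoted above, and refuses to append a replacement key whose fingerprint does not match. The known_hosts content and the toy RSA key are constructed for the demonstration; only the expected fingerprint comes from the article.

```python
import base64
import hashlib

# Fingerprint of GitHub's replacement RSA host key, as quoted in the article above.
GITHUB_RSA_FINGERPRINT = "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob.

    Mirrors `ssh-keygen -lf`: SHA-256 over the raw blob, base64-encoded
    with the '=' padding removed, prefixed with 'SHA256:'.
    """
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _entry(line: str):
    """Parse one known_hosts line into (hosts, key_type, key_b64), or None."""
    parts = line.strip().split()
    if parts and parts[0].startswith("@"):      # @cert-authority / @revoked marker
        parts = parts[1:]
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    return parts[0].split(","), parts[1], parts[2]


def _is_github_rsa(entry) -> bool:
    # Plain-text hostnames only; hashed entries (|1|...) are not matched here,
    # unlike `ssh-keygen -R`, which removes those too.
    return entry is not None and "github.com" in entry[0] and entry[1] == "ssh-rsa"


def check_github_rsa(text: str, expected: str = GITHUB_RSA_FINGERPRINT) -> str:
    """Classify the github.com ssh-rsa entry: 'ok', 'stale' (mismatch) or 'missing'."""
    keys = [e[2] for e in map(_entry, text.splitlines()) if _is_github_rsa(e)]
    if not keys:
        return "missing"
    return "ok" if any(fingerprint(k) == expected for k in keys) else "stale"


def replace_github_rsa(text: str, new_key_b64: str,
                       expected: str = GITHUB_RSA_FINGERPRINT) -> str:
    """Drop existing github.com ssh-rsa lines and append the new key, but only
    after its fingerprint matches the published one: the check the article asks
    you to do by eye, performed before the key is trusted."""
    got = fingerprint(new_key_b64)
    if got != expected:
        raise ValueError(f"refusing to trust key with fingerprint {got}")
    kept = [ln for ln in text.splitlines() if not _is_github_rsa(_entry(ln))]
    kept.append(f"github.com ssh-rsa {new_key_b64}")
    return "\n".join(kept) + "\n"


# --- constructed sample data (toy key, not GitHub's real key) -----------------

def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def _ssh_mpint(n: int) -> bytes:
    # Minimal big-endian bytes, with a leading 0x00 if the top bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_blob(e: int, n: int) -> str:
    """Encode (e, n) as a base64 OpenSSH ssh-rsa public key blob."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()


TOY_KEY = make_rsa_blob(65537, 0xC0FFEE1234567)   # toy modulus, far too small to be real
TOY_ED25519 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample known_hosts\n"
    f"github.com ssh-rsa {TOY_KEY}\n"
    f"example.org ssh-ed25519 {TOY_ED25519}\n"
)

if __name__ == "__main__":
    # Against the published fingerprint the toy key is, correctly, reported as stale.
    print("toy known_hosts vs published fingerprint:", check_github_rsa(SAMPLE_KNOWN_HOSTS))
    print("toy key fingerprint:", fingerprint(TOY_KEY))
```

To check a real file, pass the contents of ~/.ssh/known_hosts to check_github_rsa and the key line fetched from api.github.com/meta to replace_github_rsa.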

For more information, please visit the official documentation on GitHub’s SSH public key fingerprints, or follow the more elaborate instructions in the article about the update.



Solving the password’s hardest problem with passkeys, featuring Anna Pobletts

How many passwords do you have? If you’re at all like our Lock and Code host David Ruiz, that number hovers around 200. But the important follow up question is: How many of those passwords can you actually remember on your own? Prior studies suggest a number that sounds nearly embarrassing—probably around six. 

After decades of requiring it, it turns out that the password has problems, the biggest of which is that when users are forced to create a password for every online account, they resort to creating easy-to-remember passwords that are built around their pets’ names, their addresses, even the word “password.” Those same users then re-use those weak passwords across multiple accounts, opening them up to easy online attacks that rely on entering the compromised credentials from one online account to crack into an entirely separate online account. 

As if that weren’t dangerous enough, passwords themselves are vulnerable to phishing attacks, where hackers can fraudulently pose as businesses that ask users to enter their login information on a website that looks legitimate, but isn’t. 

Thankfully, the cybersecurity industry has built a few safeguards around password use, such as multifactor authentication, which requires a second form of approval from a user beyond just entering their username and password. But, according to 1Password Head of Passwordless Anna Pobletts, many attempts around improving and replacing passwords have put extra work into the hands of users themselves:

“There’s been so many different attempts in the last 10, 20 years to replace passwords or improve passwords and the security around. But all of these attempts have been at the expense of the user.”

For Pobletts, who is our latest guest on the Lock and Code podcast, there is a better option now available that does not trade security for ease-of-use. Instead, it ensures that the secure option for users is also the easy option. That latest option is the use of “passkeys.” 

Resistant to phishing attacks, secured behind biometrics, and free from any requirement by users to create new ones on their own, passkeys could dramatically change our security for the better. 

Today, we speak with Pobletts about whether we’ll ever truly live in a passwordless future, along with what passkeys are, how they work, and which industry could see a huge benefit from implementing them. Tune in now.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)



Food giant Dole reveals more about ransomware attack

Fruit and vegetable producer Dole has confirmed attackers behind its February ransomware attack accessed employee data. The company hasn’t revealed the number of staff impacted.

In an annual report filed to the US Securities and Exchange Commission (SEC) last week, Dole said:

“In February of 2023, we were the victim of a sophisticated ransomware attack involving unauthorized access to employee information. Upon detecting the attack, we promptly took steps to contain the attack, retained the services of leading third-party cybersecurity experts and notified law enforcement. The February 2023 attack had a limited impact on our operations.”

“Limited impact” maybe, but according to CBS, customers complained on social media about delays and shortages of Dole products on store shelves for more than a week. The company also temporarily shut down production plants in North America and stopped delivery to stores.

Stewart’s Food Store in Texas, prompted by customers’ questions, posted on social media the memo it had received from Dole.

The Dole memo Stewart’s received and posted on its Facebook Page. (Source: Stewart’s)

It isn’t clear how long the company had to keep production offline. The company has also declined to comment when pressed for more details about the ransomware attack. When asked if it can recover the disruption cost through supplier recovery or insurance coverage, CEO Rory Byrne said, “I suppose the simple answer on that is no we don’t expect to recover on either of those categories.”

Byrne added that getting insurance in North America now is “prohibitive.”

Dole employs more than 35,000 staff worldwide across 75 countries. It reported $9.3B in revenue for 2022; the company was acquired by Total Produce in 2021, creating Dole PLC.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Zero-day spells disaster for Bitcoin ATM

Bitcoin ATMs have experienced a severe bout of cash drain after a zero-day bug was exploited to steal a total of $1.5 million in digital currency. The ATMs, located in various convenience stores, function along the lines of regular banking ATMs except your dealings are all in the cryptocurrency realm.

As Ars Technica notes, a particular feature of the affected ATMs is the ability to upload video. It’s not mentioned what these videos are used for (presumably security cameras), but the master server interface allowing for the video uploads is where things went horribly wrong.

From the General Bytes statement regarding the March 18 incident:

The GENERAL BYTES Cloud service and other standalone servers run by operators suffered security breaches. We noticed the first signs of a break-in on Friday night, right after midnight on Saturday, 18 March (UTC+1). We notified customers to shut down their CAS servers as soon as possible. The attacker could upload his java application remotely via the master service interface used by terminals to upload videos and run it using BATM user privileges. As a result, the attacker could send funds from hot wallets, and at least 56 Bitcoins were stolen before we could release the patch. The patch was released within 15 hours.

To make use of the exploit, the attacker uploaded a custom-made application to the ATM application server used by the administration interface. In a nod to the evergreen security tip “Don’t allow things to autorun if you don’t need them to”, the application server allowed uploaded applications to start by default.

With this in place, the attacker was able to:

  • Access the database.
  • Read and decrypt API keys to access funds in hot wallets and exchanges.
  • Send funds from hot wallets.
  • Download user names and their password hashes, and turn off 2FA.
  • Access terminal event logs, which can include private keys at the ATM.

The 56 bitcoins are currently worth a cool $1.5 million. It is very unlikely all of the stolen coins belonged to one person, but this is scant consolation for anyone affected. For now, General Bytes is collecting information on everyone affected to “validate losses”. It remains to be seen if anyone is able to recover their funds, but losing money in any cryptocurrency scenario is always a very risky business, because cryptocurrencies are generally, by design, unable to roll back fraudulent transactions.

Interestingly, the affected company has issued a call to any security companies and individuals who feel they can assist in making the product safer.

Keeping your hot wallet safe

Your cryptocurrency wallet type is an article all to its own, but in most cases you’re going to have a wallet which is hot or cold. A cold wallet is not connected to the Internet and is therefore the safest possible choice. A hot wallet comes with some form of connectivity built in, which is much more convenient. You’re able to send funds, for example, and engage with cryptocurrency exchanges. In this case, the compromised wallets are considered to be hot. Without this functionality, the ATM would be rather useless for the user’s needs.

You can’t prepare for every eventuality. If an exchange (or, in this case, a connected ATM) is compromised then your funds could still vanish no matter what security plans you have in place. Even so, here’s what you can do from your end to keep things secure.

  • Enable two-factor authentication. If it’s available for your flavour of wallet, then make sure to turn it on. Hardware keys are safest, then authenticator apps, and lastly SMS.
  • Keep your recovery passphrase safe. Never hand over your recovery phrase to any site or individual; asking for it is a common scam deployed by phishers.
  • Be sceptical of airdrops. This is another way to entice potential victims with phishing tactics. As per the above, asking for your recovery phrase is the ultimate aim.

USB bombs sent to news organizations

We’ve warned about the possible dangers arising from plugging in unknown USB sticks before, but the dangers we’re concerned with are normally confined to your data.

However, this week we learned of a far more serious threat. No fewer than five different news agencies in Ecuador were sent parcels containing a USB stick. In the one instance where a stick was plugged into a PC by a journalist, the device exploded, injuring a presenter in the news room. At least one of the devices had been loaded with a “military type explosive”.

Law enforcement is currently investigating, but for now we have to hope that no additional devices were sent out, just waiting to be inserted into a PC. While this scenario is almost guaranteed to be one that you will not face, that doesn’t mean there aren’t USB stick related perils out there in the wild.

A sticky malware threat

Malware authors are big fans of sending out infected USB sticks to potential victims. Just last year, slick-looking Microsoft boxes supposedly containing Office 365 loaded onto USB sticks were sent out by tech support scammers. When inserted into a PC, a phone number would appear, and callers would find themselves asked to install remote access tools on their devices. Elsewhere, infected USB sticks came bearing the gift of ransomware.

USB sticks are also easy to lose: sometimes people find them lying around in the street, full of potentially sensitive data rather than some kind of horrible malware.

Our willingness to insert sticks into computers is helped along by USB sticks being a commonplace giveaway at events, conferences, and even a staple of certain performance art pieces. If you have children, your school may well hand out digital copies of school photographs on USB sticks. Many people will insert those sticks into their computer without a second thought because they’re from a trusted source, the school. Yet the stick is actually from a totally unrelated third-party photographer. Can we guarantee that the photographer is following safety rules, if they even exist?

We never really know for sure, and that can be a problem. However, there are a few things you can do to help keep yourself safe from USB harm.

Tips for USB security

  • Don’t autorun files. If Autorun is enabled on your device, it’s time to consider turning it off.
  • Restrict access. If people in your workplace don’t need to use USB sticks, turn off USB access on their devices and block the USB ports.
  • Occasional access. For times when someone needs to use a USB stick, consider using those sticks on a non-networked PC running a virtual machine.
  • Fire up those security tools. Always scan the contents of a USB stick. Your Endpoint Detection and Response should be equipped to deal with USB threats.
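The first two tips above, turning Autorun off and blocking USB storage, as a Windows hardening script. This is an added example, not code from the article; the registry locations are Microsoft’s documented policy values, while the function names and the standalone-machine assumption are mine.

```powershell
# Added example, not from the article: harden a Windows endpoint against the
# Autorun and unrestricted-USB-access risks described in the tips above.
# Assumes an elevated PowerShell session on a standalone machine; in a domain,
# push the same values through Group Policy instead of editing them locally.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbstor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Disable-AutorunAndUsbStorage {
    # The policy key may not exist if no policy has ever been applied on this host
    if (-not (Test-Path $explorerPolicy)) {
        New-Item -Path $explorerPolicy -Force | Out-Null
    }
    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun/AutoPlay
    # for all of them (removable, fixed, network, CD-ROM, RAM disk, unknown).
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # NoAutorun = 1 stops Windows from honouring commands in an autorun.inf at all.
    Set-ItemProperty -Path $explorerPolicy -Name 'NoAutorun' -Value 1 -Type DWord
    # Start = 4 marks the USB mass-storage driver as disabled, so new sticks never
    # mount ("block the USB ports"). Set it back to 3 (demand start) only on the
    # isolated, non-networked machine used for the "Occasional access" tip.
    Set-ItemProperty -Path $usbstor -Name 'Start' -Value 4 -Type DWord
}

function Test-UsbHardening {
    # Returns $true only when every expected value is in place; suitable as a
    # compliance check run from a scheduled task or your EDR/MDR tooling.
    $explorer = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue
    $driver   = Get-ItemProperty -Path $usbstor        -ErrorAction SilentlyContinue
    return (
        ($explorer.NoDriveTypeAutoRun -eq 0xFF) -and
        ($explorer.NoAutorun -eq 1) -and
        ($driver.Start -eq 4)
    )
}

Disable-AutorunAndUsbStorage
if (Test-UsbHardening) { 'Autorun disabled and USB mass storage blocked.' }
else { Write-Warning 'Hardening incomplete; review the registry values above.' }
```

The USBSTOR change takes effect for devices plugged in afterwards; a stick that is already mounted stays accessible until it is removed.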
