When ex-workers attack (again): man used Trojan to cause havoc

Jonathan Lee Eubanks, a 29-year-old Florida man, has been sentenced to seven years in federal prison after he used a remote access Trojan (RAT) to rain down cyber fire and brimstone on his former employer.

His crimes: rerouting visitors to his former employer’s website to a rival’s site; deleting all the files on the company server; hacking into an email account and masquerading as a former colleague in order to send messages full of criticism and accusations of corporate malfeasance; and stealing three credit cards from a security company software maker and using them to order rifle scopes, electronics and survivalist gear.

The recipient of his felonious wrath was Navarro Security Group, a private security services company in Florida.

According to the US State Attorney’s Office in the Southern District of Florida, after he quit his job, on January 27 2013, Eubanks used the RAT to delete all of the files on one of the company’s servers, including databases of client and employee information and files necessary for scheduling and tracking employee shifts.

On the same day, he also rerouted visitors to the company’s website.

The next day, he sent out the disparaging email containing accusations of the company’s illegal practices in a former co-worker’s name. Several weeks later, he used credit cards he stole from the computers of a company that made software for private security firms to order the rifle scopes, survivalist gear and electronics.

In April, Eubanks was convicted of one count of intentionally causing damage to a protected computer without authorization, one count of access device fraud, and three counts of aggravated identity theft.

There might be news of still more misdeeds to come: one of the pre-sentencing documents viewed by the Miami Herald noted that a bank account for Eubanks’ computer repair company, Elite PC, mysteriously received 26 tax refunds totaling $58,000 in names that were not that of Eubanks himself. Two years later, a bank account for Eubanks’ Aventura Multiservice – a tax preparation business – also picked up 15 tax returns worth $18,000.

Eubanks has sent two contrite letters to the judge who sentenced him to 84 months. In them, he apologized to the judge for not taking a plea deal and thus making the court waste its time on his trial. He also apologized to Navarro employees for “all that I’ve put them through”.

He blamed his crimes, at least in part, on heavy drinking:

I gave up on myself.

…and told the judge that he’s given up on computers and instead found God:

Since 2013, I don’t care for or find interest in firearms or computers. I took a trip to Tennessee to find a new path in life. The Bible Belt. Since then, I have been saved and become a child of God.

I wish you the best of luck with your computer-less future, Mr Eubanks. As for Navarro, I have to ask what we’ve asked of other companies that have lost all their files thanks to a rogue ex-employee.

Namely, where were your backups? Your daily (best), weekly (not bad), or monthly (better than nothing) backups, in a secure, off-site facility, and not in the cloud or a cabinet in the LAN room?

A commenter on another sysadmin-attack story suggested one more safeguard that’s worth passing along. Namely, segregation of duties:

Moral of the story: have a separate backup operator position and do not allow the production sysadmins to access the backup repository. At that point, at least two employees would have to conspire, improving the ability to prove and prosecute malice. It also reduces the likelihood of these events, as it would require one bad actor to recruit another, which would slow the process and deter simple impulsive (or accidental) action.

Smaller companies who feel they “can’t afford” a separate additional employee could permit sysadmins to add and read files to and from the backup repository, without access to delete, modify, or overwrite existing files in the repository. A manager could control the account with modify, delete, and overwrite permissions, as these actions are rarely required.