ClassPass introduces a corporate wellness program

ClassPass has set up yet another revenue stream, signing partners like Facebook, Glossier, Google, Morgan Stanley, Under Armour, Etsy, Southwest Airlines and Gatorade to a corporate wellness program.

The program will give employees at these companies access to the ClassPass network of more than 22,000 studio partners across 2,500 cities around the world, which includes studio brands like Barry’s Bootcamp, Flywheel Sports and CorePower Yoga. Corporate partners also get access to a “large library” of on-demand audio and video workouts.

This comes after ClassPass retooled ClassPass Live, a product for which it had invested the resources to build out a new live broadcast studio, into a library of on-demand video workouts.

The company launched ClassPass Live in 2018 with the hopes that users could work out from home within the ClassPass ecosystem. CEO Fritz Lanman told TechCrunch in June that the company stopped doing live classes in April 2019 and repackaged the content into free, on-demand video classes.

According to the release, one of the issues with corporate wellness programs is that HR departments have to patch together programs based on the regions in which their companies have offices/employees. ClassPass argues that its scale across the country, and in 17 other countries, gives it an edge with corporations that have global workforces.

Moreover, the ClassPass corporate wellness program only charges employers when employees actually use the service, and allows employers to reward good behaviors (going to a certain number of classes per month) by offering additional credits toward ClassPass experiences.

Here’s what Lanman had to say about it in a prepared statement:

The ClassPass Corporate Program enables employers of all sizes to offer the world’s most extensive, one-stop fitness and wellness program to their employees worldwide. ClassPass is the best fitness program ever created for consumers. With this launch, it’s now also the best fitness program ever created for employers and their employees.

AT&T signs $2 billion cloud deal with Microsoft

While AWS leads the cloud infrastructure market by a wide margin, Microsoft isn’t doing too badly, ensconced firmly in second place, the only other company with double-digit share. Today, it announced a big deal with AT&T that encompasses both Azure cloud infrastructure services and Office 365.

A person with knowledge of the contract pegged the combined deal at a tidy $2 billion, a nice feather in Microsoft’s cloud cap. According to a Microsoft blog post announcing the deal, AT&T has a goal to move most of its non-networking workloads to the public cloud by 2024, and Microsoft just got itself a big slice of that pie, surely one that rivals AWS, Google and IBM (which closed the $34 billion Red Hat deal last week) would dearly have loved to get.

As you would expect, Microsoft CEO Satya Nadella spoke of the deal in lofty terms around transformation and innovation. “Together, we will apply the power of Azure and Microsoft 365 to transform the way AT&T’s workforce collaborates and to shape the future of media and communications for people everywhere,” he said in a statement in the blog post announcement.

To that end, they are looking to collaborate on emerging technologies like 5G and believe that by combining Azure with AT&T’s 5G network, the two companies can help customers create new kinds of applications and solutions. As an example cited in the blog post, they could see using the speed of the 5G network combined with Azure AI-powered live voice translation to help first responders communicate instantaneously with someone who speaks a different language.

It’s worth noting that while this deal to bring Office 365 to AT&T’s 250,000 employees is a nice win, that part of the deal falls under the SaaS umbrella, so it won’t help with Microsoft’s cloud infrastructure market share. Still, any way you slice it, this is a big deal.

Southeast Asian cloud communications platform Wavecell acquired by 8×8 in deal worth $125 million

Wavecell, a cloud-communications platform for companies in Southeast Asia, announced today that it has been acquired by 8×8 in a deal worth about $125 million. The acquisition will help San Jose, California-based 8×8 expand in Asia, where Wavecell already has offices in Singapore, Indonesia, the Philippines, Thailand and Hong Kong.

Wavecell’s cloud API platform, which includes SMS, chat, video and voice messaging, is used by companies such as Paidy, Lalamove and Tokopedia. It has relationships with 192 network operators and partners like WhatsApp and claims its infrastructure is used to share more than two billion messages each year.

The terms of the deal include $69 million in cash and about $56 million in 8×8 common shares. Founded in 2010, Wavecell’s investors included Qualgro VC, Wavemaker Partners and MDI Ventures.

In a prepared statement, 8×8 CEO Vik Verma said “8×8 is now the only cloud provider that owns the full, global-scale, cloud-native, technology stack offering voice, video, messaging, and contact center delivered both as pre-packaged applications and as enterprise-class APIs. We’re excited to welcome the Wavecell employees to the 8×8 family. We now have a significant market presence in Asia and expect to continue to expand in the region and globally in order to meet evolving customer requirements.”

Party Like a Russian, Carder’s Edition

“It takes a certain kind of man with a certain reputation
To alleviate the cash from a whole entire nation…”

KrebsOnSecurity has seen some creative yet truly bizarre ads for dodgy services in the cybercrime underground, but the following animated advertisement for a popular credit card fraud shop likely takes the cake.

The name of this particular card shop won’t be mentioned here, and its various domain names featured in the video have been pixelated so as not to further promote the online store in question.

But points for knowing your customers, and understanding how to push emotional buttons among a clientele that mostly views America’s financial system as one giant ATM that never seems to run out of cash.

WARNING: Some viewers may find this video disturbing. Also, it is almost certainly Not Safe for Work.

The above commercial is vaguely reminiscent of the slick ads produced for and promoted by convicted Ukrainian credit card fraudster Vladislav “BadB” Horohorin, who was sentenced in 2013 to serve 88 months in prison for his role in the theft of more than $9 million from RBS Worldpay, an Atlanta-based credit card processor. (In February 2017, Horohorin was released and deported from the United States. He now works as a private cybersecurity consultant).

The clip above is loosely based on the 2016 music video, “Party Like a Russian,” produced by British singer-songwriter Robbie Williams.

Tip of the hat to Alex Holden of Hold Security for finding and sharing this video.

Workplace, Facebook’s service for business teams, is raising its prices for the first time since launch

Three years into its life with 2 million paying users signed up, Workplace — Facebook’s platform for businesses and other organizations to build internal communities and communications — is about to make a significant business shift of its own. Come September 2, Workplace is changing its pricing tiers, how it charges its users and the services that it provides customers.

Up to now, Facebook has taken a very simple approach to how it charges for Workplace, unique not just because of it being a paid service (unlike Facebook itself, which is free), but for how it modeled its pricing on the basic building block of Facebook-the-consumer product: a basic version was free, with an enhanced premium edition costing a flat $3 per active user, per month.

In September, that will change. The standard (basic) tier is getting rebranded as Workplace Essential, and will still be free to use. Meanwhile, the premium tier is being renamed Workplace Advanced and getting charged $4 per person, per month. And Facebook is introducing a new tier, Workplace Enterprise, which will be charged at $8 per person, per month, and will come with a new set of services specifically around guaranteed, quicker support and first-look access at new features. (Those who are already customers have the option of being grandfathered for a year, the company said, before switching to a new plan.)


Those are not the only changes. Two other notable shifts are getting introduced with these new tiers. First, these prices will be for all users, regardless of whether they are active in the month.

And second, they are specifically prices for people who access Workplace as general “knowledge workers” — marked by having email addresses and specific job functions. Frontline workers — for example, cashiers or baristas or others mostly on their feet all day helping customers — will be an add-on at $1.50 per person per month, also regardless of whether they are active or not.

For now, the rest of the features in the different tiers are remaining the same.


The changes at Workplace come amid a number of other developments among workforce collaboration and communication platforms.

First and foremost, Slack has gone public, subjecting it and its ups and downs to a lot more public scrutiny, but also putting it on the map as a business of some standing, helping it make a bigger move into brokering more deals with the larger enterprises that Workplace has been winning over. The latter’s customers include the likes of Walmart, the world’s biggest employer; as well as Nestlé, Vodafone, GSK, Telefonica, AstraZeneca and Delta Airlines, and Facebook says there are more than 150 companies signed up with more than 10,000 employees each.

Teams, meanwhile, has now passed Slack in user numbers, and in a way is a more direct competitor: it has positioned itself (like Workplace) as a tool for both knowledge and frontline workers, helping with actual back-office collaboration, as well as a way to broadcast communications to a wider group of employees.

Julien Codorniou, the VP of Workplace, said the changes in pricing tiers were not a reaction to competition, but rather a reaction to customers. Although the pricing for Workplace was an interesting twist on how enterprises tend to procure IT, it turned out to be too novel by half: most customers actually prefer the predictability of paying the same amount for a service upfront, rather than having the price change each month depending on usage.

“Today, customers’ bills change every month, for example when a co-worker goes on vacation or whatever,” he said. “It’s a nightmare for the accounting department, who needs to know how much to pay two years out.”

He added that this doesn’t mean you can’t change how much you pay: you could change the pricing each month if necessary.

So far, no one has made the shift to the new tiers, so it will be interesting to see how and if they have much of an impact. I do know that from retail theory, customers in stores are more likely to select a middle-priced product if they are given an option of something cheap and something expensive at either end, and so this could be an interesting way to drive more users to Workplace’s paid tier.

What is more clear is that this is also a way for Facebook to raise its prices for the first time since the service launched, and lays the groundwork for more differentiation between different kinds of offerings.

Qualtrics’ Julie Larson-Green will talk experience management at TC Sessions: Enterprise

We’re less than two months out from our first TC Sessions: Enterprise event, which is happening in San Francisco on September 5, and did you know our buy-one-get-one-free sale ends today too! Among the many enterprise and startup executives that’ll join us for the event is Qualtrics’ Julie Larson-Green. If that name sounds familiar to you, it’s most likely because you remember her from her 25 years at Microsoft. After a successful career in Redmond, Larson-Green left Microsoft in 2017 to become the chief experience officer at SAP’s Qualtrics.

In that role, she’s perfect for our panel about — you guessed it — experience management.

Larson-Green joined Microsoft as a program manager for Visual C++ back in 1993. After moving up the ladder inside the company, she oversaw the launch of Windows 7 and became the co-lead of Microsoft’s hardware, games, music and entertainment division in 2013. At the time, she was seen as a potential replacement for then-CEO Steve Ballmer.

Later, during a period of reshuffling at the company in the wake of the Nokia acquisition, she became the chief experience officer of Microsoft’s Applications and Services group.

Larson-Green joined Qualtrics before it was acquired by SAP for $8 billion in cash. Qualtrics offers a number of products that range from customer experience tools to brand tracking and ad testing services, as well as employee research products for gathering feedback about managers, for example. At the core of its product is an analytics engine that helps businesses make sense of their employee and customer data, which in turn should help them optimize their customer experience scores and reduce employee attrition rates.


Our buy-one-get-one-free ticket deal ends today! Book a ticket for just $249 and you can bring a buddy for free. Book here before this deal ends.

We’re still selling startup demo tables, and each package comes with four tickets. Learn more here.


ContractPodAi scores $55M for its ‘AI-powered’ contract management software

ContractPodAi, a London-based startup that has developed what it describes as AI-powered contract lifecycle management software, is disclosing $55 million in Series B funding. The round is led by U.S.-based Insight Partners, with participation from earlier backer Eagle Investment.

Founded in 2012, ContractPodAi offers an “end-to-end” solution spanning the three main aspects of contract management: contract generation, contract repository, and third-party review. Its AI offering, which uses IBM’s Watson, claims to streamline the contract management process and reduce the burden on corporate in-house legal teams.

“The legal profession has been historically behind the curve in technology adoption and our objective here is to support the digital transformation of legal departments via our contract management platform,” ContractPodAi co-founder and CEO Sarvarth Misra tells TechCrunch.

“Our business focusses on providing in-house counsel of corporations across the world with an easy to use, out of the box and scalable end to end contract management platform at a fixed fee SaaS licence model”.

With regards to ContractPodAi’s target customer, Misra says its solution is industry agnostic but is typically sold to large international businesses, including FTSE 500 and Fortune 2000 corporations. Customers include Bosch Siemens, Braskem, EDF Energy, Total Petroleum, Benjamin Moore and Freeview.

Armed with new capital, ContractPodAi says it plans to “significantly” scale up its product development, sales, and customer success teams globally. The company already has offices in San Francisco, New York, Glasgow and Mumbai, in addition to its London HQ.

Adds Misra: “We believe that the market for contract management solutions is fragmented, with providers focussing on one or two aspects of contract management functionality. ContractPodAi’s objective has been to provide one contract management ecosystem which covers all aspects of contract management functionality… This, along with our fixed, transparent pricing and ability to provide full implementation as part of the annual SaaS, differentiates us from the rest of the providers”.

AlphaSense, a search engine for analysis and business intel, raises $50M led by Innovation Endeavors

Google and its flagship search portal opened the door to the possibilities of how to build a business empire on the back of organising and navigating the world’s information, as found on the internet. Now, a startup that’s built a search engine tailored to the needs of enterprises and their own quests for information has raised a round of funding to see if it can do the same for the B2B world.

AlphaSense, which provides a way for companies to quickly amass market intelligence around specific trends, industries and more to help them make business decisions, has closed a $50 million round of funding, a Series B that it’s planning to use to continue enhancing its product and expanding to more verticals.

Today, the company counts some 1,000 clients on its books, with a heavy emphasis on investment banks and related financial services companies. That’s in part because of how the company got its start: Finnish co-founder and CEO Jaakko (Jack) Kokko had been an analyst at Morgan Stanley in a past life and understood the labor and time pain points of doing market research, and decided to build a platform to help shorten a good part of the information-gathering process.

“My experience as an analyst on Wall Street showed me just how fragmented information really was,” he said in an interview, citing as one example how complex sites like those of the FDA are not easy to navigate to look for new information and updates — the kind of thing that a computer would be much more adept at monitoring and flagging. “Even with the best tools and services, it still was really hard to manually get the work done, in part because of market volatility and the many factors that cause it. We can now do that with orders of magnitude more efficiency. Firms can now gather information in minutes that would have taken an hour. AlphaSense does the work of the best single analyst, or even a team of them.”

(Indeed, the “alpha” of AlphaSense appears to be a reference to finance: it’s a term that refers to the ability of a trader or portfolio manager to beat the typical market return.)

The lead investor in this round is very notable and says something about the company’s ambitions. It’s Innovation Endeavors, the VC firm backed by Eric Schmidt, who had been the CEO of none other than Google (the pace-setter and pioneer of the search-as-business model) for a decade, and then stayed on as chairman and ultimately board member of Google and then Alphabet (its later holding company) until just last June.

Schmidt presided over Google at what you could argue was its most important time, as it gained speed and scale and transitioned from an academic idea into a full-fledged, huge public business whose flagship product has now entered the lexicon as a verb and (through search and other services like Android and YouTube) is a mainstay of how the vast majority of the world uses the web today. As such he is good at spotting opportunities and gaps in the market, and while enterprise-based needs will never be as prominent as those of mass-market consumers, they can be just as lucrative.

“Information is the currency of business today, but data is overwhelming and fragmented, making it difficult for business professionals to find the right insights to drive key business decisions,” he said in a statement. “We were impressed by the way AlphaSense solves this with its AI and search technology, allowing businesses to proceed with the confidence that they have the right information driving their strategy.”

This brings the total raised by AlphaSense to $90 million, with other investors in this round including Soros Fund Management LLC and other unnamed existing investors. Previous backers had included Tom Glocer (the former Reuters CEO who himself is working on his own fintech startup, a security firm called BlueVoyant), the MassChallenge incubator, Tribeca Venture Partners and others. Kokko said AlphaSense is not disclosing its valuation at this point. (I’m guessing though that it’s definitely on the up.)

There have been others that have worked to tackle the idea of providing more targeted, business-focused search portals, from the likes of Wolfram Alpha (another alpha!) through to LexisNexis and others like Bloomberg’s terminals, FactSet, Business Quant and many more.

One interesting aspect of AlphaSense is how it’s both focused on pulling in requests as well as set up to push information to its users based on previous search parameters. Currently these are set up to only provide information, but over time, there is a clear opportunity to build services to let the engines take on some of the actions based on that information, such as adjusting asking prices for sales and other transactions.

“There are all kinds of things we could do,” said Kokko. “This is a massive untapped opportunity. But we’re not taking the human out of the loop, ever. Humans are the right ones to be making final decisions, and we’re just about helping them make those faster.”

Meet the World’s Biggest ‘Bulletproof’ Hoster

For at least the past decade, a computer crook variously known as “Yalishanda,” “Downlow” and “Stas_vl” has run one of the most popular “bulletproof” Web hosting services catering to a vast array of phishing sites, cybercrime forums and malware download servers. What follows are a series of clues that point to the likely real-life identity of a Russian man who appears responsible for enabling a ridiculous amount of cybercriminal activity on the Internet today.

Image: Intel471

KrebsOnSecurity began this research after reading a new academic paper on the challenges involved in dismantling or disrupting bulletproof hosting services, which are so called because they can be depended upon to ignore abuse complaints and subpoenas from law enforcement organizations. We’ll get to that paper in a moment, but for now I mention it because it prompted me to check and see if one of the more infamous bulletproof hosters from a decade ago was still in operation.

Sure enough, I found that Yalishanda was actively advertising on cybercrime forums, and that his infrastructure was being used to host hundreds of dodgy sites. Those include a large number of cybercrime forums and stolen credit card shops, ransomware download sites, Magecart-related infrastructure, and a metric boatload of phishing Web sites mimicking dozens of retailers, banks and various government Web site portals.

I first encountered Yalishanda back in 2010, after writing about “Fizot,” the nickname used by another miscreant who helped customers anonymize their cybercrime traffic by routing it through a global network of Microsoft Windows computers infected with a powerful malware strain called TDSS.

After that Fizot story got picked up internationally, KrebsOnSecurity heard from a source who suggested that Yalishanda and Fizot shared some of the same infrastructure.

In particular, the source pointed to a domain that was live at the time called mo0be-world[.]com, which was registered in 2010 to an Aleksandr Volosovyk at the email address stas_vl@mail.ru. Now, normally cybercriminals are not in the habit of using their real names in domain name registration records, particularly domains that are to be used for illegal or nefarious purposes. But for whatever reason, that is exactly what Mr. Volosovyk appears to have done.

WHO IS YALISHANDA?

The one or two domain names registered to Aleksandr Volosovyk and that mail.ru address state that he resides in Vladivostok, which is a major Pacific port city in Russia that is close to the borders with China and North Korea. The nickname Yalishanda means “Alexander” in Mandarin (亚历山大).

Here’s a snippet from one of Yalishanda’s advertisements to a cybercrime forum in 2011, when he was running a bulletproof service under the domain real-hosting[.]biz:

-Based in Asia and Europe.
-It is allowed to host: ordinary sites, doorway pages, satellites, codecs, adware, tds, warez, pharma, spyware, exploits, zeus, IRC, etc.
-Passive SPAM is allowed (you can spam sites that are hosted by us).
-Web spam is allowed (Hrumer, A-Poster ….)

-Forbidden: Any outgoing Email spam, DP, porn, phishing (exclude phishing email, social networks)

There is a server with instant activation under botnets (zeus) and so on. The prices will pleasantly please you! The price depends on the specific content!!!!

Yalishanda would re-brand and market his pricey bulletproof hosting services under a variety of nicknames and cybercrime forums over the years, including one particularly long-lived abuse-friendly project aptly named abushost[.]ru.

In a talk given at the Black Hat security conference in 2017, researchers from Cisco and cyber intelligence firm Intel 471 labeled Yalishanda as one of the “top tier” bulletproof hosting providers worldwide, noting that in just one 90-day period in 2017 his infrastructure was seen hosting sites tied to some of the most advanced malware contagions at the time, including the Dridex and Zeus banking trojans, as well as a slew of ransomware operations.

“Any of the actors that can afford his services are somewhat more sophisticated than say the bottom feeders that make up the majority of the actors in the underground,” said Jason Passwaters, Intel 471’s chief operating officer. “Bulletproof hosting is probably the biggest enabling service that you find in the underground. If there’s any one group operation or actor that touches more cybercriminals, it’s the bulletproof hosters.”

Passwaters told Black Hat attendees that Intel 471 wasn’t convinced Alex was Yalishanda’s real name. I circled back with Intel 471 this week to ask about their ongoing research into this individual, and they confided that they knew at the time Yalishanda was in fact Alexander Volosovyk, but simply didn’t want to state his real name in a public setting.

KrebsOnSecurity uncovered strong evidence to support a similar conclusion. In 2010, this author received a massive data dump from a source that had hacked into or otherwise absconded with more than four years of email records from ChronoPay — at the time a major Russian online payment provider whose CEO and co-founders were the chief subjects of my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime.

Querying those records on Yalishanda’s primary email address — stas_vl@mail.ru — reveals that this individual in 2010 sought payment processing services from ChronoPay for a business he was running which sold counterfeit designer watches.

As part of his application for service, the person using that email address forwarded six documents to ChronoPay managers, including business incorporation and banking records for companies he owned in China, as well as a full scan of his Russian passport.

That passport, pictured below, indicates that Yalishanda’s real name is Alexander Alexandrovich Volosovik. The document shows he was born in Ukraine and is approximately 36 years old.

The passport for Alexander Volosovyk, a.k.a. “Yalishanda,” a major operator of bulletproof hosting services.

According to Intel 471, Yalishanda lived in Beijing prior to establishing a residence in Vladivostok (that passport above was issued by the Russian embassy in Beijing). The company says he moved to St. Petersburg, Russia approximately 18 months ago.

His current bulletproof hosting service is called Media Land LLC. This finding is supported by documents maintained by Rusprofile.ru, which states that an Alexander Volosovik is indeed the director of a St. Petersburg company by the same name.

ARMOR-PIERCING BULLETS?

Bulletproof hosting administrators operating from within Russia probably are not going to get taken down or arrested, provided they remain within that country (or perhaps within the confines of the former republics of the Soviet Union, known as the Commonwealth of Independent States).

That’s doubly so for bulletproof operators who are careful to follow the letter of the law in those regions — i.e., setting up official companies that are required to report semi-regularly on various aspects of their business, as Mr. Volosovik clearly has done.

However, occasionally big-time bulletproof hosters from those CIS countries do get disrupted and/or apprehended. On July 11, law enforcement officials in Ukraine announced they’d conducted 29 searches and detained two individuals in connection with a sprawling bulletproof hosting operation.

The press release from the Ukrainian prosecutor general’s office doesn’t name the individuals arrested, but The Associated Press reports that one of them was Mikhail Rytikov, a man U.S. authorities say was a well-known bulletproof hoster who operated under the nickname “AbdAllah.”

Servers allegedly tied to AbdAllah’s bulletproof hosting network. Image: Gp.gov.ua.

In 2015, the U.S. Justice Department named Rytikov as a key infrastructure provider for two Russian hackers — Vladimir Drinkman and Alexandr Kalinin — in a cybercrime spree the government called the largest known data breach at the time.

According to the Justice Department, Drinkman and his co-defendants were responsible for hacks and digital intrusions against NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

Whether AbdAllah ever really faces justice for his alleged crimes remains to be seen. Ukraine does not extradite citizens, as the U.S. authorities have requested in this case. And we have seen time and again how major cybercriminals get raided and detained by local and federal authorities there, only to quickly re-emerge and resume operations shortly thereafter, while the prosecution against them goes nowhere.

Some examples of this include several Ukrainian men arrested in 2010 and accused of running an international crime and money laundering syndicate that used a custom version of the Zeus trojan to siphon tens of millions of dollars from hacked small businesses in the U.S. and Europe. To my knowledge, none of the Ukrainian men that formed the core of that operation were ever prosecuted, reportedly because they were connected to influential figures in the Ukrainian government and law enforcement.

Intel 471’s Passwaters said something similar happened in December 2016, when authorities in the U.S., U.K. and Europe dismantled Avalanche, a distributed, cloud-hosting network that was rented out as a bulletproof hosting enterprise for countless malware and phishing attacks.

Prior to that takedown, Passwaters said, an individual using the nickname “Sosweet,” who was connected to another bulletproof hoster raided around the same time as Avalanche, somehow got a tip about the impending raid.

“Sosweet was raided in December right before Avalanche was taken down, [and] we know that he was tipped off because of corruption [because] 24 hours later the guy was back in service and has all his stuff back up,” Passwaters said.

The same also appears to be true for several Ukrainian men arrested in 2011 on suspicion of building and disseminating Conficker, a malware strain that infected millions of computers worldwide and prompted an unprecedented global response from the security industry.

So if a majority of bulletproof hosting businesses operate primarily out of countries where the rule of law is not strong and/or where corruption is endemic, is there any hope for disrupting these dodgy businesses?

Here we come full circle to the academic report mentioned briefly at the top of this story: The answer seems to be — like most things related to cybercrime — “maybe,” provided the focus is on attempting to interfere with their ability to profit from such activities.

That paper, titled Platforms in Everything: Analyzing Ground-Truth Data on the Anatomy and Economics of Bulletproof Hosting, was authored by researchers at New York University, Delft University of Technology, King Saud University and the Dutch National High-Tech Crimes Unit. Unfortunately, it has not yet been released publicly, and KrebsOnSecurity does not have permission yet to publish it.

The study examined the day-to-day operations of MaxiDed, a bulletproof hosting operation based in The Netherlands that was dismantled last summer after authorities seized its servers. The paper’s core findings suggest that because profit margins for bulletproof hosting (BPH) operations are generally very thin, even tiny disruptions can quickly push these businesses into the red.

“We demonstrate the BPH landscape to have further shifted from agile resellers towards marketplace platforms with an oversupply of resources originating from hundreds of legitimate upstream hosting providers,” the researchers wrote. “We find the BPH provider to have few choke points in the supply chain amenable to intervention, though profit margins are very slim, so even a marginal increase in operating costs might already have repercussions that render the business unsustainable.”

eCommerce Security: 13 Best Practices to Prevent Threats

Ecommerce retail sales are predicted to account for nearly 14% of global retail sales this year: that’s around $500bn of sales conducted across an estimated 18 million ecommerce sites, worldwide. With such vast amounts of data and money flowing through internet retailers, it’s no surprise that ecommerce platforms like Shopify and Magento have become an attractive target for hackers and cybercriminals. In this post, we review some of the most important ecommerce security issues and suggest best practices for retailers to prevent those threats affecting your online retail payments.


Why are Hackers Attacking Ecommerce Sites?

Ecommerce sites store customer data such as credit card and bank account information, as well as PII (personally identifiable information), which typically includes at a minimum a home address, email and phone number, all of which can be used for fraud and identity theft.

In contrast to physical stores, digital retail stores are highly susceptible to fraudulent transactions since fraudsters incur a much lower risk of discovery. Also, the same advantages that make ecommerce attractive to customers make it equally attractive to hackers: access outside of regular business hours and the ability to connect from any location.

As technology becomes more complex, it is also increasingly harder for retailers to ensure they’ve locked down every vulnerability. At the same time, more powerful malware and exploit kits are falling into the hands of cybercriminals, lowering the barrier to entry for those with malicious intent.

How are Hackers Attacking Ecommerce Sites?

Like other businesses, ecommerce sites are vulnerable to the usual infection vectors, but the aim is often very specific: to skim payment details that can then be sold on the dark net. Online skimming can occur without either the customer or provider being aware for many months, perhaps not until the customer notices their payment details being used for unauthorized transactions on a completely different site. Online scams have affected digital payment sites across all sectors, from auto makers like Audi, fashion outlets like Guess, NGOs such as the Washington Cathedral Science Museum and even the Malaysian government. Some of the biggest names in retail like Macy’s, Adidas, and Sears have also fallen victim.

The primary aim of an attack on an ecommerce payment platform is to infect the payment provider’s servers with malware that can scrape live payment data from users as they engage in a transaction. An encoded script like this is likely to go unnoticed by untrained or unaware site admins.

Image: encoded Magento malware script.

A bit of reverse engineering by one researcher shows the script for what it really is, an attempt to scrape the card details and PII from any customer making an online purchase:

Image: decoded Magento malware script.

And it’s not just the “big box” retailers that are targeted. With many small businesses using low-cost or open-source platforms like the Adobe-owned Magento, failing to maintain and patch these platforms can make any business the low-hanging fruit for criminals.

The Magecart campaign, first seen in 2015 and still going strong, exploits known vulnerabilities in the popular open source Magento platform. In the final quarter of last year, researchers reported that at least 40,000 online stores had fallen victim to Magecart.

Image: tweet reporting 40,000 Magento infections.

Earlier this month, 900 unique infections were detected by security researchers using web bots or crawlers to hunt for malicious Magecart scripts.

Image: 900 new Magento infections.

The same researchers have pointed out that the number of hacked stores using Magento 2 has been rising rapidly since April 2019, with their detections increasing from 50 in April to 100 in May and to nearly 300 in June.

The most recent security vulnerability in Magento, CVE-2019-7139, allowed an unauthenticated user to execute arbitrary code via an SQL injection that resulted in data leakage. While that was patched in Magento 2.3.1, 75 further security enhancements were announced with the release of the latest version, 2.3.2, just last month. These figures underline the necessity of keeping up with regular security updates and applying them in a timely fashion. 

Magento is not the only platform that has vulnerabilities. An API flaw, publicly disclosed in April of this year but patched last November, made it possible for hackers to access revenue data from thousands of stores running Shopify, arguably the most popular ecommerce payment platform in use.

What is the True Cost of a Data Breach?

The situation for online retailers has become more serious as regulatory authorities increase fines for companies that do not secure their users’ data. The European Union’s GDPR (General Data Protection Regulation), which came into force in 2018, has been used to punish companies that fail to comply with heavy fines.

While companies such as Sony, Yahoo, and Facebook have faced fines in the region of $300,000 – $500,000, the most recent case involving British Airways could see the company face a fine in the region of $200 million. In a breach of British Airways’ online payment site last year, users were diverted to a fraudulent site where hackers harvested up to 500,000 customer payment details. Stolen information included names, email addresses, credit card numbers, expiry dates and the three-digit CVV code used to verify the card’s authenticity during online shopping. 

Aside from financial loss incurred by regulatory fines, an ecommerce security breach can also negatively affect your brand reputation and cause a loss of consumer confidence. 

13 Common Ecommerce Threats and Solutions

Consumers provide retailers with a lot of valuable PII during online payment transactions, which they expect to be kept safe. Keeping your online digital payments secure, and avoiding the pains of a breach, is less of a burden if you follow these best practices to avoid ecommerce security issues.

1. HTTPS is the Default, Not the Ultimate Defence

Any online payment system needs to be using the secure https protocol, but it’s a mistake to think that your security concerns are met just because you’re using an encrypted connection. All of the breaches noted above occurred on sites that were also using https, so while it’s a mandatory requirement, there’s still a lot more you need to do.

2. Secure Your Servers and Admin Panels

Ensure you lock down your cPanels and check that directories and folders have the correct permissions. Nothing on your site should have 777 permissions, which allow anyone to read, write and execute. Permissions for directories should never exceed 755 (rwxr-xr-x), while for most if not all files 644 (rw-r--r--) should be sufficient.

Your cPanels should not be accessible from just any IP address whatsoever. You can lock down access to your cPanel and other services so that only certain IP addresses are allowed to use it.
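As an added example (not part of the original article), the following POSIX shell script audits a web root for anything looser than the 755/644 baseline described above and then tightens it; the sample site it builds is constructed for the demo, and it assumes a `find` that accepts `-perm /mode` (GNU find does).

```shell
#!/bin/sh
# Added example, not from the original article: audit a web root for
# permissions beyond the 755 (directories) / 644 (files) baseline, then fix.

# Print every directory with bits outside rwxr-xr-x (group/world write,
# setuid/setgid, sticky) and every file with bits outside rw-r--r--
# (any execute bit, group/world write, setuid/setgid, sticky).
audit_perms() {
    root="$1"
    find "$root" -type d -perm /7022 -print
    find "$root" -type f -perm /7133 -print
}

# Count offending entries so the result can be checked programmatically.
count_loose_perms() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Tighten everything under the web root to the baseline. Review the
# audit_perms output first: a few CLI scripts may legitimately need an
# execute bit and should be handled individually rather than blanket-fixed.
fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Build a constructed sample tree (not a real site) to demonstrate the check.
# Three entries are deliberately loosened; everything else is at baseline.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/media" "$site/var/cache"
    printf 'x' > "$site/index.php"
    printf 'y' > "$site/media/logo.png"
    printf 'z' > "$site/var/cache/tmp.dat"
    chmod 777 "$site/media"              # world-writable upload directory
    chmod 666 "$site/var/cache/tmp.dat"  # world-writable cache file
    chmod 755 "$site/index.php"          # needless execute bit on PHP file
    echo "$site"
}
```

Run `audit_perms /path/to/webroot` on a real deployment first and review the list before calling `fix_perms`.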

3. Payment Gateway Security

Payment gateways stand between your website and the payment processor – the bank or credit card company that will ultimately authorize the payment. The payment gateway’s job is to ensure that the transaction is secure and that you are not defrauded by customers without the ability to pay.

Your payment gateway should be using point-to-point encryption (P2PE), tokenization to reduce payment fraud from stolen data, and be PCI DSS compliant.

4. Antivirus and Anti-Malware Software

Malware attacks can’t be stopped by legacy Anti-Virus solutions any more, as attackers’ tools have become more sophisticated than the software many enterprises are using to detect them. Fileless malware that doesn’t drop executables for AV scanners to check, living-off-the-land techniques that use trusted operating system processes to do the malware’s “dirty work” and escape detection, supply chain attacks and other tricks all mean ecommerce needs more sophisticated security solutions with behavioral AI detection and autonomous response capabilities.

5. Use Firewall Control

Application firewalls can keep out communications from known malicious domains, and a good security solution should also allow you fine-grained control of both incoming and outgoing traffic. This is security 101, so make sure your security software both supports it and makes it easy to do.

6. Secure Your Site with SSL Certificates

Like using https, this should be a default on any site that’s engaged in internet commerce. Be sure that all your logins, including to the backend, require users to use SSL or TLS. Specifically, avoid logins over ports 2082, 2086 or 2095, which send passwords in clear text, making them ripe for theft.

7. Employ Multi-Layer Security

We’ve said it before, but it never gets old: defence in depth is the only way to protect against modern malware and threat actors. Even technologically unsophisticated criminals are obtaining nation-state-level malware, and the idea that you can plug every hole with a subscription to a legacy AV vendor is asking for trouble. The threat landscape is complex, from malicious insiders to supply chain attacks, to known bypasses of common AV security products. Good security means avoiding the pitfall of a single point of failure.

8. Use Security Plugins

Whether you’re using Shopify, Magento or some other platform, there should be a range of security plugins available that can fortify your ecommerce platform. Plugins can do specific tasks to beef up your defenses like detect bots, blacklist visitors from particular locations and even protect the content on your webpages by preventing things like right-click interactions or drag-and-drop actions.

9. Backup Your Data

The recent spate of ransomware attacks on city councils, hospitals and other public services should have put this basic security principle at the forefront of everybody’s mind by now. Use the 3-2-1 principle: have at least three recent backups at all times, keep two of those on different storage media, and ensure that one of them is located off-site.

10. Stay Updated

As the recent Magecart campaign and MagentoCore malware attacks show, you need to patch often and patch early. With 75 security vulnerabilities fixed in the most recent Magento 2 update, you can’t afford complacency when it comes to staying ahead of hackers.

11. Opt for a Hosted Ecommerce Platform

You can solve a lot of security problems by choosing a hosted ecommerce platform rather than trying to roll your own. Choose a PCI compliant hosting provider to get the best protection. That of course comes at a cost, but that could actually turn out to be a huge saving if you’re not prepared to deal with the added security issues that come with self-hosting. 

12. Train Your Staff Better

Educating your staff about security is one of the best “soft” defences that you can employ and will reap benefits for both the business and your customers. Be aware that most vectors that result in online skimming malware infecting your system come through phishing attacks.

Spammers may leave phishing links in your site’s blog comments or contact forms to tempt your customer service staff. Likewise, your customer-facing teams can be prone to phishing and spear-phishing attacks that urge them to “take actions” or to enrol in some vital HR exercise. Simulated phishing campaigns can help raise awareness, as can directing your staff to articles like this in your workplace communication channels.

13. Keep an Eye Out for Malicious Activity

Detection is required in the modern enterprise, and aside from using a capable NGAV solution as mentioned above, consider devoting resources to actively engaging in threat hunting. This is a methodical process in which your IT or security team looks for gaps in your layered defenses, with the aim of spotting any malware that has evaded your other layers early enough to prevent it from reaching its objective.

Conclusion

Implementing ecommerce security measures such as those described above is vital to any business that is engaged in online retailing and digital payments. Exploiting ecommerce security issues can reward hackers with a treasure trove of information to be sold on the dark net or on “carder” trading forums, and it can lead to hefty punishments for businesses that have failed to secure customer data from electronic theft. 
