The Millennium Bug 20 Years On | How Safe is Cyber in 2020?

Anyone who’s over 30 years old must remember that 20 years ago the world was going to end. The Millennium dawned, and among many apocalyptic prophecies one stood above all others: the Millennium Bug, aka The Year 2000 problem, Y2K problem, the Y2K, the Y2K bug, the Y2K glitch. These names refer to a class of computer bugs related to the formatting and storage of calendar data for dates beginning in the year 2000. Problems were anticipated because many programs represented four-digit years with only the last two digits, making the year 2000 indistinguishable from 1900.


The assumption of a 20th century date in such programs could cause various errors, such as the incorrect display of dates and the inaccurate ordering of automated dated records or real-time events. All sorts of doomsday scenarios were heard all over the globe from nuclear meltdown (due to the computer system’s failure) and planes falling from the skies to communication breakdown and global shutdown.
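A worked illustration of the two-digit-year problem described above, and of the date-windowing fix that most remediation projects applied. This is an added example, not code from the original article; the sample records and the pivot year of 50 are assumptions.

```python
# Added example (not from the original article): why a two-digit year field makes
# the year 2000 sort before 1999, and how a pivot-year window corrects it.
from datetime import date

# Constructed sample: ledger records stamped "YYMMDD", the layout many legacy systems used.
RECORDS = [
    ("INV-001", "991230"),  # 30 Dec 1999
    ("INV-002", "000103"),  # 3 Jan 2000
    ("INV-003", "980715"),  # 15 Jul 1998
]


def naive_year(yy: int) -> int:
    """The Y2K assumption: every two-digit year belongs to the 20th century."""
    return 1900 + yy


def windowed_year(yy: int, pivot: int = 50) -> int:
    """Date windowing: two-digit years below the pivot are read as 20xx, the rest as 19xx.
    The pivot (50 here, an assumption) must fit the real range of dates in the data."""
    return 2000 + yy if yy < pivot else 1900 + yy


def parse_yymmdd(stamp: str, year_rule) -> date:
    """Turn a YYMMDD stamp into a date, expanding the year with the supplied rule."""
    if len(stamp) != 6 or not stamp.isdigit():
        raise ValueError(f"bad YYMMDD stamp: {stamp!r}")
    yy, mm, dd = int(stamp[:2]), int(stamp[2:4]), int(stamp[4:6])
    return date(year_rule(yy), mm, dd)


def order_records(records, year_rule):
    """Return record ids sorted by their interpreted date (the 'automated ordering' case)."""
    return [rid for rid, _ in sorted(records, key=lambda r: parse_yymmdd(r[1], year_rule))]


def days_between(start: str, end: str, year_rule) -> int:
    """Elapsed days between two stamps; negative under the naive rule across the rollover."""
    return (parse_yymmdd(end, year_rule) - parse_yymmdd(start, year_rule)).days


if __name__ == "__main__":
    # Naive rule: the January 2000 invoice is read as 1900 and sorts first.
    print(order_records(RECORDS, naive_year))      # ['INV-002', 'INV-003', 'INV-001']
    # Windowed rule: chronological order is restored.
    print(order_records(RECORDS, windowed_year))   # ['INV-003', 'INV-001', 'INV-002']
    print(days_between("991230", "000103", naive_year))     # large negative number
    print(days_between("991230", "000103", windowed_year))  # 4
```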

Fortunately, none of these disaster scenarios materialized. The Y2K bug is now remembered as a moment of hysteria, a funny anecdote in time, much like the incidents that occurred 1000 years before it, when many were certain that the new Millennium would spell doom to them all (spoiler: that also didn’t happen!).

But the importance of The Millennium Bug was that for the first time in history, decision makers and ordinary citizens alike were considering cyber as a serious threat to our way of life. Fast forward 20 years and the internet is everywhere; we all use smartphones and order stuff online that is delivered to us overnight (and very soon by drones and electric vehicles). But with everything that has changed since the dawn of the millennium, are we more or less vulnerable than we have been before? Let’s examine some factors.

Connectivity: Power With a Fatal Weakness

The most notable difference between now and then is just how connected the world has become. In this sense, we are much more vulnerable today than we were before. We cannot imagine our lives without constant connectivity and all its benefits: online shopping, social media and online journalism. If this were taken away from us, even for a short while, panic might well ensue. Just remember the Dyn attacks of 2016 that resulted in “internet blackout” across the US east coast.

Connectivity is the backbone that enables the modern data economy and global commerce, but since we’ve become 100% reliant on it, if something were to happen that prevented our using it, the results would be grave.  

Open Source: Free Software, Free Vulnerabilities

20 years ago many companies were still selling perpetual software licenses, and it was impossible to imagine that free, open source software, developed by a community of hobbyists, would help many organizations run their businesses. But now open source software is an important component of almost every technology stack.

However convenient and cheap, it embodies many risks. For instance, a recent study found that the most copied StackOverflow Java code snippet of all time contains a bug. A Java developer from the big data software company Palantir submitted this code back in 2010, and since then it has been copied and embedded in more than 6,000 GitHub Java projects, more than any other StackOverflow Java snippet.

Utilizing someone else’s software has never been easier, but in doing so, we’re exposing our products to dependencies that may contain flaws and vulnerabilities as well as risking the possibility of a hard-to-detect supply-chain attack.

Mobiles: Universal Trackers, Universal Attackers

We had mobile phones back then. I mean, there were phones, and they were mobile: you could carry a phone in your pocket and talk to and text people and, well, that’s about all you could do with a phone in the year 2000. Fast forward to today, and it is hard to imagine how we could pass a single day without our smartphones, glued to the screen or broadcasting every aspect of our lives to the entire world in words, pictures and videos.

Unfortunately, this reliance on mobile technology makes us all more vulnerable. Cyber criminals know this and utilize this in myriad ways for fraud, theft and other exploits. In addition, since the mobile phone has become everyone’s “mobile command center” it has become the target of choice for reconnaissance and espionage efforts, which target users with crafted spearphishing and smishing attacks and tailored exploits for Android and iOS.

With mobile devices increasingly used on corporate networks, loaded with apps that are rarely evaluated for vulnerabilities, backdoors or data scraping and with a history of having been connected to a variety of external, possibly insecure networks, they present a rising threat to both personal and enterprise security.

The Cloud of Uncertainty: Who Has My Data?

The cloud represents an even bigger revolution than the smartphone. It was obvious to anyone back in 1999 that mobile phones would become more powerful and serve us to consume and create media. But very few people believed back then that we would all be storing our data on someone else’s Linux server, sitting quietly in some remote location completely unknown to us.

Moreover, no one would have believed that enterprises and governments would also utilize this same infrastructure to host data and run applications. And yet, thanks to Amazon and Microsoft, the traditional IT infrastructure (which required a chilled data center at every physical location) has been replaced by a virtual infrastructure hosted somewhere in a huge data center on the other side of the world.

Our dependency on cloud services is complete. We cannot operate the global commerce and knowledge economy without it, but when an outage occurs like the one that hit MS Azure back in November – resulting in an outage of several Microsoft services including Office 365, Xbox App, Xbox Live, Skype and Microsoft Azure – or the AWS outage of September, it has a tremendous impact on individuals, businesses and governments.

When mission critical services rely on data held outside our own immediate control, the notion of ‘security’ becomes an article of faith. Who is to say if those remote servers won’t lock us out unexpectedly? How are we to know who else has access to our data or whether the devices holding it have been compromised without our knowledge?

The Internet of Things: Network Entry Points, Everywhere

The cloud is also the enabler of the next revolution, that of connected ‘smart’ devices, aka ‘Machine to Machine’ (M2M) or ‘Internet of Things’ (IoT) devices. This connectivity bridges the divide between the physical and the online world and enables wired devices to “sense” their environment and then “talk” to other devices, or, through the cloud, with their owners.

This kind of connectivity is being brought to everything from garbage cans to street lights to autonomous vehicles and aviation. However, it also enables nefarious cyber activities on a scale we’ve never seen before, like the Mirai botnet that generated the largest DDoS attack the world had seen to that point, and other huge botnets, sometimes comprising as many as 850,000 computers, that are then used for cryptocurrency mining.

IoT devices bring security risks and privacy risks. Increasingly, wired ‘Smart’ devices are being recruited by botnets to gain entry into networks, and many devices leak personally identifiable information.

Meet Cybercrime: The New ‘Cost of Doing Business’

As we’ve seen, the changes that have taken place over the last 20 years have given various threat actors fertile ground on which to flourish, and flourish they have. Cybercrime has become a truly global phenomenon which impacts most industries and is expected to cost the world over $6 trillion annually by 2021.

On the defenders’ side, cybersecurity-related spending is predicted to reach $133 billion in 2022, and the market has grown more than 30x in the last 20 years, adding to the overall financial burden on companies and governments. Most of them see the money invested in cyber as a loss or “cost of doing business”, since it is generally viewed as an expense that does not yield profit or generate revenue.

However, this ‘new’ cost of doing business is a reality that no modern enterprise can afford to ignore. From script kiddies with ransomware projects to sophisticated attackers targeting universities, the only way to do business in 2020 is with cybersecurity firmly factored into the operational budget.

From the smallest business to the largest multinational organization, being part of the connected world in 2020 exposes you to risks that simply didn’t exist in the year 2000.

Final Thoughts…

December 1999 feels like a long time ago. Indeed, it really is closer in nature to the remnant of the previous century and even millennium than to our time today. It is highly unlikely that a single point of failure (like the Millennium Bug) could lead to the “end of the world”. But on the other hand, our hyper-connected environment makes us more vulnerable on so many levels, in our offices, cars and even our homes. Luckily, the technology hasn’t stood still, and modern security mechanisms now exist that are capable of dealing with these threats across platforms, including IoT, using the latest in our tech arsenal and leveraging AI and machine learning. The Y2K bug hasn’t taken us back to the analogue world, and if we continue to safeguard our connected way of living, neither will the hackers.


VMware completes $2.7 billion Pivotal acquisition

VMware is closing the year with a significant new component in its arsenal. Today it announced it has closed the $2.7 billion Pivotal acquisition it originally announced in August.

The acquisition gives VMware another component in its march to transform from a pure virtual machine company into a cloud native vendor that can manage infrastructure wherever it lives. It fits alongside other recent deals like buying Heptio and Bitnami, two other deals that closed this year.

They hope this all fits neatly into VMware Tanzu, which is designed to bring Kubernetes containers and VMware virtual machines together in a single management platform.

“VMware Tanzu is built upon our recognized infrastructure products and further expanded with the technologies that Pivotal, Heptio, Bitnami and many other VMware teams bring to this new portfolio of products and services,” Ray O’Farrell, executive vice president and general manager of the Modern Application Platforms Business Unit at VMware, wrote in a blog post announcing the deal had closed.

Craig McLuckie, who came over in the Heptio deal and is now VP of R&D at VMware, told TechCrunch in November at KubeCon that while the deal hadn’t closed at that point, he saw a future where Pivotal could help at a professional services level, as well.

“In the future when Pivotal is a part of this story, they won’t be just delivering technology, but also deep expertise to support application transformation initiatives,” he said.

Up until the closing, the company had been publicly traded on the New York Stock Exchange, but as of today, Pivotal becomes a wholly owned subsidiary of VMware. It’s important to note that this transaction didn’t happen in a vacuum, where two random companies came together.

In fact, VMware and Pivotal were part of the consortium of companies that Dell purchased when it acquired EMC in 2015 for $67 billion. While both were part of EMC and then Dell, each one operated separately and independently. At the time of the sale to Dell, Pivotal was considered a key piece, one that could stand strongly on its own.

Pivotal and VMware had another strong connection. Pivotal was originally created by a combination of EMC, VMware and GE (which owned a 10% stake for a time) to give these large organizations a separate company to undertake transformation initiatives.

It raised a hefty $1.7 billion before going public in 2018. A big chunk of that came in one heady day in 2016 when it announced $650 million in funding led by Ford’s $180 million investment.

The future looked bright at that point, but life as a public company was rough, and after a catastrophic June earnings report, things began to fall apart. The stock dropped 42% in one day. As I wrote in an analysis of the deal:

The stock price plunged from a high of $21.44 on May 30th to a low of $8.30 on August 14th. The company’s market cap plunged in that same time period falling from $5.828 billion on May 30th to $2.257 billion on August 14th. That’s when VMware admitted it was thinking about buying the struggling company.

VMware came to the rescue and offered $15.00 a share, a substantial premium above that August low point. As of today, it’s part of VMware.

Seed investors favor enterprise over consumer for first time this decade

Hello and welcome back to our regular morning look at private companies, public markets and the gray space in between.

It’s the second to last day of 2019, meaning we’re very nearly out of time this year; our space for retrospection is quickly coming to a close. Before we do run out of hours, however, I wanted to peek at some data that former Kleiner Perkins investor and Packagd founder Eric Feng recently compiled.

Feng dug into the changing ratio between enterprise-focused Seed deals and consumer-oriented Seed investments over the past decade or so, including 2019. The consumer-enterprise split, a loose divide that cleaves the startup world into two somewhat-neat buckets, has flipped. Feng’s data details a change in the majority, with startups selling to other companies raising more Seed deals than upstarts trying to build a customer base amongst folks like ourselves in 2019.

The change matters. As we continue to explore new unicorn creation (quick) and the pace of unicorn exits (comparatively slow), it’s also worth keeping an eye on the other end of the startup lifecycle. After all, what happens with Seed deals today will turn into changes to the unicorn market in years to come.

Let’s peek at a key chart from Feng, talk about Seed deal volume more generally, and close by positing a few reasons (only one of which is Snap’s IPO) as to why the market has changed as much as it has for the earliest stage of startup investing.

Changes

Feng’s piece, which you can read here, tracks the investment patterns of startup accelerator Y Combinator against its market. We care more about total deal volume, but I can’t recommend the dataset enough if you have the time.

Concerning the universe of Seed deals, here’s Feng’s key chart:

Chart via Eric Feng / Medium

As you can see, the chart shows that in the pre-2008 era, Seed deals were heavily skewed towards consumer-focused Seed investments. A new normal was found after the 2008 crisis, with just a smidge under 75% of Seed deals focused on selling to the masses for nearly a decade.

In 2016, however, a new trend emerged: a gradual decline in consumer Seed deals and a shift towards enterprise investments.

This became more pronounced in 2017, sharper in 2018, and by 2019 fewer than half of Seed deals focused on consumers. Now, more than half are targeting other companies as their future customer base. (Y Combinator, as Feng notes, got there first, making a majority of investments into enterprise startups since 2010, with just a few outlying classes.)

This flip comes as Seed deals sit at the 5,000-per-quarter mark. As Crunchbase News published as Q3 2019 ended, global Seed volume is strong:

So, we’re seeing a healthy number of deals as the consumer-enterprise ratio changes. This means that the change to more enterprise deals as a portion of all Seed investments isn’t predicated on their number holding steady while Seed deals dried up. Instead, enterprise deals are taking a rising share while volume appears healthy.

Now we get to the fun stuff; why is this happening?

Blame SaaS

As with many trends long in the making, there is no single reason why Seed investors have changed up their investing patterns. Instead, there are likely a myriad that added up to the eventual change. I’m going to ping a number of Seed investors this week to get some more input for us to chew on, but there are some obvious candidates that we can discuss today.

In no particular order, here are a few:

  • Snap’s IPO: Snap went public in early 2017 at $17 per share. Its equity quickly spiked into the high 20s. By July of that same year, Snap slipped under its IPO price. Its high-growth, high-spend model was under attack by both high costs and slim gross margins. Snap then went into a multi-year purgatory before returning to form — somewhat — in 2019. It’s not great for a category’s investment pace if one of its most prominent companies stumbles very publicly, especially for Seed investors who make the riskiest bets in venture.

Daily Crunch: VMware completes Pivotal acquisition

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

1. VMware completes $2.7 billion Pivotal acquisition

VMware is closing the year with a significant new weapon in its arsenal. (I restrained myself from using a “pivotal” pun here. You’re welcome.)

The acquisition — first announced in August — helps the company in its transformation from a pure virtual machine supplier into a cloud native vendor that can manage infrastructure wherever it lives. It fits alongside the acquisitions of Heptio and Bitnami, two other deals that closed this year.

2. Spotify to ‘pause’ running political ads, citing lack of proper review

The company told us that starting early next year, it will stop selling political ads: “At this point in time, we do not yet have the necessary level of robustness in our processes, systems and tools to responsibly validate and review this content.”

3. ‘The Mandalorian’ returns for Season 2 on Disney+ in fall 2020

The last episode of the first season of “The Mandalorian” went live on Disney+ on Friday, and showrunner Jon Favreau wasted very little time confirming when we can expect season two of the smash hit to land: next fall.

4. 2019 Africa Roundup: Jumia IPOs, China goes digital, Nigeria becomes fintech capital

The last 12 months served as a grande finale to 10 years that saw triple-digit increases in startup formation and VC on the continent. Here’s an overview of the 2019 market events that capped off a decade in African tech.

5. Maxar is selling space robotics company MDA for around $765 million

Maxar’s goal in selling the business is to help alleviate some of its considerable debt. The purchasing entity is a consortium of companies led by private investment firm Northern Private Capital, which will acquire the entirety of MDA’s Canadian operations — responsible for the development of the Canadarm and Canadarm2 robotic manipulators used on the Space Shuttle and the International Space Station, respectively.

6. Cloud gaming is the future of game monetization, not gameplay

Lucas Matney argues that as is so often the case with the next big thing in tech, cloud streaming is much more likely to become the next big feature of a more traditional platform, rather than the entire platform itself. (Extra Crunch membership required.)

7. This week’s TechCrunch podcasts

Equity took the week off, but we kept Original Content going with a review of Netflix’s new fantasy show “The Witcher.”

Happy 10th Birthday, KrebsOnSecurity.com

Today marks the 10th anniversary of KrebsOnSecurity.com! Over the past decade, the site has featured more than 1,800 stories focusing mainly on cybercrime, computer security and user privacy concerns. And what a decade it has been.

Stories here have exposed countless scams, data breaches, cybercrooks and corporate stumbles. In the ten years since its inception, the site has attracted more than 37,000 newsletter subscribers, and nearly 100 million pageviews generated by roughly 40 million unique visitors.

Some of those 40 million visitors left more than 100,000 comments. The community that has sprung up around KrebsOnSecurity has been truly humbling and a joy to watch, and I’m eternally grateful for all your contributions.

One housekeeping note: A good chunk of the loyal readers here are understandably security- and privacy-conscious, and many block advertisements by default — including the ads displayed here.

Just a reminder that KrebsOnSecurity does not run third-party ads and has no plans to change that; all of the creatives you see on this site are hosted in-house, are purely image-based, and are vetted first by Yours Truly. Love them or hate ’em, these ads help keep the content at KrebsOnSecurity free to any and all readers. If you’re currently blocking ads here, please consider making an exception for this site.

Last but certainly not least, thank you for your readership. I couldn’t have done this without your encouragement, wisdom, tips and support. Here’s wishing you all a happy, healthy and wealthy 2020, and for another decade of stories to come.

The Good, the Bad and the Ugly in Cybersecurity – Week 52

The Good

This week, three of the individuals found to be behind the GozNym family of malware were sentenced following their capture earlier this year. Krasimir Nikolov, Alexander Konovolov and Marat Kazandjian were each sentenced this past week for their roles in long-running campaigns which were all reliant on the GozNym banking trojan and supporting infrastructure. Nikolov (arrested in 2016) received credit for time served, and will now be transferred to Bulgaria. Alexander Konovolov, thought to be one of the leaders of the group, was sentenced to seven years in prison, with Kazandjian receiving a sentence of 5 years.

Starting in 2012, GozNym grew into a highly prolific and successful malware toolset. The threat came to incorporate core banking trojan features (Gozi) along with additional offshoots able to function as ransomware and a backdoor (Nymaim). The trojans were primarily spread via email spam campaigns and were used heavily to steal banking credentials and redirect funds from numerous victims.

On the slightly lighter side of things… it seems Ryuk is giving WSL (Windows Subsystem for Linux) a bit of a break in recent variants. After analyzing recent samples, researcher Vitali Kremez noted that there are hard-coded exclusions for specific folder names and structures that are inherent to most *nix installations. At first, this was a tad perplexing, as there is no “known” *nix variant of Ryuk ransomware, nor is it common for the entire Linux file structure to be shared amongst infectible Windows clients. That being said, further review suggests that the exclusions are meant to accommodate WSL and associated folders. At the end of the day, ransomware authors need their victims’ machines to work in order to close the circle and facilitate payment. It is believed this is the motivation behind the feature.

The Bad

Things have certainly not slowed down for the ‘Maze Crew’. The actors behind Maze (covered here recently) have continued to deliver on their threat of releasing data from non-compliant victims. Over the last week, additional data from Busch’s and the City of Pensacola was released. While this represents but a small sliver of what the attackers have claimed to exfiltrate from these targeted environments, it serves as an ongoing reminder of how serious the issue of ransomware and related extortion is. As we have stated previously, prevention is critical: the only way to truly be safe from these multi-pronged campaigns is to prevent them in the first place. Targeted environments that were able to restore their encrypted data while circumventing the attackers’ demands are still at risk because of the data-release component being used here.

Researchers at Positive Technologies recently disclosed details around a critical security bypass vulnerability affecting multiple Citrix products and technologies. The flaw allows for any unauthenticated attacker to remotely access internal network resources by way of the affected Citrix components. Once inside a network, attackers can continue to move laterally or attack and establish a presence on nodes deeper in the target network. According to Positive Technologies, this issue stands to affect 80,000+ companies, spread across the world. The flaw has been assigned CVE-2019-19781, and Citrix has released a fix, coupled with notice to consider application of the fix a high/critical priority.

The Ugly

Advanced Persistent Threat group APT20 (aka Violin Panda) has drawn attention to itself as a result of recent campaigns in which it successfully defeated 2FA. Choosing to target mainly MSPs (managed service providers) and government entities, the group has been locating vulnerable implementations of the Java application server platform JBoss. Once they have a foothold on the exposed web servers, they proceed to install web shells and further infiltrate the victim’s network. Part of this process included gaining access to RSA SecurID software tokens, allowing the attackers to successfully proceed through 2FA challenges. This method was also used to authenticate to 2FA-protected VPN accounts.
It is reported that the attackers were able to make small modifications to the software token mechanisms so as to allow them to generate valid tokens without validation of the specific systems. These tactics were said to be a small component of the broader Operation Wocao.


Revenue train kept rolling all year long for Salesforce

Salesforce turned 20 this year, and the most successful pure enterprise SaaS company ever showed no signs of slowing down. Consider that the company finished the year on an $18 billion run rate, rushing toward its 2022 revenue goal of $20 billion. Oh, and it also spent a tidy $15.7 billion to buy Tableau this year in the most high-profile and expensive acquisition it’s ever made.

Co-founder, chairman and CEO Marc Benioff published a book called Trailblazer about running a socially responsible company, and made the rounds promoting it. In fact, he even stopped by TechCrunch Disrupt in San Francisco in September, telling the audience that capitalism as we know it is dead. Still, the company announced it was building two more towers in Sydney and Dublin.

It also promoted Bret Taylor just last week, who could be in line as heir apparent to Benioff and co-CEO Keith Block whenever they decide to retire. The company closed the year with a bang with a $4.5 billion quarter. Salesforce, for the most part, has somehow been able to balance Benioff’s vision of responsible capitalism while building a company that makes money in bunches, one that continues to grow and flourish, and that’s showing no signs of slowing down anytime soon.

All aboard the gravy train

The company just keeps churning out good quarters. Here’s what this year looked like:

Ransomware at IT Services Provider Synoptek

Synoptek, a California business that provides cloud hosting and IT management services to more than a thousand customers nationwide, suffered a ransomware attack this week that has disrupted operations for many of its clients, according to sources. The company has reportedly paid a ransom demand in a bid to restore operations as quickly as possible.

Irvine, Calif.-based Synoptek is a managed service provider that maintains a variety of cloud-based services for more than 1,100 customers across a broad spectrum of industries, including state and local governments, financial services, healthcare, manufacturing, media, retail and software. The company has nearly a thousand employees and brought in more than $100 million in revenue in the past year, according to their Web site.

A now-deleted Tweet from Synoptek on Dec. 20 warned against the dangers of phishing-based cyberattacks, less than three days prior to their (apparently phishing-based) Sodinokibi ransomware infestation.

News of the incident first surfaced on Reddit, which lit up on Christmas Eve with posts from people working at companies affected by the outage. The only official statement about any kind of incident came late Friday evening from the company’s Twitter page, which said that on Dec. 23 it experienced a “credential compromise which has been contained,” and that Synoptek “took immediate action and have been working diligently with customers to remediate the situation.”

Synoptek has not yet responded to multiple requests for comment. But two sources who work at the company have now confirmed their employer was hit by Sodinokibi, a potent ransomware strain also known as “rEvil” that encrypts data and demands a cryptocurrency payment in return for a digital key that unlocks access to infected systems. Those sources also say the company paid their extortionists an unverified sum in exchange for decryption keys.

Sources also confirm that both the State of California and the U.S. Department of Homeland Security have been reaching out to state and local entities potentially affected by the attack. One Synoptek customer briefed on the attack who asked to remain anonymous said that once inside Synoptek’s systems, the intruders used a remote management tool to install the ransomware on client systems.

Much like other ransomware gangs operating today, the crooks behind Sodinokibi seem to focus on targeting IT providers. And it’s not hard to see why: With each passing day of an attack, customers affected by it vent their anger and frustration on social media, which places increased pressure on the provider to simply pay up.

A Sodinokibi attack earlier this month on Colorado-based IT services firm Complete Technology Solutions resulted in ransomware being installed on computers at more than 100 dentistry practices that relied on the company. In August, Wisconsin-based IT provider PerCSoft was hit by Sodinokibi, causing outages for more than 400 clients.

To put added pressure on victims to negotiate payment, the purveyors of Sodinokibi recently stated that they plan to publish data stolen from companies infected with their malware who elect to rebuild their operations instead of paying the ransom.

In addition, the group behind the Maze Ransomware malware strain recently began following through on a similar threat, erecting a site on the public Internet that lists victims by name and includes samples of sensitive documents stolen from victims who have opted not to pay. When the site was first set up on Dec. 14, it listed just eight victims; as of today, there are more than two dozen companies named.

7 Scams of Holiday Season Cyber Criminals

It’s that time of the year again when we’re all doing the two things that cyber criminals love most: spending money and giving generously. Those who seek ill-gotten gains from others have come up with plenty of ways to dupe, manipulate and steal during the holiday season. In this post, we cover seven scams to keep an eye out for.

1. Juice Jacking

The holiday season inevitably involves a lot of us traveling to and from distant friends and relatives, and that can mean visiting unfamiliar public places while in transit as well as seeking out the last drop of battery power from our mobile devices. Los Angeles County District Attorney has warned that criminals are taking advantage of this by loading malware into public USB power charging stations located in places like airports and hotels.

“Juice Jacking”, aka the USB Charger Scam, can take several forms. Fraudsters may install malware onto your device through an infected USB port or cable left hanging in a public charge point, or they may try to give away malicious USB cables as “free gifts” that are loaded with credential-stealing malware. The intent is to export personal data and passwords so that the cybercriminals can drain your bank accounts or commit identity theft.

To stay safe, never use a cable that’s been left in a charging station and don’t accept cables given away as promotional gifts.

Ideally, carry your own cables and a “power bank” charging pack. When charging on the move, find an AC outlet and plug your own charger directly into it.

2. Poisoned Public Wifi

We all love to stay connected while on the move, and retailers, coffee shops and bars know that a free, public wifi hotspot is good for business. Unfortunately, it’s easy for attackers to impersonate these hotspots or to snoop on other users of the same Wifi network.

Snooping means that other users of the network can see your unencrypted traffic – what websites you visit and any clear text data you send through the public hotspot, including what you type into web forms on unencrypted sites. Impersonation occurs when a threat actor sets up a malicious hotspot or rogue access point with an SSID the same as or very similar to the one that you intend to connect to.

In order to stay safe, avoid connecting to public Wifi networks where possible and disable any network discovery settings that allow your device to automatically join public hotspots. Where you do need access, ask staff to confirm the correct Wifi network name (SSID), and ensure you’re only browsing sites that begin with https or display the green padlock icon.

Importantly, even if using https, avoid connecting to personal banking or other highly-sensitive, password-protected sites while on public Wifi. Save that kind of work for when you’re connected to a known, trusted network.

3. Holiday Charity Scams

The festive season draws out the best in many of us, but the worst in some, too. There are a number of known scams that target people’s generosity during the holiday season. Some fraudsters spoof the phone numbers of legitimate charities, making it appear on your caller ID that the incoming call is from a charitable organization – and use robocalls and texts to target unwitting consumers. Others go so far as to set up fake charities or pretend to be agents of legitimate organizations.

To stay safe, refuse solicitations from anyone, whether online, on your phone or at your door, who claims to represent a charity. If you wish to donate to an organization, approach them directly and check their credentials by visiting their official website.

Never give out personal information to an unsolicited caller, as they may use this to commit identity theft.

4. Seasonal Phishing Scams

The holiday season makes an ideal time for phishing scams as many of us are in a rush and desperate to buy gifts at bargain prices. Meanwhile, genuine online stores are bombarding our inboxes with holiday discounts and special offers. These are prime conditions for spammers to hook victims with phishing links to malicious websites that may be clones of the real thing but are really intended to drop malware or phish login and password credentials.

These scams may take the form of special offers, gifts and coupons, or claims that you’ve been invoiced for something you didn’t order and that you need to click a link to “report a problem”. Some bad actors embed malware in images as well as attached documents, while one notorious malware platform has been spotted conducting a seasonal phishing campaign by inviting targets to accept an invitation to the staff Christmas party.

image of emotet xmas email

Of course, all these are just prompts to get the user to either download a malicious file, click a fraudulent link or enter credentials on a fake website.

To stay safe, use trusted security software to block malware. Disable the loading of remote content in your email client preferences, and inspect link addresses before clicking on them. Look out for simple tricks where the scammer uses what looks like a real address, say google.com, and replaces one or more letters with a homograph or punctuation, like go0gle.com or goo.gle.com. Such tricks may seem obvious on inspection, but are easily overlooked when only glanced at. When you do land on a website, pay attention to what’s in the address bar.

It helps to ensure your browser preferences show full website addresses and that your Safe Browsing prefs in ‘Privacy & Security’ are turned on.

A Gif showing how to make your Chrome browser private by typically going to Advanced or Privacy and clicking on Safe Browsing or Phishing and Malware Protection.
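The lookalike tricks described above (a digit or foreign letter swapped for a Latin one, or punctuation inserted into a trusted name) can be checked mechanically before a link is clicked. The following is an added example, not code from the original post or from SentinelOne: it classifies a URL against a small constructed allow-list of domains the user actually intends to visit, folds common confusable characters, and also catches the closely related trick of a trusted name embedded inside a longer host (goo.gle.com, google.com.evil.net), which goes slightly beyond the two cases named in the text. The allow-list and the confusable table are assumptions for illustration; a real deployment would use the Public Suffix List for the registrable-domain step.

```python
from urllib.parse import urlsplit
import unicodedata

# Constructed allow-list of domains the user actually means to visit (assumption).
TRUSTED_DOMAINS = {"google.com", "paypal.com", "amazon.com"}

# Characters and digraphs commonly swapped in for Latin letters. Multi-character
# entries come first so "rn" is folded to "m" before single characters are touched.
# This table is illustrative, not exhaustive.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
}


def host_of(url: str) -> str:
    """Extract the host from a URL or bare domain, decoding punycode if present."""
    if "//" not in url:
        url = "//" + url                       # let urlsplit treat a bare domain as a host
    host = (urlsplit(url).hostname or "").rstrip(".")
    if "xn--" in host:                         # punycode-encoded (IDN) label
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass                               # leave undecodable labels as-is
    return host


def registrable_domain(host: str) -> str:
    """Last two labels; a simplification that ignores the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def fold_confusables(host: str) -> str:
    """Map lookalike characters back to the Latin letters they imitate."""
    folded = unicodedata.normalize("NFKC", host)   # fullwidth forms etc. -> ASCII
    for lookalike, letter in CONFUSABLES.items():
        folded = folded.replace(lookalike, letter)
    return folded


def classify_link(url: str) -> str:
    """Return 'trusted', 'homograph', 'embedded' or 'unknown' for a URL."""
    host = host_of(url)
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"                       # accounts.google.com, google.com
    folded = fold_confusables(host)
    if registrable_domain(folded) in TRUSTED_DOMAINS:
        return "homograph"                     # go0gle.com, paypa1.com, pаypal.com
    # Remove dots and hyphens: a trusted name split by punctuation or buried
    # in a longer host (goo.gle.com, google.com.evil.net) surfaces here.
    squashed = folded.replace(".", "").replace("-", "")
    if any(t.replace(".", "") in squashed for t in TRUSTED_DOMAINS):
        return "embedded"
    return "unknown"                           # not on the allow-list; inspect manually


if __name__ == "__main__":
    for link in ("https://accounts.google.com/signin", "https://go0gle.com/login",
                 "https://goo.gle.com/", "http://p\u0430ypal.com", "https://example.org"):
        print(f"{link:40} -> {classify_link(link)}")
```

Only an exact registrable-domain match counts as trusted; everything that merely resembles a trusted name is flagged, because a human glance is exactly what these tricks are designed to defeat. The confusable folding can in principle map an innocent name onto a trusted one (a legitimate "rn" becoming "m"), so treat "homograph" as a prompt to look closely rather than as proof of fraud.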

5. Fake Updates

Keen to share and join in the fun, we’re all prone to clicking on a video shared across social media, text message or email, particularly during the festive season. But beware of those that pop up a message telling you that you need to update or download some kind of media player – fake Flash players are a favorite of adware and malware scammers – in order to view it.

These are almost always the first sign of a scam in which the fraudsters’ aim is to infect your device either with a PUP/adware installer or a more serious Emotet, Trickbot or other trojan platform.

image of fake media player

To stay safe from these kinds of threats, always dismiss any such pop-up alerts. Launch your usual media player from the Dock or Taskbar and check if it really needs an update.

Note that if your media player won’t play a media file of a type it should support, assume the offending file is malicious and send it to the Trash. Again, a good security solution can protect you from this kind of threat.

6. Fake Coupon & Discount Apps

Fraudsters don’t only restrict themselves to setting up fake websites; they’ll even build entire fake applications and distribute those through unofficial app repositories with the aim of getting users to download malware. These apps typically offer users multiple discounts or coupons promising great deals on many popular products.

In general, you’re safer sticking to apps distributed from reputable app stores, but it’s worth bearing in mind that these have also become increasingly targeted by malicious actors. Apple’s iOS App Store has had a few high-profile cases of data exfiltrating malware and spyware, and problems with Google’s Play Store are a common news item.

To stay safe, only download and install applications that you have a genuine need for, and always check out the details of the developer.

Most ‘free apps’, particularly those offering shopping discounts, are going to be at best plaguing you with in-app advertisements in order to generate their income. At worst, they may be delivering malware or stealing your data.

7. Fraudulent Ads

Encountered all year round but descending like a plague between November and January, scam ads can be found not only on sketchy websites but also circulated through social media like Facebook, Twitter, and other sharing platforms. With billions of users, these platforms make attractive targets for ads containing malicious links.

In some cases, these fake ads may show multiple items, with several listed at normal prices but one item at some incredibly low price. They may even contain text such as “Due to a pricing error, this item is now on sale at half its RRP, but it won’t be for long!” The aim is to make people click immediately to take advantage of what they think is a mistake. Of course, it’s all a scam and the link takes the user to a fake sale site with credit card skimmers embedded in the code.

Ads run by scammers can be difficult to spot, since they use many of the same marketing tricks as legitimate ads. And although there is a breed of such ads that use poor quality, blurred images, others simply steal glossy, highly-produced photos from real products. If you are tempted into clicking on an ad placed through social media, check all the details carefully. Does the website offer comprehensive information about product details, shipping costs, returns and customer support? Is the language on the website error-free?

Use a whois lookup to see how long the website has been around (scam sites are usually less than a few months old). And ultimately, is the deal “too good to be true?” The best defence against fraudulent ads is buyer caution.
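The whois check suggested above is easy to automate, and the awkward part in practice is that registrars and registries print the creation date under different labels and in different formats. The following is an added example, not code from the original post: it parses the creation date out of whois text, computes the domain’s age at a given reference time and flags anything younger than a threshold. The whois responses below are constructed samples in the styles of a few common registrar outputs, the 90-day threshold is an assumption, and `fetch_whois` simply shells out to the standard `whois` command for real lookups.

```python
import re
import subprocess
from datetime import datetime, timezone

# Labels under which registrars/registries report the creation date (illustrative list).
CREATION_LABEL = r"(?:Creation Date|Created On|Registered On|Registration Date|created)"
# Date layouts seen in the wild: ISO 8601 with and without fractional seconds,
# plain ISO date, "14-dec-2019" (some gTLD registrars) and "2019.12.14" (.ru style).
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ",
                "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")

# Constructed whois responses (not real lookups), one per style.
SAMPLE_WHOIS = {
    "holiday-megadeals.example": (
        "Domain Name: HOLIDAY-MEGADEALS.EXAMPLE\n"
        "Updated Date: 2019-12-20T11:02:55Z\n"
        "Creation Date: 2019-11-28T09:14:02Z\n"
        "Registrar: Example Registrar, Inc.\n"),
    "xmas-sale.example": "domain: XMAS-SALE.EXAMPLE\ncreated: 2019.12.14\npaid-till: 2020.12.14\n",
    "old-shop.example": "Domain Name: old-shop.example\n   Creation Date: 2011-03-04T00:00:00Z\n",
    "masked.example": "Domain Name: masked.example\nRegistrant: REDACTED FOR PRIVACY\n",
}


def parse_creation_date(whois_text: str):
    """Return the creation date as an aware UTC datetime, or None if absent/unparsed."""
    m = re.search(CREATION_LABEL + r"\s*:\s*(\S+)", whois_text, re.IGNORECASE)
    if not m:
        return None
    raw = m.group(1)
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def domain_age_days(whois_text: str, now: datetime):
    """Age in whole days at time `now`, or None when no creation date was found."""
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days


def assess_domain_age(whois_text: str, now: datetime, young_days: int = 90) -> str:
    """'young' (below threshold), 'established', or 'unknown' when the record is masked."""
    age = domain_age_days(whois_text, now)
    if age is None:
        return "unknown"      # no usable date: a warning sign in itself
    return "young" if age < young_days else "established"


def fetch_whois(domain: str) -> str:
    """Live lookup via the system `whois` command; not used by the offline samples."""
    return subprocess.run(["whois", domain], capture_output=True,
                          text=True, timeout=15).stdout


if __name__ == "__main__":
    now = datetime(2019, 12, 24, 12, 0, 0, tzinfo=timezone.utc)   # constructed reference time
    for domain, text in SAMPLE_WHOIS.items():
        print(f"{domain:28} age={domain_age_days(text, now)} -> {assess_domain_age(text, now)}")
```

A masked or unparseable record is reported as "unknown" rather than "established" on purpose: a site that hides its registration details deserves the same caution as a brand-new one, and a parser that silently treats missing data as safe would defeat the point of the check.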

Conclusion

The holiday season is a time for giving and reflection, and not a little relaxation. Unfortunately, there are plenty of scammers and fraudsters out there intent on selfishly exploiting this time of year for their own ends and ruining the festivities for others. We hope that the tips above will help you to avoid becoming a victim and wish everyone a safe and happy festive season.



Public investors loved SaaS stocks in 2019, and startups should be thankful

Hello and welcome back to our regular morning look at private companies, public markets and the gray space in between.

Today, something short. Continuing our loose collection of looks back at the past year, it’s worth remembering two related facts. First, that this time last year SaaS stocks were getting beat up. And, second, that in the ensuing year they’ve risen mightily.

If you are in a hurry, the gist of our point is that the recovery in value of SaaS stocks probably made a number of 2019 IPOs possible. And, given that SaaS shares have recovered well as a group, that the 2020 IPO season should be active as all heck, provided that things don’t change.

Let’s not forget how slack the public markets were a year ago for a startup category vital to venture capital returns.

Last year

We’re depending on Bessemer’s cloud index today, renamed the “BVP Nasdaq Emerging Cloud Index” when it was rebuilt in October. The Cloud Index is a collection of SaaS and cloud companies that are trackable as a unit, helping provide good data on the value of modern software and tooling concerns.

If the index rises, it’s generally good news for startups as it implies that investors are bidding up the value of SaaS companies as they grow; if the index falls, it implies that revenue multiples are contracting amongst the public comps of SaaS startups.*

Ultimately, startups want public companies that look like them (comps) to have sky-high revenue multiples (price/sales multiples, basically). That helps startups argue for a better valuation during their next round; or it helps them defend their current valuation as they grow.

Given that it’s Christmas Eve, I’m going to present you with a somewhat ugly chart. Today I can do no better. Please excuse the annotation fidelity as well: