Wawa Breach May Have Compromised More Than 30 Million Payment Cards

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.

On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker’s Stash began selling card data from “a new huge nationwide breach” that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states.

The fraud bazaar Joker’s Stash on Monday began selling some 30 million stolen payment card accounts that experts say have been tied back to a breach at Wawa in 2019.

Two sources that work closely with financial institutions nationwide tell KrebsOnSecurity the new batch of cards that went on sale Monday evening — dubbed “BIGBADABOOM-III” by Joker’s Stash — map squarely back to cardholder purchases at Wawa.

On Dec. 19, 2019, Wawa sent a notice to customers saying the company had discovered card-stealing malware installed on in-store payment processing systems and fuel dispensers at potentially all Wawa locations.

Pennsylvania-based Wawa says it discovered the intrusion on Dec. 10 and contained the breach by Dec. 12, but that the malware was thought to have been installed more than nine months earlier, around March 4. The exposed information includes debit and credit card numbers, expiration dates, and cardholder names. Wawa said the breach did not expose personal identification numbers (PINs) or CVV records (the three-digit security code printed on the back of a payment card).

A spokesperson for Wawa confirmed that the company today became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the data security incident announced by Wawa on December 19, 2019.

“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” Wawa said in a statement released to KrebsOnSecurity. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”

“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” the statement continues. “Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.”

Gemini Advisory, a New York-based fraud intelligence company, said the biggest concentrations of stolen cards for sale in the BIGBADABOOM-III batch map back to Wawa customer card use in Florida and Pennsylvania, the two most populous states where Wawa operates. Wawa also has locations in Delaware, Maryland, New Jersey, Virginia and the District of Columbia.

According to Gemini, Joker’s Stash has so far released only a small portion of the claimed 30 million. However, this is not an uncommon practice: Releasing too many stolen cards for sale at once tends to have the effect of depressing the overall price of stolen cards across the underground market.

“Based on Gemini’s analysis, the initial set of bases linked to “BIGBADABOOM-III” consisted of nearly 100,000 records,” Gemini observed. “While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries. Non-US-based cardholders likely fell victim to this breach when traveling to the United States and utilizing Wawa gas stations during the period of exposure.”

Gemini’s director of research Stas Alforov stressed that some of the 30 million cards advertised for sale as part of this BIGBADABOOM batch may in fact be sourced from breaches at other retailers, something Joker’s Stash has been known to do in previous large batches.

Gemini monitors multiple carding sites like Joker’s Stash. The company found the median price of U.S.-issued records in the new Joker’s Stash batch is currently $17, with some of the international records priced as high as $210 per card.

“Apart from banks with a nationwide presence, only financial institutions along the East Coast had significant exposure,” Gemini concluded.

Representatives from MasterCard did not respond to requests for comment. Visa declined to comment for this story, but pointed to a series of alerts it issued in November and December 2019 about cybercrime groups increasingly targeting fuel dispenser merchants.

A number of recent high-profile nationwide card breaches at main street merchants have been linked to large numbers of cards for sale at Joker’s Stash, including breaches at supermarket chain Hy-Vee, restaurant chains Sonic, Buca di Beppo, Krystal, Moe’s, McAlister’s Deli, and Schlotzsky’s, retailers like Bebe Stores, and hospitality brands such as Hilton Hotels.

Most card breaches at restaurants and other brick-and-mortar stores occur when cybercriminals manage to remotely install malicious software on the retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals, and that data can then be used to create counterfeit copies of the cards.

The United States is the last of the G20 nations to make the shift to more secure chip-based cards, which are far more expensive and difficult for criminals to counterfeit. Unfortunately, many merchants have not yet shifted to using chip-based card readers and still swipe their customers’ cards.

According to stats released in November by Visa, more than 3.7 million merchant locations are now accepting chip cards. Visa says for merchants who have completed the chip upgrade, counterfeit fraud dollars dropped 81 percent in June 2019 compared to September 2015. This may help explain why card thieves increasingly are shifting their attention to compromising e-commerce merchants, a trend seen in virtually every country that has already made the switch to chip-based cards.

Many filling stations are upgrading their pumps to include more cyber and physical security — such as end-to-end encryption of card data, custom locks and security cameras. In addition, newer pumps can accommodate more secure chip-based payment cards that are already in use and in some cases mandated by other G20 nations.

But these upgrades are disruptive and expensive, and many fuel station owners are putting them off until it is absolutely necessary. Prior to late 2016, fuel station owners in the United States had until October 1, 2017 to install chip-capable readers at their pumps. Station owners that didn’t have chip-ready readers in place by then would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip.

Yet in December 2016, Visa — by far the largest credit card network in the United States — delayed the requirements, saying fuel station owners would be given until October 1, 2020 to meet the liability shift deadline.

Either way, Wawa could be facing steep fines for failing to protect customer card data traversing its internal payment card networks. In addition, at least one class action lawsuit has already been filed against the company.

Finally, it’s important to note that even if all 30 million of the cards that Joker’s Stash is selling as part of this batch do in fact map back to Wawa locations, it’s highly unlikely that more than a small percentage of these cards will actually be purchased and used by fraudsters. In the 2013 megabreach at Target Corp., for example, fraudsters stole roughly 40 million cards but only ended up selling between one to three million of those cards.

Pantheon bets on WebOps as it charts a course to an IPO

It has been 10 years since Pantheon launched. At the time, it was mostly a hosting service for Drupal sites, but about six years ago, it added WordPress hosting to its lineup and raised more VC money as some of its competitors did the same. After its 2016 Series C round, things started quieting down, though the company has clear ambitions to become a public company in the next few years. To chat about those plans and the overall state of the business, I sat down with Pantheon co-founder and CEO Zack Rosen and new Pantheon board member Elissa Fink, former CMO of Tableau.

Maybe the biggest change at Pantheon is that when it launched, its team was almost solely focused on the developer experience. And while Pantheon was essentially a hosting service and offers personal plans, its focus was never on individuals who wanted a WordPress blog (which a lot of companies focused on, especially in the pre-Twitter days). Its efforts always revolved around businesses, large enterprises and the agencies that serve them.

“Back then, our overriding focus was really around the developer experience — the practitioner experience — of using our product,” Rosen explained. “And frankly, at the time, we actually really didn’t know what to call it. It really didn’t have a category, but we always felt it was something new.” He noted that over the last few years, Pantheon started talking to a lot of marketers and realized that the needs of these marketing leaders are driving this space.

Persona raises $17.5M for an identity verification platform that goes beyond user IDs and passwords

The proliferation of data breaches based on leaked passwords, and the rising tide of regulation that puts a hard stop on just how much user information can be collected, stored and used by companies have laid bare the holes in simple password and memorable-information-based verification systems.

Today a startup called Persona, which has built a platform to make it easier for organisations to implement more watertight methods based on third-party documentation, real-time evaluation, and AI to verify users, is announcing a funding round, speaking to the shift in the market and subsequent demand for new alternatives to the old way of doing things.

The startup has raised $17.5 million in a Series A from a list of impressive investors that include Coatue and First Round Capital, money that it plans to use to double down on its core product: a platform that businesses and organisations can access by way of an API, which lets them use a variety of documents, from government-issued IDs through to biometrics, to verify that customers are who they say they are.

Current customers include Rippling, Petal, UrbanSitter, Branch, Brex, Postmates, Outdoorsy, Rently, SimpleHealth and Hipcamp, among others. Persona’s target user today is any company involved in any kind of online financial transaction to verify for regulatory compliance, fraud prevention and for trust and safety.

The startup is young and is not disclosing valuation. Previously, Persona had raised an undisclosed amount of funding from Kleiner Perkins and FirstRound, according to data from PitchBook. Angels in the company have included Zach Perret and William Hockey (co-founders of Plaid), Dylan Field (founded Figma), Scott Belsky (Behance) and Tony Xu (DoorDash).

Founded by Rick Song and Charles Yeh, respectively former engineers from Square and Dropbox (companies that have had their own concerns with identity verification and breaches), Persona’s main premise is that most companies are not security companies and therefore lack the people, skills, time and money to build strong authentication and verification services — much less to keep up with the latest developments on what is best practice.

And on top of that, there have been too many breaches that have underscored the problem with companies holding too much information on users, collected for identification purposes but then sitting there waiting to be hacked. While a number of services have arisen to help protect identity for repeat users of products — for example Duo and Okta on the enterprise front, or authenticators for online applications as a more secure alternative to two-factor authentication using text messaging — these don’t really fill the use case of verification for the kinds of companies that are typical Persona customers.

The name of the game for Persona is to provide services that are easy to use and as wide as possible in their applicability. For those who can’t or don’t access the code of their apps or websites for registration flows, they can even verify users by way of email-based links.

“Digital identity is one of the most important things to get right, but there is no silver bullet,” Song, who is the CEO, said in an interview. “I believe longer term we’ll see that it’s not a one-size-fits-all approach.” Not least because malicious hackers have an ever-increasing array of tools to get around every system that gets put into place. (The latest is the rise of deep-fakes to mimic people, putting into question how to get around that in, say, a video verification system.)

At Persona, the company currently gives customers the option to ask for social security numbers, biometric verification such as fingerprints or pictures, or government ID uploads and phone lookups, some of which (like biometrics) are built by Persona itself and some of which are accessed via third-party partnerships.

Added to that are other tools like quizzes and video-based interactions. Song said the list is expanding, and the company is looking at ways of using the AI engine that it’s building — which actually performs the matching — to also potentially suggest the best tools for each and every transaction.

It’s notable to me that the platform has been conceived of and built in part by an engineer from a payments company.

API-based platforms that take some of the extreme complexity out of payment systems by doing all the hard work “under the hood” have been a building block for how a lot of financial services get integrated into workflows, in cases where the business in question relies on them but is not actually a fintech (or payment tech provider) in and of itself. This has been the premise of companies like Stripe, Adyen, CurrencyCloud and even Square to an extent, since its customers are integrating the tool that Square has built for them.

Another key point with Persona is that it provides a way for its customers to access and use information for verification by linking up with other databases, meaning the data is then not kept by the customer itself.

This is a moving target, and one that is becoming increasingly harder to focus on, given not just the rise in malicious hacking, but also regulation that limits how and when data can be accessed and used by online businesses.

Persona notes a McKinsey forecast that the personal identity and verification market will be worth some $20 billion by 2022, which is not a surprising figure when you consider the nearly $9 billion that Google has been fined so far for GDPR violations, or the $700 million Equifax paid out, or the $50 million Yahoo (a sister company now) paid out for its own user-data breach.

Chicago’s ActiveCampaign raises $100M for an all-in-one marketing and sales automation platform

Marketing and sales automation — tools that leverage the advances and data of our digital age to better identify and then interact with customers — is big business, with the whole market expected to generate some $6.6 billion in revenues for related companies by 2025.

But “companies” is the operative word here: it’s a very fragmented space, with dozens of hopefuls covering different aspects of marketing and sales, each with its own unique approach. There is an alternative trend, though, and today a customer experience automation company called ActiveCampaign, catering not just to large enterprises but small and medium businesses too, has raised a large round of funding to build out its own one-stop-shop model. It includes the tools to run email and messaging-based marketing campaigns; marketing automation across sites and events; and sales and CRM.

The Chicago-based company is today announcing that it has closed a Series B of $100 million, money that it will use to invest in building out new technology and to expand internationally. The funding is being led by Susquehanna Growth Equity, with PE firm Silversmith Capital Partners also participating.

ActiveCampaign is not your typical startup. It has been around since 2003, and this is only the second time it has raised money — the first time was in 2016, a modest $20 million round from Silversmith. Fundraising is not the only thing that sets it apart: it’s also profitable and has been for years (one reason it hasn’t raised money), and it’s actually already quite large, with 90,000 customers in 161 countries.

Yet it’s something of a theme in the world of “startups” — meaning tech companies that are still privately owned and raising from VCs and related backers — particularly those that are B2B focused, that some of the more interesting and successfully bootstrapped among them at some point turn to VC and private equity when they need an extra boost to move beyond what has become their natural growth rate.

In the case of ActiveCampaign, it had a taste of what a little outside investment could do in the last few years: Jason VandeBoom, founder and CEO of ActiveCampaign, said the company has seen its annual recurring revenues grow 6x since 2016 to $90 million, with employees booming from 65 to more than 550.

The company’s core proposition is that it provides a less fragmented approach to businesses interested in building in some digital marketing or sales tools into their outreach and then considering what to do next.

“What we are up against are a number of companies focused on a single slice of customer experience, either CRM or a customer success platform,” VandeBoom said. “We’re still at this point in the industry where the category is taking shape,” which spells a ripe opportunity for ActiveCampaign.

The need for what ActiveCampaign provides is a basic one: Whether you are an online retailer or any business that wants to expand its audience or make sure to stay connected to the one you already have, you need tools to reach users, figure out what they want to see from you and connect in a relevant way.

VandeBoom added that while there are no specific plans for acquisitions that can be discussed now, the funding also gives the company “optionality” in terms of what it might do next.

Part of the company’s approach is to build technology in-house, but in the spirit of all-in-one platforms, its value also lies in how many other things its users can plug into using ActiveCampaign.

The company has some 260 technology partners and a “recipe library” with more than 250 automations already built, or users can build and customise themselves from more than 300 possible apps that can be integrated, including Shopify, Square, Facebook, Eventbrite and Salesforce.

With this round, Martin Angert, director at Susquehanna, is joining ActiveCampaign’s board of directors. His existing roles on the boards of Workfront, WhiteSource, XebiaLabs and Allocadia speak to interesting potential strategic partnerships for ActiveCampaign.

“ActiveCampaign and the CXA category have grown significantly and our investment in the series B reconfirms Silversmith’s commitment to ActiveCampaign’s future,” said Todd Maclean, co-founder and managing partner of Silversmith Capital Partners, in a statement.

Cooks Venture raises $4 million from Golden West Food Group to ramp up distribution

Cooks Venture, the agtech company looking to revolutionize the chicken industry, has today announced the close of a $4 million funding round led by Golden West Food Group.

Cooks Venture has been working in stealth for many years, but launched onto the scene in 2018 with a plan to reshape agriculture from the ground up. And the key to that strategy? Chickens.

Cooks Venture geneticists and scientists have spent years isolating genetic lines of chickens to create a new, proprietary breed, called the Pioneer, a type of heirloom chicken. Most folks don’t know that, no matter what brand of chicken you buy at the store, chances are that it’s one of two breeds, the Cobb 500 or the Ross 308, which are produced by Cobb and Aviagen respectively.

Both of these breeds of broilers are fast-growing (they’re ready to be processed in just over five weeks) and use a three-phase feed system for growth. This system, and these breeds, are a big reason why animal activist groups express so much concern over the wellbeing of chicken livestock, often explaining that the birds are too young to carry around all the weight they put on so quickly.

Cooks Venture looked to science to solve the problem. The company’s Pioneer chicken can eat a highly diverse diet, and can be raised in 60 to 65 days. This means that the Pioneer chickens are truly free range, wandering around the farm. It also means that these chickens, with a digestive tract that can handle a diverse diet and the ability to exercise, live a healthier life, are higher in Omega-3, and taste better than your average Cobb 500 or Ross 308, according to the company.

But the chickens themselves are only part of the solution. A byproduct of the proliferation of these fast-growing chickens produced by Cobb and Aviagen is that they have to eat, and their diet is very specific. That means that farmers must produce a great deal of one or two crops to feed the millions of chickens out there. The result is that our agricultural land is not being used in an efficient or eco-friendly way.

In fact, Cooks Venture founder Matt Wadiak says that the vast majority of our crop production in the United States is used for ethanol or animal feed, which indexes towards corn and soy. The USDA says, of feed grains, that corn accounts for more than 95 percent of total production and use in the country.

Many farmers would love to implement regenerative agricultural practices, a big part of which includes creating a biodiverse ecosystem with many different crops, but who would they sell the extra, low-demand crops to?

The answer now can be Cooks Venture. With strong digestive systems, Cooks Venture chickens can eat a diet that comes from a more biodiverse farm. Moreover, when Cooks Venture is ready to expand globally, the chickens are able to eat crops local to the ecosystems of emerging nations, such as yucca and quinoa.

Cooks Venture has its own farm, and works with farm partners to set up regenerative agricultural practices around producing Pioneer chicken feed. Cooks also does its own processing at its own plant.

Golden West Food Group is a manufacturer of meat products and value-add food products like marinated chicken, such as Jack Daniels pulled pork. It’s worth noting that GWFG is not a competitor to Cooks Venture, as it produces no meat products whatsoever, but rather an important distribution partner for the brand.

Through the partnership with GWFG, Cooks can start to ramp up commercialization of its chickens, which are currently sold through some retailers, on the Cooks website, and on FreshDirect.

As part of the announcement, Cooks Venture is also bringing on Ankur Agrawal as Chief Financial Officer. Wadiak, a cofounder at Blue Apron, worked with Agrawal back in the Blue Apron days and says that his understanding of agricultural finance is top of the line.

Editor’s Note: An earlier version of this article misidentified the Pioneer chicken and mistook HelloFresh for Fresh Direct. It has been updated for accuracy.

ServiceNow acquires conversational AI startup Passage AI

ServiceNow announced this morning that it has acquired Passage AI, a startup that helps customers build chatbots in multiple languages, something that should come in handy as ServiceNow continues to modernize its digital service platform. The companies did not share terms of the deal.

With Passage AI, ServiceNow gets a bushel of AI talent, which in itself has value, but it also gets AI technology, which should fit in nicely with ServiceNow’s mission. For starters, the company’s chatbot solutions give ServiceNow an automated way to respond to customer/user inquiries.

Even more interesting for ServiceNow, Passage includes an IT automation component that uses “a conversational interface to submit tickets, handle queries, and take direct action through APIs,” according to the company website. It also gets an HR automation piece, giving the company an intelligent tool it could incorporate across its Now Platform in tools like ServiceNow Virtual Agent, Service Portal and Workspaces, in multiple languages.

The multilingual support was an aspect of the deal that appeals to Debu Chatterjee, senior director of AI Engineering at ServiceNow. “Building deep learning, conversational AI capabilities into the Now Platform will enable a work request initiated in German or a customer inquiry initiated in Japanese to be solved by Virtual Agent,” he said in a statement.

Companies are increasingly looking for ways to solve common customer problems using chatbots, while only bringing humans into the loop when the bot can’t answer the query. Passage AI gives ServiceNow much deeper knowledge in this growing area.

Passage AI, which launched in 2016, has raised $10.3 million, according to Crunchbase data. The company website lists a variety of large customers including MasterCard, Shell, Mercedes Benz and SoftBank. The acquisition comes less than a week after ServiceNow purchased another AI-focused startup, Loom Systems, one that concentrates on automating operations data.

The deal is expected to close this quarter. ServiceNow will be announcing earnings on Wednesday afternoon.

Nutanix execs discuss how they built their 2016 IPO roadshow deck

Bringing a startup from idea to IPO isn’t an easy task, but if you can build something successful, one major milestone is to go public. Before your Nasdaq debut, however, there’s a major step — building a deck and taking it on the road for investors.

Cloud computing company Nutanix went public in 2016, so we spoke to CEO Dheeraj Pandey and CFO Duston Williams, both of whom were with the company for the big event, to learn about how a company should define itself for investors as it seeks to go public.

Who are you?

Building a roadshow deck is an exercise in communications as founders attempt to carefully lay out their company’s core purpose and how they built it, along with their ethics, aspirations, financials and value proposition. In a nutshell, an effective roadshow deck summarizes who you are, what you stand for and why your company will make a good investment.

CEO Pandey says that in addition to investment bank Goldman Sachs, a number of people from the company helped craft the presentation. “Fifteen people across different functions were involved in building the deck. That included product and marketing, to finance and corporate communications, to legal. I think there were at least six different departments,” he said.

RealityEngines launches its autonomous AI service

RealityEngines.AI, an AI and machine learning startup founded by a number of former Google executives and engineers, is coming out of stealth today and announcing its first set of products.

When the company first announced its $5.25 million seed round last year, CEO Bindu Reddy wasn’t quite ready to disclose RealityEngines’ mission beyond saying that it planned to make machine learning easier for enterprises. With today’s launch, the team is putting this into practice by launching a set of tools that specifically tackle a number of standard enterprise use cases for ML, including user churn predictions, fraud detection, sales lead forecasting, security threat detection and cloud spend optimization. For use cases that don’t fit neatly into these buckets, the service also offers a more general predictive modeling service.

Before co-founding RealityEngines, Reddy was the head of product for Google Apps and general manager for AI verticals at AWS. Her co-founders are Arvind Sundararajan (formerly at Google and Uber) and Siddartha Naidu (who founded BigQuery at Google). Investors in the company include Eric Schmidt, Ram Shriram, Khosla Ventures and Paul Buchheit.

As Reddy noted, the idea behind this first set of products from RealityEngines is to give businesses an easy entry into machine learning, even if they don’t have data scientists on staff.

Besides talent, another issue that businesses often face is that they don’t always have massive amounts of data to train their networks effectively. That has long been a roadblock for many companies that want to see what AI can do for them but that didn’t have the right resources to do so. RealityEngines overcomes this by creating realistic synthetic data that it can then use to augment a company’s existing data. In its tests, this creates models that are up to 15 percent more accurate than models that were trained without the synthetic data.

“The most prominent use of generative adversarial networks — GANS — has been to create deep fakes,” said Reddy. “Deepfakes have captured the public’s imagination by highlighting how easy it is to spread misinformation with these doctored videos and images. However, GANS can also be applied to productive and good use. They can be used to create synthetic datasets which can then be combined with the original data, to produce robust AI models even when a business doesn’t have much training data.”

RealityEngines currently has about 20 employees, most of whom have a deep background in ML/AI, both as researchers and practitioners.


Russian Cybercrime Boss Burkov Pleads Guilty

Aleksei Burkov, an ultra-connected Russian hacker once described as “an asset of supreme importance” to Moscow, has pleaded guilty in a U.S. court to running a site that sold stolen payment card data and to administering a highly secretive crime forum that counted among its members some of the most elite Russian cybercrooks.

Aleksei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Andrei Shirokov / Tass via Getty Images.

Burkov, 29, admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being the founder and administrator of DirectConnection — a closely guarded underground community that attracted some of the world’s most-wanted Russian hackers. He pleaded guilty last week in a Virginia court to access device fraud and conspiracy to commit computer intrusion, identity theft, wire fraud and money laundering.

As KrebsOnSecurity noted in a November 2019 profile of Burkov’s hacker nickname ‘k0pa,’ “a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.”

Membership in the DirectConnection fraud forum was heavily restricted. New members had to be native Russian speakers, provide a $5,000 deposit, and be vouched for by three existing crime forum members. Also, members needed to have a special encryption certificate installed in their Web browser before the forum’s login page would even load.

DirectConnection was something of a Who’s Who of major cybercriminals, and many of its most well-known members have likewise been extradited to and prosecuted by the United States. Those include Sergey “Fly” Vovnenko, who was sentenced to 41 months in prison for operating a botnet and stealing login and payment card data. Vovnenko also served as administrator of his own cybercrime forum, which he used in 2013 to carry out a plan to have Yours Truly framed for heroin possession.

As noted in last year’s profile of Burkov, an early and important member of DirectConnection was a hacker who went by the moniker “aqua” and ran the banking sub-forum on Burkov’s site. In December 2019, the FBI offered a $5 million bounty leading to the arrest and conviction of aqua, who’s been identified as Maksim Viktorovich Yakubets. The Justice Department says Yakubets/aqua ran a transnational cybercrime organization called “Evil Corp.” that stole roughly $100 million from victims.

In this 2011 screenshot of DirectConnection, we can see the nickname of “aqua,” who ran the “banking” sub-forum on DirectConnection. Aqua, a.k.a. Maksim V. Yakubets of Russia, now has a $5 million bounty on his head from the FBI.

According to a statement of facts in Burkov’s case, the author of the infamous SpyEye banking trojan — Aleksandr “Gribodemon” Panin — was personally vouched for by Burkov. Panin was sentenced in 2016 to more than nine years in prison.

Other top DirectConnection members include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

Burkov was arrested in 2015 on an international warrant while he was visiting Israel, and over the ensuing four years the Russian government aggressively sought to keep him from being extradited to the United States. When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians then imprisoned a young Israeli woman on trumped-up drug charges in a bid to trade prisoners.

As the news outlet Haaretz reported in October, Naama Issachar was arrested while changing planes in Russia on her way home from a yoga course in India. Russian police said they found approximately 10 grams of marijuana in Issachar’s bag. Issachar denied smuggling drugs, saying she had not sought to enter Russia during her layover and had no access to her luggage during her brief stay in the Russian airport.

Haaretz noted that the Russian government pressed Israel to exchange Burkov for Issachar. When Israel’s supreme court cleared the way for Burkov’s extradition to the United States, Issachar was found guilty of drug smuggling and sentenced to 7.5 years in jail.

But according to a story today in The Times of Israel, the Kremlin has signaled that Russian President Vladimir Putin may make a decision “in the near future,” on a possible pardon for Issachar, whose mother reportedly met with Putin while the Russian leader was visiting Israel last week.

Burkov currently is scheduled to be sentenced on May 8. He faces a maximum sentence of 15 years in prison.

CISO Essentials | How Remote Access Trojans Affect the Enterprise

The Chinese Lunar year 2020 is the Year of the Rat, and people born in the Year of the Rat are supposed to be optimistic and likable. But in cybersecurity, RAT (Remote Access Trojan) stands for the opposite of likable: a nasty tool leveraged by bad actors. For many years, RATs have been used as a means to control victims’ computers remotely and surreptitiously. The sneaky RAT can access computer users’ files and hardware resources like webcams and microphones, as well as function as a keylogger, data stealer and springboard for launching other malware attacks. Worse, use of RATs in attacks against the enterprise is on the increase. In this post, we take a look at the latest developments in the use of Remote Access Trojans.


What is a Remote Access Trojan?

Sometimes referred to as a “remote administration tool” due to its similarity to legitimate IT admin tools like TeamViewer and LogMeIn, a remote access trojan is essentially a hidden backdoor into another user’s computer. This backdoor gives the person operating the RAT a whole range of different functions that can be used for malicious purposes, depending on which particular RAT platform they’re utilizing.

Some well-known RATs from the past and present include:

  • Adwind jRAT
  • Blackshades RAT
  • CalypsoRAT
  • DanBot RAT
  • DarkComet
  • FlawedAmmyy RAT
  • FlawedGrace RAT
  • Orcus RAT
  • PupyRat

Like genuine tools used by organizations to manage endpoints remotely, RATs give their operators powerful control over the system they are installed on. The difference, of course, is that a RAT is both hidden and unwanted.

How Do Remote Access Trojans Spread?

As with most malware infections, RATs typically arrive through malspam, phishing and spearphishing campaigns. For example, a user may receive a phishing email carrying a malicious PDF or Word document, or the mail may contain a URL that takes the victim to a webpage for a fake software plugin and a message that a required tool is missing or needs updating. Adobe Flash, Adobe Reader and similar popular products are often spoofed for just this kind of trick due to their wide adoption across platforms.

Other threat actors have been more creative. For example, hackers have hidden the PyXie RAT in a Tetris game, used Facebook to deliver FlawedAmmyy RAT, and have even used a fake WebEx meeting invitation to infect an unsuspecting victim.

How Do RATs Evade Detection?

For your organization, the main danger with RATs is that they make illegitimate use of perfectly legitimate functionality that your admins need. No modern business can run an effective IT support service without the ability to remotely log in to users’ computers for troubleshooting and other support tasks. RATs piggyback on the same remote access services that legitimate tools like TeamViewer use, exploiting Windows Remote Desktop (RDP) and TCP networking protocols to install a backdoor to the attacker’s own machine.

In the eyes of legacy AV suites, such activity may not seem suspicious at all. This ability to blend in with normal or expected traffic can allow a RAT to go undetected for months or years, which makes the RAT a perfect tool for all kinds of malicious actors, from APT and nation-state hackers to criminals looking for financial reward.

How Do Threat Actors Use RATs Against The Enterprise?

A RAT’s primary objective is to operate without the target’s awareness. While there have certainly been cases of “lone wolf” actors targeting individuals and organizations and remaining undetected for over a decade, until recently the main threat to the enterprise from RATs came from APT campaigns, including those targeting the most sensitive of installations such as a nuclear power plant in India (targeted by the DTrack RAT), oil and gas companies in the Middle East, telecoms across Africa and Asia (DanBot RAT), government agencies around the globe (Calypso RAT), and most recently an energy-sector organization in Europe (PupyRAT).

Using these RATs, hackers were able to take complete control over victims’ machines, gain access to entire networks, exfiltrate troves of sensitive corporate data and avoid detection until after they had realized all their goals.

Are Remote Access Trojans Becoming More Common?

While RATs have long been a popular tool for advanced targeted attacks, a new trend has emerged over the last 18 months or so. In this time, RATs have become more prevalent and now appear to be attractive to financially-motivated hackers. This has led to an increase in the number of RAT victims, who are unequipped to detect and mitigate this malware threat. This rise is in large part due to the fact that RAT developers have made their malware less expensive and more readily accessible. As a result, more criminals have started experimenting with these tools, and with this proliferation, the number of infected victims has risen.

A recent example of a RAT becoming a commercial, “off the shelf” tool for criminals in this way was the Imminent Monitor Remote Access Trojan (IM-RAT). IM-RAT provided cybercriminals easy access to victims’ machines. It was clever enough to bypass legacy anti-virus and malware detection software, carry out commands such as recording keystrokes, steal data and passwords, and watch victims via their webcams – all for a measly $25 per license. This made IM-RAT very popular, very fast. IM-RAT was used in 124 countries and sold to more than 14,500 buyers before being taken down by a joint action of the Australian Federal Police (AFP), Europol and Eurojust.

But price alone is not the only reason RATs have grown in popularity. RATs are very versatile, and their use is limited only by the imagination of those who develop and deploy them. They have been used to collect payment card details, to collect military and diplomatic intelligence, to grab the personal details of hotel guests and even to satisfy the sexual needs of voyeurs.

How Can CISOs Protect Against Remote Access Trojans?

In the past, RATs were difficult to develop and required a high degree of proficiency to operate. They were anything but “fire-and-forget” tools. They required threat actors to invest time and effort in inserting the malware into victims’ systems, manually operate the connection and then carry out whatever nefarious activities they had planned. As we have seen, things have changed more recently, and like other crimeware such as ransomware as a service, malware developers have seen and grasped the opportunity to make profit by selling easy access to tools that others do not have the skill to make for themselves.

For defenders, the increase in RAT activity means there is both a requirement to stop attacks dead at the initial stage, and to have visibility over your entire network to detect any threats that might have escaped your first layer of security. Implementing firewall control and network traffic policies can help you monitor and block unwanted connections and ports that will help thwart attackers.

Aside from that, disable Remote Desktop Protocol (RDP) and any similar remote access protocols across your fleet where they are not needed. Except for machines that require a constant remote connection, endpoints are typically better off only enabling RDP and similar services on a temporary “as needed” basis.
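The two steps above (audit where RDP is actually enabled, then disable it on endpoints that have no standing need for it) can be scripted across a Windows fleet. The following is an added example written for this post, not code from SentinelOne; it assumes WinRM remoting is enabled, that you run it with administrative rights, and that the host names and the allow-list are placeholders you replace with your own.

```powershell
# Added example (not from the original post): audit RDP exposure across a fleet
# and disable RDP on hosts that are not on the standing-access allow-list.
# Assumptions: PowerShell remoting (WinRM) reachable, admin rights, Windows 10 /
# Server 2016+ so the "Remote Desktop" firewall display group exists.

function Get-RdpStatus {
    param([string[]]$ComputerName)
    # Runs on each remote host and reports the three signals that matter:
    # the policy switch, whether anything listens on 3389, and the firewall rule.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections
        $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
        $fwOpen = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                   Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            RdpEnabled   = ($deny -eq 0)
            Listening    = $listening
            FirewallOpen = $fwOpen
        }
    }
}

function Disable-RdpWhereUnneeded {
    param([string[]]$ComputerName, [string[]]$AllowedHosts)
    foreach ($s in (Get-RdpStatus -ComputerName $ComputerName)) {
        if (-not $s.RdpEnabled -and -not $s.FirewallOpen) { continue }   # already closed
        if ($AllowedHosts -contains $s.Computer) {
            Write-Output "$($s.Computer): RDP left enabled (on allow-list)"
            continue
        }
        # Flip the policy switch and close the firewall rule group on the host.
        Invoke-Command -ComputerName $s.Computer -ScriptBlock {
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                             -Name fDenyTSConnections -Value 1
            Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        }
        Write-Output "$($s.Computer): RDP disabled (was listening: $($s.Listening))"
    }
}

# Placeholder host names (constructed for the example); replace with your inventory.
$Fleet   = @('WKS-001', 'WKS-002', 'JUMP-01')
$Allowed = @('JUMP-01')   # hosts that genuinely need a standing RDP connection
Get-RdpStatus -ComputerName $Fleet | Format-Table -AutoSize
Disable-RdpWhereUnneeded -ComputerName $Fleet -AllowedHosts $Allowed
```

Re-running Get-RdpStatus on a schedule turns the one-off cleanup into the ongoing visibility the section calls for: any host that reappears with RDP listening outside the allow-list is a change worth investigating.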

Conclusion

Researchers have noted that 2019 was a watershed year in the history of RATs, when, for the first time, they became a common weapon in the arsenal of financially-motivated hackers. It is highly likely that the popularity of RATs will increase in 2020, making it both the Lunar and the Cyber year of the Rat. Fortunately, a trusted next-gen behavioral AI security solution like SentinelOne can identify and block RATs both on installation and during execution. If you’d like to learn more about how SentinelOne can protect your organization, contact us today or request a free demo.

