Worried Whether Your Mac Can Get A Virus? Let’s Talk Facts

It’s not the first time we’ve discussed this topic and it almost certainly won’t be the last, but this week’s report by one AV vendor that cyber threats on Mac endpoints have surpassed those on Windows devices, followed by accusations from a prominent Apple evangelist that the vendor was peddling in exaggeration and fear-mongering, have brought the topic into sharp relief once again. Do Macs get viruses? And if so, how do Macs get viruses? Is a Mac safer than a Windows PC? There’s a lot of confusion, misinformation and frankly (sadly) ignorance among so-called ‘Mac gurus’ who should know better. In this post, we’ll spare the fake news and simply lay out the facts. Here’s what we know (and can prove) about macOS malware from publicly verifiable data.

image of whether macs get viruses

Do Macs Get More Malware Than Windows PCs?

According to a report by Malwarebytes, the average number of threats they detected per endpoint was nearly double on Macs compared to Windows, at 11.0 and 5.8 respectively during 2019. That also represented a huge jump from the 4.8 detections per endpoint that they found on Macs in the year previous to that.

image of mac detections versus windows detections
Source

The data led to a flurry of headlines, not least because it was a surprise to many people who’ve long fantasized that Macs have some magical aura that makes them impervious to the same kind of criminal attacks that plague Microsoft Windows machines. One commentator went so far as to accuse the researchers of stoking fears to drum up business for themselves and concluded that, despite unquestionably accepting the data, “the statement that Macs don’t get viruses is still overwhelmingly true”.

Central to the argument that “Macs don’t get viruses” is equivocation over what we’re really talking about. “Virus” is a legacy term, and technically there are very few genuine viruses on any platform at all these days, not even Windows. What we’re really talking about is macOS malware and its supposedly less-dangerous cousins adware and coinminers. For businesses and personal users alike, these different threats are all of a piece: they steal data, hog resources, interfere with productivity and – at worst – lead to more serious network intrusions. Our recent posts on Adload, Shlayer and Lazarus APT go into some of the technical details.

Once you stop arguing about what counts as what kind of threat and accept that in all cases, you’re dealing with unwanted, deceptive and possibly dangerous code running on your machine, then what the data shows is that when you look at these categories together, Macs are heavily-targeted, particularly by adware and coinminers, and more Mac users than ever are being infected. Malware campaigns by APTs and other threat actors are also regular occurrences.

As one Twitter user pointed out, “I own a small computer consulting company that focuses on Apple products in the residential market. About 75% of my customers have/had malware on their computers and did not know it”.

image of tweet stating macs get malware

If we look at a public malware repository like VirusTotal and query how many threats have been uploaded that are tagged as ‘macho’ (the native macOS binary, though macOS runs other kinds of executables which are also used in malware) and have more than 4 independent vendors detecting them, then today we’ll get a list of around 5,800 samples. That’s 5,800 individual pieces of malicious software that have been written specifically for macOS in its native binary format over the last 90 days. If malware isn’t a problem on macOS, one might wonder why all these malware authors are wasting their time writing so much of it!

image of malware targeting macOS on virus total

That number is but a small sample. It doesn’t include malware that we’re aware of that doesn’t register on VirusTotal, such as this launcher script for OSX.DarthMiner, a threat that appeared in late 2018. This script was uploaded to VT 8 months ago and is still barely detected by the static engines there, to give but one example:

image of undetected malware samples on macos

How Do Macs Get Infected?

So, how do Macs get infected, then, given that the data categorically disproves the myth that Macs don’t get malware?

Macs, of course, are just Unix-based general purpose computers. Apple do not possess some secret sauce that makes them impervious to malware and that Microsoft and other OS vendors have failed to invent. In fact, Apple’s built-in security tools rely on outdated-technology similar to legacy AV products – file hashes, hardcoded path searches and Yara rules – as well as a few proprietary Apple technologies like Gatekeeper, Notarization and code signing, which we’ll say a little bit more about below.

Importantly, all the Mac’s detection and malware removal capabilities are historical – meaning, they are updated to detect threats that have been seen to infect Mac users in the past. There is no predictive or heuristic threat detection built-in to macOS and indeed, the observation by one commentator that Apple have stepped up their game (something we’ve noted also) in terms of adding more detection rules is only a result of the fact that Apple are responding to the increased number of threats that they are actually seeing infecting Apple Mac computers. Those who follow Apple security issues will recall the lament during much of 2018 that XProtect hardly saw a single update, despite lots of new threats appearing during that year. In contrast, we’ve seen three updates to XProtect since the start of 2020. The takeaway there, if it isn’t obvious, is that Apple’s behavior mirrors what we’re seeing at SentinelOne and what Malwarebytes report pointed out: more threats than ever before are targeting macOS users.

And yet, despite all the evidence, we still find Mac gurus who believe and spread the myth that Macs don’t get malware and users don’t need additional security protections. Aside from a lack of awareness about the threats that are actually out there, it seems there are two related misconceptions that inform this kind of thinking:

    1. Apple’s built-in tools are sufficient to protect users
    2. Anyone who does get infected have themselves to blame for making ‘bad decisions’.

Neither of those beliefs are helpful, and propagating them only serves to do what malware authors most want: keep Mac users unprotected and believing in a false sense of security.

tweet from mac-interactive

Let’s look at those two claims individually and see how they cash out.

Why Apple’s Tools Won’t Stop All Malware

Are Apple’s built-in tools sufficient to protect users? As we’ve already noted, Apple’s security tools rely on historical data – an attack needs to have happened to someone, some Mac, somewhere, before Apple will add a detection rule for it. But even when Apple add detection rules for a particular piece of malware, that still doesn’t mean they will catch every instance of it.

The reasons are technical and we’ve gone into them elsewhere, but a short summary here should suffice. First, Apple’s blocking technology, Gatekeeper, is easily overridden by users (yup, those same users making those same ‘bad decisions’). Regardless of the “why”, and particularly in an enterprise context where social engineering is well understood, all that matters is that they do, and that that they do in sufficient numbers to make it a worthwhile enterprise for bad actors.

Second, Apple’s detection technology, XProtect, relies on very simple, lightly-obfuscated, string and data pattern matching YARA rules. Threat actors can see how Apple detect their malware within minutes of Apple updating these rules, and in most cases it’s a simple thing for these actors to refactor existing code to avoid Apple’s rules. In all versions of macOS except the new Catalina, XProtect will also fail to scan code that does not have a quarantine bit.

Third, notarization – Apple’s new demand that all 3rd party apps need to be vetted by Apple for malware before they can run on macOS – doesn’t apply in certain situations. Neither Gatekeeper nor Notarization apply if the app is installed without a quarantine bit, even on Catalina. This can happen by design (if the application is installed through MDM software like Jamf), and also by user override or by an unsandboxed process removing the quarantine bit. Astoundingly, removal of this essential attribute doesn’t require admin privileges, so even standard users (and processes running as standard users) can accomplish a bypass of the built-in Apple security tools. Finally, notarization doesn’t come into play even under the latest “strict policy” if the malware payload is downloaded via Curl or similar networking transfer tool by a first stage installer. Such first stage installers are typically either signed with valid Apple developer signatures (until Apple discover them and revoke them) or socially engineer the user to launch them as described above.

In short, the built-in tools are there to block and detect some of the most commonly known families of malware; they are not built to stop anything even mildly advanced or targeted at a particular business. Gatekeeper, XProtect and Notarization are also not going to find or block novel malware, nor are they much use against actively developed malware that iterates regularly.

Are Users to Blame for Risky Behaviour?

There’s a lot of macOS malware that preys on people who insist on risky behavior, it’s true. Torrents, cracked software and websites of dubious legality are all favorite hunting grounds for malware authors on macOS, just as they are on Windows. Whether such users “deserve what they get” is a matter of one’s personal opinion, but what is undoubtedly true is that the methods used by such malware are viable – and reliable – infection vectors that could equally be used against anyone.

tweet from howard oakley

Some would argue that users should stick to Apple App Store products to stay safe, but that both concedes the point that Macs are vulnerable to malware if used ‘out of the box’, and it limits users’ ability to exploit the full power of their Mac devices.

On top of that, Apple’s App Store has had its own problems with malware, adware and spyware, so there’s no guarantee that what you download from there will be safe; the only guarantee is that if something is discovered to be harmful after-the-fact, Apple have the power to remove it pretty rapidly.

<span style="font-weight: 400;"What's more, the "stick to the App Store" dictum ignores the reality that if you need a computer (as opposed to say a phone or a tablet), particularly in a business environment, you're going to want to use it for tasks that simply don't fall in line with the kind of feature-lite offerings found in the macOS App Store.

So, blame the users if you want (and if they are employees, you probably should!), but the blame game isn’t going to keep you safe. If there’s one thing we know about malware authors it’s that they are just like any other software developer: they will code what they need to get the job done and nothing more, nothing less. If you’re looking for an answer to the question: why don’t we see more sophisticated malware on macOS like on Windows?’, you’ll find it in the fact that most macOS users don’t run security software and are not security conscious. Why build something complicated when something as simple as this will do?

image right click to bypass macOS security

Conclusion

Sometimes people take an ideological position based on faith, interest or just coherence with other things that they hold to be true or wish to be true, and no amount of data is going to convince them otherwise. But for those with the eyes to see, there’s no question that threat actors have placed increasing attention on macOS, not least because the belief that Macs are “more secure” plays into the hands of malware authors by encouraging complacency about the need for protection.

As we have seen, the built-in security technologies are not keeping Mac users malware free – Apple’s own increased efforts are evidence of this, as is the other data we’ve mentioned above. Meanwhile, cyber criminals are making a nice living out of running coinminers, adware, scamware, backdoors and, yes, malware on unsuspecting users’ macOS devices. And as a final thought for those who don’t have visibility into what’s happening on their Macs: exactly how do you know there isn’t any malware running on any of your Macs, right now? What tools are you using that give you that confidence?


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Thomas Kurian on his first year as Google Cloud CEO

“Yes.”

That was Google Cloud CEO Thomas Kurian’s simple answer when I asked if he thought he’d achieved what he set out to do in his first year.

A year ago, he took the helm of Google’s cloud operations — which includes G Suite — and set about giving the organization a sharpened focus by expanding on a strategy his predecessor Diane Greene first set during her tenure.

It’s no secret that Kurian, with his background at Oracle, immediately put the entire Google Cloud operation on a course to focus on enterprise customers, with an emphasis on a number of key verticals.

So it’s no surprise, then, that the first highlight Kurian cited is that Google Cloud expanded its feature lineup with important capabilities that were previously missing. “When we look at what we’ve done this last year, first is maturing our products,” he said. “We’ve opened up many markets for our products because we’ve matured the core capabilities in the product. We’ve added things like compliance requirements. We’ve added support for many enterprise things like SAP and VMware and Oracle and a number of enterprise solutions.” Thanks to this, he stressed, analyst firms like Gartner and Forrester now rank Google Cloud “neck-and-neck with the other two players that everybody compares us to.”

If Google Cloud’s previous record made anything clear, though, it’s that technical know-how and great features aren’t enough. One of the first actions Kurian took was to expand the company’s sales team to resemble an organization that looked a bit more like that of a traditional enterprise company. “We were able to specialize our sales teams by industry — added talent into the sales organization and scaled up the sales force very, very significantly — and I think you’re starting to see those results. Not only did we increase the number of people, but our productivity improved as well as the sales organization, so all of that was good.”

He also cited Google’s partner business as a reason for its overall growth. Partner influence revenue increased by about 200% in 2019, and its partners brought in 13 times more new customers in 2019 when compared to the previous year.

Hackers Were Inside Citrix for Five Months

Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords.

Citrix provides software used by hundreds of thousands of clients worldwide, including most of the Fortune 100 companies. It is perhaps best known for selling virtual private networking (VPN) software that lets users remotely access networks and computers over an encrypted connection.

In March 2019, the Federal Bureau of Investigation (FBI) alerted Citrix they had reason to believe cybercriminals had gained access to the company’s internal network. The FBI told Citrix the hackers likely got in using a technique called “password spraying,” a relatively crude but remarkably effective attack that attempts to access a large number of employee accounts (usernames/email addresses) using just a handful of common passwords.

In a statement released at the time, Citrix said it appeared hackers “may have accessed and downloaded business documents,” and that it was still working to identify what precisely was accessed or stolen.

But in a letter sent to affected individuals dated Feb. 10, 2020, Citrix disclosed additional details about the incident. According to the letter, the attackers “had intermittent access” to Citrix’s internal network between Oct. 13, 2018 and Mar. 8, 2019, and that there was no evidence that the cybercrooks still remain in the company’s systems.

Citrix said the information taken by the intruders may have included Social Security Numbers or other tax identification numbers, driver’s license numbers, passport numbers, financial account numbers, payment card numbers, and/or limited health claims information, such as health insurance participant identification number and/or claims information relating to date of service and provider name.

It is unclear how many people received this letter, but the communication suggests Citrix is contacting a broad range of individuals who work or worked for the company at some point, as well as those who applied for jobs or internships there and people who may have received health or other benefits from the company by virtue of having a family member employed by the company.

Citrix’s letter was prompted by laws in virtually all U.S. states that require companies to notify affected consumers of any incident that jeopardizes their personal and financial data. While the notification does not specify whether the attackers stole proprietary data about the company’s software and internal operations, the intruders certainly had ample opportunity to access at least some of that information as well.

Shortly after Citrix initially disclosed the intrusion in March 2019, a little-known security company Resecurity claimed it had evidence Iranian hackers were responsible, had been in Citrix’s network for years, and had offloaded terabytes of data. Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018, a claim Citrix initially denied but later acknowledged.

Iranian hackers recently have been blamed for hacking VPN servers around the world in a bid to plant backdoors in large corporate networks. A report released this week (PDF) by security firm ClearSky details how Iran’s government-backed hacking units have been busy exploiting security holes in popular VPN products from Citrix and a number of other software firms.

ClearSky says the attackers have focused on attacking VPN tools because they provide a long-lasting foothold at the targeted organizations, and frequently open the door to breaching additional companies through supply-chain attacks. The company says such tactics have allowed the Iranian hackers to gain persistent access to the networks of companies across a broad range of sectors, including IT, security, telecommunications, oil and gas, aviation, and government.

Among the VPN flaws available to attackers is a recently-patched vulnerability (CVE-2019-19781) in Citrix VPN servers dubbed “Shitrix” by some in the security community. The derisive nickname may have been chosen because while Citrix initially warned customers about the vulnerability in mid-December 2019, it didn’t start releasing patches to plug the holes until late January 2020 — roughly two weeks after attackers started using publicly released exploit code to break into vulnerable organizations.

How would your organization hold up to a password spraying attack? As the Citrix hack shows, if you don’t know you should probably check, and then act on the results accordingly. It’s a fair bet the bad guys are going to find out even if you don’t.

Egnyte unifies its security and productivity tooling into single platform

Egnyte announced today it was combining its two main products — Egnyte Protect and Egnyte Connect — into a single platform to help customers manage, govern and secure the data from a single set of tools.

Egynte co-founder and CEO Vineet Jain says that this new single platform approach is being driven chiefly by the sheer volume of data they are seeing from customers, especially as they shift from on-prem to the cloud.

“The underlying pervasive theme is that there’s a rapid acceleration of data going to the cloud, and we’ve seen that in our customers,” Jain told TechCrunch. He says that long-time customers have been shifting from terabytes to petabytes of data, while new customers are starting out with a few hundred terabytes instead of five or ten.

As this has happened, he says customers are asking for a way to deal with this data glut with a single platform because the volume of data makes it too much to handle with separate tools. “Instead of looking at this as separate problems, customers are saying they want a solution that helps address the productivity part at the same time as the security part. That’s because there is more data in the cloud, and concerns around data security and privacy, along with increasing compliance requirements, are driving the need to have it in one unified platform,” he explained.

The company is doing this because managing the data needs to be tied to security and governance policies. “They are not ultimately separate ideas,” Jain says.

Jain says, up until recently, the company saw the data management piece as the way into a customer, and after they had that locked down, they would move to layer on security and compliance as a value-add. Today, partly due to the data glut and partly due to compliance regulations, Jain says, these are no longer separate ideas, and his company has evolved its approach to meet the changing requirements of customers.

Egnyte was founded in 2007 and has raised over $138 million on a $460 million post valuation, according to Pitchbook data. Its most recent round was $75 million led by Goldman Sachs in September, 2018. Egnyte passed the $100 million ARR mark in November.

Dell sells RSA to consortium led by Symphony Technology Group for over $2B

Dell Technologies announced today that it was selling legacy security firm RSA for $2.075 billion to a consortium of investors led by Symphony Technology Group. Other investors include Ontario Teachers’ Pension Plan Board and AlpInvest Partners.

RSA came to Dell when it bought EMC for $67 billion in 2015. EMC bought the company in 2006 for a similar price it was sold for today, $2.1 billion. The deal includes several pieces, including the RSA security conference held each year in San Francisco.

As for products, the consortium gets RSA Archer, RSA NetWitness Platform, RSA SecurID, RSA Fraud and Risk Intelligence — in addition to the conference. At the time of the EMC acquisition, in a letter to customers, Michael Dell actually called out RSA as one of the companies he looked forward to welcoming to the Dell family after the deal was completed:

I am excited to work with the EMC, VMware, Pivotal, VCE, Virtustream and RSA teams, and I am personally committed to the success of our new company, our partners and above all, to you, our customers.

Times change however, and perhaps Dell decided it was simply time to get some cash and jettison the veteran security company to go a bit more modern, as RSA’s approach no longer aligned with Dell’s company-wide security strategy.

“The strategies of RSA and Dell Technologies have evolved to address different business needs with different go-to-market models. The sale of RSA gives us greater flexibility to focus on integrated innovation across Dell Technologies, while allowing RSA to focus on its strategy of providing risk, security and fraud teams with the ability to holistically manage digital risk,” Dell Technology’s chief operating officer and vice chairman Jeff Clarke, wrote in a blog post announcing the deal.

Meanwhile, RSA president Rohit Ghai tried to put a happy spin on the outcome, framing it as the next step in the company’s long and storied history. “The one constant in every episode of our existence has been our focus on the success of our customers and our ability to endure through market disruption by innovating on behalf of our customers,” he wrote in a blog post on the RSA company website.

The deal is subject to the normal kinds of regulatory approval before it is finalized.

Encoding Stolen Credit Card Data on Barcodes

Crooks are constantly dreaming up new ways to use and conceal stolen credit card data. According to the U.S. Secret Service, the latest scheme involves stolen card information embedded in barcodes affixed to phony money network rewards cards. The scammers then pay for merchandise by instructing a cashier to scan the barcode and enter the expiration date and card security code.

This phony reloadable rewards card conceals stolen credit card data written to a barcode. The barcode and other card data printed on the card have been obfuscated. Image: U.S. Secret Service.

Earlier this month, the Secret Service documented a recent fraud incident in Texas involving a counterfeit club membership card containing a barcode, and a card expiration date and CVV printed below the barcode.

“Located underneath the barcode are instructions to the cashier on the steps necessary to complete the transaction,” reads an alert the Secret Service sent to law enforcement agencies. “They instruct the cashier to select card payment, scan the barcode, then enter the expiration date and CVV. In this instance, the barcode was encoded with a VISA credit card number.”

The instructions on the phony rewards card are designed to make the cashier think it’s a payment alternative designed for use exclusively at Sam’s Club and WalMart stores. When the transaction goes through, it’s recorded as card-not-present purchase.

“This appears to be an evolution of the traditional card-not-present fraud, and early indications are linking this type of activity to criminal organizations of Asian descent,” the Secret Service memo observed.

“As a result of this emerging trend, instead of finding a large number of re-encoded credit cards during a search, a subject may only possess stickers or cards with barcodes that contain stolen card data,” the alert continues. “Additionally, the barcodes could be stored on the subject’s cell phone. If barcodes are discovered in the field, it could be beneficial to utilize a barcode scanning app to check the barcode for credit card data.”

Cyber Insurance & Information Security | Is InfoSec’s Criticism of Cyber Insurance Fair?

A Guest Post by Jeffrey Smith. Jeffrey founded Cyber Risk Underwriters to offer tech-backed cyber insurance and related products distributed by insurance agents and cyber security providers.

Insurance is easy to hate. You can’t touch it and it is difficult to understand. Cyber insurance is particularly confusing. The product is relatively new and evolving quickly, making it ever more difficult to understand for lay people and insurance professionals alike. To make matters more complicated, the ubiquitous nature of cyber risk can trigger some level of coverage in multiple business insurance policies. As a result, cyber insurance is often misrepresented and confused with other types of insurance. It is not only alleged that the policy doesn’t pay claims, but InfoSec professionals are concerned that the purchase of a cyber insurance policy threatens funding for existing cyber security efforts.

image of cyber insurance

Business Insurance is Confusing

The source of the most confusion results from the fact that multiple business insurance policies may provide coverage for some aspect of cyber loss. The table below indicates typical coverage overlaps found in various business insurance products. Oft-cited claim disputes such as Mondelez, National Bank of Blacksburg and others do not involve stand-alone cyber insurance. 

image table showing cyber insurance coverage and policy types

These companies did not purchase stand-alone cyber insurance. As such, they are pursuing recovery under other insurance policies that often contain limited coverage grants consistent with exposure overlaps. Since these other insurance policies are not designed to respond to all cyber events, the insurers are going to the mat to restrict payments to the bespoke and limited coverage provided. Crime, kidnap and ransom, and property insurance are the most notable ‘other’ insurance policies; however, overlaps are also found in other policies such as professional liability, management liability and general liability products.

Human Error & Failure to Maintain

We often hear that cyber insurers try to find ways to avoid paying claims, citing human error or an insured’s failure to maintain a threshold of security efforts. From our experience, 85% of paid cyber insurance claims involve human error. These typically include not following existing procedures, clicking on malicious links, and falling victim to sophisticated social engineering attacks. Not unlike legacy cyber security software, early versions of cyber insurance policies were not very good compared to current products.

As an example, many early cyber policies included a ‘failure to maintain’ condition that precluded coverage in the event the insured did not maintain specific security controls. Today’s cyber underwriters are better equipped to evaluate exposure, so today’s policies no longer include this restriction. However, it is important to keep in mind that if you indicate on the insurance application that you encrypt all information at rest, and it is discovered that no such process existed, your claim may be denied. As long as you are honest during the application process, a single error or omission in application of stated security protocols will not preclude a coverage response by your cyber insurance policy.

Cyber Insurance Is Not a Replacement for Security Practices

The idea of course, is not to experience a cyber claim. As mentioned here before, cyber insurance should not, under any circumstance, be seen as a replacement for a robust security posture, which requires modern cybersecurity technologies, trained teams and tested procedures. 

Sentinel One is among the less than 1% of InfoSec vendors to stand behind product performance (for more information on product guarantees, check this out). However, Infosec technology vendors do not provide financial guarantees for all costs associated with human error or failure of product performance.

The primary role of cyber insurance is to provide financing of breach costs and liability resulting from a cyber event. In our view, cyber insurance is the last puzzle piece of any cyber risk management process.

Conclusion

High profile claims such as Mondelez, National Bank of Blacksburg, DLA Piper and others wrongly suggest stand-alone cyber policies do not pay. Product confusion and the use of brokers without cyber expertise often result in false expectations for claims recoveries. Make sure to use insurance brokers with specific cyber insurance expertise. Use your broker to review policy coverage parts, conditions and exclusions prior to purchase. Get quotes from multiple insurers. If you want to use one of your vendors for incident response, try to negotiate that into the deal. A good policy includes bespoke coverage for cyber-terrorism events (such as NotPetya) and is devoid of any ‘maintenance’ conditions as found in older policy versions.

It is common sense to use all available tools to protect from catastrophic peril. While not the most important part of your cyber security platform, a carefully crafted cyber insurance policy is a great addition to your existing cyber risk management program.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Rippling starts billboard battle with Gusto

Remember when Zenefits imploded, and kicked out CEO Parker Conrad. Well, Conrad launched a new employee onboarding startup called Rippling, and now he’s going after another HR company called Gusto with a new billboard, “Outgrowing Gusto? Presto change-o.”

The problem is, Gusto got it taken down by issuing a cease & desist order to Rippling and the billboard operator Clear Channel Outdoor. That’s despite the law typically allowing comparative advertising as long as it’s accurate. Gusto sells HR, benefits and payroll software, while Rippling does the same but adds in IT management to tie together an employee identity platform.

Rippling tells me that outgrowing Gusto is the top reasons customers say they’re switching to Rippling. Gusto’s customer stories page lists no customers larger than 61 customers, and Enlyft research says the company is most often used by 10 to 50-person staffs. “We were one of Gusto’s largest customers when we left the platform last year. They were very open about the fact that the product didn’t work for businesses of our size. We moved to Rippling last fall and have been extremely happy with it,” says Compass Coffee co-founder Michael Haft.

That all suggests the Rippling ad’s claim is reasonable. But the C&D claims that “Gusto counts as customers multiple companies with 100 or more employees and does not state the businesses will ‘outgrow’ their platfrom at a certain size.”

In an email to staff provided to TechCrunch, Rippling CMO Matt Epstein wrote, “We take legal claims seriously, but this one doesn’t pass the laugh test. As Gusto says all over their website, they focus on small businesses.”

So rather than taking Gusto to court or trying to change Clear Channel’s mind, Conrad and Rippling did something cheeky. They responded to the cease & desist order in Shakespeare-style iambic pentameter.

Our billboard struck a nerve, it seems. And so you phoned your legal teams,
who started shouting, “Cease!” “Desist!” and other threats too long to list.

Your brand is known for being chill. So this just seems like overkill.
But since you think we’ve been unfair, we’d really like to clear the air.

Rippling’s general counsel Vanessa Wu wrote the letter, which goes on to claim that “When Gusto tried to scale itself, we saw what you took off the shelf. Your software fell a little short. You needed Workday for support,” asserting that Gusto’s own HR tool couldn’t handle its 1,000-plus employees and needed to turn to a bigger enterprise vendor. The letter concludes with the implication that Gusto should drop the cease-and-desist, and instead compete on merit:

So Gusto, do not fear our sign. Our mission and our goals align.
Let’s keep this conflict dignified—and let the customers decide.

Rippling CMO Matt Epstein tells me that “While the folks across the street may find competition upsetting, customers win when companies push each other to do better. We hope our lighthearted poem gets this debate back down to earth, and we look forward to competing in the marketplace.”

Rippling might think this whole thing was slick or funny, but it comes off a bit lame and try-hard. These are far from 8 Mile-worthy battle rhymes. If it really wanted to let customers decide, it could have just accepted the C&D and moved on…or not run the billboard at all. It still has four others that don’t slam competitors running. That said, Gusto does look petty trying to block the billboard and hide that it’s unequipped to support massive teams.

We reached out to Gusto over the weekend and again today asking for comment, whether it will drop the C&D, if it’s trying to get Rippling’s bus ads dropped too and if it does in fact use Workday internally.

Given Gusto has raised $516 million10X what Rippling has — you’d think it could just outspend Rippling on advertising or invest in building the enterprise HR tools so customers really couldn’t outgrow it. They’re both Y Combinator companies with Kleiner Perkins as a major investor (conflict of interest?), so perhaps they can still bury the hatchet.

At least they found a way to make the HR industry interesting for an afternoon.

Pay Up, Or We’ll Make Google Ban Your Ads

A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.

A redacted extortion email targeting users of Google’s AdSense program.

Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google’s systems might send if they detect your site is seeking to benefit from automated clicks. The message continues:

“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”

The message goes on to warn that while the targeted site’s ad revenue will be briefly increased, “AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent.”

“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”

The message demands $5,000 worth of bitcoin to forestall the attack. In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate.

The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his “AdSense invalid traffic report” from the past month had increased substantially.

The reader, who asked not to be identified in this story, also pointed to articles about a recent AdSense crackdown in which Google announced it was enhancing its defenses by improving the systems that identify potentially invalid traffic or high risk activities before ads are served.

Google defines invalid traffic as “clicks or impressions generated by publishers clicking their own live ads,” as well as “automated clicking tools or traffic sources.”

“Pretty concerning, thought it seems this group is only saying they’re planning their attack,” the reader wrote.

Google declined to discuss this reader’s account, saying its contracts prevent the company from commenting publicly on a specific partner’s status or enforcement actions. But in a statement shared with KrebsOnSecurity, the company said the message appears to be a classic threat of sabotage, wherein an actor attempts to trigger an enforcement action against a publisher by sending invalid traffic to their inventory.

“We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding,” the statement explained. “For example, we have detection mechanisms in place to proactively detect potential sabotage and take it into account in our enforcement systems.”

Google said it has extensive tools and processes to protect against invalid traffic across its products, and that most invalid traffic is filtered from its systems before advertisers and publishers are ever impacted.

“We have a help center on our website with tips for AdSense publishers on sabotage,” the statement continues. “There’s also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.”

The Good, the Bad and the Ugly in Cybersecurity – Week 7

Image of The Good, The Bad & The Ugly in CyberSecurity

The Good

Welcome news this week as Citrix’s campaign to get businesses aware and on-task patching CVE-2019-19781 over the last two months has really borne fruit. It’s now estimated that 80% of all internet-exposed machines with the flaw have been patched to date. That only leaves the 20% of unpatched boxes to go, but the admins responsible for them had better get a move on. There’s already “plug-and-play” exploits for the bug publicly available.

image of Shodan map of Citrix boxes exposed on the internet with CVE-2019-19781
Source

It’s been a great week for vulnerability fixes. 99 is the astonishing number of bugs Microsoft have addressed in this week’s Patch Tuesday, including a fistful of RCEs like CVE-2020-0674 and CVE-2020-0729. Adobe also crushed 12 critical CVEs (including CVE-2020-3742, CVE-2020-3752, and CVE-2020-3751) plus five other less severe vulnerabilities in Reader and Acrobat, and one critical CVE in Flash Player (CVE-2020-3757). Elsewhere, in a good advert for bug bounty programs, SoundCloud fixed a number of critical bugs that could allow attackers to take over user accounts, although the company said there was no evidence of these bugs being actively used in the wild.

The Bad

If there’s one thing that the Emotet trojan and malware loading platform will be remembered for in cyber history, it’ll no doubt be its sophistication. Adding to that rep is news that the ubiquitous malware loader has been making use of a Wifi spreader. According to researchers, previously Emotet was thought to spread purely via malspam and infected networks. It now turns out that Emotet can also infect nearby wireless networks if the networks use insecure passwords. Essentially, the Wifi-spreader module enumerates the Wifi networks in range of any Emotet-infected machine, and then tries to brute force the passwords of each from a built-in password dictionary.

Business Email Compromise (BEC) cost U.S. companies a combined total of $1.7 billion in 2019, according to the FBI’s “2019 Internet Crime Report.” The huge scale of cybercrime is worth pausing over: those losses came from a staggering 23,775 targeted attacks. “By using an email address similar to a trusted company address, criminals can trick an employee into giving away valuable information at almost no cost,”, the FBI said in its report. If you still think your business is flying under the cybercriminals’ radar, those figures are a bullhorn telling you to think again.

image of tweet of FBI Tampa Crime Report

The Ugly

American accusations that Huawei spies for the Chinese government are being viewed with a certain amount of chutzpah this week after news broke that the U.S. and German intelligence agencies have been spying on over 100 other nations, including allies, for decades through deliberately weakened encryption. It turns out that Crypto AG, a Swiss firm manufacturing encryption devices, was secretly owned by the CIA. While the secret operation led to many intelligence coups against U.S. enemies, it also raises some worrying ethical issues. According to the Washington Post, these include:

“the deception and exploitation of adversaries, allies and hundreds of unwitting Crypto employees. Many traveled the world selling or servicing rigged systems with no clue that they were doing so at risk to their own safety.”

The success of the program probably helps account for the US government’s penchant for haranguing the likes of Apple to build backdoors into their own encryption products. It’ll be interesting to see whether this case serves to strengthen or weaken public perception on the legitimacy of that stance.

image of crypto AG building and logo

Adding grist to the mill, prosecutors have held pretty compelling evidence to obtain a conviction against this suspected pedophile for some time, but they were determined to also examine his computer hard drive. The problem was the alleged offender either couldn’t or wouldn’t disclose the password for the encrypted disk even after being ordered to do so by a judge, so he’s been sitting in prison for the last 4 years on a contempt of court charge. That was until this week, when a federal appeals court ruled that 18 months is the maximum jail term for contempt as a result of refusing (or forgetting, as the defence would have it) to provide a decryption password. That could be either good news (the government can’t indefinitely imprison, say, a journalist) or bad news (the government can’t indefinitely imprison, say, a pedophile, either) depending on how you look at it, so we’ll file this under ‘ugly’ for now. The “eww” factor will certainly vary from case to case, but one thing is for sure: it’ll be interesting to see how strong that precedent proves to be when the next decryption controversy crops up to challenge it.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security