The Good, the Bad and the Ugly in Cybersecurity – Week 13

This week has been unlike any other week. While everyone’s minds are on keeping our loved ones safe in these days of uncertainty, many are trying to adapt to the era of remote work. For those who have kids, it requires us to switch between being parents, teachers and workers. Despite that, cyberland is as active as it can get, so hang tight, and let’s see what happened this week.

The Good

There are plenty of good things around, and cybersecurity is no different. Let’s start with UK_Daniel_Card, Lisa Forte and Radslaw Gnat, who came up with the brilliant idea of forming a cyber task force to protect healthcare institutes at a time when they are on the frontline of the war against COVID-19. If you want to take part, visit the EU-based initiative “Cyber volunteers to help healthcare providers in Europe during the COVID-19 outbreak”. Dan and his partners report that more local initiatives in different countries are doing the same.

In Israel, the Ministry of Health and a number of volunteers joined forces to create the “Hamagen” application, which maintains privacy while allowing users to check whether they’ve come into contact with a COVID-19 patient. They also made the project open-source, both so that other groups can reuse the code and so that its privacy properties are open to public scrutiny.

Hamagen Application - Fighting the Coronavirus

More good news on the fight against COVID-19 can be found at #COVID19GoodNews.

The Bad

Again Microsoft, and again Adobe, with a new Type 1 Font Parsing Remote Code Execution Vulnerability. The vuln resides in the Windows Adobe Type Manager Library, font-parsing software that not only parses content when a file is opened with 3rd-party software such as Adobe Acrobat and Adobe Reader, but which is also used by Windows Explorer to display the contents of a file in the ‘Preview Pane’ or ‘Details Pane’ without opening the actual file. Until there’s a fix, the flaw can affect anyone, as all versions of Windows, including Windows 10, are affected, although the danger is most severe on Windows 7 devices. The vulnerability is being actively exploited in the wild, according to Microsoft. If a next-gen behavioral-based solution protects your endpoints, you have a good chance of detecting the earlier or later stages of any such exploitation attempt; if not, you will need to wait for a patch (and please apply it asap). For Windows 7 users, Microsoft suggests some workarounds here.

image of tweet about Windows RCE vulnerability

The Ugly

Well, there is plenty of that this week. One that is worth covering is the behavior of the Maze group, which has been responsible for a large number of ransomware attacks recently and also leaks enterprise information to the public if the victim refuses to pay. We noted that last week the ransomware operators made a statement that they would refrain from attacking healthcare institutes after Vitali Kremez called them out. It took less than 48 hours for this pledge to be broken.

image of tweet from Vitali Kremez about Maze ransomware continuing to attack healthcare providers during COVID 19 pandemic

Meanwhile, Ryuk ransomware operators continue attacking vital services during the pandemic. It seems there is no limit to the lack of humanity in some people. Guys, we are all in this together, and you and your loved ones may be in need of the very services you are crippling for profit.



Yaguara nabs $7.2M seed to help e-commerce companies understand customers better

Yaguara, a Denver-based startup that wants to help e-commerce companies understand their customers better to deliver more meaningful experiences, announced a $7.2 million seed investment today.

The round was led by Foundation Capital with participation from Gradient Ventures, Rainfall Ventures and Zelkova. It also had help from some e-commerce heavy hitters including Warby Parker, Harry’s and Allbirds.

Yaguara CEO Jonathan Smalley was working at an agency building specialized cloud tools for online businesses when he recognized there was a need to pull data together into a single place and help companies understand their customer’s behavior better.

“Yaguara is based on integrating data and having all their data in the right place. For us, it started with several dozen tools from performance marketing to your actual e-commerce data to your fulfillment and unit economic data — bringing that all into one place letting them see their data in real time.”

“Then our platform serves predictive and prescriptive insights and recommendations to individual users across your teams, so they can drive specific outcomes across the organization based on that unified data set,” Smalley explained.

Screenshot: Yaguara

They build that data set by connecting to a variety of popular tools to help understand what’s happening across the customer lifecycle, whether that’s customer acquisition through Facebook or Google ads or understanding shopping cart abandonment data or how often the customer has returned to buy again, all of which help build a better picture of the customer.

While this may sound like a customer data platform (CDP), Smalley says it’s actually more than that. While a CDP provides the pipeline to your data sources, Yaguara doesn’t stop there. He says it reduces the complexity of helping front-line marketing personnel access and query that data without having to know SQL or R or rely on a technical intermediary to understand the data.

While the company is young it already has 250 e-commerce customers using the platform. With the new infusion of cash, it should be able to bring in more employees, build more data connectors and continue working to build out the platform.

Kaizo raises $3M for its AI-based tools to improve customer service support teams

CRM has for years been primarily a story of software to manage customer contacts, data to help agents do their jobs, and tools to manage incoming requests and outreach strategies. Now to add to that we’re starting to see a new theme: apps to help agents track how they work and to work better.

Today comes the latest startup in that category, a Dutch company called Kaizo, which uses AI and gamification to provide feedback on agents’ work, tips on what to do differently, and tools to set and work to goals — all of which can be used remotely, in the cloud. Today, it is announcing $3 million in a seed round of funding co-led by Gradient — Google’s AI venture fund — and French VC Partech. 

And along with the seed round, Kaizo (which rebranded last week from its former name, Ticketless) is announcing that Christoph Auer-Welsbach, a former partner at IBM Ventures, is joining the company as a co-founder, alongside founder Dominik Blattner. 

Although this is just a seed round, it’s coming after a period of strong growth for the company. Kaizo already has 500 companies, including Truecaller, SimpleSurance, Miro, CreditRepairCloud, Justpark, Festicket and Nmbrs, using its software, covering “thousands” of customer support agents, who use a mixture of free and paid tools that integrate with established CRM software from the likes of Salesforce, Zendesk and more.

Customer service, and the idea of gamifying it to motivate employees, might feel like the last thing on people’s minds at the moment, but it is actually timely and relevant to our current state in responding to and living with the coronavirus.

People are spending much more time at home, and are turning to the internet and remote services to get what they need, and in many cases are finding that their best-laid plans are now in freefall. Both of these are driving a lot of traffic to sites and primarily customer support centers, which are getting overwhelmed with people reaching out for help.

And that’s before you consider how customer support teams might be impacted by coronavirus and the many mandates we’ve had to stay away from work, and the stresses they may be under.

“In our current social climate, customer support is an integral part of a company’s stability and growth that has embraced remote work to meet the demands of a globalized customer-base,” said Dominik Blattner, founder of Kaizo, in a statement. “With the rise of support teams utilizing a digital workplace, providing standards to measure an agent’s performance has never been more important. KPIs provide these standards, quantifying the success, achievement and contribution of each team member.”

On a more general level, Kaizo is also changing the conversation around how to improve one’s productivity. There has been a larger push for “quantified self” platforms, which has very much played out both in workplaces and in our personal lives, but a lot of services to track performance have focused on both managers and employees leaning in with a lot of input. That means if they don’t set aside the time to do that, the platforms never quite work the way they should.

This is where the AI element of Kaizo plays a key role, by taking on the need to proactively report into a system.

“This is how we’re distinct,” Auer-Welsbach said in an interview. “Normally KPIs are top-down. They are about people setting goals and then reporting they’ve done something. This is a bottom-up approach. We’re not trying to change employees’ behaviour. We plug into whatever environment they are using, and then our tool monitors. The employee doesn’t have to report or measure anything. We track clicks on the CRM, ticketing, and more, and we analyse all that.” He notes that Kaizo is looking at up to 50 datapoints in its analysis.

“We’re excited about Kaizo’s novel approach to applying AI to existing ticket data from platforms like Zendesk and Salesforce to optimize the customer support workflow,” said Darian Shirazi, General Partner at Gradient Ventures, in a statement. “Using machine learning, Kaizo understands which behaviors in customer service tickets lead to better outcomes for customers and then guides agents to replicate that using ongoing game mechanics. Customer support and service platforms today are failing to leverage data in the right way to make the life of agents easier and more effective. The demand Kaizo has seen since they launched on the Zendesk Marketplace shows agents have been waiting for such a solution for some time.”

Kaizo is not the only startup to have identified the area of building new services to improve the performance of customer support teams. Assembled earlier this month also raised $3.1 million led by Stripe for what it describes as the “operating system” for customer support.

Microsoft acquires 5G specialist Affirmed Networks

Microsoft today announced that it has acquired Affirmed Networks, a company that specializes in fully virtualized, cloud-native networking solutions for telecom operators.

With its focus on 5G and edge computing, Affirmed looks like the ideal acquisition target for a large cloud provider looking to get deeper into the telco business. According to Crunchbase, Affirmed raised a total of $155 million before this acquisition, and the company’s more than 100 enterprise customers include the likes of AT&T, Orange, Vodafone, Telus, Turkcell and STC.

“As we’ve seen with other technology transformations, we believe that software can play an important role in helping advance 5G and deliver new network solutions that offer step-change advancements in speed, cost and security,” writes Yousef Khalidi, Microsoft’s corporate vice president for Azure Networking. “There is a significant opportunity for both incumbents and new players across the industry to innovate, collaborate and create new markets, serving the networking and edge computing needs of our mutual customers.”

With its customer base, Affirmed gives Microsoft another entry point into the telecom industry. Previously, the telcos would often build their own data centers and stuff them with costly proprietary hardware (and the software to manage it). But thanks to today’s virtualization technologies, the large cloud platforms are now able to offer the same capabilities and reliability without any of the cost. And unsurprisingly, a new technology like 5G, with its promise of new and expanded markets, makes for a good moment to push forward with these new technologies.

Google recently made some moves in this direction with its Anthos for Telecom and Global Mobile Edge Cloud, too. Chances are we will see all of the large cloud providers continue to go after this market in the coming months.

In a somewhat odd move, only yesterday Affirmed announced a new CEO and president, Anand Krishnamurthy. It’s not often that we see these kinds of executive moves hours before a company announces its acquisition.

The announcement doesn’t feature a single hint at today’s news and includes all of the usual cliches we’ve come to expect from a press release that announces a new CEO. “We are thankful to Hassan for his vision and commitment in guiding the company through this extraordinary journey and positioning us for tremendous success in the future,” Krishnamurthy wrote at the time. “It is my honor to lead Affirmed as we continue to drive this incredible transformation in our industry.”

We asked Affirmed for some more background about this and will update this post if we hear more. Update: an Affirmed spokesperson told us that this was “part of a succession plan that had been determined previously. So it was not related [to] any specific event.”

Salesforce’s Benioff pledges no ‘significant’ layoffs for 90 days

In a Twitter thread on Tuesday, Salesforce CEO Marc Benioff outlined an eight-step plan to keep people safe and find treatments and a vaccine for the COVID-19 virus, all while working to find a way to get people back to work safely. He also asked that all CEOs take a 90-day “no lay off” pledge to help everyone get through the crisis.

The same day, he posted another tweet pledging to not make any “significant” layoffs for 90 days. When TechCrunch asked Salesforce to comment on the difference between the two tweets, the company chose not to comment any further on the matter and let the tweets stand on their own.

It sounds like Benioff’s second tweet, which also asked employees to consider paying their own hourly workers like housekeepers and dog walkers throughout the layoff period, whether they were working or not, was designed to give the CEO some wiggle room for at least some layoffs.

Salesforce has almost 50,000 employees worldwide. Even if the company were to lay off just 1% of employees it would equal 500 people without jobs, though it’s not clear if that would count as “significant.” Perhaps more likely, the company might make some cuts to staff for performance or HR-related reasons, but not broad cuts, and thus make both of its CEO’s claims essentially true.

Salesforce is a wildly successful company. It celebrated its 20th anniversary last fall and has grown from a pesky startup to a software behemoth with a projected revenue of over $20 billion for FY2021. It currently has almost $8 billion in cash and equivalents on hand. Certainly companies that use Salesforce’s products will continue to need them, even with the workforce at home.

While it could have an impact on that projection for FY2021 and its ability to land new customers this quarter, it seems like it has the money and revenue to ride out the situation for the short term without making any moves to reduce headcount at this critical time.

Working From Home | How to Use Zoom, Slack and Other Remote Software Safely

Due to the current Coronavirus pandemic and the large-scale shift to teleworking, we’ve recently posted on how to prepare yourself and your staff for ‘work from home’ (WFH) and warned of common mistakes that can lead to compromise of endpoints and company networks. In this post, we take a look at some popular teleworking software and highlight some of the privacy and security concerns to be aware of. 

Securing Slack and MS Teams Against Malicious Actors

There are likely more than 60 million daily users of workplace chat apps like Slack and Microsoft Teams, and both platforms have seen increased growth as the Coronavirus pandemic has forced most businesses to move to remote work wherever possible. Such apps are vital in today’s digital, distributed workplace, but CISOs and security teams need to be aware of the security implications of using such software. 

It is relatively trivial for an attacker on a compromised machine to exfiltrate the entirety of a user’s Slack workspaces, chat messages, files and history. Worse, attackers can also gain current access to the workspace by stealing the stored session cookies on the user’s machine. As researchers noted earlier this month, all an attacker has to do on a Mac is copy off the entire directory at ~/Library/Application Support/Slack (or alternatively, ~/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack if using the sandboxed, App Store version). On Windows, the same data can be found at %AppData%\Roaming\Slack.

image of contents of Slack support folder

Having acquired the data, the attacker can then start up a virtual machine instance, install the Slack app, and copy the stolen data to the same location on the VM from where it came (the user name need not be the same). Launching Slack will then log the attacker into the user’s workspaces and give them full, live access. Although this activity will be recorded in the workspace Access Logs on the server-side, it will not be obvious to the user unless the attacker actively tries to impersonate the user in the workspace.

Because the Slack data on the user’s machine is exposed to any unsandboxed process running as the logged in user, it’s possible for a malicious app to exfiltrate this data without the victim’s awareness. 

While Slack’s developers have acknowledged the issue, their official response is that this is not an urgent issue for them at this time, so security teams are going to need to take their own steps to ensure that the organization’s workspace is secure. These include, in the first instance, ensuring all company devices have a good EDR solution to prevent malware from infecting the system to start with. Secondly, educating users and IT admins about the need to regularly sign out of other devices. This may or may not require a password depending on your workspace settings.

image of how to sign out of all Slack sessions

Thirdly, as with all password protected accounts, remind users to change passwords on a regular basis and to set up 2FA for Slack. With workspace platforms like Slack, changing passwords can be easily overlooked. Users can also review access logs to check whether any unknown devices have been logged into the account.

image of access logs in Slack
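To make the access-log review above concrete, here is an added example (not code from the original post or from Slack) that runs a simple check over records in the shape of Slack’s team.accessLogs API response, with the field names assumed from the public API documentation and the sample records constructed for this example. It flags logins whose user, IP and user agent have not been reviewed before, and logins where one account is active from two IPs at the same time, which is what the copied-data-directory scenario described earlier would look like server-side.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape of a Slack team.accessLogs response
# (field names assumed from the public API docs; all values are made up).
SAMPLE_ACCESS_LOG = json.dumps({
    "ok": True,
    "logins": [
        {"user_id": "U0001", "username": "alice", "date_first": 1584950400,
         "date_last": 1585036800, "count": 12, "ip": "203.0.113.10",
         "user_agent": "Slack Desktop (Mac)", "isp": "ExampleNet",
         "country": "GB", "region": "ENG"},
        {"user_id": "U0001", "username": "alice", "date_first": 1585000000,
         "date_last": 1585003600, "count": 3, "ip": "198.51.100.77",
         "user_agent": "Slack Desktop (Windows)", "isp": "OtherISP",
         "country": "RO", "region": "B"},
        {"user_id": "U0002", "username": "bob", "date_first": 1584900000,
         "date_last": 1585040000, "count": 40, "ip": "203.0.113.22",
         "user_agent": "Slack Desktop (Mac)", "isp": "ExampleNet",
         "country": "GB", "region": "ENG"},
    ],
})

# Baseline of (user_id, ip, user_agent) triples already reviewed and accepted
# by the admin; anything outside it is an "unknown device" (constructed).
KNOWN_BASELINE = {
    ("U0001", "203.0.113.10", "Slack Desktop (Mac)"),
    ("U0002", "203.0.113.22", "Slack Desktop (Mac)"),
}


def parse_access_log(raw):
    """Parse the JSON response and return the list of login records."""
    data = json.loads(raw)
    if not data.get("ok"):
        raise ValueError("access log response not ok")
    return data["logins"]


def unknown_devices(logins, baseline):
    """Return login records whose (user, ip, user_agent) is not in the baseline."""
    return [e for e in logins
            if (e["user_id"], e["ip"], e["user_agent"]) not in baseline]


def overlapping_sessions(logins):
    """Return (user_id, ip_a, ip_b) for the same account active from two
    different IPs during overlapping time windows. Each record covers one
    ip+user_agent combination with a date_first..date_last span, so an
    overlap means the account was in use from two places at once."""
    by_user = defaultdict(list)
    for e in logins:
        by_user[e["user_id"]].append(e)
    hits = []
    for uid, entries in by_user.items():
        for i in range(len(entries)):
            for j in range(i + 1, len(entries)):
                a, b = entries[i], entries[j]
                if a["ip"] == b["ip"]:
                    continue
                # Closed-interval overlap test on the two activity windows.
                if a["date_first"] <= b["date_last"] and b["date_first"] <= a["date_last"]:
                    hits.append((uid, a["ip"], b["ip"]))
    return hits


def review(raw, baseline):
    """Run both checks and return the findings as a dict."""
    logins = parse_access_log(raw)
    return {"unknown": unknown_devices(logins, baseline),
            "overlap": overlapping_sessions(logins)}


if __name__ == "__main__":
    report = review(SAMPLE_ACCESS_LOG, KNOWN_BASELINE)
    for e in report["unknown"]:
        since = datetime.fromtimestamp(e["date_first"], tz=timezone.utc)
        print(f"UNKNOWN DEVICE user={e['username']} ip={e['ip']} "
              f"agent={e['user_agent']!r} country={e['country']} "
              f"since={since:%Y-%m-%d %H:%M}Z")
    for uid, ip_a, ip_b in report["overlap"]:
        print(f"CONCURRENT SESSIONS user={uid} from {ip_a} and {ip_b}")
```

On the constructed sample the script reports alice’s Windows login from 198.51.100.77 as an unknown device and flags it as concurrent with her known Mac session; in a real review the baseline would be the set of entries an admin has already vetted.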

The Microsoft Teams app, Slack’s major competitor, has also faced security issues in the last 9 or 10 months. Last June, the Teams Windows desktop app was found to be vulnerable to a bug in a dependency, the Squirrel framework, that could allow arbitrary code execution, malicious downloads and privilege escalation. In September of last year, researchers also discovered that the Teams app was vulnerable to Cross-Site Scripting (XSS) and a client-side template injection. These vulnerabilities have been addressed in recent Teams.app updates, so it is vital that IT admins ensure users are updating these applications in a timely manner.

Regardless of what platform you use, make sure you have a backup plan in place for critical meetings. MS Teams had a three-hour outage back in February when Microsoft incredibly forgot to renew a critical security certificate. Our online digital world may be more susceptible to disruption now than ever before as people practice social distancing and bandwidth comes under increasing pressure. Regular communication channels, from email to telephone, may need to be pressed into service in the event of service unavailability. Those, particularly email, have their own security challenges, of course, including phishing and SIM swapping.

Security & Privacy While Using Video Conferencing Software

Zoom and Skype are great ways to hold meetings from small teams to tens of thousands. But these apps also have security and privacy implications. 

First, ensure your own physical space is suitable for a meeting. Social media has this last week or two been chock-full of mildly embarrassing images of people working from home who didn’t consider their surroundings. From the spouse walking around in his underwear to one employee who inadvertently revealed more than colleagues wanted to see after taking her smartphone to the bathroom while on a conference call, it’s always worth remembering your environment.

A few quick tips for personal comfort: look behind you and check what can be seen by the camera. Make sure family and others who share your living space are aware of when you’re on a work call. Whether it’s barking dogs or a family spat, unwanted background noise can be both disturbing and embarrassing for other meeting participants. Also take care when screen sharing. Ensure there are no applications, images or videos visible that might be in the Not Safe For Work (NSFW) category or that might expose personal or confidential business data. Check which tabs are visible in the top bar of your browser and whether you’re accidentally about to reveal sites you’ve recently been visiting. 

Second, be aware of the privacy policies and features of the software you’re using. Zoom has some interesting features, like attention tracking, and some “should know” policies on data collection and sharing.

As for security, there are a number of issues to be aware of with video conferencing software. Account managers should ensure that end-to-end encryption is enabled to prevent snooping of traffic, particularly if remote workers are connecting to meetings from outside of the company’s secure VPN network.

Also, remember that video meetings can be recorded by any participant, and that raises issues of confidentiality. Recordings are stored locally on the user’s device. With Zoom, for example, they can be found in ~/Documents/Zoom on a Mac, and under Users\<username>\Documents\Zoom on Windows. If that device is compromised, those recordings are also vulnerable to being leaked and leveraged. Extorting and exposing victims is a technique that’s increasingly popular with some attackers, such as the ransomware developers behind Maze and DoppelPaymer.

Earlier this year, researchers found that Zoom had a vulnerability which made it possible to figure out which randomly generated numbers corresponded to valid Zoom calls. The researchers were then able to use those numbers to eavesdrop on calls. This vulnerability was discovered shortly after Zoom and a number of other video conferencing apps were found to contain a software vulnerability that could lead to remote command execution (RCE) on any macOS device, even if the Zoom app had been uninstalled. In that case, Apple took quick action and updated their own internal security software to remove the vulnerability. Both vulnerabilities are patched in the latest versions of Zoom.

As with workplace chat apps, so with teleconferencing software: ensure that your users are patching as soon as updates are available, and that endpoints are protected by a security platform that can protect against malware, malicious devices and network compromise.

Conclusion

It’s a truism that all software contains bugs. Most are trivial and never noticed by users; some are zero days we never learn of until after they’ve been either patched or exploited in the wild; others are critical and patched in a timely fashion. There’s another class of issues that fall between the cracks: developers are informed, but the issue remains unpatched, perhaps because the vendor does not agree about the severity of the security risk, or doesn’t think it’s their bug to fix, or cannot find a technical solution. On top of that, some security and privacy issues arise not from flaws in programs, but from the way we use those programs, such as not being aware of our environment when teleconferencing. The best way to protect ourselves from such a wide range of issues is to share knowledge, follow best practices and implement security technology where we can to mitigate issues on our behalf.



Tech giants should let startups defer cloud payments

Google, Amazon and Microsoft are the landlords. Amidst the coronavirus economic crisis, startups need a break from paying rent. They’re in a cash crunch. Revenue has stopped flowing in, capital markets like venture debt are hesitant and startups and small-to-medium sized businesses are at risk of either having to lay off huge numbers of employees and/or shut down.

Meanwhile, the tech giants are cash rich. Their success this decade means they’re able to weather the storm for a few months. Their customers cannot.

Cloud infrastructure costs are among many startups’ top expenses besides payroll. The option to pay these cloud bills later could save some from going out of business or axing huge parts of their staff. Both would hurt the tech industry, the economy and the individuals laid off. But most worryingly for the giants, it could destroy their customer base.

The mass layoffs have already begun. Soon we’re sure to start hearing about sizable companies shutting down, upended by COVID-19. But there’s still an opportunity to stop a larger bloodbath from ensuing.

That’s why I have a proposal: cloud relief.

The platform giants should let startups and small businesses defer their cloud infrastructure payments for three to six months until they can pay them back in installments. Amazon AWS, Google Cloud, Microsoft Azure, these companies’ additional infrastructure products, and other platform providers should let customers pause payment until the worst of the first wave of the COVID-19 economic disruption passes. Profitable SaaS providers like Salesforce could give customers an extension too.

There are plenty of altruistic reasons to do this. They have the resources to help businesses in need. We all need to support each other in these tough times. This could protect tons of families. Some of these startups are providing important services to the public and even discounting them, thereby ramping up their bills while decreasing revenue.

Then there are the PR reasons. After years of techlash and anti-trust scrutiny, here’s the chance for the giants to prove their size can be beneficial to the world. Recruiters could use it as a talking point. “We’re the company that helped save Silicon Valley.” There’s an explanation for them squirreling away so much cash: the rainy day has finally arrived.

But the capitalistic truth and the story they could sell to Wall Street is that it’s not good for our business if our customers go out of business. Look at what happened to infrastructure providers in the dot-com crash. When tons of startups vaporized, so did the profits for those selling them hosting and tools. Any government stimulus for businesses would be better spent by them paying employees than paying the cloud companies that aren’t in danger. Saving one future Netflix from shutting down could cover any short-term loss from helping 100 other businesses.

This isn’t a handout. These startups will still owe the money. They’d just be able to pay it a little later, spread out over their monthly bills for a year or so. Once mass shelter-in-place orders subside, businesses can operate at least a little closer to normal, investors can get less cautious and customers will have the cash they need to pay their dues. Plus interest, if necessary.

Meanwhile, they’ll be locked in and loyal customers for the foreseeable future. Cloud vendors could gate the deferment to only customers that have been with them for X amount of months or that have already spent Y amount on the platform. The vendors also could offer the deferment on the condition that customers add a year or more to their existing contracts. Founders will remember who gave them the benefit of the doubt.


Consider it a marketing expense. Platforms often offer discounts or free trials to new customers. Now it’s existing customers that need a reprieve. Instead of airport ads, the giants could spend the money ensuring they’ll still have plenty of developers building atop them by the end of 2020.

Beyond deferred payment, platforms could just push the due date on all outstanding bills to three or six months from now. Alternatively, they could offer a deep discount such as 50% off for three months if they didn’t want to deal with accruing debt and then servicing it. Customers with multi-year contracts could be offered the opportunity to downgrade or renegotiate their contracts without penalties. Any of these might require giving sales quota forgiveness to their account executives.

It would likely be far too complicated and risky to accept equity in lieu of cash, a cut of revenue going forward or to provide loans or credit lines to customers. The clearest and simplest solution is to let startups skip a few payments, then pay more every month later until they clear their debt. When asked for comment or about whether they’re considering payment deferment options, Microsoft declined, and Amazon and Google did not respond.

To be clear, administering payment deferment won’t be simple or free. There are sure to be holes that cloud economists can poke in this proposal, but my goal is to get the conversation started. It could require the giants to change their earnings guidance. Rewriting deals with significantly sized customers will take work on both ends, and there’s a chance of breach of contract disputes. Giants would face the threat of customers recklessly using cloud resources before shutting down or skipping town.

Most taxing would be determining and enforcing the criteria of who’s eligible. The vendors would need to lay out which customers are too big so they don’t accidentally give a cloud-intensive but healthy media company a deferment they don’t need. Businesses that get questionably excluded could make a stink in public. Executing on the plan will require staff when giants are stretched thin trying to handle logistics disruptions, misinformation and accelerating work-from-home usage.

Still, this is the moment when the fortunate need to lend a hand to the vulnerable. Not a hand out, but a hand up. Companies with billions in cash in their coffers could save those struggling to pay salaries. All the fundraisers and info centers and hackathons are great, but this is how the tech giants can live up to their lofty mission statements.

We all live in the cloud now. Don’t evict us. #CloudRelief

Thanks to Falon Fatemi, Corey Quinn, Ilya Fushman, Jason Kim, Ilya Sukhar and Michael Campbell for their ideas and feedback on this proposal.

Russians Shut Down Huge Card Fraud Ring

Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade.

In a statement released this week, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of payment in connection with some 90 websites that sold stolen credit card data.

A still image from a video of the raids released by the Russian FSB this week shows stacks of hundred dollar bills and cash counting machines seized at a residence of one of the accused.

The FSB has not released a list of those apprehended, but the agency’s statement came several days after details of the raids were first leaked on the LiveJournal blog of cybersecurity blogger Andrey Sporov. The post claimed that among those apprehended was the infamous cybercriminal Alexey Stroganov, who goes by the hacker names “Flint” and “Flint24.”

According to cyber intelligence firm Intel 471, Stroganov has been a long-standing member of major underground forums since at least 2001. In 2006, Stroganov and an associate Gerasim Silivanon (a.k.a. “Gabrik“) were sentenced to six years of confinement in Russia, but were set free just two years into their sentence. Intel 471 says Selivanon also was charged along with Stroganov in this past week’s law enforcement action.

“Our continuous monitoring of underground activity revealed despite the conviction, Flint24 never left the cybercrime scene,” reads an analysis penned by Intel 471.

“You can draw your own conclusions [about why he was released early],” Sporaw wrote, suggesting that perhaps the accused bribed someone to get out of jail before his sentence was up.

Flint is among the biggest players in the crowded underground market for stolen credit card data, according to a U.S. law enforcement source who asked to remain anonymous because he was not authorized to speak to the media. The source described Flint’s role as that of a wholesaler of credit card data stolen in some of the biggest breaches at major Western retailers.

“He moved hundreds of millions of dollars through BTC-e,” the source said, referring to a cryptocurrency exchange that was seized by U.S. authorities in 2017. “Flint had a piece of almost every major hack because in many cases it was his guys doing it. Whether or not his marketplaces sold it, his crew had a role in a lot of the big breaches over the last ten years.”

Intel 471’s analysis seemed to support that conclusion, noting that Flint worked closely with other major carding shops that were not his, and that he associated with a number of cybercrooks who regularly bought stolen credit cards in batches of 100,000 pieces at once.

Top denizens of several cybercrime forums who’ve been tracking the raids posited that Stroganov and others were busted because they had a habit of violating the golden rule for criminal hackers residing in Russia or in a former Soviet country: Don’t target your own country’s people and/or banks.

A longtime moderator of perhaps the cybercrime underground’s most venerated Russian hacking forum posted a list of more than 40 carding sites thought to be tied to the group’s operations that are no longer online. Among them is MrWhite[.]biz, a carding site whose slick video ads were profiled in a KrebsOnSecurity post last year.

A snippet from a promotional video from the carding/dumps shop MrWhite.

KNOW YOUR FRAUDSTER

Nearly all of the carding sites allegedly tied to this law enforcement action — including those with such catchy names as BingoDumps, DumpsKindgom, GoldenDumps, HoneyMoney and HustleBank — were united by a common innovation designed to win loyalty among cybercriminals who buy stolen cards or “dumps” in bulk: Namely, a system that allowed buyers to get instant refunds on “bad” stolen cards without having to first prove that the cards were canceled by the issuing bank before they could be used for fraud.

Most carding sites will offer customers a form of buyer’s insurance known as a “checker,” which is an automated, à la carte service customers can use after purchasing cards to validate whether the cards they just bought are still active.

These checking services are tied to “moneyback” guarantees that will automatically refund the purchase price for any cards found to be invalid shortly after the cards are bought (usually a window of a few minutes up to a few hours), provided the buyer agrees to pay an added fee of a few cents per card to use the shop’s own checking service.

But many cybercrooks have long suspected some checkers at the more popular carding sites routinely give inaccurate results that favor the card shop (i.e., intentionally flagging some percentage of inactive cards as valid). So, the innovation that Flint’s gang came up with was a policy called “Trust Your Client” or “TYC,” which appears to be a sly dig on the banking industry’s “know your customer” or KYC rules to help fight fraud and money laundering.

With TYC, if a customer claimed a card they bought was declined for fraudulent transaction attempts made within six hours of purchase, the carding shop would refund the price of that card — no questions asked. However, it seems likely these shops that observed TYC ran their own checkers on the back-end to protect themselves against dishonest customers.

An ad for the “Trust Your Client” or TYC policy observed by virtually all of the carding shops taken down in this past week’s Russian law enforcement operation.

Want to learn more about how carding shops work and all the lingo that comes with them? Check out my behind-the-scenes profile of one major fraud store — Peek Inside a Professional Carding Shop.

Looking on the Bright Side of Coronavirus: Impact on Low-to-Mid-Tier Criminals and Vendors

In these difficult and challenging times, it is helpful to try and look on the “bright side” and perhaps introduce a touch of levity into our massively-adjusted daily lives.

The Coronavirus/COVID-19 pandemic has affected everyone, but on said “bright side” it has also brought disruption to the businesses of cybercriminals. Among those seeing a downturn in trade are vendors of fraudulent and stolen data as well as illicit items like drugs. The strain on “supply”, from a shipping and logistics perspective, along with increased screening and scrutiny within various postal operations and shipping companies has had a very clear effect on illegal operations.

This impact has been felt especially by online drug and chemical vendors.

In the last week or so, we observed a number of sites being updated to reflect current issues and difficulties surrounding COVID-19.

How COVID-19 Has Disrupted Cybercrime

One of the earliest examples of this phenomenon was the online drug and chemical vendor ‘Pushing Taboo’. The site was forced to announce temporary closure as a result of the Covid-19 pandemic.

image of Pushing Taboo message to customers

Their message was later expanded to provide additional information and guidance. And, similar to any legitimate business, they describe their current contingency plans, including partial refunds and a “massive sale” once things return to normal.

For a vendor that has not ceased operations for the last 8 years, it is remarkable that the current health crisis has done more to disrupt their business than anything else during that time.

Not every vendor is faced with a full shutdown, however. Many are shifting processes and alerting their customers to expect delays in shipments, especially in specific regions where lockdowns and increased package inspection are in place. Cocaine, heroin, and ecstasy vendor ‘cokehero’ updated their site to reflect shipping issues with specific countries:

Criminals with Crocodile Tears?

Illicit businesses are still businesses, and every successful business needs to put its customers first, or at least appear to be doing so. As a result, there is a running theme with most of these. They offer helpful hygiene advice (wash hands, stay inside, etc.) along with their situational update. In the previous example, the vendor ‘cokehero’ goes the extra mile to remind site visitors to wash their hands and disinfect all packages upon receipt. We see similar guidance from other vendors as well.

Below, “MushMerica” reminds customers to wash hands and delay opening packages for approximately one week.

“BlueMagic”, a distributor of cocaine, bullishly proclaims it’s “Business as usual” for them, but goes on to point out that delivery is dependent on local conditions. Your order will arrive “As soon as your country delivers it!”. And of course, their “Corona Virus Update” ends with a perfunctory “stay safe people”.

Meanwhile, “DutchDrugz”, a supplier of a wide range of narcotics, issued an update on March 16th informing its customers that distribution had been heavily impacted by lockdowns in the EU and worldwide. The message expresses a note of sympathy for anyone having contracted the virus and reminds customers to “follow advice and stay away from impaired & elderly people”.

Two days later, “DutchDrugz” were forced to post another message stressing that they were still in business, as clearly the first update had backfired and caused a negative impact on their sales:

Online drug dealers are not the only ones feeling the constraints of this global health issue, either. Betting sites and professional ‘match fixers’ are feeling the effects as well.

In the example below, we see updates from “BettingLeaks 2.0” providing guidance on events that are cancelled or otherwise affected by COVID-19.

The message outlines the problems caused by a lack of live sporting fixtures, and promises refunds where necessary.

Conclusion

At the end of the day, we are all affected by the current COVID-19 outbreak. While we all adjust our daily lives and work to “flatten the curve”, it is nice to know that this health crisis does not discriminate. Criminal enterprises and operations are being impacted in a good way (well…bad for them). Hopefully, this brings a touch of cheer while reading this from your home office, couch or bed. There’s some small comfort to be had from knowing that our usual, anti-social adversaries are feeling the effects of the global pandemic in their pockets. We encourage everyone to continue to follow prescribed guidelines to keep yourselves and your loved ones safe, and as one of the messages above puts it, “hopefully, these dark times end faster than we think”.

TripActions lays off hundreds amid COVID-19 travel freeze

The coronavirus demand crunch has taken another bite: Palo Alto-based corporate travel-focused unicorn TripActions has confirmed laying off hundreds of staff.

Per this post on Blind — written by someone with a verified TripActions email address — the company laid off 350 people. Business Insider reported the same figure yesterday, and the Wall Street Journal said the layoffs amount to between one-quarter to one-fifth of the startup’s total staff, citing a person familiar with the situation.

Update: A spokesman for TripActions told us the number of impacted employees is “less than 300” — although he qualified the remark by saying the figure includes 25 people who were offered other roles within the company.

In an earlier email to Crunchbase News, TripActions confirmed axing jobs in response to the COVID-19 global health crisis — saying it had “cut back on all non-essential spend.” It did not confirm exactly how many employees it had fired at that point.

“[We] made the very difficult decision to reduce our global workforce in line with the current climate,” TripActions wrote in the statement. “We look forward to when the strength of the global economy and business travel inevitably return and we can hire back our colleagues to rejoin us in our mission to make business travel effortless for our customers and users.”

“This global health crisis is unlike anything we’ve ever seen in our lifetimes, and our hearts go out to everyone impacted around the world, including our own customers, partners, suppliers and employees,” it added. “The coronavirus has had [a] wide-reaching effect on the global economy. Every business has been impacted including TripActions. While we were fortunate to have recently raised funding and secured debt financing, we are taking appropriate steps in our business to ensure we are here for our customers and their travelers long into the future.”

Per the post on Blind, TripActions is providing one week of severance to sacked staff and medical cover until end of month. “With [the coronavirus pandemic] going on you think they would do better,” the OP wrote. The layoffs were made by Zoom call, they also said.

However, TripActions’ spokesman disputed the details about severance and medical cover, saying it is offering severance packages for U.S. employees that include two months of company-paid COBRA health insurance coverage, extending health benefits through the end of June, along with a minimum of 3 weeks’ salary.

He added that U.S. employees who were given notice yesterday were told their last day would be April 1, 2020 — meaning their health benefits continue through the end of April.

Travel startups are facing an unprecedented nuclear winter as demand has fallen off a cliff globally — with little prospect of a substantial change to the freeze on most business travel in the coming months as rates of COVID-19 infections continue to grow exponentially outside China.

However, TripActions is one of the highest valued and best financed of such startups, securing a $500 million credit facility for a new corporate product only last month. At the time, Crunchbase recorded $480 million in tracked equity funding for the company, including a $250M Series D TripActions raised in June from investors including a16z, Group 11, Lightspeed and Zeev Ventures.

Before the layoffs, the company had already paused all hiring, per one former technical sourcer for the company writing on LinkedIn.

This post was updated with additional comment from TripActions