Rapid7 is acquiring DivvyCloud for $145M to beef up cloud security

Rapid7 announced today after the closing bell that it will be acquiring DivvyCloud, a cloud security and governance startup, for $145 million in cash and stock.

With Divvy, the company moves more deeply into the cloud, something that Lee Weiner, chief innovation officer, says the company has been working toward, even before the pandemic pushed that agenda.

Like any company looking at expanding its offering, it balanced building versus buying and decided that buying was the better way to go. “DivvyCloud has a fantastic platform that really allows companies the freedom to innovate as they move to the cloud in a way that manages their compliance and security,” Weiner told TechCrunch.

CEO Corey Thomas says it’s not possible to make a deal right now without looking at the economic conditions due to the pandemic, but he says this was a move they felt comfortable making.

“You have to actually think about everything that’s going on in the world. I think we’re in a fortunate position in that we have had the benefit of both growing in the past couple years but also getting the business more efficient,” Thomas said.

He said that this acquisition fits in perfectly with what he’s been hearing from customers about what they need right now. “One area of new projects that is actually going forward is how people are trying to figure out how to digitize their operations in a world where they aren’t sure how soon employees will be able to congregate and work together. And so from that context, focusing on the cloud and supporting our customers’ journey to the cloud has become an even more important priority for the organization,” he said.

Brian Johnson, CEO and co-founder at DivvyCloud, says that is precisely what his company offers, and why it should fit in well with the Rapid7 family. “We help customers achieve rapid innovation in the cloud while ensuring they remain secure, well governed and compliant,” he said. That takes a different playbook than when customers were on prem, particularly requiring automation and real-time remediation.

With DivvyCloud, Rapid7 is getting a 7-year-old company with 70 employees and 54 customers. It raised $27.5 million on an $80 million post-money valuation, according to PitchBook data. All of the employees will become part of the Rapid7 organization when the deal closes, which is expected to happen some time this quarter.

The companies say that as they come together, they will continue to support existing Divvy customers, while working to integrate it more deeply into the Rapid7 platform.

Would You Have Fallen for This Phone Scam?

You may have heard that today’s phone fraudsters like to use caller ID spoofing services to make their scam calls seem more believable. But you probably didn’t know that these fraudsters also can use caller ID spoofing to trick your bank into giving up information about recent transactions on your account — data that can then be abused to make their phone scams more believable and expose you to additional forms of identity theft.

Last week, KrebsOnSecurity told the harrowing tale of a reader (a security expert, no less) who tried to turn the tables on his telephonic tormentors and failed spectacularly. In that episode, the people impersonating his bank not only spoofed the bank’s real phone number, but they were also pretending to be him on a separate call at the same time with his bank.

This foiled his efforts to make sure it was really his bank that called him, because he called his bank with another phone and the bank confirmed they currently were in a separate call with him discussing fraud on his account (however, the other call was the fraudster pretending to be him).

Shortly after that story ran, I heard from another reader — we’ll call him “Jim” since he didn’t want his real name used for this story — whose wife was the target of a similar scam, albeit with an important twist: The scammers were armed with information about a number of her recent financial transactions, which he claims they got from the bank’s own automated phone system just by spoofing her phone number.

“When they originally called my wife, there were no fraudulent transactions on her account, but they were able to specify the last three transactions she had made, which combined with the caller-ID had mistakenly earned her trust,” Jim explained. “After we figured out what was going on, we were left asking ourselves how the crooks had obtained her last three transactions without breaking into her account online. As it turned out, calling the phone number on the back of the credit card from the phone number linked with the card provided the most recent transactions without providing any form of authentication.”

Jim said he was so aghast at this realization that he called the same number from his phone and tried accessing his account, which is also at Citi but wholly separate from his spouse’s. Sure enough, he said, as long as he was calling from the number on file for his account, the automated system let him review recent transactions without any further authentication.

“I confirmed on my separate Citi card that they often (but not quite always) were providing the transaction details,” Jim said. “I was appalled that Citi would do that. So, it seemed the crooks would spoof caller ID when calling Citibank, as well as when calling the target/victim.”

The incident Jim described happened in late January 2020, and Citi may have changed its procedures since then. But in a phone interview with KrebsOnSecurity earlier this week, Jim made a call to Citi’s automated system from his mobile phone on file with the bank, and I could hear Citi’s systems asking him to enter the last four digits of his credit card number before he could review recent transactions.

The request for the last four of the customer’s credit card number was consistent with my own testing, which relied on a caller ID spoofing service advertised in the cybercrime underground and aimed at a Citi account controlled by this author.

In one test, the spoofed call let KrebsOnSecurity hear recent transaction data — where and when the transaction was made, and how much was spent — after providing the automated system the last four digits of the account’s credit card number. In another test, the automated system asked for the account holder’s full Social Security number.

Citi declined to discuss specific actions it takes to detect and prevent fraud. But in a written statement provided to this author it said the company continuously monitors and analyzes threats and looks for opportunities to strengthen its controls.

“We see regular attempts by fraudsters to gain access to information and we are constantly monitoring for emerging threats and taking preventive action for our clients’ protection,” the statement reads. “For inbound calls to call centers, we continue to adapt and implement detection capabilities to identify suspicious or spoofed phone numbers. We also encourage clients to install and use our mobile app and sign up for push notifications and alerts in the mobile app.”
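The weakness in the story is that the automated phone system treated the presented caller ID (the ANI) as if it were an authentication factor. The following is an added example, not code from KrebsOnSecurity or from Citi: it models the check as Jim described it, the last-four variant heard later, and an assumed hardening in which ANI is only a routing hint and data is released for a one-time code pushed to the enrolled mobile app. `Account`, `Call`, the lockout threshold and the OTP step are all constructed assumptions.

```python
# Added example (not the bank's code): three IVR release policies for
# "play back recent transactions", from weakest to hardened.
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold


@dataclass
class Account:
    account_id: str
    phone_on_file: str                  # number the bank associates with the card
    card_last4: str                     # also present in stolen "CVV" records
    pending_otp: Optional[str] = None   # one-time code pushed to the mobile app
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Call:
    ani: str                            # caller ID as presented by the carrier; spoofable
    last4_entered: Optional[str] = None
    otp_entered: Optional[str] = None


def weak_policy(account: Account, call: Call) -> bool:
    """The behaviour Jim reported: a caller-ID match alone unlocks playback.
    ANI is attacker-controlled, so this authenticates the phone network,
    not the customer."""
    return call.ani == account.phone_on_file


def last4_policy(account: Account, call: Call) -> bool:
    """The check heard later in the story: ANI match plus card last-4.
    Still weak, because the full card number ships with every stolen
    card record, so last-4 is known to the same fraudster."""
    return call.ani == account.phone_on_file and call.last4_entered == account.card_last4


def hardened_policy(account: Account, call: Call) -> bool:
    """Assumed hardening: ANI is ignored as a factor.  Release data only for
    a fresh one-time code delivered out of band (push to the enrolled app),
    compared in constant time and consumed on success; lock the IVR after
    repeated failures so the caller is routed to a human agent instead."""
    if account.locked:
        return False
    if account.pending_otp is None or call.otp_entered is None:
        return False
    if hmac.compare_digest(account.pending_otp, call.otp_entered):
        account.pending_otp = None      # single use
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


def demo() -> dict:
    """Constructed scenario: a spoofed call carrying the victim's number and
    the last-4 from a stolen card record, beside the genuine customer."""
    victim = Account("acct-1", "+15555550100", "4242", pending_otp="839201")
    spoofed = Call(ani="+15555550100", last4_entered="4242")   # fraudster
    genuine = Call(ani="+15555550100", otp_entered="839201")   # customer
    return {
        "weak_spoofed": weak_policy(victim, spoofed),
        "last4_spoofed": last4_policy(victim, spoofed),
        "hardened_spoofed": hardened_policy(victim, spoofed),
        "hardened_genuine": hardened_policy(victim, genuine),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'release transactions' if allowed else 'deny'}")
```

The point of the three policies side by side is that adding the card's last four digits does not change the outcome for a caller working from a stolen card record; only a factor that the fraudster cannot obtain from the record or from the phone network (here, an out-of-band one-time code) changes it.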


Jim said the fraudster who called his wife clearly already knew her mailing and email addresses, her mobile number and the fact that her card was an American Airlines-branded Citi card. The caller said there had been a series of suspicious transactions, and proceeded to read back details of several recent transactions to verify if those were purchases she’d authorized.

A list of services offered by one of several underground stores that sell caller ID spoofing and email bombing services.

Jim’s wife quickly logged on to her Citi account and saw that the amounts, dates and places of the transactions referenced by the caller indeed corresponded to recent legitimate transactions. But she didn’t see any signs of unauthorized charges.

After verifying the recent legitimate transactions with the caller, the person on the phone asked for her security word. When she provided it, there was a long hold before the caller came back and said she’d provided the wrong answer.

When she corrected herself and provided a different security word, there was another long pause before the caller said the second answer she provided was correct. At that point, the caller said Citi would be sending her a new card and that it had prevented several phony charges from even posting to her account.

She didn’t understand until later that the pauses were points at which the fraudsters had to put her on hold to relay her answers in their own call posing as her to Citi’s customer service department.

Not long after Jim’s spouse hung up with the caller, her inbox quickly began filling up with hundreds of automated messages from various websites trying to confirm an email newsletter subscription she’d supposedly requested.

As the recipient of several of these “email bombing” attacks, I can verify that crooks often will use services offered in the cybercrime underground to flood a target’s inbox with these junk newsletter subscriptions shortly after committing fraud in the target’s name when they wish to bury an email notification from a target’s bank.


In the case of Jim’s wife, the inbox flood backfired, and only made her more suspicious about the true nature of the recent phone call. So she called the number on the back of her Citi card and was told that she had indeed just called Citi and requested what’s known as an “overpayment reimbursement.” The couple have long had their credit cards on auto-payment, and the most recent payment was especially high — nearly $4,000 — thanks to a flurry of Christmas present purchases for friends and family.

In an overpayment reimbursement, a customer can request that the bank refund any amount paid toward a previous bill that exceeds the minimum required monthly payment. Doing so causes any back-due interest on that unpaid amount to accrue to the account as well.

In this case, the caller posing as Jim’s wife requested an overpayment reimbursement to the tune of just under $4,000. It’s not clear how or where the fraudsters intended this payment to be sent, but for whatever reason Citi ended up saying they would cut a physical check and mail it to the address on file. Probably not what the fraudsters wanted, although since then Jim and his wife say they have been on alert for anyone suspicious lurking near their mailbox.

“The person we spoke with at Citi’s fraud department kept insisting that yes, it was my wife that called because the call came from her mobile number,” Jim said. “The Citi employee was alarmed because she didn’t understand the whole notion of caller ID spoofing. And we both found it kind of disturbing that someone in fraud at such a major bank didn’t even understand that such a thing was possible.”


Fraud experts say the scammers behind the types of calls that targeted Jim’s family are most likely fueled by the rampant sale of credit card records stolen from hacked online merchants. This data, known as “CVVs” in the cybercrime underground, is sold in packages for about $15 to $20 per record, and very often includes the customer’s name, address, phone number, email address and full credit or debit card number, expiration date, and card verification value (CVV) printed on the back of the card.

A screen shot from an underground store selling CVV records. Note that all of these records come with the cardholder’s address, email, phone number and zip code. Click to enlarge. Image: Gemini Advisory.

Dozens of cybercrime shops traffic in this stolen data, which is more traditionally used to defraud online merchants. But such records are ideally suited for criminals engaged in the type of phone scams that are the subject of this article.

That’s according to Andrei Barysevich, CEO and co-founder of Gemini Advisory, a New York-based company that monitors dozens of underground shops selling stolen card data.

“If the fraudsters already have the target’s cell phone number, in many cases they already have the target’s credit card information as well,” Barysevich said.

Gemini estimates there are currently some 13 million CVV records for sale across the dark web, and that more than 40 percent of these records put up for sale over the past year included the cardholder’s phone number.

Data from recent financial transactions can not only help fraudsters better impersonate your bank, it can also be useful in linking a customer’s account to another account the fraudsters control. That’s because PayPal and a number of other pure-play online financial institutions allow customers to link accounts by verifying the value of microdeposits.

For example, if you wish to be able to transfer funds between PayPal and a bank account, the company will first send a couple of tiny deposits — a few cents, usually — to the account you wish to link. Only after verifying those exact amounts will the account-linking request be granted.


Both this and last week’s story illustrate why the only sane response to a call purporting to be from your bank is to hang up, look up your bank’s customer service number from their Web site or from the back of your card, and call them back yourself.

Meanwhile, fraudsters who hack peoples’ finances with nothing more than a telephone have been significantly upping the volume of attacks in recent months, new research suggests. Fraud prevention company Next Caller said this week it has tracked “massive increases in call volumes and high-risk calls across Fortune 500 companies as a result of COVID-19.”

Image: Next Caller.

“After a brief reprieve in Week 4 (April 6-12), Week 5 (April 13-19) saw call volume across Next Caller’s clients in the telecom and financial services sectors spike 40% above previous highs,” the company found. “Particularly worrisome is the activity taking place in the financial services sector, where call traffic topped previous highs by 800%.”

Next Caller said it’s likely some of that increase was due to numerous online and mobile app outages for many major financial institutions at a time when more than 80 million Americans were simultaneously trying to track the status of their stimulus deposits. But it said that surge also brought with it an influx of fraudsters looking to capitalize on all the chaos.

“High-risk calls to financial services surged to 50% above pre-COVID levels, with one Fortune 100 bank suffering a high-risk increase of 60% during Week 5,” the company wrote in a recent report.

Anatomy of Automated Account Takeovers

In this guest post, Tal Eliyahu and Begum Calguner explain in rich detail the entire process behind automated account takeovers and how they caused over $4bn of losses in the previous year alone.

Living in an era of data privacy dystopia, having an online presence comes with the direct opportunity cost of “being pwned”. In a data black market fueled by both legitimate and illegitimate players, cybercriminals not only transact amongst themselves but also with large corporations for stolen data.

As a matter of fact, the number of data breaches as well as the average cost of a data breach continues to soar. Having to self-regulate in the ever-expanding field of cybersecurity, the obscurity of privacy interpretations and awareness causes tech leaders to opt for biometrics as the primary authentication method while retiring the traditional password-based user logins, despite public satisfaction with using passwords. The misperception lies in the fact that, with opting for biometric authentication instead of passwords, users gain the ultimate blend of user experience (UX) and security. However, biometrics-supported authentication methods don’t always manifest as foolproof or user-friendly.

In light of the above, public trust in technological business has diminished, which is subsequently reflected upon those businesses financially. This situation is charged by the new dynamic challenges such as data access rights exploits brought by the adoption of privacy laws and regulations.

The Official Definition of ATO

“An account takeover can happen when a fraudster or computer criminal poses as a genuine customer, gains control of an account and then makes unauthorized transactions. Any account could be taken over by criminals, including bank, credit card, email, and other service providers. Online banking accounts are usually taken over as a result of phishing, spyware or malware scams. This is a form of internet crime or computer crime.” – ActionFraud a service provided by City of London Police.

Key Figures Illustrating the Magnitude of Account Takeovers Currently

“Account takeover placed among the top three types of fraud reported from a whole 96% fraud attack reported by eCommerce businesses.” – MRC 2019 Global Fraud Survey

“89% of executives at financial institutions said that account takeover fraud is the most common cause of losses in their digital channels” – Aite Group

“Account takeover accounted for $4 billion in losses last year, which was slightly down from the year prior ($5.1 billion), but was up significantly when compared to data in recent years.” – Javelin Strategy & Research

“The large majority of compromised accounts are in a dormant state…65% of these accounts belong to users that have not logged in for more than 90 days, and 80% of these accounts belong to users that have not logged in for more than 30 days.” – DataVisor

“29% of breaches involved use of stolen credentials.” – Verizon Data Breach Incident Report 2019

Role of Credential Stuffing in Automated ATO Attacks

Criminals gather billions of login credentials via data breaches occurring in low profile websites. With credential stuffing, they then exploit the tendency of people to reuse the same password and username combination even on higher profile websites.

The repeated use of passwords increases the likelihood that a user’s credentials already exist in a previously breached ‘combo list’ (e.g., “Collection #1-#5”). With free services at the criminals’ disposal, such as people-search sites to gather user details, and tools that run combo lists to automate their credential stuffing attacks, criminals can streamline the attack and achieve a higher success rate of account takeovers.

“From January 2018 through June 2019, more than 61 billion credential stuffing attempts” — Akamai, State of the Internet 

In short, combined with users’ propensity to use the same password on a myriad of platforms, high or low profile alike, the fact that many websites accept an email address or phone number as a valid alternative username simplifies the attack even further for the criminal: one username with a repeatable set of passwords for all the accounts belonging to the victim.


The two main types of threat from credential stuffing attacks are coordinated mass-scale automated threat attacks based on sophisticated techniques and targeted attacks. While preventative measures exist for the common user against the former, there is little that a less tech-savvy user lacking cybersecurity awareness can do to hinder being the victim of the latter type.

In spite of the fact that mass-scale automated threat attacks may usually be avoided by users enabling two-factor authentication (2FA) on their accounts, this is not as widely adopted by users as commonly believed. Even for services such as e-mail accounts, which store data of the utmost sensitivity with integration to various other 3rd party platforms and services, 2FA is not mandatory for users on many platforms.

According to reports, amongst over 1.5 billion active Gmail users, 90% do not have 2FA enabled. Even though financial institutions’ (FIs) accounts are perceived by users, based on surveys, as the most important type of account to secure, FIs still facilitate credential stuffing attacks by not enforcing the usage of 2FA for account access.

Due to the continuous dilemma of keeping a safe balance between UX and security, firms opt to serve 2FA as a recommended option rather than imposing it upon users as a mandatory practice. However, not enforcing 2FA from the start leads to additional authentication layers (i.e., static and dynamic knowledge-based questions and more), thus halting the user experience at later stages. And for all that, each of the above-mentioned authentication controls can still be bypassed by criminals.

Cybercrime as an Industry – Status Quo

Cybercrime as an industry, although illegitimate, operates according to the same principles of keeping any business afloat, which is to attain and preserve a positive return on investment (ROI). Thereupon, with the continuous growth of the target group known as the ‘client pool’, combined with internet users’ lack of password hygiene awareness, the cybercrime industry offers many opportunities that can be capitalized on, which can also minimize the cost of successful attacks. As a matter of fact, this creates a technological race between the criminals, technology evangelists and entrepreneurs and the cybersecurity industry, where criminals adopt emerging technologies and develop advanced automation for attacks and new tactics and techniques to bypass security measures, while the cost to business of implementing and adjusting security measures against cybercrime continues to increase.

Impact of the Growth of Targeted Population on Criminal Strategies

Amongst a rising population of 7.75 billion people, the number of internet users has increased from 2.4 billion to 4.54 billion since 2014. Bearing in mind that of those 4.54 billion, 3.76 billion use mobile and web payment methods for products and services, credential stuffing attacks present a lucrative option for criminals.

Just within the first quarter of 2019, 281 data breaches exposed more than 4.53 billion records, while 1 million usernames and passwords are reportedly spilled or stolen daily.

Different demographic groups of internet users manifest online behavioral patterns specific to their demographic group and present distinct vulnerabilities for criminals to take advantage of. Identifying the target clients via client pool segmentation, based on their key weaknesses and their associated financial stats, optimizes the ROI of the credential stuffing attacks for criminals (highest revenue for the effort and time invested). It would be worthwhile to note that the age-based segmentation of the client pool depicts the proclivities of the behavior patterns of millennials and seniors to the attackers.

“Criminals Steal $37 Billion a Year from America’s Elderly” – Bloomberg

According to reports, a standard user with an average of 90 online accounts requiring passwords, will reuse the same passwords 4-6 times. When required to update, 68% of users only tweak their previous password slightly. In addition, the majority of users still rely on “saving passwords” through memory: meaning, they create passwords that are easy to remember (and thus, guess) rather than making high-entropy passwords and saving them in password manager software. At the other end of the spectrum, securing the account credentials using password managers also possesses certain vulnerabilities, including creating a single point of compromise.

Criminals predominantly use automation for credential stuffing by means of tools known as “bad bots”. Bots are software programs operating online to perform repetitive tasks. While constituting 20.4% of the total website traffic, only 21.1% of them are categorized to be the sophisticated type also known as All-in-One (AIO) applications. Notable tools used by criminals are “SNIPR” ($20), STORM, MailRanger, and SentryMBA. Competition amongst hackers encourages other hackers to reverse engineer existing tools to optimize the flaws and release cracked or pirated versions back into the market. Even legitimate tools like OpenBullet are utilized by criminals as “access checkers”. Such tools are renowned for their strong community support, using uploaded configuration files programmed to generate sequenced API calls, and their ability to automate browsing processes using scripting languages (e.g., PhantomJS, trifleJS and others) with browser emulation libraries (Puppeteer, Selenium, etc).

Criminal Adoption of Innovation

Despite the abundance of community support for traditional, manual and arduous attack techniques available for a range of prices in web forums, criminals consistently endeavor to maximize the capabilities of the latest automation techniques with growing community support on contemporary, detection resilient instant messaging groups (i.e., “Dark Work”) or even on legitimate freelancer and mechanical turk platforms.

Supplemented by collaboration and information-sharing amongst criminals, the adoption of the latest automated techniques has been ousting the aforementioned laborious human tasks while adding further layers of sophistication for superior and speedier results utilizing AI-enhanced systems to elevate bad bots to beyond level 2 automation.

Bad bots are highly sophisticated, automated robots devised to function in stealth mode and to mimic behaviors via their built-in deception and evasion capabilities that help to surpass detective and preventive security controls.

With the use of rotating VPN, secure VPS, RDP servers or residential, secure and other clean proxies, the location of the targeted victim can be simulated with a 5-mile precision. Furthermore, bad bots evade anti-fraud control measures with the help of a digital mask containing not only unique behaviors of the victim (e.g., tap touchscreen frequency) and browsing patterns (e.g., screentime or fields of user interest) but also the victim’s device fingerprint (e.g., device ID, OS version) using doppelgangers.

The development of such countermeasures in order to evade bot detection controls like Google’s reCaptcha and other traditional controls that once required human involvement goes to show just how advantageous such advanced bots are for credential stuffing attacks.

Even the case of the bot maxing out the number of login attempts, triggering a lock-out challenge or generating suspicious activity causing account lockout can pose a revenue stream for the criminals. Receiving notifications at their back-office once an account is locked out enables the criminals to initiate second and third layers of ATO attacks immediately. Usually, swiftly after the failure of the second layer attacks (e.g., abuse recovery options), the third layer of attacks commence by sending the victim’s account details to a pseudo support center to “alert” the victim of the locked out account. This facilitates “escorting” the victim to give remote access to his or her account, to unlock the account or even to share the details received in an email or SMS to reset their passwords per request, hence resulting in an ATO. As a matter of fact, criminals manage to turn the tables in their favor in spite of the roadblocks they encounter.

Criminal Leveraging of Alert Fatigue

More than half of global corporations are estimated to be neither ready nor prepared to handle a large scale cyber attack, lacking highly skilled cybersecurity staff let alone a cybersecurity lead; ergo, they are creating the circumstances for cybercrime to flourish.

Based on internet traffic, bad bots can be considered permanent residents of the digital world, just one step away from being its dominant citizens. For detection avoidance, bad bots are developed to stay in stealth mode during credential stuffing attacks, replicating a good red team operation; being empowered with AI automation capabilities equips them with the art of storytelling, as has lately been observed in automated breach and attack simulation (BAS) solutions.

With the deception created by storytelling, bad bots’ activity may be perceived as “white noise” and tagged as false positive alerts amongst 50% of the reported alerts, non-priority alert or under scoped incidents from the overwhelming 25K daily events that can last for several days on average, according to SecOps analysts. Bearing in mind the daily average of 20 alerts each with the duration of 20 mins for analysts to investigate as well as the limited training of 20 hours annually they receive, analysts’ wasting over half of their day looking for problems that are either insignificant or not really problems at all is inevitable. Akin to the domino effect, the waste of resources impairs the KPIs and eventually benefits criminals.

“50,000 Unique IP Addresses Make Credential Stuffing Attempts on Daily Basis” — Auth0 

“Using 14 days of data, we observed 21,962,978 login attempts; of those, 33% (7,379,074) represented failed logins.” – Akamai
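The credential stuffing mechanics described under "Role of Credential Stuffing in Automated ATO Attacks" and the alert-fatigue problem described just above point at the same detection design: look for one source trying many distinct usernames with a high failure ratio, and raise one aggregated alert per source and time window rather than one alert per failed login. The following is an added example, not code from the article's authors, Akamai or Auth0. The log line format, the sample lines and the thresholds are constructed for this example; the Akamai-style overall failure ratio is computed alongside for comparison.

```python
# Added example: aggregate login events per source and window, flag the
# credential-stuffing shape, and emit one alert per offending source.
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 sprays eight usernames in five seconds and
# hits one valid pair (carol); the other two sources are ordinary logins.
SAMPLE_LOG = """\
2020-04-20T09:00:00Z src=203.0.113.5 user=alice result=FAIL
2020-04-20T09:00:01Z src=203.0.113.5 user=bob result=FAIL
2020-04-20T09:00:01Z src=203.0.113.5 user=carol result=OK
2020-04-20T09:00:02Z src=203.0.113.5 user=dave result=FAIL
2020-04-20T09:00:02Z src=203.0.113.5 user=erin result=FAIL
2020-04-20T09:00:03Z src=203.0.113.5 user=frank result=FAIL
2020-04-20T09:00:03Z src=203.0.113.5 user=grace result=FAIL
2020-04-20T09:00:04Z src=203.0.113.5 user=heidi result=FAIL
2020-04-20T09:05:10Z src=198.51.100.7 user=alice result=FAIL
2020-04-20T09:05:25Z src=198.51.100.7 user=alice result=OK
2020-04-20T09:07:00Z src=192.0.2.9 user=bob result=OK
"""


def parse_log(lines):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m.group("src"),
                       "user": m.group("user"), "ok": m.group("result") == "OK"})
    return events


def overall_failure_ratio(events):
    """Share of all login attempts that failed (the headline figure quoted above)."""
    if not events:
        return 0.0
    return sum(1 for e in events if not e["ok"]) / len(events)


def detect_stuffing(lines, window_s=600, min_attempts=5, min_users=4, min_fail_ratio=0.6):
    """One alert per (source, window) whose traffic looks like stuffing:
    enough attempts, many distinct usernames, mostly failures.  Successful
    logins inside that burst are listed as likely compromised accounts."""
    buckets = defaultdict(list)
    for e in parse_log(lines):
        slot = int(e["ts"].timestamp()) // window_s
        buckets[(e["src"], slot)].append(e)

    alerts = []
    for (src, slot), evs in buckets.items():
        attempts = len(evs)
        users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if not e["ok"])
        ratio = failures / attempts
        if attempts >= min_attempts and len(users) >= min_users and ratio >= min_fail_ratio:
            alerts.append({
                "src": src,
                "window_start": datetime.fromtimestamp(slot * window_s, tz=timezone.utc).isoformat(),
                "attempts": attempts,
                "distinct_users": len(users),
                "fail_ratio": round(ratio, 3),
                "compromised": sorted(e["user"] for e in evs if e["ok"]),
            })
    alerts.sort(key=lambda a: (-a["attempts"], a["src"]))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("overall failure ratio:", round(overall_failure_ratio(parse_log(lines)), 3))
    for alert in detect_stuffing(lines):
        print(alert)
```

The single legitimate user who mistypes once (alice from 198.51.100.7) never reaches the thresholds, so the analyst sees one alert naming the source, the size of the burst and the one account that was actually hit, instead of eight separate failed-login events to triage. The thresholds are deliberately simple; a real deployment would also key on distributed sources sharing a user list, which this per-source view does not catch.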

Cashing In on an ATO

Cunningly mimicking the victims’ footprints and the patterns in their account while avoiding having the security and fraud safeguards invoked in a successful credential stuffing attack, criminals amass critical account information that they can opt to consume in different ways to help achieve ATO.

They could be the sole owner of the account to impede other criminals’ accessibility by changing the victim’s credentials; ergo, locking the victim out of his own account. Nonetheless, by keeping the credentials as is, the criminal may act as the temporary co-owner of the account, while familiarizing himself with the victim via DSR exploits and preparing a reliable pretext for a strike. At the end of the nesting period, in other words, once the account is “mature” enough with proper gathered authorizations and verifications to make high-risk actions from the owner of the account, the criminal exploits this information by increasing the victims’ credit card limits or extending their credit line, taking unsecured loans and making wire transfers and ACH payments. Ironically, the nesting period brings with it the risks of being targeted by rival criminals and losing the ATO all together, along with the time and resources invested.

Last but not least is the utilization of the ATO to act as a mule account for different purposes, such as money drop to serve as a redirector/bouncing account that gets the account holder up to 20% commission. The commission charges change if the money mule is managed by a money herder to attract more drops. And of course, there is also the option in some cases to hold the account as ransom or just sell the account credentials (aka “log”) with full collected information of the victim (aka fullz).

“The bank usernames and passwords are not as important as the fullz and here is why. With a bank username and password by itself you can’t do very much, but with fullz records you can CREATE NEW bank usernames and passwords that will match whatever IP/Browser Agent you are using. So think of the fullz as the master key to fraud…With all this info you can do each transfers of 10k or more, open brand new 15,000 USD and up credit cards, open up fresh bank accounts for quick internal transfers, and way more…” — Cybercriminal explaining

ATO Pricing and Selling

Prior to monetizing an ATO, deep evaluation of the account characteristics – account balance, victim’s age, confirmed payments, victim’s financial history such as credit score and other aggregated transaction information – is conducted by the criminals to determine the overall worth of the account. 

With the development and adoption of predictive algorithms (e.g., criminal FICO), account pricing is complex and tricky because account credentials are packaged with equally complex-to-price digital doppelgangers and require proxies associated with the given account credentials. Therefore, considering the diversity of the types of accounts (loyalty and rewards, OTT, digital intangibles, financial accounts, etc) and their idiosyncratic characteristics, it is crucial for the criminals to meticulously calculate the tag price of the accounts.

Selling credentials can be done in a variety of ways. One way, which often requires a commissioned escrow service (e.g., middleman services), is transacting with a broker who provides credentials on demand or as a subscription service. The broker then provides his fellow criminal subscribers with updated credential combo lists regularly for a periodic fee. Having the escrow as an intermediary ensures not only the security of the money transfer between the criminals but also the functionality of the provided credentials. Furthermore, such escrow services also provide additional services, like sorting information dumped by stealers to fetch the relevant credentials and verifying the quality of data prior to the transactions with brokers.

Additionally, platforms like Telegram – as well as dedicated “Account Shop” marketplaces with professional customer service providing quality assurance against defective batches for a commission of 10-15% of the asking price – serve as facilitators for the criminals. Another option is selling via digital intangible storefronts (e.g., Shoppy, Selly, Deer.io) for a minimal monthly cost of $11. Some storefront platforms can even be embedded directly within highly visible surface web forums (e.g., RaidForums, Ogusers, Cracked), with very easy-to-use payment gateways and integrated crypto-wallets using privacy coins (e.g., Monero), BTC or other payment processors (e.g., PayPal and others).

“Many accounts compromised via credential stuffing will sell for as little as $3.25 USD. These accounts come with a warranty: If the credentials don’t work once sold, they can be replaced at no cost” — Akamai, 2019

Cashing Out

In order to cash out the funds deposited into their drop accounts, criminals need to be equipped with an understanding of regional and international legal, regulatory and operational measures set to combat money laundering and other related threats.

For instance, with the introduction of the PATRIOT Act, compliance with the AML/KYC regulations has been extended beyond financial institutions to standard citizens consuming financial services. It serves as the de facto counterproductive measure as the personal KYC data can be traded and used for identity theft in event of a breach.

Despite the prior existence of KYC/AML regulations, attacks on U.S. soil gave the government a pretext to implement the PATRIOT Act. Terrorism funding was the underlying reason that governments gave for tracking the trail of money moving throughout the world.

Even if criminals follow the restrictions (i.e., avoiding transactions above $10,000), they still run the risk of a suspicious activity report (SAR) that can challenge the cashing out process. However, experienced criminals, and especially organized cyber gangs, have the resources and specialists with expert understanding of payment infrastructure, and can devise a vigilant cashing out strategy to avoid any hindrances that may interfere with withdrawal.

Supplementary Services for ATOs

Having described the end-to-end process from credential stuffing to cashing out, it is worth covering some of the additional capabilities of bad bots that supplement the cybercrime business, especially when the compromised accounts are “burned”, prompting criminals to shift to “Plan B”.

Because reopening accounts and reloading their content is time-consuming, criminals need to lay the groundwork in advance in order to shift swiftly to ‘Plan B’ without raising any security flags.

Prior to opening a new account, criminals need to have the synthetic identities (aka Frankenstein IDs and ghost profiles) and digital twins backed with original data assembled in addition to the forged hard and soft documents to satisfy KYC and/or identity-proofing processes to establish the legitimacy of the pseudo account.

Even so, successful account creation is only the preliminary stage for the criminals, as subsequently they need to initiate the process of ‘aging’ the account. “Aging” an account refers to creating a sense of maturity for an active account, usually by generating false transactions and activity while mimicking human behavioral patterns to avoid being flagged for potential fraud. Such preparations usually require relatively complex automation techniques. For example, in some cases criminals will need to create accounts with other providers to obtain a new VCC (virtual credit card), or accounts at neobanks, for account validation and verification purposes. It is worth noting that there are a multitude of supplementary and complementary services (proxies, accounts, and servers), as well as facilitators providing special services, to aid criminals specifically in creating synthetic business accounts and establishing a presence (e.g., website, forms of payment, and mail drops).

The hacker who allegedly cracks PayPal accounts says that while he’s been banned “quite a few times,” he’s able to boot up his storefront with a temporary email address and a new username in “five minutes.” — Luke Winkie

In a constantly growing industry of bad bots, the scale of operations extends beyond ATOs and validity checks to providing on-demand services, sales bolstering, post review improvement services and many other types of ad-fraud (forecasted to earn $29 billion by 2021). Moreover, bad bot centers enable a solid proxy ground for account setup, management, and control of those in different platforms for mass scams like scalping and copping while creating a barricade against shutdowns.

Among the industries with a major prevalence of credential stuffing powered by bad bot services are travel, retail, entertainment, and social media. For monetization in social media, criminals strive to compromise the high-profile accounts of “legitimized” influencers, officials, celebrities and thought leaders through ‘wetware’ exploitation, in order to inflate the price of cryptocurrencies, amplify pump-and-dump stock schemes, run cognitive mind hacks and trust-trading scams, promote copycat and fake apps, or spread crafted phishing links enabling mass ATO.

An auxiliary income stream from bots for criminals can be observed in the publicly consumed on-demand service industry. With the public seeking to enhance a sense of authenticity via social proofing (including social verification and validation) of sockpuppet, impostor, cyborg and “double-switched” accounts as well as influencer accounts (a market estimated at $1.3 billion), the demand for service providers of undetectable toxic user-generated content (UGC), fabricated followers, likes, reviews, and comments is on the rise.

These activities, which originated in account control centers (i.e., troll farms and click farms utilizing physical devices and device emulators), depict the pervasiveness of bad bots as a service. Bizarrely, it even extends beyond the online world to public places, such as automated vending machines that sell Instagram and Vkontakte likes and followers (50 rubles / ±$0.9 per 100 likes).

“Facebook has been lying to the public about the scale of its problem with fake accounts, which likely exceed 50% of its network.” — PlainSite Report

“Spending 300 EUR, we bought 3,530 comments, 25,750 likes, 20,000 views, and 5,100 followers” – NATO

Cross-Account ATOs

Rising adoption by businesses of delegated authentication services (e.g., “Log in with Twitter”), intended to give users a smoother authentication experience without the hurdle of creating new registrations, also serves as a facilitator for credential stuffing. Bearing in mind the user tendency to interlink accounts across platforms (e.g., cross-platform login), once the criminal attains the ATO of one of the interlinked accounts, cross-ATO of the remaining accounts through the compromised one becomes straightforward.

This phenomenon presents a greater threat with the rising adoption of “all accounts in one place” aggregators, which use different connection methods, assistant applications, and open banking through third-party trusted companies such as Fintechs. Such companies have disparate customer data protection approaches and typically lack the stringent standards and regulations that banks are subjected to, which only widens the attack surface for criminals.

Criminals are thus presented with an open playground to conduct sophisticated, second layer credential stuffing attacks such as via a compromised account in the main superapp, which facilitates accessibility to integrated third-party service applications (e.g., in-app web-applications and mini-programs).

The increasing prevalence of everyday platforms such as gaming, social, and communication apps with integrated third-party services prompts criminals to seek novel attack techniques. In pursuit of “everything commerce”, companies’ revenue diversification strategies open new business opportunities without adopting a unified omnichannel authentication approach across all of their cross-channel logins, and in the process serve up persistent, lucrative avenues for criminals.

Finally, let us note that studies have also shown that technology advances make even smarter credential stuffing attacks possible; one of them describes a credential tweaking attack that, using deep learning techniques, achieves a 16% ATO success rate in fewer than 1000 guesses.

Conclusion and Recommendations

Having discussed the end-to-end process of automated ATO attacks in a thriving cybercrime industry, as well as the repercussions of the attacks on businesses and the public, we should consider the following measures to address the issue.

Tailored MFA

It is crucial to tailor user authentication experience as a continuous process with fit-for-purpose authentication factors to combat ATO attacks. Therefore, to provide clients with the ultimate frictionless experience throughout the user journey, we should weigh the pros and cons of different structures and how to combine the three types of MFAs in a continuous and adaptive authentication process. Optimizing the MFA structure requires a focus on prioritizing UX, while minimizing the security risks, and adopting a structure fit for the respective business flows and requirements.

It is essential to avoid copying the MFA processes of other related businesses, the imposed use of existing or common MFA solutions (e.g., biometric authentication), and default or assumption-based authentication methods. These are not only cost-ineffective but also lead to higher abandonment rates, with users struggling to pass the authentication challenges.

While bearing in mind the pitfalls of the MFA methods, when adapted vigilantly per business needs and users profiles, they can present a barrier against robotic and manual attacks; rendering robots disoriented in their attempts to adopt the authentication structure and presenting a time-consuming challenge for the attackers.

However, MFA isn’t a foolproof obstruction against automated and targeted ATO attacks, considering the sophisticated detection evasion techniques some employ. This necessitates us to adopt a proactive approach (e.g., task-driven threat hunting) and establish collaboration amongst UI/UX developers, software engineers, and pentesters.

Further, we need to adopt deception techniques (e.g., using previously used user credentials as honeytokens and/or distributing honey identities) rather than relying heavily on solutions that merely hinder non-human sessions, lockout policies, and CAPTCHA-type controls, which are overall futile endeavors and can also be counterproductive.
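As an added example (not code from the article or from any product it mentions), the honeytoken recommendation above implemented as login-side detection logic: a password that a user has rotated away from is kept hashed as a honeytoken, seeded honey identities are denied outright, and hits are correlated per source IP so that a lone stale-password mistype is not mistaken for credential stuffing. All account names, passwords and IP addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 50_000  # low for the example; production would use a memory-hard KDF

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    username: str
    salt: bytes
    current_hash: bytes
    retired_hashes: list = field(default_factory=list)  # honeytokens: hashes of old passwords
    honey_identity: bool = False  # seeded account that was never issued to a real person

class CredentialStore:
    """In-memory stand-in for a user database (constructed for the example)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create(self, username: str, password: str, honey_identity: bool = False) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash_pw(password, salt),
                                          honey_identity=honey_identity)

    def rotate(self, username: str, new_password: str) -> None:
        # The replaced password is kept (hashed) as a honeytoken: a later attempt
        # presenting it can only come from a leaked copy, never from the user.
        acct = self.accounts[username]
        acct.retired_hashes.append(acct.current_hash)
        acct.current_hash = _hash_pw(new_password, acct.salt)

@dataclass
class Verdict:
    username: str
    source_ip: str
    ok: bool
    signal: Optional[str]  # None | honey_identity | retired_credential | bad_password | unknown_user

def check_login(store: CredentialStore, username: str, password: str, source_ip: str) -> Verdict:
    acct = store.accounts.get(username)
    if acct is None:  # production code would still hash here to avoid a timing oracle
        return Verdict(username, source_ip, False, "unknown_user")
    if acct.honey_identity:
        # No legitimate owner exists, so deny regardless of password and raise the signal.
        return Verdict(username, source_ip, False, "honey_identity")
    candidate = _hash_pw(password, acct.salt)
    if hmac.compare_digest(candidate, acct.current_hash):
        return Verdict(username, source_ip, True, None)
    if any(hmac.compare_digest(candidate, old) for old in acct.retired_hashes):
        return Verdict(username, source_ip, False, "retired_credential")
    return Verdict(username, source_ip, False, "bad_password")

def stuffing_sources(verdicts: list, threshold: int = 2) -> dict:
    """Correlate deception signals per source IP.

    One retired-credential hit may be a real user mistyping an old password, so a
    source is flagged only when it trips retired credentials on `threshold` or more
    distinct accounts, or touches a honey identity at all.
    """
    per_ip: dict = defaultdict(Counter)
    seen: dict = defaultdict(set)
    for v in verdicts:
        if v.signal == "honey_identity":
            per_ip[v.source_ip]["honey_identity"] += 1
        elif v.signal == "retired_credential" and v.username not in seen[v.source_ip]:
            seen[v.source_ip].add(v.username)
            per_ip[v.source_ip]["retired_credential"] += 1
    return {ip: c for ip, c in per_ip.items()
            if c["honey_identity"] > 0 or c["retired_credential"] >= threshold}

def run_sample() -> tuple:
    """Constructed accounts and login attempts; IPs are from documentation ranges."""
    store = CredentialStore()
    store.create("alice", "Winter2018!")
    store.rotate("alice", "correct-horse-battery")  # "Winter2018!" is now a honeytoken
    store.create("bob", "Spring2019!")
    store.rotate("bob", "tr0ub4dor&3")
    store.create("carol", "n0t-reused-anywhere")
    store.create("hn.probe.01", secrets.token_urlsafe(12), honey_identity=True)
    attempts = [
        ("alice", "Winter2018!", "203.0.113.7"),              # leaked pair replayed
        ("bob", "Spring2019!", "203.0.113.7"),                # second account, same source
        ("hn.probe.01", "password1", "203.0.113.7"),          # seeded identity probed
        ("dave", "letmein", "203.0.113.7"),                   # not a user of this service
        ("alice", "correct-horse-battery", "198.51.100.22"),  # legitimate
        ("carol", "n0t-reused-anywhere", "198.51.100.22"),    # legitimate
        ("bob", "Spring2019!", "192.0.2.5"),                  # lone hit: likely a stale-password typo
    ]
    verdicts = [check_login(store, u, p, ip) for u, p, ip in attempts]
    return verdicts, stuffing_sources(verdicts)
```

Running `run_sample()` flags only 203.0.113.7 (two distinct retired credentials plus a honey identity), while the single stale-password attempt from 192.0.2.5 stays below the threshold.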

Prompting users to resort to self-service unlock procedures redundantly burdens the SecOps analysts, diverting them from what is crucial (the alert fatigue conundrum) and increasing staff overhead for the business, while also deterring users and enabling criminals.

Use the Data

The favoritism towards the controversial “assume breach” mentality, with a “when, not if” attitude to averting cyberattacks, may obscure the focus on what is crucial. We should be cognizant of the potential gaps and threats through data-driven scrutiny of our existing deployed endpoint solutions, in order to mitigate those gaps and threats effectively while avoiding decision making based solely on “gut feeling”.

In order to devise believable attack models and realistic views of our risk posture, embracing high-value threat data and intelligence-driven decision making, tailored for specific business objectives, is essential. Combined with a focused investment approach to implement enhanced interconnection across the security layers, this would enable us to acquire a bespoke understanding of what and why to prioritize, thus addressing the root causes of the threats.

User Awareness

As discussed in the article, one of the most critical catalysts of the automated ATO attacks is the users’ tendency to reuse passwords on different platform accounts. In order to increase users’ cybersecurity awareness, technology companies should strive to avoid bias in their published statements, surveys, and research reports. Implausible and deceptive statements such as “multi-factor authentication blocks 99.9% of account hacks” can be counterproductive when research and experience proves that not to be the case.

Similarly, encouraging the use of password managers, without creating awareness about the trade-offs of using them can harm adoption and confidence in the solution. Hence, it is essential to educate users how to use such technology effectively, and to emphasize the need to secure high-value accounts with sufficiently complex and unique passwords, as well as to help users adopt good security behavior like monitoring their accounts’ breach status via lookup services.


Seed investors take long view on promising enterprise startups

The job of an early-stage startup founder is challenging in good times, never mind a crash like the one we are experiencing today.

While most expect private investing to slow down, it’s clear that some investments are still happening in spite of the pandemic, if the stories we are writing on TechCrunch are any indication.

But the downturn is bound to have an impact on the types of deals that receive funding; any startup that offers a good or service requiring human interaction or installation will face an uphill battle, at least in the short term. That said, enterprise SaaS vendors, especially ones that solve hard problems, help with work-from-home or collaboration, or better yet, help increase efficiency and save money, are still very much in demand.

Nobody can do anything about the CIO who is hunkering down until things improve — but that’s not everyone. Companies might be thinking twice about where they spend money, but some are still helping drive the net-new, post-COVID-19 investments happening from seed to late stage across many sectors.

We looked at data and spoke to a couple of enterprise-focused, NYC-based seed investors to better understand their investing cadence. Nobody painted a rosy picture of today’s climate, but seed investors were never about immediate gratification, especially where enterprise startups are concerned. That means, if a seed-stage investor believes in the founders and their vision and the company can ride out today’s economic upset, there’s still money in the till — at least for now.

Seed investment generally in decline

Factorial raises $16M to take on the HR world with a platform for SMBs

A startup that’s hoping to be a contender in the very large and fragmented market of human resources software has captured the eye of a big investor out of the US and become its first investment in Spain.

Barcelona-based Factorial, which is building an all-in-one HR automation platform aimed at small and medium businesses that manages payroll, employee onboarding, time off and other human resource functions, has raised €15 ($16 million) in a Series A round of funding led by CRV, with participation also from existing investors Creandum, Point Nine and K Fund.

The money comes on the heels of Factorial — which has customers in 40 countries — seeing eightfold growth in revenues in 2019, with more than 60,000 customers now using its tools.

Jordi Romero, the CEO who co-founded the company with Pau Ramon (CTO) and Bernat Farrero (head of corporate), said in an interview that the investment will be used both to expand to new markets and add more customers, as well as to double down on tech development to bring on more features. These will include RPA integrations to further automate services, and to move into more back-office product areas such as handling expenses,

Factorial has now raised $18 million and is not disclosing its valuation, he added.

The funding is notable on a couple of levels that speak not just to the wider investing climate but also to the specific area of human resources.

In addition to being CRV’s first deal in Spain, the investment is being made at a time when the whole VC model is under a lot of pressure because of the global coronavirus pandemic — not least in Spain, which has a decent, fledgling technology scene but has been one of the hardest-hit countries in the world when it comes to COVID-19.

“It made the closing of the funding very, very stressful,” Romero said from Barcelona last week (via video conference). “We had a gentleman’s agreement [so to speak] before the virus broke out, but the money was still to be wired. Seeing the world collapse around you, with some accounts closing, and with the bigger business world in a very fragile state, was very nerve wracking.”

Ironically, it’s that fragile state that proved to be a saviour of sorts for Factorial.

“We target HR leaders and they are currently very distracted with furloughs and layoffs right now, so we turned around and focused on how we could provide the best value to them,” Romero said.

The company made its product free to use until lockdowns are eased up, and Factorial has found a new interest from businesses that had never used cloud-based services before but needed to get something quickly up and running to use while working from home. He noted that among new companies signing up to Factorial, most either previously kept all their records in local files or at best a “Dropbox folder, but nothing else.”

The company also put in place more materials and other tools specifically to address the most pressing needs those HR people might have right now, such as guidance on how to implement furloughs and layoffs, best practices for communication policies and more. “We had to get creative,” Romero said.

At $16 million, this is at the larger end of Series A rounds as of January 2020, and while it’s definitely not as big as some of the outsized deals we’ve seen out of the US, it happens to be the biggest funding round so far this year in Spain.

Its rise feels unlikely for another reason, too: it comes at a time when we already have dozens (maybe even hundreds) of human resources software businesses, with many an established name — they include PeopleHR, Workday, Infor, ADP, Zenefits, Gusto, IBM, Oracle, SAP, Rippling, and many others — in a market that analysts project will be worth $38.17 billion by 2027 growing at a CAGR of over 11%.

But as is often the case in tech, status quo breeds disruption, and that’s the case here. Factorial’s approach has been to build HR tools specifically for people who are not HR professionals per se: companies that are small enough not to have specialists, or if they do, they share a lot of the tasks and work with other managers who are not in HR first and foremost.

It’s a formula that Romero said could potentially see the company taking on bigger customers, but for now, investors like it for having built a platform approach for the huge but often under-served SME market.

“Factorial was built for the users, designed for the modern web and workplace,” said Reid Christian, General Partner at CRV, in a statement. “Historically the HR software market has been one of the most lucrative categories for enterprise tech companies, and today, the HR stack looks much different. As we enter the third generation of cloud HR products, with countless point solutions, there’s a strong need for an underlying platform to integrate work across these.”

The Good, the Bad and the Ugly in Cybersecurity – Week 17

The Good

User education is possibly one of the most powerful tools in the world of breach prevention or attack evasion, particularly when it comes to phishing attempts and the like. The more confident and aware users are in regard to their cyber hygiene, the better off they are generally speaking. This week GCHQ and The National Cyber Security Centre (NCSC) joined forces and established a new user-awareness campaign dubbed ‘SERS’, the Suspicious Email Reporting Service. This is part of a broader ‘Cyber Aware’ campaign to arm the public with better email security guidance in the light of a rapid increase in scams since the Coronavirus outbreak. The new service, a joint effort with the City of London Police, enables the public to directly submit suspicious and potentially malicious emails to report@phishing.gov.uk. When users submit messages to SERS, the validity of various aspects of the message are interrogated and validated. Domains and hosts of the sender, for example, are tested for validity and any sites found to be phishing scams will be removed immediately. In one day of operation, over 5000 reports were sent in and 83 online phishing campaigns were shut down as a result. Nice work!

On another positive note this week, the results for the latest round of MITRE ATT&CK evaluation were released. MITRE’s focus for Round 2 was “APT29” and the tactics, techniques and procedures relevant to this notorious Russian-backed threat actor. This year we are proud to highlight SentinelOne’s leading results for the round. SentinelOne achieved the lowest number of overall missed detections, as well as reaching the highest number of combined high-quality detections with the highest levels of correlation. That being said, we applaud and congratulate all of the participants that tested alongside SentinelOne. We are all working together toward the greater good of a more secure world.

The Bad

Researchers claim to have found critical vulnerabilities within Apple’s Mail app on iOS this week. The remote code-execution vulnerability appears to have been present in the OS since 2012, iOS 6 being current at the time. It is reported that the flaw specifically affects iOS 6 through iOS 13.4.1. This flaw is especially critical due to the complete lack of user input required. Typical email-borne threats at least require the target to open the message, click a link, or open an attachment. In this case, Mail.app need only receive a maliciously crafted message to invoke the exploitable conditions. The flaw is due to a pair of heap-overflow and out-of-bounds write conditions that can be invoked by an attacker whilst composing the weaponized message.

The discovering party (ZecOps) also reports that they are aware of attackers attempting to exploit this vulnerability in the wild. However, Apple have contradicted that claim, stating that they “have found no evidence they were used against customers”. The issues have apparently already been addressed in a beta build of a forthcoming iOS update. Other email clients on the platform such as Chrome or Outlook are not affected and offer a potential workaround for concerned users in the meantime.

The Ugly

This week the Maze Crew (actors behind the Maze ransomware) set their sights on global MSP and consulting firm Cognizant. APT groups and highly-sophisticated cybercrime operators alike have been targeting MSPs as they are considered high-value targets. MSPs (Managed Service Providers) typically manage and host massive amounts of network environments and users. Attackers focused on MSPs potentially have the ability to disrupt the operations of all entities under the MSP’s scope or control.

That aspect of the attack alone is cause for alarm. However, this being a Maze attack adds yet another possible consequence to the compromise. Maze, like many other malware families of late, also steals data from targeted environments. They increase impact by threatening to publicly release the data pilfered from their victims. Having to consider any modern ransomware attack as essentially a full-scale breach is a scenario that more and more enterprises are facing these days. Maze alone has publicly posted data belonging to approximately 100 of their victims. Other ransomware families like DoppelPaymer and Sodin / REvil are not far behind. More recently, families like Ragnar and Netphilim have been actively posting victim data and threats as well.

These attacks are currently on the rise, and the threat of leaking sensitive information is far from empty. Taking the time to understand your exposure, adjusting your security posture, and adopting necessary measures to mitigate risk is critical. Knowledge and powerful technological controls together go a long way to reduce our exposure to data-robbing cybercriminals. 


Unproven Coronavirus Therapy Proves Cash Cow for Shadow Pharmacies

Many of the same shadowy organizations that pay people to promote male erectile dysfunction drugs via spam and hacked websites recently have enjoyed a surge in demand for medicines used to fight malaria, lupus and arthritis, thanks largely to unfounded suggestions that these therapies can help combat the COVID-19 pandemic.

A review of the sales figures from some of the top pharmacy affiliate programs suggests sales of drugs containing hydroxychloroquine rivaled that of their primary product — generic Viagra and Cialis — and that this as-yet-unproven Coronavirus treatment accounted for as much as 25 to 30 percent of all sales over the past month.

A Google Trends graph depicting the incidence of Web searches for “chloroquine” over the past 90 days.

KrebsOnSecurity reviewed a number of the most popular online pharmacy enterprises, in part by turning to some of the same accounts at these invite-only affiliate programs I relied upon for researching my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.

Many of these affiliate programs — going by names such as EvaPharmacy, Rx-Partners and Mailien/Alientarget — have been around for more than a decade, and were major, early catalysts for the creation of large-scale botnets and malicious software designed to enslave computers for the sending of junk email.

Their products do not require a prescription, are largely sourced directly from pharmaceutical production facilities in India and China, and are shipped via international parcel post to customers around the world.

In mid-March, two influential figures — President Trump and Tesla CEO Elon Musk — began suggesting that hydroxychloroquine should be more strongly considered as a treatment for COVID-19.

The pharmacy affiliate programs immediately took notice of a major moneymaking opportunity, noting that keyword searches for terms related to chloroquine suddenly were many times more popular than for the other mainstays of their business.

“Everyone is hysterical,” wrote one member of the Russian language affiliate forum gofuckbiz[.]com on Mar. 17. “Time to make extra money. Do any [pharmacy affiliate] programs sell drugs for Coronavirus or flu?”

The larger affiliate programs quickly pounced on the opportunity, which turned out to be a major — albeit short-lived — moneymaker. Below is a screenshot of the overall product sales statistics for the previous 30 days from all affiliates of PharmCash. As we can see, Aralen — a chloroquine drug used to treat and prevent malaria — was the third biggest seller behind Viagra and Cialis.

Recent 30-day sales figures from the pharmacy affiliate program PharmCash.

In mid-March, the affiliate program Rx-Partners saw a huge spike in demand for Aralen and other drugs containing chloroquine phosphate, and began encouraging affiliates to promote a new set of product teasers targeting people anxiously seeking remedies for COVID-19.

Their main promotion page — still online at about-coronavirus2019[.]com — touts the potential of Aralen, generic hydroxychloroquine, and generic Kaletra/Lopinavir, a drug used to treat HIV/AIDS.

An ad promoting various unproven remedies for COVID-19, from the pharmacy affiliate program Rx-Partners.

On Mar. 18, a manager for Rx-Partners said that like PharmCash, drugs which included chloroquine phosphate had already risen to the top of sales for non-erectile dysfunction drugs across the program.

But the boost in sales from the global chloroquine frenzy would be short-lived. Demand for chloroquine phosphate became so acute worldwide that India — the world’s largest producer of hydroxychloroquine — announced it would ban exports of the drug. On Mar. 25, India also began shutting down its major international shipping ports, leaving the pharmacy affiliate programs scrambling to source their products from other countries.

A Mar. 31 message to affiliates working with the Union Pharm program, noting that supplies of Aralen had dried up due to the shipping closures in India.

India recently said it would resume exports of the drug, and judging from recent posts at the aforementioned affiliate site gofuckbiz[.]com, denizens of various pharmacy affiliate programs are anxiously awaiting news of exactly when shipments of chloroquine drugs will continue.

“As soon as India opens and starts mail, then we will start everything, so get ready,” wrote one of Rx-Partners’ senior recruiters. “I am sure that there will still be demand for pills.”

Global demand for these pills, combined with India’s recent ban on exports, have conspired to create shortages of the drug for patients who rely on it to treat chronic autoimmune diseases, including lupus and rheumatoid arthritis.

While hydroxychloroquine has long been considered a relatively safe drug, some people have been so anxious to secure their own stash of the drug that they’ve turned to unorthodox sources.

On March 19, Fox News ran a story about how demand for hydroxychloroquine had driven up prices on eBay for bottles of chloroquine phosphate designed for removing parasites from fish tanks. A week later, an Arizona man died and his wife was hospitalized after the couple ingested one such fish tank product in hopes of girding their immune systems against the Coronavirus.

Despite many claims that hydroxychloroquine can be effective at fighting COVID-19, there is little real data showing how it benefits patients stricken with the disease. The largest test of the drug’s efficacy against Coronavirus showed no benefit in a large analysis of its use in U.S. veterans hospitals. On the contrary, there were more deaths among those given hydroxychloroquine versus standard care, researchers reported.

In an advisory released today, the U.S. Food and Drug Administration (FDA) cautioned against use of hydroxychloroquine or chloroquine for COVID-19 outside of the hospital setting or a clinical trial due to risk of heart rhythm problems.

Miro lands $50M Series B for digital whiteboard as demand surges

Miro is a company in the right place at the right time. The makers of a digital whiteboard are seeing usage surge right now as businesses move from the workplace and physical whiteboards. Today, the company announced a hefty $50 million Series B.

Iconiq Capital led the round with help from Accel and a slew of individual investors. Today’s investment brings the total raised to around $75 million, according to the company. Among the company’s angel investors was basketball star Steph Curry.

What’s attracting this level of investment is that this is a product made for a moment when workers are forced to stay home. One of the primary complaints about working at home is the inability to sit in the same room with colleagues and brainstorm around a whiteboard. This reproduces that to an extent.

What’s more, Miro isn’t simply a lightweight add-in like you might find built into a collaboration tool like Zoom or Microsoft Teams; it’s more of a platform play designed to integrate with many different enterprise tools, much like Slack does for communications.

Miro co-founder and CEO Andrey Khusid said the company planned the platform idea from its earliest days. “The concept from day one was building something for real-time collaboration and the platform thing is very important because we expect that people will build on top of our product,” Khusid told TechCrunch.


That means that people can build integrations to other common tools and customize the base tool to meet the needs of an individual team or organization. It’s an approach that seems to be working as the company reports it’s profitable with more than 21,000 customers including 80% of the Fortune 100. Customers include Netflix, Salesforce, PwC, Spotify, Expedia and Deloitte.

Khusid says usage has been skyrocketing among both business and educational customers as the pandemic has forced millions of people to work at home. He says that has been a challenge for his engineering team to keep up with the demand, but one that the company has been able to meet to this point.

The startup just passed the 300 employee mark this week, and it will continue to hire with this new influx of money. Khusid expects to have another 150 employees before the end of the year to keep up with increasing demand for the product.

“We understand that we need to come out strong from this situation. The company is growing much faster than we expected, so we need to have a very strong team to maintain the growth at the same pace after the crisis ends.”

Stripe adds card issuing, localized card networks and expanded approvals tool

At a time when more transactions than ever are happening online, payments behemoth Stripe is announcing three new features to continue expanding its reach.

The company today announced that it will now offer card issuing services directly to businesses to let them in turn make credit cards for customers tailored to specific purposes. Alongside that, it’s going to expand the number of accepted local, large card networks to cut down some of the steps it takes to make transactions in international markets. And finally, it’s launching a “revenue optimization” feature that essentially will use Stripe’s AI algorithms to reassess and approve more flagged transactions that might have otherwise been rejected in the past.

Together the three features underscore how Stripe is continuing to scale up with more services around its core payment processing APIs, a significant step in the wake of last week’s announcement of its biggest fundraise to date: $600 million at a $36 billion valuation.

The rollouts of the new products are specifically coming at a time when Stripe has seen a big boost in usage among some (but not all) of its customers, said John Collison, Stripe’s co-founder and president, in an interview. Instacart, which is providing grocery delivery at a time when many are living under stay-at-home orders, has seen transactions up by 300% in recent weeks. Another newer customer, Zoom, is also seeing business boom. Amazon, Stripe’s behemoth customer that Collison would not discuss in any specific terms except to confirm it’s a close partner, is also seeing extremely heavy usage.

But other Stripe users — for example, many of its sea of small business users — are seeing huge pressures, while still others, faced with no physical business, are just starting to approach e-commerce in earnest for the first time. Stripe’s idea is that the launches today can help it address all of these scenarios.

“What we’re seeing in the COVID-19 world is that the impact is not minor,” said Collison. “Online has always been steadily taking a share from offline, but now many [projected] years of that migration are happening in the space of a few weeks.”

Stripe is among those companies that have been very mum about when they might go public, a state of affairs that has only become more entrenched recently, given how the IPO market has all but dried up in the midst of a pandemic and economic slump. That has meant very little transparency about how Stripe is run, whether it’s profitable and how much revenue it makes.

But Stripe did note last week that it had some $2 billion in cash and cash reserves, which at least speaks to a level of financial stability. And another hint of efficiency might be gleaned from today’s product news.

While these three new services don’t necessarily sound like they are connected to each other, what they have underpinning them is that they are all building on top of tech and services that Stripe has previously rolled out. This speaks to how, even as the company now handles some 250 million API requests daily, it’s keeping some lean practices in place in terms of how it invests and maximises engineering and business development resources.

The card issuing service, for example, is built on a card service that Stripe launched last year. Originally aimed at businesses to provide their employees with credit cards — for example to better manage their own work-related expenses, or to make transactions on behalf of the business — now businesses can use the card issuing platform to build out aspects of their own customer-facing services.

For example, Stripe noted that the first customer, Zipcar, will now be placing credit cards in each of its vehicles, which drivers can use to fuel up the vehicles (that is, the cards can only be used to buy gas). Another example Collison gave for how these could be implemented would be in a food delivery service, say a Postmates delivery person using the card to pay for the meal that a customer has already paid Postmates to pick up and deliver to them.

Collison noted that while other startups like Marqeta have built big businesses around innovative card issuing services, “this is the first time it’s being issued on a self-serving basis,” meaning companies that want to use these cards can now set this up more quickly as a “programmatic card” experience, akin to self-serve, programmatic ads online.

It seems also to be good news for investors. “Stripe Issuing is a big step forward,” said Alex Rampell, general partner at Andreessen Horowitz, in a statement. “Not just for the millions of businesses running on Stripe, but for credit cards as a fundamental technology. Businesses can now use an API to create and issue cards exactly when and where they need them, and they can do it in a few clicks, not a few months. As investors, we’re excited by all the potential new companies and business models that will emerge as a result.”

Meanwhile, the revenue “optimization” engine that Stripe is rolling out is built on the same machine learning algorithms that it originally built for Radar, its fraud prevention tool that launched in 2016 and was extended to larger enterprises in 2018. This makes a lot of sense, since oftentimes the reason transactions get rejected is because of the suspicion of fraud. Why it’s taken four years to extend that to improve how transactions are approved or rejected is not entirely clear, but Stripe estimates that it could enable a further $2.5 billion in transactions annually.

One reason why the revenue optimization may have taken some time to roll out was because while Stripe offers a very seamless, simple API for users, it’s doing a lot of complex work behind the scenes knitting together a lot of very fragmented payment flows between card issuers, banks, businesses, customers and more in order to make transactions possible.

The third product announcement speaks to how Stripe is simplifying a bit more of that. Now, it’s able to provide direct links into six big card networks (Visa, Mastercard, American Express, Discover, JCB and China Union Pay), which effectively cover the major card networks in North and Latin America, Southeast Asia and Europe. Previously, Stripe would have had to work with third parties to integrate acceptance of all of these networks in different regions, which would have cut into Stripe’s own margins and also given it less flexibility in terms of how it could handle the transaction data.

Launching the revenue optimization by being able to apply machine learning to the transaction data is one example of where and how it might be able to apply more innovative processes from now on.

While Stripe is mainly focused today on how to serve its wider customer base and to just help business continue to keep running, Collison noted that the COVID-19 pandemic has had a measurable impact on Stripe beyond just boosts in business for some of its customers.

The whole company has been working remotely for weeks, including its development team, making for challenging times in building and rolling out services.

And Stripe, along with others, is also in the early stages of piloting how it will play a role in issuing small business loans as part of the CARES Act, he said.

In addition to that, he noted that there has been an emergence of more medical and telehealth services using Stripe for payments.

Before now, many of those use cases had been blocked by the banks, he said, for reasons of the industries themselves being strictly regulated in terms of what kind of data could get passed across networks and the sensitive nature of the businesses themselves. He said that a lot of that has started to get unblocked in the current climate, and “the growth of telemedicine has been off the charts.”

When in Doubt: Hang Up, Look Up, & Call Back

Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.

Today’s lesson in how not to get scammed comes from “Mitch,” the pseudonym I picked for a reader in California who shared his harrowing tale on condition of anonymity. Mitch is a veteran of the tech industry — having worked in security for several years at a fairly major cloud-based service — so he’s understandably embarrassed that he got taken in by this confidence scheme.

On Friday, April 17, Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card.

But Mitch knew enough of scams to understand that fraudsters can and often do spoof phone numbers. So while still on the phone with the caller, he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines in Florida.

If the caller had been a fraudster, he reasoned at the time, they would have asked for personal information. But the nice lady on the phone didn’t ask Mitch for any personal details. Instead, she calmly assured him the bank would reverse the fraudulent charges and said they’d be sending him a new debit card via express mail. After making sure the representative knew which transactions were not his, Mitch thanked the woman for notifying him, and hung up.

The following day, Mitch received another call about suspected fraud on his bank account. Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.

“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”

Mitch said his financial institution has in the past verified his identity over the phone by sending him a one-time code to the cell phone number on file for his account, and then asking him to read back that code. After he hung up with the customer service rep he’d phoned, the person on the original call said the bank would be sending him a one-time code to validate his identity.

Now confident he was speaking with a representative from his bank and not some fraudster, Mitch read back the code that appeared via text message shortly thereafter. After more assurances that any additional phony charges would be credited to his account and that he’d be receiving a new card soon, Mitch was annoyed but otherwise satisfied. He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity.

That is, until the following Monday, when Mitch once again logged in and saw that a $9,800 outgoing wire transfer had been posted to his account. At that point, it dawned on Mitch that both the Friday and Saturday calls he received had likely been from scammers — not from his bank.

Another call to his financial institution and some escalation to its fraud department confirmed that suspicion: The investigator said another man had called in on Saturday posing as Mitch, had provided a one-time code the bank texted to the phone number on file for Mitch’s account — the same code the real Mitch had been tricked into giving up — and then initiated an outgoing wire transfer.
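To make the mechanics of that relay concrete, here is an added Python model of the Saturday exchange. It is not code from this article or from any bank; the account name, phone number and six-digit code format are constructed for the example. Fraudster A is on the line with the bank posing as Mitch, fraudster B is on the line with Mitch posing as the bank, and the bank's only identity check is whether the caller can read back the code it just texted to the number on file:

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

# A texted code is six digits in this model (an assumption, not the bank's real format).
CODE_RE = re.compile(r"\b(\d{6})\b")


@dataclass
class Bank:
    """The bank, plus the SMS carrier it texts through."""
    phone_on_file: dict[str, str]                                # account -> mobile number
    inboxes: dict[str, list[str]] = field(default_factory=dict)  # number -> texts received
    pending: dict[str, str] = field(default_factory=dict)        # account -> live code
    ledger: list[str] = field(default_factory=list)              # completed transactions

    def text(self, number: str, body: str) -> None:
        self.inboxes.setdefault(number, []).append(body)

    def send_code(self, account: str) -> None:
        """Text a fresh one-time code to the number on file. The bank does not
        know, and cannot know, which of the people on its phone lines will
        eventually read it back."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = code
        self.text(self.phone_on_file[account], f"Your one-time code is {code}.")

    def wire(self, account: str, amount: int, dest: str, code_from_caller: str) -> bool:
        """Approve the wire if the caller reads back the live code. This is the
        entire identity check, so it passes for a relayed code too."""
        expected = self.pending.pop(account, None)   # a code is good for one use
        ok = expected is not None and secrets.compare_digest(expected, code_from_caller)
        if ok:
            self.ledger.append(f"WIRE ${amount} {account} -> {dest}")
        return ok


# A customer is modelled as a policy: given the text just received and whether
# the person asking for it called in or was called, do they read the code back?
CustomerPolicy = Callable[[str, bool], Optional[str]]


def naive_customer(latest_text: str, call_is_inbound: bool) -> Optional[str]:
    """Reads the code back to whoever asked for it, as Mitch did on Saturday."""
    m = CODE_RE.search(latest_text)
    return m.group(1) if m else None


def careful_customer(latest_text: str, call_is_inbound: bool) -> Optional[str]:
    """Never validates an inbound caller: hang up, look up the number on the
    card or the bank's website, call back, and only then read a code back."""
    if call_is_inbound:
        return None
    return naive_customer(latest_text, call_is_inbound)


def relay_attack(bank: Bank, account: str, victim: CustomerPolicy,
                 amount: int = 9800, dest: str = "online-only acct in victim's name") -> bool:
    """Two fraudsters, two calls. A poses as the customer to the bank; B poses
    as the bank to the customer. Returns True if the wire goes through."""
    # A asks the bank to wire money; the bank texts the real customer's phone.
    bank.send_code(account)
    # B, already on the line with the customer, says "we're sending you a code
    # to validate your identity" and asks for it. To the customer this is an
    # inbound call from someone claiming to be the bank.
    latest = bank.inboxes[bank.phone_on_file[account]][-1]
    relayed = victim(latest, call_is_inbound=True)
    if relayed is None:
        return False      # customer would not read it back; A has nothing to say
    # A reads the relayed code to the bank's rep. The bank sees a caller who
    # "has the phone on file" and approves the wire.
    return bank.wire(account, amount, dest, relayed)


def legitimate_wire(bank: Bank, account: str, customer: CustomerPolicy,
                    amount: int = 500, dest: str = "landlord") -> bool:
    """The same check on a call the customer placed: the careful policy still
    works here, so the rule costs nothing in the honest case."""
    bank.send_code(account)
    latest = bank.inboxes[bank.phone_on_file[account]][-1]
    code = customer(latest, call_is_inbound=False)
    return code is not None and bank.wire(account, amount, dest, code)


def demo() -> dict[str, bool]:
    """Run the relay against both policies, and the honest flow for the careful one."""
    results = {}
    for label, policy, scenario in (
        ("naive_relay", naive_customer, relay_attack),
        ("careful_relay", careful_customer, relay_attack),
        ("careful_legit", careful_customer, legitimate_wire),
    ):
        bank = Bank(phone_on_file={"mitch": "+1-555-0100"})   # constructed account data
        results[label] = scenario(bank, "mitch", policy)
    return results


if __name__ == "__main__":
    print(demo())
```

The bank's `wire` method takes the same path for the genuine customer and for the relayed code, which is the whole point: a one-time code texted to the phone on file proves that whoever is on the line is talking to someone who holds that phone, not that they are that person. The only check in this model that stops the fraud is the customer's, and it is the rule from the top of this post: a code gets read back only on a call the customer placed.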

It appears the initial call on Friday was to make him think his bank was aware of and responding to active fraud against his account, when in fact the bank was not yet aware of it. The Friday call also helped set up the bigger heist the following day.

Mitch said he and his bank now believe that at some point his debit card and PIN were stolen, most likely by a skimming device planted at a compromised point-of-sale terminal, gas pump or ATM he’d used in the past few weeks. Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch’s help.

To make matters worse, the fraud investigator said the $9,800 wire transfer had been sent to an account at an online-only bank that also was in Mitch’s name. Mitch said he didn’t open that account, but that this may have helped the fraudsters sidestep any fraud flags for the unauthorized wire transfer, since from the bank’s perspective Mitch was merely wiring money to another one of his accounts. Now, he’s facing the arduous task of getting identity theft (new account fraud) cleaned up at the online-only bank.

Mitch said that in retrospect, there were several oddities that should have been additional red flags. For one thing, on his outbound call to the bank on Saturday while he had the fraudsters on hold, the customer service rep asked if he was visiting family in Florida.

Mitch replied that no, he didn’t have any family members living there. But when he spoke with the bank’s fraud department the following Monday, the investigator said the fraudsters posing as Mitch had succeeded in adding a phony “travel notice” to his account — essentially notifying the bank that he was traveling to Florida and that it should disregard any geographic-based fraud alerts created by card-present transactions in that region. That would explain why his bank didn’t see anything strange about their California customer suddenly using his card in Florida.

Also, when the fake customer support rep called him, she stumbled a bit when Mitch turned the tables on her. As part of her phony customer verification script, she asked Mitch to state his physical address.

“I told her, ‘You tell me,’ and she read me the address of the house I grew up in,” Mitch recalled. “So she was going through some public records she’d found, apparently, because they knew my previous employers and addresses. And she said, ‘Sir, I’m in a call center and there’s cameras over my head. I’m just doing my job.’ I just figured she was just new or shitty at her job, but who knows maybe she was telling the truth. Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.’”

Mitch’s bank managed to reverse the unauthorized wire transfer before it could complete, and they’ve since put all the stolen funds back into his account and issued a new card. But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.

What else could have made it more difficult for fraudsters to get one over on Mitch? He could have enabled mobile alerts to receive text messages anytime a new transaction posts to his account. Barring that, he could have kept a closer eye on his bank account balance.

If Mitch had previously placed a security freeze on his credit file with the three major consumer credit bureaus, the fraudsters likely would not have been able to open a new online checking account in his name with which to receive the $9,800 wire transfer (although they might have still been able to wire the money to another account they controlled).

As Mitch’s experience shows, many security-conscious people tend to focus on protecting their online selves, while perhaps discounting the threat from less technically sophisticated phone-based scams. In this case, Mitch and his bank determined that his assailants never once tried to log in to his account online.

“What’s interesting here is the entirety of the fraud was completed over the phone, and at no time did the scammers compromise my account online,” Mitch said. “I absolutely should have hung up and initiated the call myself. And as a security professional, that’s part of the shame that I will bear for a long time.”

Further reading:

Voice Phishing Scams are Getting More Clever
Why Phone Numbers Stink as Identity Proof
Apple Phone Phishing Scams Getting Better
SMS Phishing + Cardless ATM = Profit