The Good, the Bad and the Ugly in Cybersecurity – Week 30

The Good

This week, two high-profile Chinese nationals were charged in relation to a series of large-scale cyber attacks. The unsealed, 11-count indictment alleges that the two individuals (Dong Jiazhi & Li Xiaoyu) participated in intrusions into, and theft from, numerous companies spanning the globe, all at the direction of the Chinese government.

It is reported that the actors did not act exclusively for Chinese government entities, but carried out attacks both for the GSSD (Guangdong State Security Department) and MSS (Ministry of State Security) and for their own personal profit. While the alleged activities span many years, some of the more recent attacks include the intrusion of U.S.-based companies researching possible treatments and vaccines for COVID-19.

The two individuals are also alleged to have provided the MSS with valuable information pilfered from the victims of their attacks. This includes “personal data, such as the passwords for personal email accounts belonging to individual Chinese dissidents”. According to the indictment, the TTPs involved covered the spectrum of common TTPs that we see in modern attacks. A potent combination of commercial off-the-shelf (COTS) tools, LOTLbins, and more specialized tools such as China Chopper web shell were used. At times, the indictment almost reads like an IR engagement report.

This indictment is a huge victory for law enforcement and the defense industry in general. The more light that can be shed on these activities the better. It also helps the public gain a better understanding of some of the TTPs most commonly utilized by actors of this ilk. Kudos to those involved with the investigations. We encourage all to read through the Department of Justice’s press release and indictment.

The Bad

It has been another busy week for state-sponsored (malicious) activity out of North Korea. Details have emerged around a new multiplatform and multi-purpose framework referred to as MATA. Named for the supporting infrastructure (MataNet), the toolset consists of multiple components. The primary components of the MATA framework are the Loader, Orchestrator, and an assortment of Plug-ins. Possibly the most interesting aspect of this framework is the support for multiple platforms. Researchers at Netlab reported the Linux version of MATA in December 2019 (then referring to the tool as Dacls). At the time, it was considered to be a self-contained RAT with fairly robust support for plug-ins. In April 2020, a macOS port of the Linux Dacls tool was discovered on VirusTotal.

The MATA framework has been linked to the North Korean APT group Lazarus through filenames and metadata contained within the orchestrator components, some of which have only been seen in other tools tied to the Lazarus group. There also appears to be some overlap between the infrastructure used by the MATA framework and that of other tools directly tied to Lazarus. The discovery of just how broad and far-reaching the MATA framework is should be seen as par for the course with regard to the modus operandi of the Lazarus group.

The Ugly

Unfortunately, it is difficult to go a week, or even a day, without news of a high-profile ransomware attack.

While details are still coming in regarding a suspected WastedLocker attack on device manufacturer Garmin, another high-profile ransomware attack this week targeted Telecom Argentina, one of the largest ISPs in the region. The attack, reportedly involving REvil ransomware, impacted multiple customer-facing services. However, the company indicated that its landline and primary internet services were not impacted.

According to current reports, the initial payload was delivered via phishing email opened by an employee. Once a foothold had been achieved, the attackers were able to take over administrative accounts, move laterally, and ultimately disrupt any host they could reach with the ransomware payload.

At the time of this writing, Telecom Argentina has continued to refuse to pay the reported $7.5 million ransom. Adding further complication, REvil is one of many ransomware families whose operators publish victim data in the event of “non-compliance”.

While Telecom Argentina does not currently appear on the blog maintained by the actors behind REvil, only time will tell if the company ends up finding its data up for auction by these aggressive thieves.



Thinking of a Cybersecurity Career? Read This

Thousands of people graduate from colleges and universities each year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills. Here’s a look at a recent survey that identified some of the bigger skills gaps, and some thoughts about how those seeking a career in these fields can better stand out from the crowd.

Virtually every week KrebsOnSecurity receives at least one email from someone seeking advice on how to break into cybersecurity as a career. In most cases, the aspirants ask which certifications they should seek, or what specialization in computer security might hold the brightest future.

Rarely am I asked which practical skills they should seek to make themselves more appealing candidates for a future job. And while I always preface any response with the caveat that I don’t hold any computer-related certifications or degrees myself, I do speak with C-level executives in cybersecurity and recruiters on a regular basis and frequently ask them for their impressions of today’s cybersecurity job candidates.

A common theme in these C-level executive responses is that a great many candidates simply lack hands-on experience with the more practical concerns of operating, maintaining and defending the information systems which drive their businesses.

Granted, most people who have just graduated with a degree lack practical experience. But happily, a somewhat unique aspect of cybersecurity is that one can gain a fair degree of mastery of hands-on skills and foundational knowledge through self-directed study and old fashioned trial-and-error.

One key piece of advice I nearly always include in my response to readers involves learning the core components of how computers and other devices communicate with one another. I say this because a mastery of networking is a fundamental skill that so many other areas of learning build upon. Trying to get a job in security without a deep understanding of how data packets work is a bit like trying to become a chemical engineer without first mastering the periodic table of elements.

But please don’t take my word for it. The SANS Institute, a Bethesda, Md.-based security research and training firm, recently conducted a survey of more than 500 cybersecurity practitioners at 284 different companies in an effort to suss out which skills they find most useful in job candidates, and which are most frequently lacking.

The survey asked respondents to rank various skills from “critical” to “not needed.” Fully 85 percent ranked networking as a critical or “very important” skill, followed by a mastery of the Linux operating system (77 percent), Windows (73 percent), common exploitation techniques (73 percent), computer architectures and virtualization (67 percent) and data and cryptography (58 percent). Perhaps surprisingly, only 39 percent ranked programming as a critical or very important skill (I’ll come back to this in a moment).

How did the cybersecurity practitioners surveyed grade their pool of potential job candidates on these critical and very important skills? The results may be eye-opening:

“Employers report that student cybersecurity preparation is largely inadequate and are frustrated that they have to spend months searching before they find qualified entry-level employees if any can be found,” said Alan Paller, director of research at the SANS Institute. “We hypothesized that the beginning of a pathway toward resolving those challenges and helping close the cybersecurity skills gap would be to isolate the capabilities that employers expected but did not find in cybersecurity graduates.”

The truth is, some of the smartest, most insightful and talented computer security professionals I know today don’t have any computer-related certifications under their belts. In fact, many of them never even went to college or completed a university-level degree program.

Rather, they got into security because they were passionately and intensely curious about the subject, and that curiosity led them to learn as much as they could — mainly by reading, doing, and making mistakes (lots of them).

I mention this not to dissuade readers from pursuing degrees or certifications in the field (which may be a basic requirement for many corporate HR departments) but to emphasize that these should not be viewed as some kind of golden ticket to a rewarding, stable and relatively high-paying career.

More to the point, without a mastery of one or more of the above-mentioned skills, you simply will not be a terribly appealing or outstanding job candidate when the time comes.

BUT... HOW?

So what should you focus on, and what’s the best way to get started? First, understand that while there are a near infinite number of ways to acquire knowledge and virtually no limit to the depths you can explore, getting your hands dirty is the fastest way to learning.

No, I’m not talking about breaking into someone’s network, or hacking some poor website. Please don’t do that without permission. If you must target third-party services and sites, stick to those that offer recognition and/or incentives for doing so through bug bounty programs, and then make sure you respect the boundaries of those programs.

Besides, almost anything you want to learn by doing can be replicated locally. Hoping to master common vulnerability and exploitation techniques? There are innumerable free resources available: purpose-built exploitation toolkits like Metasploit and WebGoat, and custom Linux distributions like Kali Linux, all well supported by tutorials and videos online. Then there are a number of free reconnaissance and vulnerability discovery tools like Nmap, Nessus, OpenVAS and Nikto. This is by no means a complete list.

Set up your own hacking labs. You can do this with a spare computer or server, or with older hardware that is plentiful and cheap on places like eBay or Craigslist. Free virtualization tools like VirtualBox can make it simple to get friendly with different operating systems without the need of additional hardware.

Or look into paying someone else to set up a virtual server that you can poke at. Amazon’s EC2 services are a good low-cost option here. If it’s web application testing you wish to learn, you can install any number of web services on computers within your own local network, such as older versions of WordPress, Joomla or shopping cart systems like Magento.

Want to learn networking? Start by getting a decent book on TCP/IP and really learning the network stack and how each layer interacts with the other.

And while you’re absorbing this information, learn to use some tools that can help put your newfound knowledge into practical application. For example, familiarize yourself with Wireshark and Tcpdump, handy tools relied upon by network administrators to troubleshoot network and security problems and to understand how network applications work (or don’t). Begin by inspecting your own network traffic, web browsing and everyday computer usage. Try to understand what applications on your computer are doing by looking at what data they are sending and receiving, how, and where.

ON PROGRAMMING

While being able to program in languages like Go, Java, Perl, Python, C or Ruby may or may not be at the top of the list of skills demanded by employers, having one or more languages in your skillset is not only going to make you a more attractive hire, it will also make it easier to grow your knowledge and venture into deeper levels of mastery.

It is also likely that depending on which specialization of security you end up pursuing, at some point you will find your ability to expand that knowledge is somewhat limited without understanding how to code.

For those intimidated by the idea of learning a programming language, start by getting familiar with basic command line tools on Linux. Just learning to write basic scripts that automate specific manual tasks can be a wonderful stepping stone. What’s more, a mastery of creating shell scripts will pay handsome dividends for the duration of your career in almost any technical role involving computers (regardless of whether you learn a specific coding language).
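As an added example of the kind of "basic script that automates a manual task" the paragraph above recommends (this is not code from the article or from KrebsOnSecurity), here is a POSIX shell script that checks a directory tree for files any user on the system can modify, a routine permissions-hygiene review that is tedious by hand. The sample tree it scans is constructed by the script itself in a temporary directory, so it runs anywhere `find`, `mktemp` and `chmod` are available; the path names and modes are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the article): automate one manual security check,
# finding regular files whose permission bits let any user ("other") write.
# The directory tree below is constructed here so the script is self-contained.

# Build a throwaway tree with a mix of safe and world-writable files.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc" "$dir/opt/app/bin"
    printf 'x\n' > "$dir/etc/config.ini"
    printf 'x\n' > "$dir/opt/app/bin/start.sh"
    printf 'x\n' > "$dir/opt/app/bin/helper.sh"
    chmod 644 "$dir/etc/config.ini"           # owner-writable only: fine
    chmod 666 "$dir/opt/app/bin/start.sh"     # world-writable: anyone can edit
    chmod 777 "$dir/opt/app/bin/helper.sh"    # world-writable and executable
    printf '%s\n' "$dir"
}

# List regular files under $1 whose mode includes the "other write" bit.
# -perm -002 is the portable spelling of "other-writable" (GNU also accepts -o+w).
find_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Count the hits so a caller (or a nightly cron job) can decide whether to alert.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Demo run on the constructed tree, then clean up.
root=$(make_sample_tree)
echo "Scanning $root"
find_world_writable "$root"
echo "$(count_world_writable "$root") world-writable file(s) found"
rm -rf "$root"
```

Point `find_world_writable` at a real path (for example a deployed application directory) and the same two functions do the job; the demo only exists so the behaviour can be seen without touching the live system.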

GET HELP

Make no mistake: Much like learning a musical instrument or a new language, gaining cybersecurity skills takes most people a good deal of time and effort. But don’t get discouraged if a given topic of study seems overwhelming at first; just take your time and keep going.

That’s why it helps to have support groups. Seriously. In the cybersecurity industry, the human side of networking takes the form of conferences and local meetups. I cannot stress enough how important it is for both your sanity and career to get involved with like-minded people on a semi-regular basis.

Many of these gatherings are free, including Security BSides events, DEFCON groups, and OWASP chapters. And because the tech industry continues to be disproportionately populated by men, there are also a number of cybersecurity meetups and membership groups geared toward women, such as the Women’s Society of Cyberjutsu and others listed here.

Unless you live in the middle of nowhere, chances are there’s a number of security conferences and security meetups in your general area. But even if you do reside in the boonies, the good news is many of these meetups are going virtual to avoid the ongoing pestilence that is the COVID-19 epidemic.

In summary, don’t count on a degree or certification to prepare you for the kinds of skills employers are going to understandably expect you to possess. That may not be fair or as it should be, but it’s likely on you to develop and nurture the skills that will serve your future employer(s) and employability in this field.

I’m certain that readers here have their own ideas about how newbies, students and those contemplating a career shift into cybersecurity can best focus their time and efforts. Please feel free to sound off in the comments. I may even update this post to include some of the better recommendations.

Quantexa raises $64.7M to bring big data intelligence to risk analysis and investigations

The wider field of cybersecurity — not just defending networks, but identifying fraudulent activity — has seen a big boost in activity in the last few months, and that’s no surprise. The global health pandemic has led to more interactions and transactions moving online, and the contractions we’re feeling across the economy and society have led some to take more desperate and illegal actions, using digital challenges to do it.

Today, a U.K. company called Quantexa — which has built a machine learning platform branded “Contextual Decision Intelligence” (CDI) that analyses disparate data points to get better insight into nefarious activity, as well as to (more productively) build better profiles of a company’s entire customer base — is raising a growth round of funding to address that opportunity.

The London-based startup has picked up $64.7 million, a Series C it will be using to continue building out both its tools and the use cases for applying them, as well as expanding geographically, specifically in North America, Asia-Pacific and more European territories.

The mission, said Vishal Marria, Quantexa’s founder and CEO, is to “connect the dots to make better business decisions.”

The startup built its business on the back of doing work for major banks and others in the financial services sector, and Marria added that the plan will be to continue enhancing tools for that vertical while also expanding into two growing opportunities: working with insurance and government/public sector organizations.

The backers in this round speak to how Quantexa positions itself in the market, and the traction it has seen to date for its business. It is being led by Evolution Equity Partners — a VC that specialises in innovative cybersecurity startups — with participation also from previous backers Dawn Capital, AlbionVC, HSBC and Accenture, as well as new backer ABN AMRO Ventures. HSBC, Accenture and ABN AMRO are all strategic investors working directly with the startup in their businesses.

Altogether, Quantexa has “thousands of users” across 70+ countries, it said, with additional large enterprises, including Standard Chartered, OFX and Dun & Bradstreet.

The company has now raised some $90 million to date, and reliable sources close to the company tell us that the valuation is “well north” of $250 million — which to me sounds like it’s between $250 million and $300 million.

Marria said in an interview that he initially got the idea for Quantexa — which I believe may be a creative portmanteau of “quantum” and “context” — when he was working as an executive director at Ernst & Young and saw “many challenges with investigations” in the financial services industry.

“Is this a money launderer?” is the basic question that investigators aim to answer, but they were going about it, “using just a sliver of information,” he said. “I thought to myself, this is bonkers. There must be a better way.”

That better way, as built by Quantexa, is to solve it in the classic approach of tapping big data and building AI algorithms that help, in Marria’s words, connect the dots.

As an example, typically, an investigation needs to do significantly more than just track the activity of one individual or one shell company, and you need to seek out the most unlikely connections between a number of actions in order to build up an accurate picture. When you think about it, trying to identify, track, shut down and catch a large money launderer (a typical use case for Quantexa’s software) is a classic big data problem.

While there is a lot of attention these days on data protection and security breaches that leak sensitive customer information, Quantexa’s approach, Marria said, is to sell software, not ingest proprietary data into its engine to provide insights. He said that these days deployments typically either are done on premises or within private clouds, rather than using public cloud infrastructure, and that when Quantexa provides data to complement its customers’ data, it comes from publicly available sources (for example, Companies House filings in the U.K.).

There are a number of companies offering services in the same general area as Quantexa. They include those that present themselves more as business intelligence platforms that help detect fraud (such as Looker) through to those that are secretive and present themselves as AI businesses working behind the scenes for enterprises and governments to solve tough challenges, such as Palantir, through to others focusing specifically on some of the use cases for the technology, such as ComplyAdvantage and its focus on financial fraud detection.

Marria says that it has a few key differentiators from these. First is how its software works at scale: “It comes back to entity resolution that [calculations] can be done in real time and at batch,” he said. “And this is a platform, software that is easily deployed and configured at a much lower total cost of ownership. It is tech and that’s quite important in the current climate.”

And that is what has resonated with investors.

“Quantexa’s proprietary platform heralds a new generation of decision intelligence technology that uses a single contextual view of customers to profoundly improve operational decision making and overcome big data challenges,” said Richard Seewald, founding and managing partner of Evolution, in a statement. “Its impressive rapid growth, renowned client base and potential to build further value across so many sectors make Quantexa a fantastic partner whose team I look forward to working with.” Seewald is joining the board with this round.

iObeya raises $17M to digitize management planning processes like Agile

As we move deeper into the pandemic, companies are looking for ways to digitize processes that previously required in-person meetings with manual approaches. Investors appear to be rewarding companies who can achieve this. iObeya, a French company that helps digitize management planning processes like lean and agile, announced a $17 million Series A today.

Red River West led the round with help from Atlantic Bridge Capital and Fortino Capital Partners. It has now raised a total of $20 million, according to the company.

Tim McCracken, who heads up the company’s US operations, says the name comes from the Japanese word for the large room where companies did all their planning. Many companies gather a group of people in a conference room and line the walls with sticky notes and white boards with their plans for the coming weeks and months.

Even before the pandemic struck, it wasn’t the most effective way to record this valuable business content, and iObeya has developed a service to put it in the digital realm. “And so one of the things that they did with those obeya rooms was they had lots of different visual management boards with post it notes and with different types of indicators that they would use to manage their business. And so what iObeya does is digitize that type of visual management, so that you can access it from multiple locations and share it amongst teams and basically eliminate the need for doing it on paper and on walls,” McCracken explained.

This involves digitizing four main areas that include lean management, factory floor management, agile programming and finally what they call the digital workplace, which includes design thinking, virtual whiteboarding and brainstorming. All of these approaches have lots of planning associated with them and could benefit from being moved online.


The company is approaching 100 employees, the majority in France, with a small office in the U.S. in Seattle, but it will be using this money to expand, with plans to add 50 more. McCracken says that the company has always looked at diversity when it comes to its hiring practices.

“We want to try to attract, not only experienced salespeople, as well as the support organization around them, but also really do as much outreach in the local community to see how we can ensure that our workforce reflects the community,” he said.

As the company had to shut down offices due to COVID-19, McCracken says their own software helped them make that transition more smoothly. “We actually use our own software to manage business so we had very little disruption to our actual work. At the same time, the volume of work increased probably four to five fold, simply because of increased demand for the software. So we had to manage not only moving from working in an office to work at home, but also the increased workload,” he said.

The company was founded near Paris in 2011. They plan to use the money to expand operations in the U.S. and build awareness of the company through greater sales and marketing spend.

NY Charges First American Financial for Massive Data Leak

In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties.

First American Financial Corp.

Santa Ana, Calif.-based First American [NYSE:FAF] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019.

As first reported here last year, First American’s website exposed 16 years’ worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images.

The documents were available without authentication to anyone with a Web browser.

According to a filing (PDF) by the New York State Department of Financial Services (DFS), the weakness that exposed the documents was first introduced during an application software update in May 2014 and went undetected for years.

Worse still, the DFS found, the vulnerability was discovered in a penetration test First American conducted on its own in December 2018.

“Remarkably, Respondent instead allowed unfettered access to the personal and financial data of millions of its customers for six more months until the breach and its serious ramifications were widely publicized by a nationally recognized cybersecurity industry journalist,” the DFS explained in a statement on the charges.

A redacted screenshot of one of many millions of sensitive records exposed by First American’s Web site.

Reuters reports that the penalties could be significant for First American: The DFS considers each instance of exposed personal information a separate violation, and the company faces penalties of up to $1,000 per violation.

In a written statement, First American said it strongly disagrees with the DFS’s findings, and that its own investigation determined only a “very limited number” of consumers — and none from New York — had personal data accessed without permission.

In August 2019, the company said a third-party investigation into the exposure identified just 32 consumers whose non-public personal information likely was accessed without authorization.

When KrebsOnSecurity asked last year how long it maintained access logs or how far back in time that review went, First American declined to be more specific, saying only that its logs covered a period that was typical for a company of its size and nature.

But in Wednesday’s filing, the DFS said First American was unable to determine whether records were accessed prior to June 2018.

“Respondent’s forensic investigation relied on a review of web logs retained from June 2018 onward,” the DFS found. “Respondent’s own analysis demonstrated that during this 11-month period, more than 350,000 documents were accessed without authorization by automated ‘bots’ or ‘scraper’ programs designed to collect information on the Internet.”
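The DFS finding above rests on a web-log review that separated automated "bot" and "scraper" traffic from ordinary browsing. As an added illustration of what such a review looks like in practice (this is example code written for this page, not anything from First American, the DFS or KrebsOnSecurity), the shell script below reads access-log lines and flags clients that fetched an unusually large number of distinct documents. The log lines, the `/docs/view?id=NNN` URL shape, the client addresses and the threshold are all constructed for the demo; a real endpoint, its logging format and a sensible threshold would come from the site being reviewed.

```shell
#!/bin/sh
# Added example (not from the article): flag clients that pull many distinct
# documents from a document-serving endpoint, the access pattern a web-log
# review would look for when separating scrapers from ordinary users.
# The log excerpt and URL shape below are constructed for this example.

# Constructed Common Log Format excerpt: one browsing user and two scrapers.
SAMPLE_LOG='203.0.113.7 - - [12/Jun/2018:08:00:01 +0000] "GET /docs/view?id=100001 HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
203.0.113.7 - - [12/Jun/2018:08:00:02 +0000] "GET /docs/view?id=100002 HTTP/1.1" 200 5011 "-" "python-requests/2.18.4"
203.0.113.7 - - [12/Jun/2018:08:00:02 +0000] "GET /docs/view?id=100003 HTTP/1.1" 200 4980 "-" "python-requests/2.18.4"
203.0.113.7 - - [12/Jun/2018:08:00:03 +0000] "GET /docs/view?id=100004 HTTP/1.1" 200 5300 "-" "python-requests/2.18.4"
203.0.113.7 - - [12/Jun/2018:08:00:03 +0000] "GET /docs/view?id=100005 HTTP/1.1" 200 5100 "-" "python-requests/2.18.4"
198.51.100.23 - - [12/Jun/2018:08:05:10 +0000] "GET /docs/view?id=100042 HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2018:08:05:40 +0000] "GET /docs/view?id=100042 HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2018:08:06:15 +0000] "GET /docs/view?id=100043 HTTP/1.1" 200 5900 "-" "Mozilla/5.0"
192.0.2.88 - - [12/Jun/2018:09:00:00 +0000] "GET /docs/view?id=200010 HTTP/1.1" 200 4400 "-" "curl/7.58.0"
192.0.2.88 - - [12/Jun/2018:09:00:00 +0000] "GET /docs/view?id=200011 HTTP/1.1" 200 4410 "-" "curl/7.58.0"
192.0.2.88 - - [12/Jun/2018:09:00:01 +0000] "GET /docs/view?id=200012 HTTP/1.1" 200 4390 "-" "curl/7.58.0"
192.0.2.88 - - [12/Jun/2018:09:00:01 +0000] "GET /docs/view?id=200013 HTTP/1.1" 200 4405 "-" "curl/7.58.0"'

# flag_scrapers THRESHOLD   (log lines on stdin)
# Prints "ip distinct_docs requests" for every client that fetched at least
# THRESHOLD distinct document ids, most prolific client first.
flag_scrapers() {
    awk -v threshold="$1" '
        # Only document-view requests carry an id; other requests are skipped.
        match($0, /id=[0-9]+/) {
            ip = $1
            id = substr($0, RSTART + 3, RLENGTH - 3)   # strip the "id=" prefix
            reqs[ip]++
            # Count each (client, document) pair once so reloads do not inflate it.
            if (!((ip, id) in seen)) { seen[ip, id] = 1; docs[ip]++ }
        }
        END {
            for (ip in docs)
                if (docs[ip] >= threshold) print ip, docs[ip], reqs[ip]
        }' | sort -k2,2nr -k1,1
}

# Demo: the browsing user opened 2 documents (one twice); the scrapers pulled 5 and 4.
printf '%s\n' "$SAMPLE_LOG" | flag_scrapers 4
```

Distinct-document count per client is deliberately the only signal here: user-agent strings are trivially changed, whereas a client that touches hundreds of unrelated documents in minutes looks nothing like a customer reading their own closing paperwork. On a real log this would be run per time window, and the same pipeline also answers the retention question the DFS raised: if the logs only start in June 2018, nothing before that can be reviewed at all.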

The records exposed by First American would have been a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.

First American’s stock price fell more than 6 percent the day after news of their data leak was published here. In the days that followed, the DFS and U.S. Securities and Exchange Commission each announced they were investigating the company.

First American released its first quarter 2020 earnings today. A hearing on the charges alleged by the DFS is slated for Oct. 26.

huddl.ai wants to bring more intelligence to online meetings

As the pandemic has shut down in-person meetings, and pushed us online, products like Zoom, Cisco WebEx, Google Meet and Microsoft Teams have become part of our daily lives. Into the fray jumps huddl.ai, a 3.5-year-old startup from a serial entrepreneur who wants to bring a dose of artificial intelligence to meeting technology.

Company co-founder and CEO Krishna Yarlagadda says while these companies have introduced the video meeting concept, his startup has a vision of taking it further. “As we move forward. I think the next [era] is going to be about intelligence,” Yarlagadda told TechCrunch.

That involves using AI tools to transcribe the meeting, pull out the salient points and help users understand what happened without poring over notes to find the key information in a long session. “Primarily there’s a purpose for every meeting, or essentially we’re meeting for outcomes, and that’s where Huddl comes in,” he said.

Yarlagadda said that current solutions simply give you a link to a cloud room and everyone involved clicks and enters. Huddl wants to bring some more structure to that whole process. “We’ve developed a very user-centric architecture and also added a layer called meeting memory, which essentially captures the core aspects of the meeting — the agenda, action items and moments and then added search,” he explained.

They call these meeting elements moments, and they involve capturing three key aspects of the meeting: the agenda and collaborative notes participants take during the meeting, screen captures the user takes using a built-in tool and, finally, audio, which captures a recording of the meeting. Users can search across these elements to find the parts of the meeting that are most relevant to them.


Further, it integrates with other enterprise applications like Slack or Salesforce to move to applicable tools items discussed during these meetings when it makes sense. “Essentially what we’re trying to do is create a five-minute version of your 60-minute meeting that is stored in your memory and that becomes part of your search. Post-meeting this content has a life, and through APIs and integrations, we can [share it with the right programs],” he said.

For instance, if it’s an action item in a sales meeting, it would go to Salesforce, and if it is a software bug in an engineering meeting, it could be shared with Jira.

The company was started in 2017, and has raised $8.7 million in seed money to date. It has 50 employees, with 10 in the U.S. and the others in India, and has plans to hire 15-20 additional people this year between the U.S. and India offices.

Reflect wants to help you automate web testing without writing code

Reflect, a member of the Y Combinator Summer 2020 class, is building a tool to automate website and web application testing, making it faster to get your site up and running without waiting for engineers to write testing code, or for human testers to run the site through its paces.

Company CEO and co-founder Fitz Nowlan says his startup’s goal is to allow companies to have the ease of use and convenience of manual testing, but the speed of execution of automated or code-based testing.

“Reflect is a no-code tool for creating automated tests. Typically when you change your website, or your web application, you have to test it, and you have the choice of either having your engineers build coded tests to run through and ensure the correctness of your application, or you can hire human testers to do it manually,” he said.

With Reflect, you simply teach the tool how to test your site or application by running through it once, and based on those actions, Reflect can create a test suite for you. “You enter your URL, and we load it in a browser in a virtual machine in the cloud. From there, you just use your application just like a normal user would, and by using your application, you’re telling us what is important to test,” Nowlan explained.

He adds, “Reflect will observe all of your actions throughout that whole interaction with that whole browser session. And then from those actions, it will distill that down into a repeatable machine executable test.”

Nowlan and co-founder Todd McNeal started the company in September 2019 after spending five years together at a digital marketing startup near Philadelphia, where they experienced problems with web testing first-hand.

They launched a free version of this product in April, just as we were beginning to feel the full force of the pandemic in the U.S., a point that was not lost on him. “We didn’t want to delay any longer and we just felt like, you know you got to get up there and swing the bat,” he said.

Today, the company has 20 paying customers, and he has found that the pandemic has sped up sales in some instances while slowing them down in others.

He says the remote YC experience has been a positive one, and in fact he couldn’t have participated had they had to show up in California, as they have families and homes in Pennsylvania. He says that the remote nature of the current program forces you to be fully engaged mentally to get the most out of the program.

“It’s just a little more mental work to prepare yourself and to have the mental energy to stay locked in for a remote batch. But I think if you can get over that initial hump, the information flow and the knowledge sharing is all the same,” he said.

He says as technical founders, the program has helped them focus on the sales and marketing side of the equation, and taught them that it’s more than building a good product. You still have to go out there and sell it to build a company.

He says his short-term goal is to get as many people as he can using the platform, which will help them refine their ability to automate the test building. For starters, that involves recording activities on-screen, but over time they plan to layer on machine learning and that requires more data.

“We’re going to focus primarily over the next six to 12 months on growing our customer base — both paid and unpaid — and I really mean that we want people to come in and create tests. Even if they [use the free product], we’re benefiting from that creation of that test,” he said.

Daily Crunch: Slack files antitrust complaint against Microsoft

An antitrust battle is brewing between Microsoft and Slack, Apple continues to defend its App Store policies and Dexterity raises funding for warehouse robots. Here’s your Daily Crunch for July 22, 2020.

PS: I’m going to be on vacation until Wednesday of next week. Until then, I leave you in Darrell Etherington’s capable hands!

The big story: Slack files antitrust complaint against Microsoft

The complaint was filed in the European Union and alleges that Microsoft is unfairly bundling its Teams product with the broader Office suite.

“Microsoft has illegally tied its Teams product into its market-dominant Office productivity suite, force installing it for millions, blocking its removal, and hiding the true cost to enterprise customers,” Slack said in a statement.

When Microsoft first announced Teams in 2016, Slack took out an ad mocking the company and saying it welcomed competition. In April, Microsoft said Teams has grown to 75 million daily active users, compared to the 12.5 million that Slack reported in March.

The tech giants

Apple digs in heels over its App Store commission structure with release of new study — Apple has been commissioning research that defends its 30% commission on App Store purchases.

Spotify and Universal sign new licensing deal, will partner on development of marketing tools — In addition to re-securing Universal’s catalog for the music streaming service, the deal signs up Universal as an early adopter of Spotify’s future products for labels and artists.

Twitter cracks down on QAnon conspiracy theory, banning 7,000 accounts — Moving forward, Twitter said it will be removing QAnon-related topics from its trending pages and algorithmic recommendations and blocking any associated URLs.

Startups, funding and venture capital

Dexterity exits stealth with $56.2 million raised for its collaborative warehouse robots — The startup’s system combines hardware and software for warehouse tasks like bin picking and box packing.

Misfits Market raises $85 million Series B to send you ‘ugly’ fruits and veggies — Users sign up for a weekly produce box and can also add chocolate, snacks, chips, coffee, herbs, grains, lentils, sauces and spices.

YC-backed Glimpse helps Airbnb hosts make money through product placement — Airbnbs could be the perfect place to convince someone to try a new mattress or a new kind of coffee.

Advice and analysis from Extra Crunch

What you need to know before selling your company’s stock — Part 3 of financial adviser Peyton Carr’s guide for startup founders.

Messenger tools can help you recover millions in lost revenue — Rank Secure CEO Baruch Labunski says messenger tools have helped a single client recover more than $5 million in lost revenue.

(Reminder: Extra Crunch is our subscription membership program, which aims to democratize information about startups. You can sign up here.)

Everything else

GEDmatch confirms data breach after users’ DNA profile data made available to police — The company said that during the breach, “Users who did not opt-in for law enforcement matching were also available for law enforcement matching, and conversely, all law enforcement profiles were made visible to Gedmatch users.”

Go SPAC yourself — I’d never heard of SPACs before today, but the latest episode of Equity explains that they could offer a way for companies to go public through a different pricing mechanism.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.

Twitter Hacking for Profit and the LoLs

The New York Times last week ran an interview with several young men who claimed to have had direct contact with those involved in last week’s epic hack against Twitter. These individuals said they were only customers of the person who had access to Twitter’s internal employee tools, and were not responsible for the actual intrusion or bitcoin scams that took place that day. But new information suggests that at least two of them operated a service that resold access to Twitter employees for the purposes of modifying or seizing control of prized Twitter profiles.

As first reported here on July 16, prior to bitcoin scam messages being blasted out from such high-profile Twitter accounts as @barackobama, @joebiden, @elonmusk and @billgates, several highly desirable short-character Twitter account names changed hands, including @L, @6 and @W.

A screenshot of a Discord discussion between the key Twitter hacker “Kirk” and several people seeking to hijack high-value Twitter accounts.

Known as “original gangster” or “OG” accounts, short-character profile names confer a measure of status and wealth in certain online communities, and such accounts can often fetch thousands of dollars when resold in the underground.

The people involved in obtaining those OG accounts on July 15 said they got them from a person identified only as “Kirk,” who claimed to be a Twitter employee. According to The Times, Kirk first reached out to the group through a hacker who used the screen name “lol” on OGUsers, a forum dedicated to helping users hijack and resell OG accounts from Twitter and other social media platforms. From The Times’s story:

“The hacker ‘lol’ and another one he worked with, who went by the screen name ‘ever so anxious,’ told The Times that they wanted to talk about their work with Kirk in order to prove that they had only facilitated the purchases and takeovers of lesser-known Twitter addresses early in the day. They said they had not continued to work with Kirk once he began more high-profile attacks around 3:30 p.m. Eastern time on Wednesday.

‘lol’ did not confirm his real-world identity, but said he lived on the West Coast and was in his 20s. ‘ever so anxious’ said he was 19 and lived in the south of England with his mother.

Kirk connected with “lol” late Tuesday and then “ever so anxious” on Discord early on Wednesday, and asked if they wanted to be his middlemen, selling Twitter accounts to the online underworld where they were known. They would take a cut from each transaction.”

Twice in the past year, the OGUsers forum was hacked, and both times its database of usernames, email addresses and private messages was leaked online. A review of the private messages for “lol” on OGUsers provides a glimpse into the vibrant market for the resale of prized OG accounts.

On OGUsers, lol was known to other members as someone who had a direct connection to one or more people working at Twitter who could be used to help fellow members gain access to Twitter profiles, including those that had been suspended for one reason or another. In fact, this was how lol introduced himself to the OGUsers community when he first joined.

“I have a twitter contact who I can get users from (to an extent) and I believe I can get verification from,” lol explained.

In a direct message exchange on OGUsers from November 2019, lol is asked for help from another OGUser member whose Twitter account had been suspended for abuse.

“hello saw u talking about a twitter rep could you please ask if she would be able to help unsus [unsuspend] my main and my friends business account will pay 800-1k for each,” the OGUsers profile inquires of lol.

Lol says he can’t promise anything but will look into it. “I sent her that, not sure if I will get a reply today bc its the weekend but ill let u know,” Lol says.

In another exchange, an OGUser denizen quizzes lol about his Twitter hookup.

“Does she charge for escalations? And how do you know her/what is her department/job. How do you connect with them if I may ask?”

“They are in the Client success team,” lol replies. “No they don’t charge, and I know them through a connection.”

As for how he got access to the Twitter employee, lol declines to elaborate, saying it’s a private method. “It’s a lil method, sorry I cant say.”

In another direct message, lol asks a fellow OGUser member to edit a comment in a forum discussion which included the Twitter account “@tankska,” saying it was his IRL (in real life) Twitter account and that he didn’t want to risk it getting found out or suspended (Twitter says this account doesn’t exist, but a simple text search on Twitter shows the profile was active until late 2019).

“can u edit that comment out, @tankska is a gaming twitter of mine and i dont want it to be on ogu :D’,” lol wrote. “just dont want my irl getting sus[pended].”

Still another OGUser member would post lol’s identifying information into a forum thread, calling lol by his first name — “Josh” — in a post asking lol what he might offer in an auction for a specific OG name.

“Put me down for 100, but don’t note my name in the thread please,” lol wrote.

WHO IS LOL?

The information in lol’s OGUsers registration profile indicates he was probably being truthful with The Times about his location. The hacked forum database shows a user “tankska” registered on OGUsers back in July 2018, but only made one post asking about the price of an older Twitter account for sale.

The person who registered the tankska account on OGUsers did so with the email address jperry94526@gmail.com, and from an Internet address tied to the San Ramon Unified School District in Danville, Calif.

According to 4iq.com, a service that indexes account details like usernames and passwords exposed in Web site data breaches, the jperry94526 email address was used to register accounts at several other sites over the years, including one at the apparel store Stockx.com under the profile name Josh Perry.

Tankska was active only briefly on OGUsers, but the hacked OGUsers database shows that “lol” changed his username three times over the years. Initially, it was “freej0sh,” followed by just “j0sh.”

lol did not respond to requests for comment sent to email addresses tied to his various OGU profiles and Instagram accounts.

ALWAYS IN DISCORD

Last week’s story on the Twitter compromise noted that just before the bitcoin scam tweets went out, several OG usernames changed hands. The story traced screenshots of Twitter tools posted online back to a moniker that is well-known in the OGUsers circle: PlugWalkJoe, a 21-year-old from the United Kingdom.

Speaking with The Times, PlugWalkJoe — whose real name is Joseph O’Connor — said while he acquired a single OG Twitter account (@6) through one of the hackers in direct communication with Kirk, he was otherwise not involved in the conversation.

“I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”

In an interview with KrebsOnSecurity, O’Connor likewise asserted his innocence, suggesting at least a half dozen other hacker handles that may have been Kirk or someone who worked with Kirk on July 15, including “Voku,” “Crim/Criminal,” “Promo,” and “Aqua.”

“That twit screenshot was the first time in a while I joke[d], and evidently I shouldn’t have,” he said. “Joking is what got me into this mess.”

O’Connor shared a number of screenshots from a Discord chat conversation on the day of the Twitter hack between Kirk and two others: “Alive,” which is another handle used by lol, and “Ever So Anxious.” Both were described by The Times as middlemen who sought to resell OG Twitter names obtained from Kirk. O’Connor is referenced in these screenshots as both “PWJ” and by his Discord handle, “Beyond Insane.”

The negotiations over highly-prized OG Twitter usernames took place just prior to the hijacked celebrity accounts tweeting out bitcoin scams.

Ever So Anxious told Kirk his OGU nickname was “Chaewon,” which corresponds to a user in the United Kingdom. Just prior to the Twitter compromise, Chaewon advertised a service on the forum that could change the email address tied to any Twitter account for around $250 worth of bitcoin. O’Connor said Chaewon also operates under the hacker alias “Mason.”

“Ever So Anxious” tells Kirk his OGUsers handle is “Chaewon,” and asks Kirk to modify the display names of different OG Twitter handles to read “lol” and “PWJ”.

At one point in the conversation, Kirk tells Alive and Ever So Anxious to send funds for any OG usernames they want to this bitcoin address. The payment history of that address shows that it indeed also received approximately $180,000 worth of bitcoin from the wallet address tied to the scam messages tweeted out on July 15 by the compromised celebrity accounts.

The Twitter hacker “Kirk” telling lol/Alive and Chaewon/Mason/Ever So Anxious where to send the funds for the OG Twitter accounts they wanted.

SWIMPING

My July 15 story observed there were strong indications that the people involved in the Twitter hack have connections to SIM swapping, an increasingly rampant form of crime in which attackers bribe, hack or coerce employees at mobile carriers into reassigning a target’s phone number to a SIM card the attackers control, and in which the same crews apply the same pressure to employees at social media companies to obtain access to a target’s account.

The account “@shinji,” a.k.a. “PlugWalkJoe,” tweeting a screenshot of Twitter’s internal tools interface.

SIM swapping was thought to be behind the hijacking of Twitter CEO Jack Dorsey’s Twitter account last year. As recounted by Wired.com, @jack was hijacked after the attackers conducted a SIM swap attack against AT&T, the mobile provider for the phone number tied to Dorsey’s Twitter account.

Immediately after Jack Dorsey’s Twitter handle was hijacked, the hackers tweeted out several shout-outs, including one to @PlugWalkJoe. O’Connor told KrebsOnSecurity he has never been involved in SIM swapping, although that statement was contradicted by two law enforcement sources who closely track such crimes.

However, Chaewon’s private messages on OGUsers indicate that he very much was involved in SIM swapping. Use of the term “SIM swapping” was not allowed on OGUsers, and the forum administrators created an automated script that would watch for anyone trying to post the term into a private message or discussion thread.

The script would replace the term with “I do not condone illegal activities.” Hence, a portmanteau was sometimes used: “Swimping.”

“Are you still swimping?” one OGUser member asks of Chaewon on Mar. 24, 2020. “If so and got targs lmk your discord.” Chaewon responds in the affirmative, and asks the other user to share his account name on Wickr, an encrypted online messaging app that automatically deletes messages after a few days.

Chaewon/Ever So Anxious/Mason did not respond to requests for comment.

O’Connor told KrebsOnSecurity that one of the individuals thought to be associated with the July 15 Twitter hack — a young man who goes by the nickname “Voku” — is still actively involved in SIM-swapping, particularly against customers of AT&T and Verizon.

Voku is one of several hacker handles used by a Canton, Mich. youth whose mom turned him in to the local police in February 2018 when she overheard him talking on the phone and pretending to be an AT&T employee. Officers responding to the report searched the residence and found multiple cell phones and SIM cards, as well as files on the kid’s computer that included “an extensive list of names and phone numbers of people from around the world.”

The following month, Michigan authorities found the same individual accessing personal consumer data via public Wi-Fi at a local library, and seized 45 SIM cards, a laptop and a Trezor wallet — a hardware device designed to store cryptocurrency account data. In April 2018, Voku’s mom again called the cops on her son — identified only as confidential source #1 (“CS1”) in the criminal complaint against him — saying he’d obtained yet another mobile phone.

Voku’s cooperation with authorities led them to bust up a conspiracy involving at least nine individuals who stole millions of dollars worth of cryptocurrency and other items of value from their targets.

CONSPIRACY

Samy Tarazi, an investigator with the Santa Clara County District Attorney’s Office, has spent hundreds of hours tracking young hackers during his tenure with REACT, a task force set up to combat SIM swapping and bring SIM swappers to justice.

According to Tarazi, multiple actors in the cybercrime underground are constantly targeting people who work in key roles at major social media and online gaming platforms, from Twitter and Instagram to Sony, PlayStation and Xbox.

Tarazi said some people engaged in this activity seek to woo their targets, sometimes offering them bribes in exchange for the occasional request to unban or change the ownership of specific accounts.

All too often, however, employees at these social media and gaming platforms find themselves the object of extremely hostile and persistent personal attacks that threaten them and their families unless and until they give in to demands.

“In some cases, they’re just hitting up employees saying, ‘Hey, I’ve got a business opportunity for you, do you want to make some money?’” Tarazi explained. “In other cases, they’ve done everything from SIM swapping and swatting the victim many times to posting their personal details online or extorting the victims to give up access.”

Allison Nixon is chief research officer at Unit 221B, a cyber investigations company based in New York. Nixon says she doesn’t buy the idea that PlugWalkJoe, lol, and Ever So Anxious are somehow less culpable in the Twitter compromise, even if their claims of not being involved in the July 15 Twitter bitcoin scam are accurate.

“You have the hackers like Kirk who can get the goods, and the money people who can help them profit — the buyers and the resellers,” Nixon said. “Without the buyers and the resellers, there is no incentive to hack into all these social media and gaming companies.”

Mark Rasch, Unit 221B’s general counsel and a former U.S. federal prosecutor, said all of the players involved in the Twitter compromise of July 15 can be charged with conspiracy, a legal concept in the criminal statute which holds that any co-conspirators are liable for the acts of any other co-conspirator in furtherance of the crime, even if they don’t know who those other people are in real life or what else they may have been doing at the time.

“Conspiracy has been called the prosecutor’s friend because it makes the agreement the crime,” Rasch said. “It’s a separate crime in addition to the underlying crime, whether it be breaking in to a network, data theft or account takeover. The ‘I just bought some usernames and gave or sold them to someone else’ excuse is wrong because it’s a conspiracy and these people obviously don’t realize that.”

In a statement on its ongoing investigation into the July 15 incident, Twitter said it resulted from a small number of employees being manipulated through a social engineering scheme. Twitter said at least 130 accounts were targeted by the attackers, who succeeded in sending out unauthorized tweets from 45 of them and may have been able to view additional information about those accounts, such as direct messages.

On eight of the compromised accounts, Twitter said, the attackers managed to download the account history using the Your Twitter Data tool. Twitter added that it is working with law enforcement and is rolling out additional company-wide training to guard against social engineering tactics.

Microsoft introduces Customer Voice, a real-time customer feedback tool

At Microsoft Inspire today, the company made several Dynamics 365 announcements, including Dynamics 365 Customer Voice, a real-time customer feedback tool that could compete with Qualtrics, the company SAP bought in 2018 for a cool $8 billion.

Microsoft General Manager Brenda Bown says that as more customers move online during the pandemic, it’s more important than ever to capture real-time customer feedback that you can combine with other data to build a more complete picture of the customer that could lead to more successful interactions in the future.

“Customer Voice is a feedback management solution, and it’s designed to empower businesses and organizations to build better products, deliver better experiences to customers and really build the relationships for the customers with that feedback management tool,” Bown told TechCrunch.

The data gets shared with Microsoft’s customer data platform (CDP), and is built on top of Dynamics 365 and the Power Platform. The latter provides a way to customize the Customer Voice tool to meet the needs of an individual company.

Brent Leary, partner and co-founder at CRM Essentials, says this solves the problem of getting feedback as the interaction is happening. He adds that being able to share that data directly with the CDP makes it even more valuable.

“Customer feedback has to be done as close to the interaction/transaction as possible and as frictionless as possible for it to really work, or else customers won’t give it to you. And then the data has to be integrated into the CDP with all the other data automatically to really be of use. And having a platform to handle both the feedback capture and the data integration optimizes the likelihood of this happening,” Leary said.

The company also announced Dynamics 365 Connected Store, a set of tools designed to help stores manage in-store and curbside traffic, among other things. With the pandemic limiting the number of people allowed in a store at one time, Connected Store uses sensors and cameras to help managers understand and manage how many people are inside at any given moment, in support of social distancing.

It can also help add a level of automation to curbside pickup, letting an employee know when the customer has pulled up. “It alerts the employee and they can bring out the order for a more seamless and quick pickup. And obviously this scenario is super important today because of [more people wanting] contactless pickup,” Bown said.

Finally, the company announced a fraud protection component. Bown says that Dynamics 365 Fraud Protection helps protect businesses, online or in physical stores, from fraudulent activity, which becomes even more important as more transactions are conducted digitally. New capabilities include account protection and loss prevention tooling.

Inspire is the company’s annual partner conference, which is being held virtually this year. Bown says by running it virtually, the company can involve even more partners than a typical in-person conference because companies that couldn’t previously attend because of cost and distance are able to participate this year.