‘ValidCC,’ a Major Payment Card Bazaar and Looter of E-Commerce Sites, Shuttered

ValidCC, a dark web bazaar run by a cybercrime group that for more than six years hacked online merchants and sold stolen payment card data, abruptly closed up shop last week. The proprietors of the popular store said their servers were seized as part of a coordinated law enforcement operation designed to disconnect and confiscate its infrastructure.

ValidCC, circa 2017.

There are dozens of online shops that sell so-called “card not present” (CNP) payment card data stolen from e-commerce stores, but most source the data from other criminals. In contrast, researchers say ValidCC was actively involved in hacking and pillaging hundreds of online merchants — seeding the sites with hidden card-skimming code that siphoned personal and financial information as customers went through the checkout process.

Russian cybersecurity firm Group-IB published a report last year detailing the activities of ValidCC, noting the gang behind the crime shop was responsible for plundering nearly 700 e-commerce sites. Group-IB dubbed the gang “UltraRank,” which it said had additionally compromised at least 13 third-party suppliers whose software components are used by countless online stores across Europe, Asia, North and Latin America.

Group-IB believes UltraRank is responsible for a slew of hacks that other security firms previously attributed to at least three distinct cybercrime groups.

“Over five years….UltraRank changed its infrastructure and malicious code on numerous occasions, as a result of which cybersecurity experts would wrongly attribute its attacks to other threat actors,” Group-IB wrote. “UltraRank combined attacks on single targets with supply chain attacks.”

ValidCC’s front man on multiple forums — a cybercriminal who uses the hacker handle “SPR” — told customers on Jan. 28 that the shop would close for good following what appeared to be a law enforcement takedown of its operations. SPR claims his site lost access to a significant inventory — more than 600,000 unsold stolen payment card accounts.

“As a result, we lost the proxy and destination backup servers,” SPR explained. “Besides, now it’s impossible to open and decrypt the backend. The database is in the hands of the police, but it’s encrypted.”

ValidCC had thousands of users, some of whom held significant balances of bitcoin stored in the shop when it ceased operations. SPR claims the site took in approximately $100,000 worth of virtual currency deposits each day from customers.

Many of those customers took to the various crime forums where the shop has a presence to voice suspicions that the proprietors had simply decided to walk away with their money at a time when Bitcoin was near record-high price levels.

SPR countered that ValidCC couldn’t return balances because it no longer had access to its own ledgers.

“We don’t know anything!” SPR pleaded. “We don’t know users’ balances, or your account logins or passwords, or the [credit cards] you purchased, or anything else! You are free to think what you want, but our team has never conned or let anyone down since the beginning of our operations! Nobody would abandon a dairy cow and let it die in the field! We did not take this decision lightly!”

Group-IB said ValidCC was one of many cybercrime shops that stored some or all of its operational components at Media Land LLC, a major “bulletproof hosting” provider that supports a vast array of phishing sites, cybercrime forums and malware download servers.

Assuming SPR’s claims are truthful, it could be that law enforcement agencies targeted portions of Media Land’s digital infrastructure in some sort of coordinated action. However, so far there are no signs of any major uproar in the cybercrime underground directed at Yalishanda, the nickname used by the longtime proprietor of Media Land.

ValidCC’s demise comes close on the heels of the shuttering of Joker’s Stash, by some accounts the largest underground shop for selling stolen credit card and identity data. On Dec. 16, 2020, several of Joker’s long-held domains began displaying notices that the sites had been seized by the U.S. Department of Justice and Interpol. Less than a month later, Joker announced he was closing the shop permanently.

And last week, authorities across Europe seized control over dozens of servers used to operate Emotet, a prolific malware strain and cybercrime-as-service operation. While there are no indications that action targeted any criminal groups apart from the Emotet gang, it is often the case that multiple cybercrime groups will share the same dodgy digital infrastructure providers, knowingly or unwittingly.

Gemini Advisory, a New York-based firm that closely monitors cybercriminal stores, said ValidCC’s administrators recently began recruiting stolen card data resellers who previously had sold their wares to Joker’s Stash.

Stas Alforov, Gemini’s director of research and development, said other card shops will quickly move in to capture the customers and suppliers who frequented ValidCC.

“There are still a bunch of other shops out there,” Alforov said. “There’s enough tier one shops out there that sell card-not-present data that haven’t dropped a beat and have even picked up volumes.”

Taking a Realistic View of Cyber Security Requirements for Digital Providers

A guest post by MrR3b00t, aka pwndefend’s Daniel Card

In today’s rapidly evolving cybersecurity landscape, barely a day goes by without news of a new breach notification, from minor to major incidents, affecting organizations of all shapes and sizes. In the not-too-distant past (think early 2000s), most organizations stood up a perimeter firewall, deployed some antivirus and thought that rotating passwords every 30 days was enough to protect them. Since then, technology has been deployed at an ever-increasing pace, threat actors have become more sophisticated, and regulation and compliance have become increasingly mandatory.

On top of that, because internet connectivity dominates modern commerce and the provision of online services, many businesses have become digital providers, and that adds a whole extra dimension to their cybersecurity management and practices. Such businesses are not only primary targets for all kinds of data theft threats, including ransomware, but are also subject to increasing scrutiny from both customers and regulators.

It’s no surprise, then, that even well-resourced organizations find it difficult to keep up with security management and compliance requirements for modern service providers. And if you’re just starting out, trying to evaluate where you are and what you need to do to get up to speed before either the bad guys (threat actors) or the good guys (regulators, assurance tests) catch up with you can be a daunting task.

In this post, we look at what an organization that hasn’t really considered security until now (for whatever reason) can do to help itself, not only to improve its security posture but also to prepare for a customer conducting some level of cyber assurance review of the organization. If you have yet to invest time or resources, do not have processes and procedures in place, and/or have a massive gap in your documentation, you will likely get a very hard time during and following an audit. It’s time to put this right!

What is the Nature of Your Business?

If you are a shoe repair business that has a mainly non-digital service, your requirements will likely be low. The same can be said for a range of other organization types. However, let’s look at the type of organizations that are likely or certainly going to have compliance and audit requirements:

  • Independent Software Vendors
  • Cloud Services Providers (IaaS/PaaS)
  • Software as a Service Providers (SaaS)
  • Hosting Companies
  • Managed Services Providers (MSP)
  • Services forming part of the supply chain to government digital services
  • Services forming part of the supply chain to healthcare services
  • Services forming part of the supply chain to CNI
  • Businesses where sensitive data are controlled or processed at volume
  • Financial Related Services
  • Payment Services Provider
  • E-Commerce Trader
  • Pension Services
  • Any regulated industry

The key differentiator here is where you are providing and operating a service for your customers. If you are providing an advisory service or your digital footprint and data processing levels are low, you will likely be able to manage by achieving something like the UK’s Cyber Essentials or equivalent.

If you write software or host services (e.g. SaaS), then you need to have security management in your business plans. That’s not me saying it; that’s the market demanding it. The old days of HR buying a service because they “like the look of it” still exist, but they are on their way out. Organizations are waking up to their digital security obligations (there are legal requirements; this isn’t a matter of choice) as well as to the shifting marketplace forces which now insist that providers operate services securely and with privacy at the forefront.

Four Simple Questions for Rapid Assessment

  • Would You or Could You Pass Cyber Essentials/Cyber Essentials Plus?
    If the answer is “no” then you need to pull your socks up (there’s a security pun in here somewhere). No, seriously. This is where you start as a bare minimum.
  • Do You Meet the Standards Required for PCI DSS?
    This is obviously quite complex as there are different levels and standards, but the acid test here is would you meet the lower bar for PCI compliance e.g., SAQ A?
  • Would You Pass ISO/IEC 27001:2013?
    Remember that for ISO/IEC 27001:2013, you will need to show around three months’ worth of evidence that you practise what your documents say. Whilst you could likely game this part (a bit like using a non-UKAS-accredited certification body), never forget that it is your business and your customers that you are short-changing in the long run.
  • Would You Pass a SOC2 Audit?
    Not for the faint-hearted, these audits require substantial investment. This means they should form part of your business plan and not just be tacked on.

So What Does a Security Audit Look Like?

The first thing with any scenario is taking stock. If you have managed to conduct business so far without the beady eye of third party audits and security assurance activities, then your margins were probably healthy. At some point, a customer is going to ask for assurance and due diligence information. For many organizations, this is a prerequisite to their doing business with you at all.

This will generally flow like this:

  • the customer may conduct open source intelligence gathering
  • the customer requests a Self-Assessment Review / Due Diligence Form
  • the customer makes more detailed evidence requests
  • a third-party audit is conducted
  • the customer conducts its own audit

Now, depending upon the nature of the business, there may be a range of different activities. I can speak from my experience with supplier management, and this is how I operate:

  • I assess the services and the risk level for the business
  • I determine a likely assurance level
  • I conduct due diligence exercises
  • If red flags are raised, I generally move further down the assurance level route

As someone who has conducted, and still conducts, assurance activities for customers looking to review their supply chain risk, I can only talk based on my experience; however, I can say this:

  • If I can’t find details about your security management capabilities and certifications on your website, I dig further.
  • If you evade or refuse to share documents such as change management policies/processes etc, I dig further.
  • If you try to hide behind “we can’t share policies or processes due to security,” I raise another red flag.
  • If you don’t have documentation or can’t provide evidence reasonably quickly, then I consider, as a rule, that you don’t manage risk and security to a reasonable level.

I must also add that willingness goes a long way. If you don’t have the relevant certifications, standards, and capabilities today, that’s not to say you can’t achieve them. Honesty and integrity go a long way in my book.

That’s a view of how it works from a practitioner perspective. You must remember, though, it all depends on the nature, sensitivity and risk level of the services being provided or sought. Assurance efforts should be scaled appropriately to the level of risk the contract or service provides.

Conclusion

When assessing cyber security management and compliance requirements, you need to look not only at your business risk and model but also at your customers and make informed decisions about how you can provide assurance, not only to your board but also to your customers.

Managing cyber security for a non-micro business that controls and/or processes customer data, or provides managed or hosted services, means you will almost certainly need more than a note saying you think your services are secure if you want to do business with larger organizations.

Hopefully, this post helps people understand a bit more about the assurance space. Cyber security management is a business challenge and capability; it’s not just a technical thing!


Rapid7 acquires Kubernetes security startup Alcide for $50M

Boston-based security operations company Rapid7 has been making moves into the cloud recently, and this morning it announced that it has acquired Kubernetes security startup Alcide for $50 million.

As the world shifts to cloud native using Kubernetes to manage containerized workloads, it’s tricky ensuring that the containers are configured correctly to keep them safe. What’s more, Kubernetes is designed to automate the management of containers, taking humans out of the loop and making it even more imperative that the security protocols are applied in an automated fashion as well.

Brian Johnson, SVP of Cloud Security at Rapid7 says that this requires a specialized kind of security product and that’s why his company is buying Alcide. “Companies operating in the cloud need to be able to identify and respond to risk in real time, and looking at cloud infrastructure or containers independently simply doesn’t provide enough context to truly understand where you are vulnerable,” he explained.

“With the addition of Alcide, we can help organizations obtain comprehensive, unified visibility across their entire cloud infrastructure and cloud-native applications so that they can continue to rapidly innovate while still remaining secure,” he added.

Today’s purchase builds on the company’s acquisition of DivvyCloud last April for $145 million. That’s almost $200 million for the two companies that allow Rapid7 to help protect cloud workloads in a fairly broad way.

It’s also part of an industry trend with a number of Kubernetes security startups coming off the board in the last year as bigger companies look to enhance their container security chops by buying talent and technology. This includes VMware nabbing Octarine last May, Cisco getting PortShift in October and Red Hat buying StackRox last month.

Alcide was founded in 2016 in Tel Aviv, part of the active Israeli security startup scene. It raised about $12 million along the way, according to Crunchbase data.

Lightspeed’s Gaurav Gupta and Grafana Labs’ Raj Dutt will tell us why they financially tied the knot (twice!)

Many founders only know their own experience fundraising and don’t hear much about what other founders went through. On Extra Crunch Live on Wednesday, we’re going to remedy that.

Grafana Labs has raised upward of $75 million since it launched in 2014. Lightspeed Venture Partners, and partner Gaurav Gupta to be specific, led both the startup’s Series A and Series B rounds. As far as commitments go, that’s a pretty significant one.

The new and improved Extra Crunch Live pairs founders and the investors who led their earlier rounds to talk about how the deal went down, from the moment they met to the conversations they had (including some disagreements) to the relationship as it exists today. Hell, we may even take a peek at the original pitch deck that made it all happen.

Then, we’ll turn our eyes back to you, the audience. That same founder/investor duo (in this case, Grafana Labs CEO Raj Dutt and LVP’s Gaurav Gupta) will take a look at your pitch decks and give their own feedback. (If you haven’t yet submitted a pitch deck to be torn down on Extra Crunch Live, you can do so here.)

The hour-long episode is sandwiched between two 30-minute rounds of networking. From start to finish, it goes from 11:30 a.m. PST/2:30 p.m. EST to 1:30 p.m. PST/4:30 p.m. EST. And Extra Crunch Live will come to you at the same time, every week, with a new pair of speakers.

So let’s learn a little bit more about Gupta and Dutt.

Before becoming an investor, Gupta enjoyed a rich career in the product development sphere, holding positions at Elastic (where he led product management), Splunk (VP of Products), as well as Google, Gateway and the McKenna Group. He joined Lightspeed in 2019 as a partner, focusing primarily on enterprise software. He’s led investments in Impira, Blameless, Hasura and Panther, and of course, Grafana. He sits on the board of the last three companies in that list.

Dutt is the co-founder and CEO at Grafana Labs, but the fast-growing company isn’t his first go at entrepreneurialism. Dutt also founded and led Voxel, a cloud-hosting startup that was acquired by Internap for $30 million in 2012.

We’re absolutely thrilled to have Gupta and Dutt join us on our first episode of Extra Crunch Live in 2021. As a reminder, Extra Crunch Live is for Extra Crunch members only. We’re coming to you with a new pair of speakers every week, and you can catch everything you missed on-demand if you can’t join us live. It’s worth the cost of the subscription on its own, but EC members also get access to our premium content, including market maps and investor surveys. Long story short? Subscribe, smarty. You won’t regret it.

Oh, and here’s a look at other speakers you can expect to see on Extra Crunch Live:

Aydin Senkut (Felicis) + Kevin Busque (Guideline) — February 10
Steve Loughlin (Accel) + Jason Boehmig (Ironclad) — February 17
Matt Harris (Bain Capital Ventures) + Isaac Oates (Justworks) — February 24

And that’s just the February slate!

All the details to register for this upcoming episode (and more) are available below. Can’t wait to see you there!

Weights & Biases raises $45M for its machine learning tools

Weights & Biases, a startup building tools for machine learning practitioners, is announcing that it has raised $45 million in Series B funding.

The company was founded by Lukas Biewald, Chris Van Pelt and Shawn Lewis — Biewald and Van Pelt previously founded CrowdFlower/Figure Eight (acquired by Appen). Weights & Biases says it now has more than 70,000 users at more than 200 enterprises.

Biewald (whom I’ve known since college) argued that while machine learning practitioners are often compared to software developers, “they’re more like scientists in some ways than engineers.” It’s a process that involves numerous experiments, and Weights & Biases’ core product allows practitioners to track those experiments, while the company also offers tools around data set versioning, model evaluation and pipeline management.

“If you have a model that’s controlling a self-driving car and the car crashes, you really want to know what happened,” Biewald said. “If you built that model years ago and you’ve run all these experiments since then, it can be hard to systematically trace through what happened” unless you’re using experiment tracking.

He described the startup as “an early leader” in this market, and as competing tools emerge, he said it’s also differentiated because it is “completely focused on the ML practitioner” rather than top-down enterprise sales. Similarly, he said that as machine learning has been adopted more widely, Weights & Biases is occasionally confronted by a “high-class problem.”

Weights & Biases screenshot. Image Credits: Weights & Biases

“We’re not interested in selling to companies that are doing machine learning for machine learning’s sake,” Biewald said. “With some companies, there’s a mandate from the CEO to sprinkle some machine learning in the company. That’s just really depressing to me, to not have any impact. But I would actually say the vast majority of companies that we talk to really do something useful.”

For example, he said agriculture giant John Deere is using the startup’s platform to continually improve the way it uses robotics to spray fertilizer, rather than pesticides, to kill weeds and pests. And there are pharmaceutical companies using the platform for how they model how different molecules will behave.

Weights & Biases previously raised $20 million in funding. The new round was led by Insight Partners, with participation from Coatue, Trinity Ventures and Bloomberg Beta. Insight’s George Mathew is joining the board of directors.

“I’ve never seen a MLOps category leader with such a high NPS and deep customer focus as Weights and Biases,” Mathew said in a statement. “It’s an honor to make my first investment at Insight to serve an ML practitioner user-base that grew 60x these last two years.”

The startup says it will use the funding to continue hiring in engineering, growth, sales and customer success.

Databricks raises $1B at $28B valuation as it reaches $425M ARR

Another hour, another billion-dollar round. That’s how February is kicking off. This time it’s Databricks, which just raised $1 billion Series G at a whopping $28 billion post-money valuation.

Databricks is a data-and-AI focused company that interacts with corporate information stored in the public cloud.

News of the new round began leaking last week. Franklin Templeton led the round, which also included new investors Fidelity and Whale Rock. Databricks also raised part of the capital from major cloud vendors including AWS, Alphabet via its CapitalG vehicle, and Salesforce Ventures. Microsoft is a previous investor, and it took part in the round as well.

But we’re not done! Other prior investors including a16z, T. Rowe Price, Tiger Global, BlackRock and Coatue were also involved along with Alkeon Capital Management.

Consider that Databricks just raised a bushel of capital from a mix of cloud companies it works with, public investors it wants as shareholders when it goes public and some private money that is enjoying a stiff markup from their last check into the company.

The company has made its mark with a series of four open-source products, with a core data lake product called Delta Lake leading the way. You may recall that another hot data lake company, Snowflake, raised almost half a billion dollars at a $12.4 billion valuation a year ago before going public last September at a valuation twice that. Databricks has already exceeded that public valuation with this round — as a private company.

When we spoke to Databricks CEO Ali Ghodsi at the time of his company’s $400 million round in 2019, one which valued the company at $6.2 billion at the time, he said his company was the fastest-growing enterprise cloud software company ever, and that’s saying something.

The company makes money by offering each of those open-source products as a software service and it’s doing exceedingly well at it, so much so that investors were tripping over each other to be part of this deal. In fact, Ghodsi said in a conversation with TechCrunch today that his company had targeted a much more modest $200 million raise, but that figure grew as more parties wanted to invest funds into the company. Even with that, Databricks had to turn capital away, he added, after deciding to cap the round at $1 billion.

The extra $800 million that the company raised will be used for M&A opportunities (with an eye on talent), spending to establish its Lakehouse concept, international expansion, and growing its engineering team, the CEO said.

Ghodsi also made clear that he does not intend to let the percentage of revenue that the company spends on R&D drop, as is common at modern software companies — as many SaaS companies grow, they spend more of their revenue on sales and marketing than on product, something that Databricks wants to avoid by continuing to invest in engineering talent.

Why? Because Ghodsi says that the pace of innovation in AI is so rapid that IP becomes outdated in just a few years. That means that companies that want to lead in this space will have to stay on the bleeding edge of their market or fall back swiftly.

The Databricks model appears to be working well, with the company closing 2020 at $425 million in annual recurring revenue, or ARR. That figure, up 75% from the year-ago period, is also up from a $350 million run rate at the end of its Q3 2020. (For more on Databricks’ business, product and growth, head here.)

Notably Ghodsi told TechCrunch that this deal only started to come together in December. It’s February 1st today, which means that it took on this bushel of new funding remarkably quickly.

Finally, at $425 million in ARR, is the CEO worried about having a valuation sitting at roughly a 65x multiple? Ghodsi said that he is not. He said that he told his company during an all-hands earlier today that the AI market is a long journey, one that he hopes to be on for decades, and the stock market will go up and down. His point, as far as I could read into it, was that so long as Databricks keeps growing as it has, its valuation will take care of itself (and that seems to be the case so far with this company).

What’s certainly true is that Databricks is now as rich as it has ever been, as large as it has ever been, and in a market that is maturing. Let’s see what it can do with all this money.

Best practices as a service is a key investment theme to watch in 2021

Enterprise IT has been completely transformed by SaaS the past decade. Okta last week published a report that showed that the largest companies now use 175 apps, a doubling over the past few years. More professionals have more tools to do their jobs than ever before. It’s an explosion of creativity and expressiveness and operational latitude — but also a recipe for disaster.

It’s one thing to give people and businesses tools — and something else to train them to use those tools effectively. Worse, as the number and complexity of software products have skyrocketed over the past decade, it has only become harder for end users to offer their customers the best possible experience.

That’s the opportunity for a range of new tools that are designed to guide — sometimes forcefully — people to use the software they have in the best possible way, in what you might dub “best practices as a service.” It’s software that is opinionated on what “best” looks like within its domain, and ensures that as many people follow that model as possible with minimal dissension. It’s simplicity-in-a-box for a complex world.

Let me give some examples from a few major fields of startups in e-commerce, security, web development and finally, in my chosen profession, writing to illustrate what I mean.

Salesforce promotes former Vlocity CEO David Schmaier to president and CPO

Last year I penned a post positing that Salesforce’s propensity to purchase mature enterprise companies not only provided new technology, but was also helping to produce a profusion of executive talent. As though to prove my point, the company announced today that it was promoting former Vlocity CEO David Schmaier to president and chief product officer.

Schmaier came to the organization last year when Salesforce acquired his company for $1.33 billion. It seemed like a good match, given that Vlocity sold Salesforce solutions designed for certain niches like financial services, health, energy and utilities and government and nonprofits.

As a result, Schmaier knew the product set and the company well. Last June, he was named CEO of the Salesforce Industries division, which was created after the Vlocity acquisition. The connection was clear to Schmaier as he told me at the time of his promotion last year:

“I’ve been involved in various mergers and acquisitions over my 30-year career, and this is the most unique one I’ve ever seen because the products are already 100% integrated because we built our six vertical applications on top of the Salesforce platform. So they’re already 100% Salesforce, which is really kind of amazing. So that’s going to make this that much simpler,” he said.

Brent Leary, founder and principal analyst at CRM Essentials, says that Schmaier’s history in building Vlocity makes this promotion pretty easy given the direction of the company, as well as the industry. “Over the last several years we’ve seen just how important developing industry-specific solutions have become to the major players in the space, and Schmaier’s promotion reaffirms this while illustrating how important creating verticals is to their platform [and] to the future of Salesforce,” he told me.

In a Q&A on the Salesforce website announcing the promotion, Schmaier talked about the challenges companies faced in the last year. “There’s no question 2020 was a challenging year. We are operating in this all-digital, work from anywhere world and things won’t go back to where they were, nor should they. One of the silver linings has been seeing what companies can do when there is no alternative and the imperative is to connect with their customers in entirely new ways,”

In his new position it will be Schmaier’s job to figure out how to help them do that.

It’s worth noting that there has been some turnover in the C-suite recently at Salesforce. Just today the company also announced that long-time CFO Mark Hawkins was retiring. He will be replaced by Amy Weaver, who was formerly the company’s chief legal officer. Meanwhile, last week the company hired former Hearsay Social co-founder and CEO Clara Shih to run Salesforce Service Cloud.

U.K. Arrest in ‘SMS Bandits’ Phishing Service

Authorities in the United Kingdom have arrested a 20-year-old man for allegedly operating an online service for sending high-volume phishing campaigns via mobile text messages. The service, marketed in the underground under the name “SMS Bandits,” has been responsible for blasting out huge volumes of phishing lures spoofing everything from COVID-19 pandemic relief efforts to PayPal, telecommunications providers and tax revenue agencies.

The U.K.’s National Crime Agency (NCA) declined to name the suspect, but confirmed that the Metropolitan Police Service’s cyber crime unit had detained an individual from Birmingham in connection with a business that supplied “criminal services related to phishing offenses.”

The proprietors of the phishing service were variously known on cybercrime forums under handles such as SMSBandits, “Gmuni,” “Bamit9,” and “Uncle Munis.” SMS Bandits offered an SMS phishing (a.k.a. “smishing”) service for the mass sending of text messages designed to phish account credentials for different popular websites and steal personal and financial data for resale.

Image: osint.fans

Sasha Angus is a partner at Scylla Intel, a cyber intelligence startup that did a great deal of research into the SMS Bandits leading up to the arrest. Angus said the phishing lures sent by the SMS Bandits were unusually well-done and free of grammar and spelling mistakes that often make it easy to spot a phony message.

“Just by virtue of these guys being native English speakers, the quality of their phishing kits and lures were considerably better than most,” Angus said.

According to Scylla, the SMS Bandits made a number of operational security (or “opsec”) mistakes that made it relatively easy to find out who they were in real life, but the technical side of the SMS Bandits’ operation was rather advanced.

“They were launching fairly high-volume smishing campaigns from SMS gateways, but overall their opsec was fairly lousy,” Angus said. “But on the telecom front they were using fairly sophisticated tactics.”

The proprietor of the SMS Bandits, telling the world he lives in Birmingham.

For example, the SMS Bandits built automated systems to check whether the phone number lists provided by their customers were indeed tied to actual mobile numbers, and not to landlines that might tip off telecommunications companies about mass spam campaigns.

“The telcos are monitoring for malicious SMS messages on a number of fronts,” Angus said. “One way to tip off an SMS gateway or wireless provider is to start blasting text messages to phone numbers that can’t receive them.”

Scylla gathered reams of evidence showing the SMS Bandits used email addresses and passwords stolen through their services to validate a variety of account credentials — from PayPal to bank accounts and utility providers. They would then offload the working credentials onto marketplaces they controlled, and to third-party vendors. One of SMS Bandits’ key offerings: an “auto-shop” web panel for selling stolen account credentials.

SMS Bandits also provided their own “bulletproof hosting” service advertised as a platform that supported “freedom of speach” [sic] where customers could “host any content without restriction.” Invariably, that content constituted sites designed to phish credentials from users of various online services.

The “bulletproof” offerings of Muni Hosting (pronounced “Money Hosting”).

The SMS Bandits phishing service is tied to another crime-friendly service called “OTP Agency,” a bulk SMS provider that appears to cater to phishers: the service’s administrator stated on multiple forums that he worked directly with the SMS Bandits.

Otp[.]agency advertises a service designed to help intercept one-time passwords needed to log in to various websites. The customer enters the target’s phone number and name, and OTP Agency will initiate an automated phone call to the target that alerts them about unauthorized activity on their account.

The call prompts the target to enter a one-time password generated by their phone’s mobile app, and that code is then relayed back to the scammer’s user panel at the OTP Agency website.

“We call the holder with an automatic calling bot, with a very believable script, they enter the OTP on the phone, and you’ll see it in real time,” OTP Agency explained on their Telegram channel. The service, which costs anywhere from $40 to $125 per week, advertises unlimited international calling, as well as multiple call scripts and voice accents.

One of the pricing plans available to OTP Agency users.

The volume of SMS-based phishing skyrocketed in 2020 — by more than 328 percent — according to a recent report from Proofpoint, a security firm that processes more than 80 percent of North America’s mobile messages [Full disclosure: Proofpoint is currently an advertiser on this site].