Using Fake Reviews to Find Dangerous Extensions

Fake, positive reviews have infiltrated nearly every corner of life online these days, confusing consumers while offering an unwelcome advantage to fraudsters and sub-par products everywhere. Happily, identifying and tracking these fake reviewer accounts is often the easiest way to spot scams. Here’s the story of how bogus reviews on a counterfeit Microsoft Authenticator browser extension exposed dozens of other extensions that siphoned personal and financial data.

Comments on the fake Microsoft Authenticator browser extension show the reviews for these applications are either positive or very negative — basically calling it out as a scam.

After hearing from a reader about a phony Microsoft Authenticator extension that appeared on the Google Chrome Store, KrebsOnSecurity began looking at the profile of the account that created it. There were a total of five reviews on the extension before it was removed: Three Google users gave it one star, warning people to stay far away from it; but two of the reviewers awarded it between three and four stars.

“It’s great!,” the Google account Theresa Duncan enthused, improbably. “I’ve only had very occasional issues with it.”

“Very convenient and handing,” assessed Anna Jones, incomprehensibly.

Google’s Chrome Store said the email address tied to the account that published the knockoff Microsoft extension also was responsible for one called “iArtbook Digital Painting.” Before it was removed from the Chrome Store, iArtbook had garnered just 22 users and three reviews. As with the knockoff Microsoft extension, all three reviews were positive, and all were authored by accounts with first and last names, like Megan Vance, Olivia Knox, and Alison Graham.

Google’s Chrome Store doesn’t make it easy to search by reviewer. For that I turned to Hao Nguyen, the developer behind, which indexes and makes searchable a broad array of attributes about extensions available from Google.

Looking at the Google accounts that left positive reviews on both the now-defunct Microsoft Authenticator and iArtbook extensions, KrebsOnSecurity noticed that each left positive reviews on a handful of other extensions that have since been removed.

Reviews on the iArtbook extension were all from apparently fake Google accounts that each reviewed two other extensions, one of which was published by the same developer. This same pattern was observed across 45 now-defunct extensions.

Like an ever-expanding Venn diagram, a review of the extensions commented on by each new fake reviewer found led to the discovery of even more phony reviewers and extensions. In total, roughly 24 hours’ worth of digging through unearthed more than 100 positive reviews on a network of patently fraudulent extensions.

Those reviews in turn led to the relatively straightforward identification of:

- 39 reviewers who were happy with extensions that spoofed major brands and requested financial data
- 45 malicious extensions that collectively had close to 100,000 downloads
- 25 developer accounts tied to multiple banned applications

The extensions spoofed a range of consumer brands, including Adobe, Amazon, Facebook, HBO, Microsoft, Roku and Verizon. Scouring the manifests for each of these other extensions in turn revealed that many of the same developers were tied to multiple apps being promoted by the same phony Google accounts.

Some of the fake extensions have only a handful of downloads, but most have hundreds or thousands. A fake Microsoft Teams extension attracted 16,200 downloads in the roughly two months it was available from the Google store. A counterfeit version of CapCut, a professional video editing software suite, claimed nearly 24,000 downloads over a similar time period.

More than 16,000 people downloaded a fake Microsoft Teams browser extension over the roughly two months it was available for download from the Google Chrome store.

Unlike malicious browser extensions that can turn your PC into a botnet or harvest your cookies, none of the extensions examined here request any special permissions from users. Once installed, however, they invariably prompt the user to provide personal and financial data — all the while pretending to be associated with major brand names.

In some cases, the fake reviewers and phony extension developers used in this scheme share names, such as the case with “brook ice,” the Google account that positively reviewed the malicious Adobe and Microsoft Teams extensions. The email address was used to register the developer account responsible for producing two of the phony extensions examined in this review (PhotoMath and Dollify).

Some of the data that informed this report. The full spreadsheet is available as a link at the end of the story.

As we can see from the spreadsheet snippet above, many of the Google accounts that penned positive reviews on patently bogus extensions left comments on multiple apps on the same day.

Additionally, Google’s account recovery tools indicate many different developer email addresses tied to extensions reviewed here share the same recovery email — suggesting a relatively small number of anonymous users are controlling the entire scheme. When the spreadsheet data shown above is sorted by email address of the extension developer, the grouping of the reviews by date becomes even clearer.
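The reviewer-to-extension pivoting and the same-day review pattern described above can be expressed as a small graph walk. This is an added example, not code or data from the original story: the reviewer, extension and developer names are constructed placeholders, and the rule of only following extensions already removed from the store is an assumption used to keep a camouflage review on a legitimate extension from tainting it.

```python
from collections import defaultdict, deque
from datetime import date

POSITIVE = 3  # the suspect reviews in the story were three stars and up

# Constructed sample data (placeholder names, not rows from the spreadsheet):
# (reviewer, extension, stars, review date)
REVIEWS = [
    ("rev_a",  "fake_auth",    4, date(2021, 4, 2)),
    ("rev_b",  "fake_auth",    3, date(2021, 4, 2)),
    ("user_x", "fake_auth",    1, date(2021, 4, 20)),  # real user warning others
    ("rev_a",  "fake_editor",  5, date(2021, 4, 2)),
    ("rev_b",  "fake_stream",  5, date(2021, 4, 3)),
    ("rev_c",  "fake_paint",   5, date(2021, 3, 11)),
    ("rev_c",  "fake_stream",  5, date(2021, 3, 11)),
    ("rev_c",  "popular_tool", 5, date(2021, 3, 11)),  # camouflage review
    ("user_x", "popular_tool", 5, date(2020, 1, 5)),
    ("user_y", "popular_tool", 4, date(2020, 6, 9)),
]
# Constructed: extension -> developer account that published it
DEVELOPER = {
    "fake_auth": "dev1", "fake_paint": "dev1", "fake_editor": "dev2",
    "fake_stream": "dev3", "popular_tool": "dev9",
}
# Constructed: extensions no longer listed in the store
REMOVED = {"fake_auth", "fake_paint", "fake_editor", "fake_stream"}


def expand(seed, reviews, developer, removed):
    """Pivot from one known-bad extension to related extensions and reviewers."""
    by_ext = defaultdict(set)       # extension -> reviewers who rated it positively
    by_reviewer = defaultdict(set)  # reviewer  -> extensions they rated positively
    for reviewer, ext, stars, _day in reviews:
        if stars >= POSITIVE:       # one-star reviews come from victims, not shills
            by_ext[ext].add(reviewer)
            by_reviewer[reviewer].add(ext)
    by_dev = defaultdict(set)       # developer -> extensions they published
    for ext, dev in developer.items():
        by_dev[dev].add(ext)

    extensions, reviewers = {seed}, set()
    queue = deque([seed])
    while queue:
        ext = queue.popleft()
        # Pivot 1: other extensions published by the same developer account.
        linked = set(by_dev[developer[ext]]) if ext in developer else set()
        # Pivot 2: other extensions praised by this extension's positive reviewers.
        for reviewer in by_ext[ext]:
            reviewers.add(reviewer)
            linked |= by_reviewer[reviewer]
        for other in linked - extensions:
            # Assumed gate: follow only extensions the store has already removed.
            if other in removed:
                extensions.add(other)
                queue.append(other)
    developers = {developer[e] for e in extensions if e in developer}
    return extensions, reviewers, developers


def same_day_bursts(reviews, reviewers, minimum=2):
    """Days on which a suspect reviewer praised at least `minimum` extensions."""
    per_day = defaultdict(set)
    for reviewer, ext, stars, day in reviews:
        if reviewer in reviewers and stars >= POSITIVE:
            per_day[(reviewer, day)].add(ext)
    bursts = defaultdict(list)
    for (reviewer, day), exts in sorted(per_day.items()):
        if len(exts) >= minimum:
            bursts[reviewer].append((day, sorted(exts)))
    return dict(bursts)


if __name__ == "__main__":
    exts, revs, devs = expand("fake_auth", REVIEWS, DEVELOPER, REMOVED)
    print("extensions:", sorted(exts))
    print("reviewers: ", sorted(revs))
    print("developers:", sorted(devs))
    for reviewer, days in same_day_bursts(REVIEWS, revs).items():
        for day, names in days:
            print(f"{reviewer} praised {len(names)} extensions on {day}: {names}")
```

In the sample, the one-star reviewer and the legitimate extension stay out of the result set, while the camouflage review still shows up in the same-day burst for the account that left it.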

KrebsOnSecurity shared these findings with Google and will update this story in the event they respond. Either way, Google somehow already detected all of these extensions as fraudulent and removed them from its store.

However, there may be a future post here about how long that bad extension identification and removal process has taken over time. Overall, most of these extensions were available for two to three months before being taken down.

As for the “so what?” here? I performed this research mainly because I could, and I thought it was interesting enough to share. Also, I got fascinated with the idea that finding fake applications might be as simple as identifying and following the likely fake reviewers. I’m positive there is more to this network of fraudulent extensions than is documented here.

As this story illustrates, it pays to be judicious about installing extensions. Leaving aside these extensions which are outright fraudulent, so many legitimate extensions get abandoned or sold each year to shady marketers that it’s wise to only trust extensions that are actively maintained (and perhaps have a critical mass of users that would make noise if anything untoward happened with the software).

According to, the majority of extensions — more than 100,000 of them — are effectively abandoned by their authors, or haven’t been updated in more than two years. In other words, there are a great many developers who are likely to be open to someone else buying up their creation along with their user base.

The information that informed this report is searchable in this Google spreadsheet.

The Good, the Bad and the Ugly in Cybersecurity – Week 22

The Good

This week, French law enforcement authorities scored another victory against illicit Dark Web vendors. The popular marketplace “Le Monde Parallèle” has been in operation (in various stages) since early 2020. With the increase in large market takedowns over the past 24 months (e.g., DarkMarket, Wall Street Market, Valhalla), Le Monde Parallèle enjoyed quite a bit of success from refugees of those fallen markets. As was the case with other popular marketplaces, Parallèle specialized in the buying and selling of stolen electronic data, drugs, weapons and other ‘underground’ items.

The Ministry of the Economy released the following statement following the arrest of two individuals involved with the administration and management of the market and its infrastructure:

“On May 17, 2021, DNRED agents carried out two home visits, in Paris and in the Metz region, following several months of investigation by the Cyberdouane service on the Darknet TOR aimed at identifying the administrators of the French-speaking platform ‘Le Monde Parallèle’ (LMP), offering for sale various illicit products and services (drugs, false documents, weapons, carding, etc.).”

It is always good to see these law enforcement efforts pay off. This is the third in a line of large France-focused markets to be seized in recent memory, with the French DW Market and Black Hand going down in 2019 and 2018 respectively.

Also this week, we continue to see repercussions from the recent DarkSide ransomware attack against the Colonial Pipeline (both positive and negative). The United States Department of Homeland Security announced (on May 27) a new Security Directive designed to enable DHS to improve its ability to identify, respond to, and prevent malicious threats to critical pipeline infrastructure.

The announcement covers the basic goal of the directive, which will ultimately require pipeline owners and operators to swiftly and accurately report potential (and confirmed) cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA). Companies must also designate a Cybersecurity Coordinator, who is to be available 365x24x7. All owners and operators will also be required to thoroughly review their current security countermeasures and procedures, identify gaps, take remediation actions, and report the findings and actions to TSA and CISA within 30 days. While it is unfortunate that it takes events like the Colonial Pipeline attack to shock some into reviewing their security posture, it is a necessary step…and will only become more so over time as these attacks continue to accelerate and expand.

The Bad

This week, Bose Corporation disclosed details around a data breach stemming back to March 2021.

The company filed a letter with the New Hampshire Office of the Attorney General stating that they had, in effect, experienced a sophisticated attack featuring a combination of ransomware and the theft of information. It is reported that during the attack some data specific to current and former employees was accessed. This includes specific HR and administrative data. In addition, the attackers were also able to gain access to “a very small number of individuals” all of whom have been notified accordingly. As a whole, exposure of external customers is extremely limited.

That said, there is a ‘good’ spin to the story. Upon discovering the attack, Bose was in a position to eradicate the threat and restore any affected or manipulated data. Even more importantly, Bose was not able to find any evidence to suggest that data was exfiltrated from the corporate environment. They were able to recover, restore AND avoid paying the ransom. In the end, it’s bad when anyone gets attacked and compromised in this way. However, preparation and well-executed Incident Response can mean the difference between a ‘security event’ and a ‘security catastrophe’.

The Ugly

This week, the Belgian Interior Ministry announced that they had been the target of a long-term cyberattack. The attack (discovered in March 2021) is said to potentially date back to 2019. It was noted in the announcement that Federal prosecutors had launched a full investigation into the scale and origin of the attack.

The attack appears to be a low-and-slow espionage attack. No ransomware was ever deployed, no files were otherwise obfuscated or exfiltrated. There were also no disruptions in availability (aka denial-of-service). All this adds up to a more ‘traditional’ long-term cyber-espionage campaign. As the investigation is ongoing, authorities are rather restricted on comments. Experts have been quoted by the RTBF (Radio-télévision belge de la Communauté française) saying this appeared to be “more complex and well targeted, leading us to think it was espionage”. Authorities also state that the systems involved have since been secured and properly mitigated.

While attribution has not been fully stated or speculated, this does come at an interesting time. Multiple EU leaders recently met in Brussels to discuss the ongoing threat of cyberattacks and associated tensions with Russia (where many of these events seem to originate). “The level of Russian interference both with spies and with web manipulation has become truly alarming,” Italian Prime Minister Mario Draghi told a news conference.

These are fairly standard attacks…and it is also a great reminder that data is key in forensic investigations. But more importantly data-over-time! Connecting all the dots in a campaign of this style requires that your tools (EDR, XDR, SIEM) retain data for enough time to be meaningful. This does not mean 1 week, 2 weeks, 30 days. We need to think in terms of months and years with these attacks (and the investigations around them).


Once a buzzword, digital transformation is reshaping markets

The notion of digital transformation evolved from a buzzword joke to a critical and accelerating fact during the COVID-19 pandemic. The changes wrought by a global shift to remote work and schooling are myriad, but in the business realm they have yielded a change in corporate behavior and consumer expectation — changes that showed up in a bushel of earnings reports this week.

TechCrunch may tend to have a private-company focus, but we do keep tabs on public companies in the tech world as they often provide hints, notes and other pointers on how startups may be faring. In this case, however, we’re working in reverse; startups have told us for several quarters now that their markets are picking up momentum as customers shake up their buying behavior with a distinct advantage for companies helping customers move into the digital realm. And public company results are now confirming the startups’ perspective.

The accelerating digital transformation is real, and we have the data to support the point.

What follows is a digest of notes concerning the recent earnings results from Box, Sprout Social, Yext, Snowflake and Salesforce. We’ll approach each in micro to save time, but as always there’s more digging to be done if you have time. Let’s go!

Enterprise earnings go up

Kicking off with Yext, the company beat expectations in its most recent quarter. Today its shares are up 18%. And a call with the company’s CEO Howard Lerman underscored our general thesis regarding the digital transformation’s acceleration.

In brief, Yext’s evolution from a company that plugged corporate information into external search engines to building and selling search tech itself has been resonating in the market. Why? Lerman explained that consumers more and more expect digital service in response to their questions — “who wants to call a 1-800 number,” he asked rhetorically — which is forcing companies to rethink the way they handle customer inquiries.

In turn, those companies are looking to companies like Yext that offer technology to better answer customer queries in a digital format. It’s customer-friendly, and could save companies money as call centers are expensive. A change in behavior accelerated by the pandemic is forcing companies to adapt, driving their purchase of more digital technologies like this.

It’s proof that a transformation doesn’t have to be dramatic to have pretty strong impacts on how corporations buy and sell online.

Boss of ATM Skimming Syndicate Arrested in Mexico

Florian “The Shark” Tudor, the alleged ringleader of a prolific ATM skimming gang that siphoned hundreds of millions of dollars from bank accounts of tourists visiting Mexico over the last eight years, was arrested in Mexico City on Thursday in response to an extradition warrant from a Romanian court.

Florian Tudor, at a 2020 press conference in Mexico in which he asserted he was a legitimate businessman and not a mafia boss. Image: OCCRP.

Tudor, a native of Craiova, Romania, moved to Mexico to set up Top Life Servicios, an ATM servicing company which managed a fleet of relatively new ATMs based in Mexico branded as Intacash.

Intacash was the central focus of a three-part investigation KrebsOnSecurity published in September 2015. That series tracked the activities of a crime gang working with Intacash that was bribing and otherwise coercing ATM technicians to install sophisticated Bluetooth-based skimmers inside cash machines throughout popular tourist destinations in and around Mexico’s Yucatan Peninsula — including Cancun, Cozumel, Playa del Carmen and Tulum.

Follow-up reporting last year by the Organized Crime and Corruption Reporting Project (OCCRP) found Tudor and his associates compromised more than 100 ATMs across Mexico using skimmers that were able to remain in place undetected for years. The OCCRP, which dubbed Tudor’s group “The Riviera Maya Gang,” estimates the crime syndicate used cloned card data and stolen PINs to steal more than $1.2 billion from bank accounts of tourists visiting the region.

Last year, a Romanian court ordered Tudor’s capture following his conviction in absentia for attempted murder, blackmail and the creation of an organized crime network that specialized in human trafficking.

Mexican authorities have been examining bank accounts tied to Tudor and his companies, and investigators believe Tudor and his associates paid protection and hush money to various Mexican politicians and officials over the years. In February, the leader of Mexico’s Green Party stepped down after it emerged that he received funds from Tudor’s group.

This is the second time Mexican authorities have detained Tudor. In April 2019, Tudor and his deputy were arrested for illegal firearms possession. That arrest came just months after Tudor allegedly ordered the execution of a former bodyguard who was trying to help U.S. authorities bring down the group’s lucrative skimming operations.

Tudor’s arrest this week inside the premises of the Mexican Attorney General’s Office did not go smoothly, according to Mexican news outlets. El Universal reports that a brawl broke out between Tudor’s lawyers and officials at the Mexican AG’s office, and a video released by the news outlet on Twitter shows Tudor resisting arrest as he is being hauled out of the building hand and foot.

A Mexican judge will decide on Tudor’s extradition to Romania in the coming weeks.

Australian startup Pyn raises $8M seed to bring targeted communication in-house

Most marketers today know how to send targeted communications to customers, and there are many tools to help, but when it comes to sending personalized in-house messages, there aren’t nearly as many options. Pyn, an early-stage startup based in Australia, wants to change that, and today it announced an $8 million seed round.

Andreessen Horowitz led the investment with help from Accel and Ryan Sanders (the co-founder of BambooHR) and Scott Farquhar (co-founder and co-CEO at Atlassian).

That last one isn’t a coincidence, as Pyn co-founder and CEO Joris Luijke used to run HR at the company and later at Squarespace and other companies, and he saw a common problem trying to provide more targeted messages when communicating internally.

“I’ve been trying to do this my entire professional life, trying to personalize the communication that we’re sending to our people. So that’s what Pyn does. In a nutshell, we radically personalize employee communications,” Luijke explained. His co-founder Jon Williams was previously a co-founder at Culture Amp, an employee experience management platform he helped launch in 2011 (and which raised more than $150 million), so the two of them have been immersed in this idea.

They bring personalization to Pyn by tracking information in existing systems that companies already use, such as Workday, BambooHR, Salesforce or Zendesk, and they can use this data much in the same way a marketer uses various types of information to send more personalized messages to customers.

That means you can cut down on the company-wide emails that might not be relevant to everyone and send messages that should matter more to the people receiving them. And as with a marketing communications tool, you can track how many people have opened the emails and how successful you were in hitting the mark.

David Ulevitch, general partner at a16z and lead investor in this deal, points out that Pyn also provides a library of customizable communications materials to help build culture and set policy across an organization. “It also treats employee communication channels as the rails upon which to orchestrate management practices across an organization [by delivering] a library of management playbooks,” Ulevitch wrote in a blog post announcing the investment.

The startup, which launched in 2019, currently has 10 employees, with teams working in Australia and the Bay Area in California. Williams says that already half the team is female and the plan is to continue putting diversity front and center as they build the company.

“Joris has mentioned ‘radical personalization’ as this specific mantra that we have, and I think if you translate that into an organization, that is all about inclusion in reality, and if we want to be able to cater for all the specific needs of people, we need to understand them. So [diversity is essential] to us,” Williams said.

While the company isn’t ready to discuss specifics in terms of customer numbers, it cites Shopify, Rubrik and Carta as early customers, and the founders say there was a lot of interest when the pandemic hit last year and the need for more frequent and meaningful types of communication became even more paramount.


mmhmm, the video conferencing software, kicks off summer with a bunch of new features

mmhmm, the communications platform developed by Phil Libin and the All Turtles team, is getting a variety of new features. According to Libin, there are parts of video communication today that can not only match what we get in the real world, but exceed it.

That’s how this next iteration of mmhmm is meant to deliver.

The new headline feature is mmhmm Chunky, which allows the presenter to break up their script and presentation into “chunks.” Think of the presenter the same way you think of slides in a deck. Each one gets the full edit treatment and final polish. With Chunky, mmhmm users can break up their presentation into chunks to perfect each individual bit of information.

A presenter can switch between live and pre-recorded chunks in a presentation. So you can imagine a salesman making a pitch and switching over to his explanation of the pricing as a pre-recorded piece of his pitch, or a teacher who has a pre-recorded chunk on a particular topic can throw to that mid-class.

But mmhmm didn’t just think about the creation side, but also the consumption side. Folks in the audience can jump around between chunks and slides to catch up, or even view in a sped-up mode to consume more quickly. Presenters can see where folks in the audience are as they present or later on.

Libin sees this feature as a way to supercharge time.

“At mmhmm, we stopped doing synchronous updates with our fully distributed team,” said Libin. “We don’t have meetings anymore where people take turns updating each other because it’s not very efficient. Now the team just sends around their quick presentations, and I can watch it in double speed because people can listen faster than people can talk. But we don’t have to do it at the same time. Then, when we actually talk synchronously, it’s reserved for that live back-and-forth about the important stuff.”

mmhmm is also announcing that it has developed its own video player, allowing folks to stream their mmhmm presentations to whichever website they’d like. As per usual, mmhmm will still work with Zoom, Google Meet, etc.

The new features list also includes an updated version of Copilot. For folks who remember, Copilot allowed one person to present and another person to “drive,” or art direct, the presentation from the background. Copilot 2.0 lets two people essentially video chat side by side, in whatever environment they’d like.

Libin showed me a presentation/conversation he did with a friend where they were both framed up in Libin’s house. He clarified that this feature works best with one-on-one conversations, or, one-on-one conversations in front of a large audience, such as a fireside chat.

Alongside mmhmm Chunky, streaming and Copilot 2.0, the platform is also doing a bit of spring cleaning with regards to organization. Users will have a Presentation Library where they can save and organize their best takes, and organizations can also use “Loaf” to store all the best videos and presentations company-wide for consumption later. The team also revamped Presets to make it easier to apply a preset to a bunch of slides at once or switch between presets more easily.

A couple other notes: mmhmm is working to bring the app to both iOS and Android very soon, and launch out of beta on Windows.

Libin explained that not every single feature described here will launch today, but rather you’ll see features trickle out each week as we head into summer. He’ll be giving a keynote on the new features here at 10 a.m. PT/1 p.m. ET.

Breinify announces $11M seed to bring data science to the marketing team

Breinify is a startup working to apply data science to personalization, and do it in a way that makes it accessible to nontechnical marketing employees to build more meaningful customer experiences. Today the company announced a funding round totaling $11 million.

The investment was led by Gutbrain Ventures and PBJ Capital with participation from Streamlined Ventures, CXO Fund, Amino Capital, Startup Capital Ventures and Sterling Road.

Breinify co-founder and CEO Diane Keng says that she and co-founder and CTO Philipp Meisen started the company to bring predictive personalization based on data science to marketers with the goal of helping them improve a customer’s experience by personalizing messages tailored to individual tastes.

“We’re big believers that the world, especially consumer brands, really need strong predictive personalization. But when you think about consumer big brands or the retailers that you buy from, most of them aren’t data scientists, nor do they really know how to activate [machine learning] at scale,” Keng told TechCrunch.

She says that she wanted to make this type of technology more accessible by hiding the complexity behind the algorithms powering the platform. “Instead of telling you how powerful the algorithms are, we show you [what that means for the] consumer experience, and in the end what that means for both the consumer and you as a marketer individually,” she said.

That involves the kind of customizations you might expect around website messaging, emails, texts or whatever channel a marketer might be using to communicate with the buyer. “So the AI decides you should be shown these products, this offer, this specific promotion at this time, [whether it’s] the web, email or SMS. So you’re not getting the same content across different channels, and we do all that automatically for you, and that’s [driven by the algorithms],” she said.

Breinify launched in 2016 and participated in the TechCrunch Disrupt Startup Battlefield competition in San Francisco that year. She said it was early days for the company, but it helped them focus their approach. “I think it gave us a huge stage presence. It gave us a chance to test out the idea just to see where the market was in regards to needing a solution like this. We definitely learned a lot. I think it showed us that people were interested in personalization,” she said. And although the company didn’t win the competition, it ended up walking away with a funding deal.

Today the startup is growing fast and has 24 employees, up from 10 last year. Keng, who is an Asian woman, places a high premium on diversity.

“We partner with about four different kinds of diversity groups right now to source candidates, but at the end of the day, I think if you are someone that’s eager to learn, and you might not have all the skills yet, and you’re [part of an under-represented] group we encourage everyone to apply as much as possible. We put a lot of work into trying to create a really well-rounded group,” she said.

Box beats expectations, raises guidance as it looks for a comeback

Box executives have been dealing with activist investor Starboard Value over the last year, along with fighting through the pandemic like the rest of us. Today the company reported earnings for the first quarter of its fiscal 2022. Overall, it was a good quarter for the cloud content management company.

The firm reported revenue of $202.4 million, up 10% compared to its year-ago result, numbers that beat Box projections of between $200 million to $201 million. Yahoo Finance reports the analyst consensus was $200.5 million, so the company also bested street expectations.

The company has faced strong headwinds the past year, in spite of a climate that has been generally favorable to cloud companies like Box. A report like this was badly needed by the company as it faces a board fight with Starboard over its direction and leadership.

Company co-founder and CEO Aaron Levie is hoping this report will mark the beginning of a positive trend. “I think you’ve got a better economic climate right now for IT investment. And then secondarily, I think the trends of hybrid work, and the sort of long-term trends of digital transformation are very much supportive of our strategy,” he told TechCrunch in a post-earnings interview.

While Box acquired e-signature startup SignRequest in February, it won’t actually be incorporating that functionality into the platform until this summer. Levie said that what’s been driving the modest revenue growth is Box Shield, the company’s content security product and the platform tools, which enable customers to customize workflows and build applications on top of Box.

The company is also seeing success with large accounts. Levie says that he saw the number of customers spending more than $100,000 with it grow by nearly 50% compared to the year-ago quarter. One of Box’s growth strategies has been to expand the platform and then upsell additional platform services over time, and those numbers suggest that the effort is working.

While Levie was keeping his M&A cards close to the vest, he did say if the right opportunity came along to fuel additional growth through acquisition, he would definitely give strong consideration to further inorganic growth. “We’re going to continue to be very thoughtful on M&A. So we will only do M&A that we think is attractive in terms of price and the ability to accelerate our roadmap, or the ability to get into a part of a market that we’re not currently in,” Levie said.

A closer look at the financials

Box managed modest growth acceleration for the quarter, existing only if we consider the company’s results on a sequential basis. In simpler terms, Box’s newly reported 10% growth in the first quarter of its fiscal 2022 was better than the 8% growth it earned during the fourth quarter of its fiscal 2021, but worse than the 13% growth it managed in its year-ago Q1.

With Box, however, instead of judging it by normal rules, we’re hunting in its numbers each quarter for signs of promised acceleration. By that standard, Box met its own goals.

How did investors react? Shares of the company were mixed after-hours, including a sharp dip and recovery in the value of its equity. The street appears to be confused by the results, weighing the report and working out whether its moderately accelerating growth is sufficiently enticing to warrant holding onto its equity, or more perversely if its growth is not expansive enough to fend off external parties hunting for more dramatic changes at the firm.

Sticking to a high-level view of Box’s results, apart from its growth numbers Box has done a good job shaking fluff out of its operations. The company’s operating margins (GAAP and not) improved, and cash generation also picked up.

Perhaps most importantly, Box raised its guidance from “the range of $840 million to $848 million” to “$845 to $853 million.” Is that a lot? No. It’s +$5 million to both the lower and upper-bounds of its targets. But if you squint, the company’s Q4 to Q1 revenue acceleration, and upgraded guidance, could be an early indicator of a return to form.

Levie admitted that 2020 was a tough year for Box. “Obviously, last year was a complicated year in terms of the macro environment, the pandemic, just lots of different variables to deal with…” he said. But the CEO continues to think that his organization is set up for future growth.

Will Box manage to perform well enough to keep activist shareholders content? Levie thinks if he can string together more quarters like this one, he can keep Starboard at bay. “I think when you look at the next three quarters, the ability to guide up on revenue, the ability to guide up on profitability. We think it’s a very very strong earnings report and we think it shows a lot of the momentum in the business that we have right now.”

When Apple Admits macOS Malware Is A Problem – It’s Time To Take Notice

You could almost hear the collective sigh of relief across the macOS security research community last week when Craig Federighi, Apple’s Senior VP of Software Engineering, finally spoke up about the problem that many of us have been voicing for several years now: Macs get malware, and Apple are struggling to cope with it.

For some, it’s a tune that can be hard to hear, so good has Apple’s marketing been over the years about the security of its platform. “Apple has built-in tools like XProtect to protect the Mac”, you will hear people say. “Apple has barriers to distribution like codesigning, Gatekeeper and Notarization”; and perhaps the most oft-cited one of all: “The Mac has such small market share it’s not worth the time of financially-motivated malware authors”.

As we’ll see in this post, that last assertion is demonstrably false, and as Apple has now also publicly admitted for the first time, Apple’s layers of security have not prevented malware from becoming a problem for Mac users and indeed for businesses with Mac fleets.

But let’s be clear: our aim here is not to bash Apple. As a hardware, software and services developer and supplier, Apple has many things to do besides malware hunting, detection and protection. Rather, our aim is to illustrate the very real problems facing Apple and Apple users from a growing malware problem that the OS vendor rightly says is “unacceptable”. Help is out there, but Mac users first need to hear what Mr Federighi and the macOS security research community are trying to tell them.

Apple Admit It: Macs Have a Malware Problem

Let’s start with what Apple has now publicly stated. In a wide-ranging testimony ostensibly about iOS security last week, Apple’s Senior VP for Software Engineering, Craig Federighi noted that Macs can be safe:

“If operated correctly, much like that car, if you know how to operate a car and obey the rules of the road and are very cautious, yes. If not, I’ve had a couple of family members who have gotten some malware on their Macs.”

The kind of malware that incautious users can easily end up with after a few innocent web searches includes well-known families such as Adload, Shlayer and SilverSparrow.

Some of the malware that targets macOS users works as a ‘pay per install’ delivery platform that is sold to unscrupulous developers both to inject unwanted advertisements into a user’s browsing experience and to load the user’s Mac with unwanted programs. Such programs typically use high-pressure marketing tactics to lure unwary users into signing up for expensive subscriptions for applications that have very little or no utility. In some cases, these include scareware security programs.

Federighi also noted that gaining access to or control of user data, cameras, and microphones is “incredibly valuable to an attacker”. As many macOS users and developers have noted with frustration over recent iterations of Apple’s operating system, access to these has been increasingly locked down behind so-called ‘transparency, consent and control’ mechanisms that are supposed to keep malware out. These have largely proven ineffective against malware due to multiple known bypasses.

Federighi did not make reference to targeted attacks facing developers and businesses from known and unknown threat actors, but some high-profile incidents such as XcodeSpy and XCSSET have hit the headlines in the last 12 months.

Regarding Apple’s approach to fighting malware, Federighi explained that “Each week, Apple identifies a couple of pieces of malware on its own or with help of third parties” and that the company is engaged in “an endless game of whack-a-mole” in its attempt to fight the “significantly larger malware problem” facing Mac users.

Malware vs macOS – How High Are the Barriers?

Perhaps the most important message for anyone running macOS, particularly businesses with a fleet of Macs, is that the barriers for an attacker to achieve code execution are not as high as they may have been led to believe.

Apple has invested heavily in touting Gatekeeper as the primary barrier to unwanted programs, and backed that up with requirements for code signing and Notarization. We’ve discussed Gatekeeper – really a set of related technologies – in the past. Nothing much has changed with respect to that: it relies on downloaded files being tagged with an extended attribute which is then examined by the OS to see whether the file is allowed to execute. There are several points of failure here, all of which in-the-wild malware regularly exploits, and which we’ve described before.

More recent technologies like Notarization are also defeasible by the removal of the same extended attribute: in short, if the attribute doesn’t exist or is removed, the Notarization check won’t come into play.

More worryingly still, there have now been numerous cases of malware actually being notarized by Apple. This in part is what Federighi likely meant by saying “it’s an endless game of whack-a-mole”. Malware gets past Apple’s notarization checks, is discovered after the fact, and the certificate is revoked. The malware authors then re-sign the code with a different developer ID and we all get to go again.

One of many recent examples of notarized malware found in the wild

When it comes to code signing and the new M1 Macs, there are also a couple of gotchas to watch out for: while it’s widely believed that M1 Macs are somehow more secure because code signing requirements are stricter, the fact is M1 Macs can run unsigned code via Rosetta.

Running unsigned code on an M1 Mac via Rosetta

Similarly, even when an M1 Mac does check for a code signature, it does not require that the code signature belongs to a known developer. Code signed with an ad hoc signature will run without hindrance, and ad hoc signatures can be created on the fly by other code or by malicious insiders. This technique is currently being used by XCSSET malware for the express purposes of running on M1 Macs.

Code from XCSSET malware showing ad hoc code signing
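For defenders, the two weak points described in this section (a missing quarantine attribute and an ad hoc or absent signature) can be checked per file. The following is an added example, not code from the original article: the function names are hypothetical, it assumes the stock macOS codesign and xattr tools, and it assumes the extended attribute in question is com.apple.quarantine, which the article does not name.

```shell
#!/bin/sh
# Added example: triage files by code-signature state and by presence of
# the quarantine extended attribute. Function names are hypothetical.

# Classify `codesign -dvv` output read on stdin as one of:
#   unsigned | adhoc | developer-id:<TEAMID> | other-signed | unknown
classify_codesign() {
    awk '
        /code object is not signed at all/     { unsigned = 1 }
        /^Identifier=/                         { seen = 1 }
        /^Signature=adhoc$/                    { adhoc = 1 }
        /^Authority=Developer ID Application:/ { devid = 1 }
        /^TeamIdentifier=/                     { team = substr($0, 16) }
        END {
            hasteam = (team != "" && team != "not set")
            if (unsigned)              print "unsigned"
            else if (adhoc)            print "adhoc"
            else if (devid && hasteam) print "developer-id:" team
            else if (seen)             print "other-signed"
            else                       print "unknown"
        }'
}

# Print "<signature-state> <quarantine-state> <path>" for one file.
# codesign writes its report to stderr, hence 2>&1.
triage_file() {
    sig=$(codesign -dvv "$1" 2>&1 | classify_codesign)
    # Assumption: com.apple.quarantine is the attribute Gatekeeper relies on.
    if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
        q=quarantined
    else
        q=no-quarantine
    fi
    printf '%s %s %s\n' "$sig" "$q" "$1"
}

# Triage every regular file directly inside a directory (non-recursive).
triage_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        triage_file "$f"
    done
}

# Usage: triage_dir ~/Downloads | grep -E '^(unsigned|adhoc) '
```

Lines beginning with `unsigned` or `adhoc`, especially together with `no-quarantine`, are the ones worth a closer look, since those files will not be stopped by the checks discussed above.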

Testing Known Malware? Beware A False Sense of Security

While we’re on the subject of code signing and certificate checks like Notarization and OCSP, there’s another important caveat to bear in mind when assessing how safe your Macs are from real world macOS malware.

As a security solution vendor, SentinelOne encourages customers to test the efficacy of their security solutions – whether 3rd party or provided by Apple as part of the macOS platform – but depending on what you test, you may get misleading results.

As we noted above, Apple regularly revokes code signing certificates belonging to developers found to distribute malware, and via Notarization, Apple can block specific samples of code that have been notarized by revoking their notarization ticket.

That means if you set about testing a particular known malware family with a sample whose code signature and/or notarization ticket has been revoked by Apple, you will of course see that sample blocked on your test. Importantly, however, you can’t conclude from that test that you’re going to block other samples of the same malware family.

For example, this sample of SilverSparrow malware can be downloaded from the blog of a popular macOS security researcher and will appear to be blocked by the OS if you try to run it:

Blocking a sample via certificate revocation

However, remove the signature or re-sign the malware with a different signature and the same sample will pass those checks (to test that, you would need to use a clean environment from the first test, since once the code is blocked the local device will remember that code is blocked even if you re-sign it or manipulate it in other ways).

Relying on code signatures as a first line of defense is fine, but given the ‘endless game of whack-a-mole’ whereby the same malware just comes back with a different certificate, it’s a barrier that is easily cleared.

What you really want to know is whether you have protection against malware families, not individual samples. Apple provides a built-in technology called XProtect to scan executable files for known malware families. Let’s see how well that works.

Why XProtect Alone Won’t Protect You From Malware

As we noted above, one of the main malware families you can run across in the wild is Adload. This family of malware has been around for some years now, has a number of different variants, and is particularly tricky to remove once it gets a hold in a system. XProtect certainly has some signatures for Adload: 14 of its 157 malware YARA rules are dedicated to Adload variants.

Apple’s XProtect contains 14 different YARA rules for Adload malware

However, it’s trivial to find Adload samples on VirusTotal that are not detected by XProtect, some as old as three years, others a few months.

Known samples of Adload malware not detected by XProtect

But perhaps that’s not a fair test. It’s easy to pick holes in a security solution for the odd detection miss here or there. Let’s take a selection of known malware families: Bundlore, Shlayer, SilverSparrow, RLoad/Lador, all of which are detected by static AV engines on VirusTotal (the list of 20 hashes as well as those above are provided at the end of this post).

A variety of common macOS malware found on VirusTotal

Again, as can be seen from the image of the first eight shown above, the dates these were first detected vary from 2018 to a few months ago. Let’s see how XProtect does with these. If you want to try this at home you will need to install YARA, and then point YARA to the XProtect.yara file.

% mdfind -name XProtect.bundle | grep -i coreservices
% yara -w /Library/Apple/System/Library/CoreServices/XProtect.bundle/Resources/XProtect.yara <path-to-sample>

I use a few functions in my shell profile to make this easier (the xprotect_families.txt file is a list of XProtect rule names that can be extracted from this file on SentinelLabs GitHub, but it isn’t necessary to run the test).

Adding functions to your shell profile can make it easier to test XProtect with a local YARA installation

Unfortunately, XProtect doesn’t have a signature for any of these 20 samples from common, known malware families.
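To repeat this kind of coverage test on your own sample set, helpers along the following lines can go in a shell profile. This is an added example and not the author's own functions: the function names are hypothetical, it assumes YARA is installed and prints matches in its default "<rule> <path>" form, and it uses the XProtect.yara path given above.

```shell
#!/bin/sh
# Added example: measure XProtect's YARA coverage over a folder of samples.
# Function names are hypothetical; the rules path is the one from the article.
XPROTECT_RULES="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Resources/XProtect.yara"

# Run XProtect's rules over each file given as an argument.
# Emits yara's default match lines: "<rule> <path>".
xprotect_scan() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        yara -w "$XPROTECT_RULES" "$f"
    done
}

# Read yara match lines on stdin, take sample paths as arguments, and print
# "HIT <path> <rule,rule,...>" or "MISS <path>" for every sample.
xprotect_coverage() {
    matches=$(cat)
    for sample in "$@"; do
        # Everything after the first space is the path, so paths that
        # contain spaces still compare correctly.
        rules=$(printf '%s\n' "$matches" | P="$sample" awk '
            { rule = $1; sub(/^[^ ]+ /, "")
              if ($0 == ENVIRON["P"]) out = out (out ? "," : "") rule }
            END { print out }')
        if [ -n "$rules" ]; then
            printf 'HIT %s %s\n' "$sample" "$rules"
        else
            printf 'MISS %s\n' "$sample"
        fi
    done
}

# Number of samples with no matching XProtect rule.
xprotect_miss_count() {
    xprotect_coverage "$@" | awk '/^MISS /{ n++ } END { print n + 0 }'
}

# Scan a flat directory of samples and report coverage per file.
xprotect_report() {
    set -- "$1"/*
    xprotect_scan "$@" | xprotect_coverage "$@"
}

# Usage: xprotect_report ~/samples
```

A MISS only means no XProtect YARA rule matched that file; it says nothing about whether other layers such as certificate revocation would block it.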

What should we conclude from this? As stated at the outset, we’re not Apple-bashing here: XProtect does do a decent job of blocking the macOS malware that it knows about, particularly since recent versions of the OS ensure files are scanned by XProtect even if they are missing the extended attribute.

The problem is there’s just a lot more malware out there than XProtect knows about. Yes, Apple has another tool, the, that can remediate some known malware infections, again if it knows about them, but there are other problems with, chief among them the frequency with which it runs (or doesn’t run). We’ve written about before at length here and here.


For enterprises running macOS fleets, the macOS malware problem isn’t going to go away on its own or be solved by relying on Apple’s built-in tools, welcome as they are. A solution like SentinelOne brings to the table the missing detection, protection, visibility and control features that macOS lacks. Developed in-house with native support for Apple silicon, kextless and 365+ data retention options, we have a long-term investment in securing Macs. We are Mac users, too, and security is our business.

If you would like to see how SentinelOne can help protect your Mac fleet, contact us for more information or request a free demo.

Samples Used


The 1st XProtect Test

2nd XProtect Test


Sinch, a Swedish customer engagement giant, raises $1.1B, SoftBank and Temasek participating

Sinch — a Twilio competitor based out of Sweden that provides a suite of services to companies to build communications and specifically “customer engagement” into their services by way of APIs — has been on a steady funding and acquisitions march in the last several months to scale its business, and today comes the latest development on that front.

The company has announced that it has raised another $1.1 billion in a direct share issue, with significant chunks of that funding coming from Temasek and SoftBank, in order to continue building its business.

Specifically, the company — which is traded on the Swedish stock exchange Nasdaq Stockholm and currently has a market cap of around $11 billion — said that it was making a new share issue of 7,232,077 shares at SEK 1,300 per share, raising approximately SEK 9.4 billion (equivalent to around $1.1 billion at current rates).

Sinch said that investors buying the shares included “selected Swedish and international investors of institutional character,” highlighting that Temasek and SB Management (a direct subsidiary of SoftBank Group Corp.) would respectively take SEK 2,085 million and 0.7 million shares. This works out to a $252 million investment for Temasek, and $110 million for SoftBank.

SoftBank last December took a $690 million stake in Sinch (when it was valued at $8.2 billion). That was just ahead of the company scooping up Inteliquent in the U.S. in January for $1.14 billion to move a little closer to Twilio’s home turf.

Sinch is not saying much more beyond the announcement of the share issue for now, except that the raise was made to shore up its financial position ahead of more M&A activity.

“Sinch has an active M&A-agenda and a track record of successful acquisitions, making [it] well placed to drive continued consolidation of the messaging and [communications platform as a service, CPaaS] market,” it said in a short statement. “Furthermore, the increased financial flexibility that the directed new share issue entails further strengthens the Company’s position as a relevant and competitive buyer.”

The company is profitable and active in more than 40 markets, and CEO Oscar Werner said in Sinch’s most recent earnings report that in the last quarter alone its communications APIs — which work across channels like SMS, WhatsApp, Facebook Messenger, chatbots, voice and video — handled 40 billion mobile messages.

Notably, its strategy has a strong foothold in the U.S. because of the Inteliquent acquisition. It will be interesting to see how and if it continues to consolidate to build up market share in that part of the world, or whether it focuses elsewhere, given the heft of two very strong Asian investors now in its stable. 

“Becoming a leader in the U.S. voice market is key to establish Sinch as the leading global cloud communications platform,” said Werner in January.

While Sinch has focused much of its business, as has Twilio, around an API-based model focused on communications services, its acquisition of Inteliquent also gave it access to a large, legacy Infrastructure-as-a-Service (IaaS) product set, aimed at telcos to provide off-net call termination (when a call is handed off from one carrier to another) and toll-free numbers.

Tellingly, when Sinch acquired Inteliquent, the two divisions each accounted for roughly half of its total business, but the CPaaS business is growing at twice the rate of IaaS, which points to how Sinch views the future for itself, too.