Business messaging platform Gupshup raises $240 million from Tiger Global, Fidelity and others

Gupshup, a business messaging platform that began its journey in India 15 years ago, surprised many when it raised $100 million in April this year, roughly 10 years after its last financing round, and attained the coveted unicorn status. Now just three months later, the San Francisco-headquartered startup has secured even more capital from high-profile investors.

On Wednesday, Gupshup said it had raised an additional $240 million as part of the same Series F financing round. The new investment was led by Fidelity Management, Tiger Global, Think Investments, Malabar Investments, Harbor Spring Capital, certain accounts managed by Neuberger Berman Investment Advisers, and White Oak.

Neeraj Arora, formerly a high-profile executive at WhatsApp who played an instrumental role in helping the messaging platform sell to Facebook, also wrote a significant check to Gupshup in the new tranche of investment, which continues to value the startup at $1.4 billion as in April.

In an interview with TechCrunch earlier this week, Beerud Sheth, co-founder and chief executive of Gupshup, said he extended the financing round after receiving too many inbound requests from investors. The new investors will provide the startup with crucial insight and expertise, he said. The round is now closed, he said.

The startup, which operates a conversational messaging platform that is used by over 100,000 businesses and developers today to build their own messaging and conversational experiences to serve their users and customers, is beginning to consider exploring the public markets by next year, said Sheth, though he cautioned a final decision is yet to be made.

“Conversation is becoming a bigger part of doing business and it has partly been driven by the pandemic,” he said over a phone call. “Second, we have always been the leader in this space, but the product innovation we have focused on in the last two to three years has worked in our favor.”

The new investment, which includes some secondary buyback (some early investors and employees are selling their stakes), will be deployed into broadening the product offerings of Gupshup, he said. The startup is also eyeing some M&A opportunities and may close some deals this year, he added.

Some of the notable customers of Gupshup, which leads the business messaging market

Before Gupshup became so popular with businesses, it existed in a different avatar. For the first six years of its existence, Gupshup was best known for enabling users in India to send group messages to friends. (These cheap texts and other clever techniques enabled tens of millions of Indians to stay in touch with one another on phones a decade ago.)

That model eventually became unfeasible to continue, Sheth told TechCrunch in an earlier interview.

“For that service to work, Gupshup was subsidizing the messages. We were paying the cost to the mobile operators. The idea was that once we scale up, we will put advertisements in those messages. Long story short, we thought as the volume of messages increases, operators will lower their prices, but they didn’t. And also the regulator said we can’t put ads in the messages,” he said earlier this year.

That’s when Gupshup decided to pivot. “We were neither able to subsidize the messages, nor monetize our user base. But we had all of this advanced technology for high-performance messaging. So we switched from consumer model to enterprise model. So we started to serve banks, e-commerce firms, and airlines that need to send high-level messages and can afford to pay for it,” said Sheth, who also co-founded freelance workplace Elance in 1998.

Over the years, Gupshup has expanded to newer messaging channels, including conversational bots and it also helps businesses set up and run their WhatsApp channels to engage with customers.

Sheth said scores of major firms worldwide in banking, e-commerce, travel and hospitality and other sectors are among the clients of Gupshup. These firms are using Gupshup to send their customers transaction information and authentication codes, among other use cases. “These are not advertising or promotional messages. These are core service information,” he said.

“We have followed Gupshup’s progress for a long while and believe that they are the most evolved customer communications platform in India and increasingly in other emerging markets, with a leadership position in the most attractive and fastest growing sub-segments of the market,” said Sumeet Nagar, Managing Director of Malabar Investments, in a statement.

“We believe that Beerud and team have the unique opportunity to expand the addressable market on the back of new offerings and scale the business up significantly, which is a perfect recipe for massive value creation. I have known Beerud for over three decades, and all of us at Malabar are delighted to partner with Gupshup in the next stage of their journey.”

Atera raises $77M at a $500M valuation to help SMBs manage their remote networks like enterprises do

When it comes to software to help IT manage workers’ devices wherever they happen to be, enterprises have long been spoiled for choice — a situation that has come in especially handy in the last 18 months, when many offices globally have gone remote and people have logged into their systems from home. But the same can’t really be said for small and medium enterprises: as with so many other aspects of tech, they’ve long been overlooked when it comes to building modern IT management solutions tailored to their size and needs.

But there are signs of that changing. Today, a startup called Atera that has been building remote, and low-cost, predictive IT management solutions specifically for organizations with less than 1,000 employees, is announcing a funding round of $77 million — a sign of the demand in the market, and Atera’s own success in addressing it. The investment values Atera at $500 million, the company confirmed.

The Tel Aviv-based startup has amassed some 7,000 customers to date, managing millions of endpoints — computers and other devices connected to them — across some 90 countries, providing real-time diagnostics across the datapoints generated by those devices to predict problems with hardware, software and network, or with security issues.

Atera’s aim is to use the funding both to continue building out that customer footprint, and to expand its product — specifically adding more functionality to the AI that it currently uses (and for which Atera has been granted patents) to run predictive analytics, one of the technologies that today are part and parcel of solutions targeting larger enterprises but typically are absent from much of the software out there aimed at SMBs.

“We are in essence democratizing capabilities that exist for enterprises but not for the other half of the economy, SMBs,” said Gil Pekelman, Atera’s CEO, in an interview.

The funding is being led by General Atlantic, and it is notable for being only the second time that Atera has ever raised money — the first was earlier this year, a $25 million round from K1 Investment Management, which is also in this latest round. Before this year, Atera, which was founded in 2016, turned profitable in 2017 and then intentionally went out of profit in 2019 as it used cash from its balance sheet to grow. Through all of that, it was bootstrapped. (And it still has cash from that initial round earlier this year.)

As Pekelman — who co-founded the company with Oshri Moyal (CTO) — describes it, Atera’s approach to remote monitoring and management, as the space is typically called, starts first with software clients installed at the endpoints that connect into a network, which give IT managers the ability to monitor a network, regardless of the actual physical range, as if it’s located in a single office. Around that architecture, Atera essentially monitors and collects “datapoints” covering activity from those devices — currently taking in some 40,000 datapoints per second.

To be clear, these datapoints are not related to what a person is working on, or any content at all, but how the devices behave, and the diagnostics that Atera amasses and focuses on cover three main areas: hardware performance, networking and software performance and security. Through this, Atera’s system can predict when something might be about to go wrong with a machine, or why a network connection might not be working as it should, or if there is some suspicious behavior that might need a security-oriented response. It supplements its work in the third area with integrations with third-party security software — Bitdefender and Acronis among them — and by issuing updated security patches for devices on the network.

The whole system is built to be run in a self-service way. You buy Atera’s products online, and there are no salespeople involved — in fact most of its marketing today is done through Facebook and Google, Pekelman said, which is one area where it will continue to invest. This is one reason why it’s not really targeting larger enterprises (the others are the level of customization that would be needed, as well as more sophisticated service level agreements). But it is also the reason why Atera is so cheap: it costs $89 per month per IT technician, regardless of the number of endpoints that are being managed.

“Our constituencies are up to 1,000 employees, which is a world that was in essence quite neglected up to now,” Pekelman said. “The market we are targeting and that we care about are these smaller guys and they just don’t have tools like these today.” Since the model is $89 per month per technician using the software, a company with 500 people and four technicians is paying $356 per month to manage its networks, peanuts in the greater scheme of IT services, and one reason why Atera has caught on as more and more employees have gone remote, and are looking like they will stay that way.

And the fact that this model is thriving is also one of the reasons investors are interested.

“Atera has developed a compelling all-in-one platform that provides immense value for its customer base, and we are thrilled to be supporting the company in this important moment of its growth trajectory,” said Alex Crisses, MD, Global Head of New Investment Sourcing and Co-Head of Emerging Growth at General Atlantic, in a statement. “We are excited to work with a category-defining Israeli company, extending General Atlantic’s presence in the country’s cutting-edge technology sector and marking our fifth investment in the region. We look forward to partnering with Gil, Oshri, and the Atera team to help the company realize its vision.”

Detecting XLoader | A macOS ‘Malware-as-a-Service’ Info Stealer and Keylogger

Threat actors have come to recognize the reality that today’s organizations operate fleets of devices encompassing all the major OS vendors – Apple, Microsoft, Google and many flavors of Linux – and are adapting accordingly. Threats that can be compiled on one platform but produce executables targeting many are a productivity boon to criminals, who now operate in an increasingly competitive environment trying to sell their wares.

The latest such threat to come to attention is XLoader, a Malware-as-a-Service info stealer and keylogger that researchers say was developed out of the ashes of FormBook. Unlike its Windows-only predecessor, XLoader targets both Windows and macOS. In this post, we take an initial look at the macOS version of XLoader, describe its behavior and show how XLoader can be detected on Apple’s Mac platform.

XLoader for Mac – Java Runtime For the Steal

The macOS sample we analyzed comes as both a standalone binary and as a compiled .jar file. The .jar file appears to be distributed as an attachment in a phishing lure, such as in this document Statement SKBMT 09818.jar.

XLoader is likely distributed by mail spam

Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE with Macs over a decade ago.

Nonetheless, Java is still a common requirement in enterprise environments and is still in use for some banking applications. As a result, many organizations will have users that either do or must install the Oracle version of Java to meet these needs. As a 3rd party plugin, the Oracle JRE is installed at /Library/Internet Plug-Ins/JavaAppletPlugin.plugin.

When the malware is executed as a .jar file, the execution chain begins with the OS-provided JavaLauncher at /System/Library/CoreServices/JavaLauncher.app.

XLoader’s execution chain begins with the JavaLauncher

The JavaLauncher is also populated in the Accessibility pane in System Preferences’ Privacy tab and a dialog is popped requesting the user to grant access for automation. As we shall see below, this is likely leveraged as part of the info stealer’s functionality.

The JavaLauncher requests access to control other applications

The com.oracle.JavaInstaller will also populate the ‘Full Disk Access’ table in the same tab. This remains unchecked by default and, at least on our test, no dialog was presented to the user to request permissions.

XLoader Behavior on macOS

On execution the malware drops a 32×32 pixel Windows image file in the user’s home directory called NVFFY.ico.

A Windows icon file is dropped in the user’s home folder

The user’s default image viewer – typically the built-in Preview.app – will be launched to display this image. At this point, one could imagine that even the most unsuspecting user opening the ‘Statement SKBMT’ file is going to think that something is amiss.

The .ico file as presented to the victim

It’s unclear what the malware authors were thinking here: perhaps the sample is an early development or a test sample. Alternatively, this may be a reflection of the hazards of cross-platform malware, where the author’s assumptions on the Windows platform were not fully tested on a macOS device.

In any case, no interaction is required from the user and the malware continues to drop and execute the rest of its components. This involves dropping and executing a Mach-O file in the user’s Home folder. This file, kIbwf02l, writes a hidden application bundle, also located in the victim’s Home folder, containing a copy of itself. It then writes and loads a user LaunchAgent with a program argument pointing to the copy in the hidden app bundle. From then on, the kIbwf02l file appears to be redundant but is not cleaned up by the malware.

Example of an XLoader LaunchAgent

The label for the LaunchAgent and the names of the hidden app and executable are all randomized and vary from execution to execution. The binary is passed the argument start as a launch parameter.

The hidden application is itself a barebones bundle containing only the Info.plist and the Mach-O executable.

XLoader’s hidden application bundle

A copy of the same executable, sans bundle and with the filename kIbwf02l, is also dropped in the User’s home directory.
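One way to hunt for the persistence pattern described above, as an added example that is not from the original post: it parses user LaunchAgent plists and flags any whose program sits inside a hidden (dot-prefixed) .app bundle directly under the home folder and is launched with the argument start. The sample plists, the home path and the bundle and label names are constructed placeholders, not the real indicators.

```python
"""Hunt for LaunchAgents matching the XLoader-style persistence pattern.

Added example code, not from the original post. Flags a user LaunchAgent when
its program lives in a hidden .app bundle directly in $HOME and it is started
with the argument "start". Names and paths below are constructed placeholders.
"""
import os
import plistlib
from pathlib import Path, PurePosixPath

# Constructed sample resembling the LaunchAgent described in the post:
# randomized-looking label, hidden bundle in the home folder, "start" argument.
SAMPLE_AGENT = plistlib.dumps({
    "Label": "com.EXAMPLELABEL.PLACEHOLDER",
    "ProgramArguments": ["/Users/victim/.Xk3f.app/Contents/MacOS/Xk3f", "start"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

# Constructed benign agent for contrast: normal install location, no "start".
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/Example", "--check"],
})


def is_hidden_home_bundle(program: str, home: str) -> bool:
    """True if program is inside a dot-prefixed .app bundle directly under home."""
    try:
        rel = PurePosixPath(program).relative_to(PurePosixPath(home))
    except ValueError:
        return False  # program is not under the home folder at all
    parts = rel.parts
    if not parts:
        return False
    top = parts[0]
    return (top.startswith(".") and top.endswith(".app")
            and "Contents" in parts and "MacOS" in parts)


def assess_agent(plist_bytes: bytes, home: str) -> dict:
    """Score one LaunchAgent plist against the persistence pattern."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    # launchd accepts either a bare Program key or ProgramArguments[0]
    program = data.get("Program") or (args[0] if args else "")
    reasons = []
    if program and is_hidden_home_bundle(program, home):
        reasons.append("program inside hidden .app bundle in home folder")
    if len(args) > 1 and args[1] == "start":
        reasons.append('launched with argument "start"')
    return {
        "label": data.get("Label"),
        "program": program,
        "reasons": reasons,
        # require both traits to keep false positives low
        "suspicious": len(reasons) == 2,
    }


def scan_launch_agents(home: str) -> list:
    """Walk ~/Library/LaunchAgents and return assessments of suspicious plists."""
    agents_dir = Path(home) / "Library" / "LaunchAgents"
    findings = []
    for plist in agents_dir.glob("*.plist"):
        try:
            result = assess_agent(plist.read_bytes(), home)
        except (plistlib.InvalidFileException, ValueError, OSError):
            continue  # skip unreadable or malformed plists
        if result["suspicious"]:
            result["path"] = str(plist)
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan_launch_agents(os.path.expanduser("~")):
        print(finding)
```

Run as-is on a Mac it scans the current user's LaunchAgents; the constructed samples let the logic be exercised offline.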

Analysis of the XLoader Mach-O

The compiled Mach-O executable pointed to by the persistence agent is heavily stripped and obfuscated. As the image below indicates, static analysis using tools like strings will show little, and dynamic analysis is complicated by a number of anti-debugging features.

Left: the hidden app’s Info.plist. Right: strings and symbols in the executables

For the purposes of quick triage, we extracted the stackstrings from the Mach-O using otool to get an initial idea of the info stealer’s functionality. With further processing either manually or with radare2, we can match these strings to particular functions.

Stack strings found in XLoader’s macOS version

The strings here show that XLoader attempts to steal credentials from Chrome and Firefox browsers. We also see an indication that the malware calls the NSWorkspace API to identify the front window via the Accessibility API AXTitleFocusedWindow and leverages NSPasteboard, likely to copy information from the window of the user’s currently active process. Calling Accessibility APIs requires user consent as this functionality is controlled by TCC. As noted above, the JavaLauncher has such permissions.

Other researchers have suggested that XLoader’s internet traffic is laden with decoys to disguise the actual C2 used to transmit data. As we did not observe any credential stealing traffic in our test, we cannot confirm that suspicion, but XLoader’s internet traffic is certainly ‘noisy’. We observed the malware reaching out to a variety of known phishing and malware sites.

Some of the IP addresses contacted by the XLoader malware

One of a number of malicious domains XLoader contacts (VirusTotal)

Detecting XLoader Infostealer on macOS

At the end of this post we provide a number of macOS-specific Indicators of Compromise to help organizations and users in general identify an XLoader infection. SentinelOne customers are protected against this malware automatically, regardless of whether it is executed via the Java Runtime Environment or by the standalone XLoader Mach-O.

In our test, we set the agent to ‘Detect-only’ policy in order to observe the malware’s behaviour. Customers are advised to always use the ‘Protect’ policy which prevents execution of malware entirely.

In ‘Detect-only’ mode, the target’s Mac device will immediately alert the user via Notifications:

Security teams and IT administrators, meanwhile, would see something similar to the following in the Management console.

After remediation, the UI (version 21.7EA) on the device indicates that the threat has been successfully killed and quarantined.

Conclusion

XLoader is an interesting and somewhat unusual example in the macOS malware world. Its dependency on Java and its functionality suggest it is primarily targeting organizations where the threat actors expect Java applications to be in use. Among other things, that includes certain online banking applications, and the attractiveness from a criminal’s perspective of a keylogger and info stealer in that environment can certainly be understood. It is also worth noting that the malware’s minimum system requirement is 10.6 Snow Leopard (over 10 years old), so the authors are certainly casting their net wide. On the other hand, the implementation on macOS is clumsy at best and is likely to raise suspicions. No doubt the malware authors will be looking to improve on this in future iterations.

Indicators of Compromise

SHA1 Hashes

XLoader Mach-O Executable: kIbwf02l
7edead477048b47d2ac3abdc4baef12579c3c348

Suspected Phishing lure attachment: Statement SKBMT 09818.jar
cf51d75ae620a06df19c1fb29739de0dc2b34915

Example Persistence LaunchAgent: com.j85H64iPLnW.rXxHYP
cb3e7ac4e2e83335421f8bbc0cf953cb820e2e27

Contacted IPs

Interesting Strings

.appMacOSContentsInfo.plist
.exe.dll
/logins.json
10.:1.1OS X XLNG:
200 OK
80987dat=&=&un=&br=&os=1
DB1ChromeURL:
guidURL: Firefox
NSStringstringWithCString:encoding:
open
passtokenemailloginsigninaccountHost: &GETPUTPOSTOPTIONSGET
r%s <</dev/null
Recovery
rm -rf
rm unzip nss3.zip -d
saltysalt
UTF8StringNSPasteboardstringForType:generalPasteboardpublic.utf8-plain-text
UTF8StringNSWorkspacesharedWorkspaceprocessIdentifierfrontmostApplicationAXTitleAXFocusedWindow


Box unwraps its answer to the $3.8B e-signature market: Box Sign

Box released its new native e-signature product Box Sign on Monday, providing e-signature capability and unlimited signatures as part of Box’s business and enterprise plans at no additional cost.

The launch comes five months after the Redwood City, California-based company agreed to acquire e-signature startup SignRequest for $55 million.

Box CEO Aaron Levie told TechCrunch the company is already securing content management for 100,000 businesses, and Box Sign represents “a breakthrough product for the company” — a new category in which Box can help customers with business processes.

“We are building out a content cloud that powers the lifecycle of content so customers can retain and manage it,” Levie said. “Everyday, there are more transactions around onboarding a customer, closing a deal or an audit, but these are still done manually. We are moving that to digital and enabling the request of signatures around the content.”

Here’s how it works: Users can send documents for e-signature directly from Box to anyone, even those without a Box account. Places for signature requests and approvals can be created anywhere on the document. All of this integrates across popular apps like Salesforce and includes email reminders and deadline notifications. As with Box’s offerings, the signatures are also secure and compliant.

The global e-signature software market was estimated to be around $1.8 billion in 2020, according to Prescient & Strategic Intelligence, while IDC expects it to grow to $3.8 billion by 2023.

Levie considers the market still early as less than one-third of organizations use e-signature due to legacy tool limitations and cost barriers, revealing massive future opportunities. However, that may be changing: Box worked with banks during the pandemic that were still relying on mailing, scanning and faxing documents to help them adapt to digital processes. It also surveyed its customers last year around product capabilities, and the No. 1 “ask” was e-signature, he said.

He mentioned major players DocuSign and Adobe Sign — two products it will continue to integrate with — among the array of technology within the space. He said that Box is not trying to compete with any player, but saw a need from customers and wanted to proceed with an option for them.

The e-signature offering also follows the hiring of Diego Dugatkin in June as Box’s new chief product officer. Prior to joining, Dugatkin was vice president of product management for Adobe Document Cloud and led strategy and execution for Adobe’s suite of products, including Adobe Sign.

“Our strategy has been for many years to expand our portfolio and power more advanced use cases, as well as a vision to have one platform to manage everything,” Levie said. “Diego has two decades of tremendous domain experience, and he will make a massive dent in powering this for us.”

In addition to the e-signature product, Box also introduced its Enterprise Plus plan that includes all of the company’s major add-ons, as well as advanced e-signature capabilities that will be available later this summer, the company said.


Nium crosses $1B valuation with $200M Riverwood Capital-led round

Business-to-business payments platform Nium announced Monday that it raised more than $200 million in Series D funding and saw its valuation rise above $1 billion.

The company, now Singapore-based but shifting to the Bay Area, touted the investment as making it “the first B2B payments unicorn from Southeast Asia.”

Riverwood Capital led the round, in which Temasek, Visa, Vertex Ventures, Atinum Capital, Beacon Venture Capital and Rocket Capital Investment participated, along with a group of angel investors like DoorDash’s Gokul Rajaram, FIS’ Vicky Bindra and Tribe Capital’s Arjun Sethi. Including the new funding, Nium has raised $300 million to date, Prajit Nanu, co-founder and CEO, told TechCrunch.

The B2B payments sector is already hot, yet underpenetrated, according to some experts. To give an idea just how hot, Nium was seeking $150 million for its Series D round, received commitments of $300 million from eager investors and settled on $200 million, Nanu said.

“This is our fourth or fifth fundraise, but we have never had this kind of interest before — we even had our term sheets in five days,” he added. “I believe this interest is because we’ve successfully managed to create a global platform that is heavily regulated, which gives us access to a lot of networks. This is an environment where payment is visible, and our core is powering frictionless commerce and enabling anyone to use our platform.”

Nium’s new round adds fuel to a fire shared by a number of companies all going after a global B2B payments market valued at $120 trillion annually: last week, Paystand raised $50 million in Series C funding to make B2B payments cashless, while Dwolla raised $21 million for its API that allows companies to build and facilitate fast payments. In March, Higo brought in $3.3 million to do the same in Latin America, while Balance, developing a B2B payments platform that allows merchants to offer a variety of payment methods, raised $5.5 million in February.

Nium’s approach is to provide access to a global payment infrastructure, including card issuance, accounts receivable and payable, and banking-as-a-service through a single API. The company’s network enables customers to then send funds to more than 100 countries, pay out in more than 60 currencies, accept funds in seven currencies and issue cards in more than 40 countries, Nanu said. The company also boasts money transfer, card issuances and banking licenses in 11 jurisdictions.

Francisco Alvarez-Demalde, co-founding partner and managing partner at Riverwood, said in an email that the combination of software — plus regulatory licenses — and operating a fintech infrastructure platform on behalf of neobanks and corporates is a global trend experiencing hyper-growth.

Riverwood followed Nium for many years, and its future vision was what got the firm interested in being a part of this round. Alvarez-Demalde said that “Nium has the incredible combination of a great market opportunity, a talented founder and team, and we believe the company is poised for global growth based on underlying secular technology trends like increasing real-time payment capabilities and the proliferation of cross border commerce.

“As a central payment infrastructure in one API, Nium is a catalyst that unlocks cross-border payments, local accounts and card issuance with a network of local market licenses, partners and banking relationships to facilitate moving money across the world,” he added. “Enterprises of all types are embedding financial services as part of their consumer experience, and Nium is a key global enabler of this trend.”

Nanu said the new funding enables the company to move to the United States, which represents 3% of Nium’s revenue. He wants to increase that to 20% over the next 18 months, as well as expand in Latin America. The investment also gives the company a 12- to 18-month runway for further M&A activity. In June, Nium acquired virtual card issuance company Ixaris, and in July acquired Wirecard Forex India to expose it to India’s market. He also plans to expand the company’s payments network infrastructure, invest in product development and add to Nium’s 700-person headcount.

Nium already counts hundreds of enterprise companies as clients and plans to onboard thousands more in the next year. The company processes $8 billion in payments annually and has issued more than 30 million virtual cards since 2015. Meanwhile, revenue grew by over 280% year over year.

All of this growth puts the company on a trajectory for an initial public offering, Nanu said. He has already spoken to people who will help the company formally kick off that journey in the first quarter of 2022.

“Unlike other companies that raise money for new products, we aim to expand in the existing sets of what we do,” Nanu said. “The U.S. is a new market, but we have a good brand and will use the new round to provide a better experience to the customer.”


ActiveFence comes out of the shadows with $100M in funding and tech that detects online harm, now valued at $500M+

Online abuse, disinformation, fraud and other malicious content is growing and getting more complex to track. Today, a startup called ActiveFence, which has quietly built a tech platform to suss out threats as they are being formed and planned, to make it easier for trust and safety teams to combat them on platforms, is coming out of the shadows to announce significant funding on the back of a surge of large organizations using its services.

The startup, co-headquartered in New York and Tel Aviv, has raised $100 million, funding that it will use to continue developing its tools and to continue expanding its customer base. To date, ActiveFence says that its customers include companies in social media, audio and video streaming, file sharing, gaming, marketplaces and other technologies — it has yet to disclose any specific names but says that its tools collectively cover “billions” of users. Governments and brands are two other categories that it is targeting as it continues to expand. It has been around since 2018 and is growing at around 100% annually.

The $100 million being announced today actually covers two rounds: its most recent Series B led by CRV and Highland Europe, as well as a Series A it never announced led by Grove Ventures and Norwest Venture Partners. Vintage Investment Partners, Resolute Ventures and other unnamed backers also participated. It’s not disclosing valuation but I understand it’s over $500 million.

“We are very honored to be ActiveFence partners from the very earliest days of the company, and to be part of this important journey to make the internet a safer place and see their unprecedented success with the world’s leading internet platforms,” said Lotan Levkowitz, general partner at Grove Ventures, in a statement.

The increased presence of social media and online chatter on other platforms has put a strong spotlight on how those forums are used by bad actors to spread malicious content. ActiveFence’s particular approach is a set of algorithms that tap into innovations in AI (natural language processing) to map relationships between conversations. It crawls all of the obvious, and less obvious and harder-to-reach parts of the internet to pick up on chatter that is typically where a lot of the malicious content and campaigns are born — some 3 million sources in all — before they become higher-profile issues. It’s built both on the concept of big data analytics as well as understanding that the long tail of content online has a value if it can be tapped effectively.

“We take a fundamentally different approach to trust, safety and content moderation,” Noam Schwartz, the co-founder and CEO, said in an interview. “We are proactively searching the darkest corners of the web and looking for bad actors in order to understand the sources of malicious content. Our customers then know what’s coming. They don’t need to wait for the damage, or for internal research teams to identify the next scam or disinformation campaign. We work with some of the most important companies in the world, but even tiny, super niche platforms have risks.”

The insights that ActiveFence gathers are then packaged up in an API that its customers can then feed into whatever other systems they use to track or mitigate traffic on their own platforms.

ActiveFence is not the only company building technology to help platform operators, governments and brands to have a better picture of what is going on in the wider online world. Factmata has built algorithms to better understand and track sentiments online; Primer (which also recently raised a big round) also uses NLP to help its customers track online information, with its customers including government organizations that used its technology to track misinformation during election campaigns; Bolster (formerly called RedMarlin) is another.

Some of the bigger platforms have also gotten more proactive in bringing tracking technology and talent in-house: Facebook acquired Bloomsbury AI several years ago for this purpose; Twitter has acquired Fabula (and is working on bigger efforts like Birdwatch to build better tools), and earlier this year Discord picked up Sentropy, another online abuse tracker. In some cases, companies that more regularly compete against each other for eyeballs and dollars are even teaming up to collaborate on efforts.

Indeed, it may well be that ultimately there will exist multiple efforts and multiple companies doing good work in this area, not unlike other corners of the world of security, where problems may need more than one hammer thrown at them before they crack. In this particular case, the growth of the startup to date, and its effectiveness in identifying early warning signs, is one reason why investors have been interested in ActiveFence.

“We are pleased to support ActiveFence in this important mission,” commented Izhar Armony, the lead investor from CRV, in a statement. “We believe they are ready for the next phase of growth and that they can maintain leadership in the dynamic and fast growing trust and safety market.”

“ActiveFence has emerged as a clear leader in the developing online trust and safety category. This round will help the company to accelerate the growth momentum we witnessed in the past few years,” said Dror Nahumi, general partner at Norwest Venture Partners, in a statement.

Sedna banks $34M for a platform that parses large volumes of email and chat to automatically action items within them

Many have tried to do away with it, but email refuses to die, although in the process it might be (figuratively speaking) killing some of us with the workload it creates just to triage and use it. A startup called Sedna has built a system to help with that, specifically for enterprise and other business customers, by “reading” the text of emails and chats and automatically actioning items within them so that you don’t have to. And today, it’s announcing funding of $34 million to expand its work.

The funding, a Series B, is being led by Insight Partners, with Stride.VC, Chalfen Ventures and the SAP.iO fund (part of SAP) also participating. The funding will be used to continue building out more data science around Sedna’s core functionality, with the aim of moving into a wider set of verticals over time. Currently its main business is in the area of supply chain players, with Glencore, Norden, and Bunge among its customers. Other customers in areas like finance include the neobank Starling. London-based Sedna is not disclosing valuation.

Bill Dobie, Sedna’s CEO and founder originally from Vancouver but now in London, said the idea for the company was hatched out of his own experience.

“I spent years building software to help users be more productive, but no matter what we built we never really reduced people’s workload,” he said. The reason: the millstone that is called email, with its endless, unsolicited, inbound messages, some of which (just enough not to ignore) might be important. “What really struck me was how long it spent to move items out of and into email,” he said of the “to-do’s” that arose out of there.

Out of that, Sedna was built to “read” emails and give them more context and direction. Its system removes duplicates of action items and essentially increases the strike rate when it comes to people’s inboxes: what’s in there is more likely to be what you really need to see. And it does so at a very quick speed.

“Our main value is the sheer scale at which we operate,” Dobie said. “We read millions or even billions of messages in sub-second response times.” Indeed, while many of us are not getting “millions” of emails, there is a world of messaging out there beyond email that needs reading. Think, for example, of the volume of data that will be coming down the pike from IoT-based diagnostics.

“Smart” inboxes have definitely become a thing for consumers — although arguably none work as well as you wish they did. What’s notable about Sedna has been how it’s tuned its particular algorithms to specific verticals, letting them get smarter around the kind of content and work practices in particular organizations.

Right now the work is driven by an API framework, with elements of “low code” formatting to let people shape their own Sedna experiences, and the aim is to make that even easier over time. In most deployments today, though, it is the customer’s SAP, shipping or trading system that understands the transaction under way; Sedna then uses a decision tree to categorize the messages around it.

Another area where Sedna might grow is in how it handles the information that it ingests. Currently, a customer can connect the company’s tech to hand off certain work to RPA systems, as well as to specific humans. There is an obvious route for Sedna to build that second stage of software itself; alternatively, it’s a sign of how something like Sedna might get snapped up, or copied, by one of the big RPA players.

“Bill started reimagining email where it was most broken and therefore hardest to fix—large teams managing huge volumes and complicated processes,” said Rebecca Liu-Doyle, principal at Insight Partners, in a statement. “Today, Sedna’s power is in its ability to introduce immense speed, simplicity, and delight to any inbox experience, regardless of scale or complexity. We are excited to partner with the Sedna team as they continue to make digital communication more intelligent for teams in global supply chain and beyond.” Liu-Doyle is joining the board with this round.

SAP is a strategic investor in this round, as Sedna potentially helps its customers be more productive while using SAP systems. “SAP continues to partner with SEDNA to deliver value to SAP customers. The ability to turn complex information into simpler intelligent collaboration has been a growing priority for many SAP customers,” said Stefan Sauer, global transport solutions lead at SAP, in a statement.

PlugwalkJoe Does the Perp Walk

Joseph “PlugwalkJoe” O’Connor, in a photo from a paid press release on Sept. 02, 2020, pitching him as a trustworthy cryptocurrency expert and advisor.

One day after last summer’s mass-hack of Twitter, KrebsOnSecurity wrote that 22-year-old British citizen Joseph “PlugwalkJoe” O’Connor appeared to have been involved in the incident. When the U.S. Justice Department last week announced O’Connor’s arrest and indictment, his alleged role in the Twitter compromise was well covered in the media.

But most of the coverage seems to have overlooked the far more sinister criminal charges in the indictment, which involve an underground scene wherein young men turn to extortion, sextortion, SIM swapping, death threats and physical attacks — all in a frenzied effort to seize control over social media accounts.

Skim the government’s indictment and you might overlook a footnote on Page 4 that says O’Connor is part of a group that had exactly zero reservations about using their playbook of harassment tactics against law enforcement agents who were already investigating their alleged crimes.

“O’Connor has potentially been linked to additional prior swatting incidents and possibly (although not confirmed and currently still under investigation) the swatting of a U.S. law enforcement officer,” the footnote reads.

Swatting involves making a false report to authorities in a target’s name with the intention of sending a heavily armed police force to that person’s address. It’s a potentially deadly hoax: Earlier this month, a Tennessee man was sentenced to 60 months in prison for setting in motion a swatting attack that led to the death of a 60-year-old grandfather.

As for the actual criminal charges, O’Connor faces ten counts, including conspiracy, computer intrusion, extortive communications, stalking and threatening communications.

FEMALE TARGETS

All of those come into play in the case of the Snapchat account of actor Bella Thorne, who was allegedly targeted by PlugwalkJoe and associates in June 2019.

Investigators say O’Connor was involved in a “SIM swap” against Thorne’s mobile phone number. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.

In this case, the SIM swap was done to wrest control over Thorne’s Snapchat account. Once inside, the attackers found nude photos of Thorne, which they then threatened to release unless she agreed to post on social media thanking the hackers using their online handles.

The intruders posted on Thorne’s Snapchat, “Will drop nudes if 5000 of you follow @PlugwalkJoe.” Thorne told the feds her phone lost service shortly before her account was hijacked. Investigators later found the same Internet address used to access Thorne’s Snapchat account also was used minutes later to access “@Joe” on Instagram, which O’Connor has claimed publicly.

On June 15, 2019, Thorne posted on Twitter that she’d been “threatened with my own nudes,” and posted screenshots of the text messages with the individual who had extorted her. Thorne said she was releasing the photographs so that the individual would not be able to “take yet another thing from me.”

The indictment alleges O’Connor also swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.

Social media personality Addison Rae had 55 million followers when her TikTok account got hacked last August. I noted on Twitter at the time that PlugWalkJoe had left his calling card yet again. The indictment alleges O’Connor also was involved in a SIM-swap against Rae’s mobile number.


BAD REACTION

Prosecutors believe that roughly a week after the Twitter hack O’Connor called in bomb threats and swatting attacks targeting a high school and an airport in California. They’re confident it was O’Connor making the swatting and bomb threat calls because his voice is on record in a call he made to federal investigators, as well as to an inmate arrested for SIM swapping.

Curiously left out of the media coverage of O’Connor’s alleged crimes is that PlugwalkJoe appears to have admitted in a phone call with the FBI to being part of a criminal conspiracy. In the days following the Twitter mass-hack, O’Connor was quoted in The New York Times denying any involvement in the Twitter bitcoin scam. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”

Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, O’Connor demanded that his name be kept out of future blog posts here. After he was told that couldn’t be promised, he mentioned that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like. In nearly the same breath, O’Connor said he was open to talking to federal investigators and telling his side of the story.

According to the indictment, a week after the Twitter hack a man identifying himself as O’Connor called federal investigators in Northern California. Specifically, the call went to the REACT Task Force. REACT is a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that is focused on catching criminal SIM swappers, and by this point REACT already had plenty of audio from phone calls traced back to O’Connor in which he allegedly participated in a SIM swapping or swatting attack.

“REACT began receiving tips in 2018 regarding illegal activity of an individual using the online moniker ‘PlugwalkJoe,’ purportedly identified as O’Connor from the United Kingdom,” the indictment states.

Prosecutors redacted the name of the law enforcement officer who allegedly was swatted by PlugwalkJoe, referring to him only as “C.T.,” a criminal investigator for the Santa Clara District Attorney and a REACT Task Force member.

FBI agents called O’Connor back at the number he left. O’Connor told the FBI that on the afternoon of July 15, 2020 he’d been in contact with other associates who were in communications with the alleged mastermind of the Twitter bitcoin scam. Those intermediaries worked directly with Graham Clark, then 17, who pleaded guilty to fraud charges last summer in connection with the Twitter hack and agreed to serve three years in prison followed by three years of probation.

The indictment says O’Connor told the feds he only wanted his friends to relay his desire for Clark to secure several different short Twitter usernames that belonged to other people, accounts that were to be later sold for a profit. The other associates who allegedly helped PlugwalkJoe interact with Clark also have since been charged in connection with the Twitter hack.

A copy of the indictment is here (PDF).

The Good, the Bad and the Ugly in Cybersecurity – Week 30

The Good

It was a year ago almost to the week that we reported on a mass cyber hack against at least 130 social media celebrities. As we reported at the time, Twitter accounts belonging to the likes of Joe Biden, Barack Obama, Elon Musk, Bill Gates, Apple and Uber were all breached and used to pull off a Bitcoin scam that netted the hackers over $100,000 in less than 24 hours. This week, it looks as though cybercops have caught up with yet another of the alleged perpetrators.

Police in Spain arrested a 22-year-old British man, Joseph O’Connor, on suspicion of being behind the attack. Three others, two from the U.S. and another from the U.K., have already been charged in the case. O’Connor faces computer intrusion charges relating to the Twitter hack as well as similar intrusions of TikTok and Snapchat. The Department of Justice says he is also being charged with cyberstalking a juvenile.

With the help of the U.K.’s National Crime Agency, the Spanish National Police arrested O’Connor on Wednesday after a request from U.S. authorities following a criminal complaint filed in the U.S. District Court for the Northern District of California. Once again, international law enforcement cooperation has proven vital in bringing those who perpetrate cyber crimes to justice.

The Bad

There was already plenty of controversy swirling around the Tokyo Olympics – from Russia’s stealth involvement to whether the event should even be taking place given the ongoing pandemic – but of course, cyber attackers had to get in on the act, too.

Initially, news broke early in the week apparently from a Japanese government source suggesting that login IDs and passwords for the Tokyo Olympic ticket portal had been posted to a Darknet “leaks” website following a breach. A spokesperson for the Tokyo 2020 Olympics International Communications Team later contradicted that claim, saying the government source was mistaken.

While it seems there had been some leaks, these were not related to a breach of the ticket portal. Rather, it appears some ticket holders as well as Olympic Village volunteers had been infected with malware and leaked their own credentials.

It seems these individuals were infected with infostealer malware that exfiltrated credentials stored in their browsers. The data was subsequently offered for sale on underground marketplaces.

While it’s certainly welcome to learn that a general breach of the Olympics ticket portal hasn’t taken place, there are concerns that threat actors are targeting the event. The FBI released an alert this week warning that cyber actors who wish to disrupt the event could use distributed denial of service (DDoS) attacks, ransomware, social engineering, phishing campaigns, or insider threats against entities associated with the Tokyo 2020 Summer Olympics. All involved are advised to remain vigilant and maintain best practices in their network and digital environments.

The Ugly

News has been breaking across mainstream media since Sunday regarding the use of iOS and Android spyware being sold to authoritarian regimes by private security contractor NSO. Apparently, the spyware platform known as “Pegasus” is meant to be used to target ‘persons of interest’ to governments and law enforcement agencies, but campaigners such as Amnesty International claim that the spyware is used by oppressive regimes to facilitate human rights violations around the world on a massive scale.

While opinion remains divided as to the true extent of the use of NSO’s spyware in the wild, there’s no doubt that there are genuine concerns that the spyware has been used to expose activists, journalists and politicians critical of certain governments.

Meanwhile, researchers claim that they have proof that the Pegasus spyware has successfully infected iPhone 11 and iPhone 12 models through iMessage zero-click attacks. Pegasus marketing material offers prospective clients unlimited access to targets’ mobile devices while “leaving no trace on the target devices”.

Source: Pegasus marketing material

NSO, for its part, disputes the claims made in the most recent revelations, arguing that the number of targets is substantially lower than the 50,000 claimed by campaigners, and that the company vets all its clients to ensure abuses do not occur.

Amidst all of this is another ongoing debate about Apple’s approach to security. The famously secretive device manufacturer argues that iPhone security is enhanced by its opaque, proprietary operating system and Apple’s tight rein on application distribution. Many security researchers and privacy activists, on the other hand, say that such a ‘security by obscurity’ approach only serves to abet criminals by making it impossible for users to detect whether their devices have been compromised.

It’s a debate that’s not going to go away any time soon. Readers might like to reflect on whether they would be happy using desktop and laptop computers that, by design, were unable to run any third-party security software. If one feels nervous at the prospect of leaving computer security entirely in the hands of an OS vendor, it’s hard to imagine why we should be comfortable doing the same with our phones.


Paystand banks $50M to make B2B payments cashless and with no fees

It’s pretty easy for individuals to send money back and forth, and there are lots of cash apps from which to choose. On the commercial side, however, it is not nearly as easy for a business to send $100,000 the same way.

Paystand wants to change that. The Scotts Valley, California-based company is using cloud technology and the Ethereum blockchain as the engine for its Paystand Bank Network that enables business-to-business payments with zero fees.

The company raised $50 million in Series C funding led by NewView Capital, with participation from SoftBank’s SB Opportunity Fund and King River Capital. This brings the company’s total funding to $85 million, Paystand co-founder and CEO Jeremy Almond told TechCrunch.

During the 2008 economic downturn, Almond’s family lost their home. He decided to go back to graduate school and did his thesis on how commercial banking could be better and how digital transformation would be the answer. Gleaning his company vision from the enterprise side, Almond said what Venmo does for consumers, Paystand does for commercial transactions between mid-market and enterprise customers.

“Revenue is the lifeblood of a business, and money has become software, yet everything is in the cloud except for revenue,” he added.

He estimates that almost half of enterprise payments still involve a paper check, while fintech bets heavily on cards that come with 2% to 3% transaction fees, which Almond said is untenable when a business is routinely sending $100,000 invoices. Paystand is charging a flat monthly rate rather than a fee per transaction.

Paystand’s platform. Image Credits: Paystand

On the consumer side, companies like Square and Stripe were among the first wave of companies predominantly focused on accounts payable and then building business process software on top of an existing infrastructure.

Paystand’s view of the world is that the accounts receivable side is harder, which is why there aren’t many competitors. This is why Paystand is surfing the next wave of fintech, driven by blockchain and decentralized finance, to transform the $125 trillion B2B payment industry by offering an autonomous, cashless and feeless payment network that will be an alternative to cards, Almond said.

Customers using Paystand over a three-year period see average benefits such as 50% savings on the cost of receivables and $850,000 savings on transaction fees. The company is seeing a 200% increase in monthly network payment value, and its customer count grew two-fold in the past year.

The company said it will use the new funding to continue to grow the business by investing in open infrastructure. Specifically, Almond would like to reboot digital finance, starting with B2B payments, and reimagine the entire CFO stack.

“I’ve wanted something like this to exist for 20 years,” Almond said. “Sometimes it is the unsexy areas that can have the biggest impacts.”

As part of the investment, Jazmin Medina, principal at NewView Capital, will join Paystand’s board. She told TechCrunch that while the venture firm is a generalist, it is rooted in fintech and fintech infrastructure.

She also agrees with Almond that the B2B payments space is lagging in terms of innovation and has “strong conviction” in what Almond is doing to help mid-market companies proactively manage their cash needs.

“There is a wide blue ocean of the payment industry, and all of these companies have to be entirely digital to stay competitive,” Medina added. “There is a glaring hole if your revenue is holding you back because you are not digital. That is why the time is now.”