“FudCo” Spam Empire Tied to Pakistani Software Firm

In May 2015, KrebsOnSecurity briefly profiled “The Manipulaters,” the name chosen by a prolific cybercrime group based in Pakistan that was very publicly selling spam tools and a range of services for crafting, hosting and deploying malicious email. Six years later, a review of the social media postings from this group shows they are prospering, while rather poorly hiding their activities behind a software development firm in Lahore that has secretly enabled an entire generation of spammers and scammers.

The Web site in 2015 for the “Manipulaters Team,” a group of Pakistani hackers behind the dark web identity “Saim Raza,” who sells spam and malware tools and services.

The Manipulaters’ core brand in the underground is a shared cybercriminal identity named “Saim Raza,” who for the past decade across dozens of cybercrime sites and forums has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” etc.

The common acronym in nearly all of Saim Raza’s domains over the years — “FUD” — stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

One of several current Fudtools sites run by The Manipulaters.

The current website for Saim Raza’s Fud Tools (above) offers phishing templates or “scam pages” for a variety of popular online sites like Office365 and Dropbox. They also sell “Doc Exploit” products that bundle malicious software with innocuous Microsoft Office documents; “scampage hosting” for phishing sites; a variety of spam blasting tools like HeartSender; and software designed to help spammers route their malicious email through compromised sites, accounts and services in the cloud.

For years leading up to 2015, “admin@manipulaters.com” was the name on the registration records for thousands of scam domains that spoofed some of the world’s top banks and brand names, but particularly Apple and Microsoft. When confronted about this, The Manipulaters founder Madih-ullah Riaz replied, “We do not deliberately host or allow any phishing or any other abusive website. Regarding phishing, whenever we receive complaint, we remove the services immediately. Also we are running business since 2006.”

The IT network of The Manipulaters, circa 2013. Image: Facebook

Two years later, KrebsOnSecurity received an email from Riaz asking to have his name and that of his business partner removed from the 2015 story, saying it had hurt his company’s ability to maintain stable hosting for their stable of domains.

“We run web hosting business and due to your post we got very serious problems especially no data center was accepting us,” Riaz wrote in a May 2017 email. “I can see you post on hard time criminals we are not criminals, at least it was not in our knowledge.”

Riaz said the problem was that his company’s billing system erroneously used The Manipulaters’ name and contact information instead of its clients’ in WHOIS registration records. That oversight, he said, caused many researchers to erroneously attribute to his company activity that was coming from just a few bad customers.

“We work hard to earn money and it is my request, 2 years of my name in your wonderful article is enough punishment and we learned from our mistakes,” he concluded.

The Manipulaters have indeed learned a few new tricks, but keeping their underground operations air-gapped from their real-life identities is mercifully not one of them.

ZERO OPERATIONAL SECURITY

Phishing domain names registered to The Manipulaters included an address in Karachi, with the phone number 923218912562. That same phone number is shared in the WHOIS records for 4,000+ domains registered through domainprovider[.]work, a domain controlled by The Manipulaters that appears to be a reseller of another domain name provider.

One of Saim Raza’s many ads in the cybercrime underground for his Fudtools service promotes the domain fudpage[.]com, and the WHOIS records for that domain share the same Karachi phone number. Fudpage’s WHOIS records list the contact as “admin@apexgrand.com,” which is another email address used by The Manipulaters to register domains.

As I noted in 2015, The Manipulaters Team used domain name service (DNS) settings from another blatantly fraudulent service called ‘FreshSpamTools[.]eu,’ which was offered by a fellow Pakistani who also conveniently sold phishing toolkits targeting a number of big banks.

The WHOIS records for FreshSpamTools briefly list the email address bilal.waddaich@gmail.com, which corresponds to the email address for a Facebook account of a Bilal “Sunny” Ahmad Warraich (a.k.a. Bilal Waddaich).

Bilal Waddaich’s current Facebook profile photo includes many current and former employees of We Code Solutions.

Warraich’s Facebook profile says he works as an IT support specialist at a software development company in Lahore called We Code Solutions.

The We Code Solutions website.

A review of the hosting records for the company’s website wecodesolutions[.]pk shows that over the past three years it has shared a server with just a handful of other domains, including:

-saimraza[.]tools
-fud[.]tools
-heartsender[.]net
-fudspampage[.]com
-fudteam[.]com
-autoshopscript[.]com
-wecodebilling[.]com
-antibotspanel[.]com
-sellonline[.]tools
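The pivots used in this investigation (a phone number shared across WHOIS records, a registrant email reused on a second domain, a small set of domains co-hosted on one server) are the same ones an analyst automates when clustering infrastructure. The following is an added example, not code or data from this article: it takes constructed WHOIS-style and hosting records with placeholder values and clusters the domains that share an attribute. Every domain, email, phone number and IP in it is made up.

```python
"""Cluster domains through shared registration and hosting attributes.

Added example with constructed data: the WHOIS-style records and the
hosting observations below are placeholders, not records from the article.
Two domains are linked when they share a registrant email, a registrant
phone number, or a hosting IP; connected components of that graph are the
candidate clusters an analyst then reviews by hand.
"""
from collections import defaultdict

# Constructed WHOIS-style records (placeholder values only).
WHOIS_RECORDS = [
    {"domain": "spamtools-a.test", "email": "admin@regA.test", "phone": "+00 0000 0001"},
    {"domain": "fudpage-b.test",   "email": "admin@regB.test", "phone": "+00 0000 0001"},
    {"domain": "reseller-c.test",  "email": "Admin@regB.test", "phone": "+00 0000 0002"},
    {"domain": "devshop-d.test",   "email": "info@devshop-d.test", "phone": "+00 0000 0003"},
    {"domain": "unrelated-e.test", "email": "owner@regE.test", "phone": "+00 0000 0009"},
]

# Constructed passive-DNS style observations: (domain, hosting IP).
HOSTING_RECORDS = [
    ("devshop-d.test", "203.0.113.10"),
    ("spamtools-a.test", "203.0.113.10"),
    ("unrelated-e.test", "198.51.100.7"),
]


def normalize_phone(phone):
    """Keep digits only so formatting differences do not break the pivot."""
    return "".join(ch for ch in phone if ch.isdigit())


def build_links(whois, hosting):
    """Map each pivot attribute, typed to avoid cross-type collisions, to the
    set of domains that carry it."""
    links = defaultdict(set)
    for rec in whois:
        links[("email", rec["email"].lower())].add(rec["domain"])
        links[("phone", normalize_phone(rec["phone"]))].add(rec["domain"])
    for domain, ip in hosting:
        links[("ip", ip)].add(domain)
    return links


def cluster_domains(links):
    """Return connected components of domains as (domains, pivots) pairs.

    A pivot is an attribute shared by at least two domains in the component;
    an attribute unique to one domain is not evidence of anything.
    """
    neighbors = defaultdict(set)
    for domains in links.values():
        for d in domains:
            neighbors[d].update(domains - {d})

    seen, clusters = set(), []
    for start in sorted(neighbors):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            d = stack.pop()
            if d in comp:
                continue
            comp.add(d)
            stack.extend(neighbors[d] - comp)
        seen |= comp
        pivots = sorted(a for a, ds in links.items() if len(ds & comp) > 1)
        clusters.append((sorted(comp), pivots))
    return clusters


def pivot_types(cluster):
    """Number of distinct evidence types (email, phone, ip) tying a cluster
    together. One type alone, especially a single shared IP on a busy
    shared-hosting box, is weak evidence on its own."""
    return len({kind for kind, _ in cluster[1]})


if __name__ == "__main__":
    for domains, pivots in cluster_domains(build_links(WHOIS_RECORDS, HOSTING_RECORDS)):
        print(domains, pivots)
```

The caveat a practitioner wants here is the one the article itself applies: a shared IP only means something when the server hosts "just a handful" of domains, so check how many domains sit on an IP before treating co-hosting as a link, and prefer clusters tied together by more than one evidence type.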

FUD CO

The profile image atop Warraich’s Facebook page is a group photo of current and former We Code Solutions employees. Helpfully, many of the faces in that photo have been tagged and associated with their respective Facebook profiles.

For example, the Facebook profile of Burhan Ul Haq, a.k.a. “Burhan Shaxx” says he works in human relations and IT support for We Code Solutions. Scanning through Ul Haq’s endless selfies on Facebook, it’s impossible to ignore a series of photos featuring various birthday cakes and the words “Fud Co” written in icing on top.

Burhan Ul Haq’s photos show many Fud Co-themed cakes the We Code Solutions employees enjoyed on the anniversary of the Manipulaters Team.

Yes, from a review of the Facebook postings of We Code Solutions employees, it appears that for at least the last five years this group has celebrated an anniversary every May with a Fud Co cake, non-alcoholic sparkling wine, and a Fud Co party or group dinner. Let’s take a closer look at that delicious cake:

The head of We Code Solutions appears to be a guy named Rameez Shahzad, the older individual at the center of the group photo in Warraich’s Facebook profile. You can tell Shahzad is the boss because he is at the center of virtually every group photo he and other We Code Solutions employees posted to their respective Facebook pages.

We Code Solutions boss Rameez Shahzad (in sunglasses) is in the center of this group photo, which was posted by employee Burhan Ul Haq, pictured just to the right of Shahzad.

Shahzad’s postings on Facebook are even more revelatory: On Aug. 3, 2018, he posted a screenshot of someone logged into a WordPress site under the username Saim Raza — the same identity that’s been pimping Fud Co spam tools for close to a decade now.

“After [a] long time, Mailwizz ready,” Shahzad wrote as a caption to the photo:

We Code Solutions boss Rameez Shahzad posted on Facebook a screenshot of someone logged into a WordPress site with the username Saim Raza, the same cybercriminal identity that has peddled the FudTools spam empire for more than 10 years.

Whoever controlled the Saim Raza cybercriminal identity had a penchant for re-using the same password (“lovertears”) across dozens of Saim Raza email addresses. One of Saim Raza’s favorite email address variations was “game.changer@[pick ISP here]”. Another email address advertised by Saim Raza was “bluebtcus@gmail.com.”

So it was not surprising to see Rameez Shahzad post a screenshot to his Facebook account of his computer desktop, which shows he is logged into a Skype account that begins with the name “game.” and a Gmail account beginning with “bluebtc.”

Image: Scylla Intel

KrebsOnSecurity attempted to reach We Code Solutions via the contact email address on its website — info@wecodesolutions[.]pk — but the message bounced back, saying there was no such address. Similarly, a call to the Lahore phone number listed on the website produced an automated message saying the number is not in service. None of the We Code Solutions employees contacted directly via email or phone responded to requests for comment.

FAIL BY NUMBERS

This open-source research on The Manipulaters and We Code Solutions is damning enough. But the real icing on the Fud Co cake is that sometime in 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s past and current business operations.

That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Whoops.

Scylla co-founder Sasha Angus said the messages that flooded their inbox once they set up an email server on that domain quickly filled in many of the details they didn’t already have about The Manipulaters.

“We know the principals, their actual identities, where they are, where they hang out,” Angus said. “I’d say we have several thousand exhibits that we could put into evidence potentially. We have them six ways to Sunday as being the guys behind this Saim Raza spammer identity on the forums.”

Angus said he and a fellow researcher briefed U.S. prosecutors in 2019 about their findings on The Manipulaters, and that investigators expressed interest but also seemed overwhelmed by the volume of evidence that would need to be collected and preserved about this group’s activities.

“I think one of the things the investigators found challenging about this case was not who did what, but just how much bad stuff they’ve done over the years,” Angus said. “With these guys, you keep going down this rabbit hole that never ends because there’s always more, and it’s fairly astonishing. They are prolific. If they had halfway decent operational security, they could have been really successful. But thankfully, they don’t.”

The Good, the Bad and the Ugly in Cybersecurity – Week 36

The Good

“Stalkerware” is a term that refers to commercial software used to monitor the digital activities of others, typically without their consent. Although there are legitimate uses for location tracking (think fleet vehicles) and activity monitoring (parental monitoring, say), some companies market software that stretches these boundaries and is intended to appeal to an audience of abusive partners, unscrupulous employers, cyber stalkers, and others who seek to control the behavior of their victims through covert surveillance. In the security industry, we often end up referring to these as PUPs or PUAs (Potentially Unwanted Programs/Applications) to alert users to their presence when detected.

However, in the case of “SpyFone”, the company went beyond even the usual boundaries of commercial spyware, with a catalog of misbehavior that has now been called out by the FTC. The company and its CEO have been found to have committed several misdeeds, including illegally harvesting private information from SpyFone users and failing to secure that information from other hackers and identity thieves. They also failed to comply with a previous FTC order to fully investigate a hack of the company’s servers back in 2018.

The FTC has now banned both company and CEO from any further trading in surveillance software, not just in the US, but worldwide. In addition, the FTC has ordered the company behind SpyFone (Support King) and the CEO to “delete any information illegally collected from their stalkerware apps”, as well as “notify owners of devices on which SpyFone’s apps were installed that their devices might have been monitored and the device may not be secure”. Hopefully, this will serve as an example to other ne’er-do-wells thinking of dipping their feet into the murky world of Stalkerware apps: the FTC is watching you.

The Bad

This week, news broke of a particular seller on one underground forum selling a new evasion method with the hope of appealing to cybercriminals looking for an edge. The seller offered a Proof-of-Concept to execute code in GPUs made by Intel, AMD and Nvidia. Executing code directly from the GPU is attractive for malicious purposes as it may provide an avenue to bypass certain types of endpoint security controls.

The seller states that the tool “allocates address space in GPU memory buffer, inserts and executes code from there”. They go on to indicate that the technique can be used against Windows systems running OpenCL 2.x and above. The original advertisement went up for sale in early August 2021. On the 25th of August, the same seller updated the thread simply stating “Sold”.

There have been other methodologies published in the past for executing code out of GPU, and other participants in the same forum were quick to point this out to the seller.

While the novelty of this seller’s product may be up for debate, the threat of such a tactic should be taken seriously. Executing code in places that endpoint tools do not inspect has always been attractive to enterprising attackers, and there is plenty of academic research documenting similar tactics, as well as in-the-wild examples. Whether the apparent buyer of this PoC will turn up on our radar remains to be seen, but we suspect that if the developer’s code has genuine utility, we’ll see that ‘Sold’ message revert to ‘For Sale’ again before too long.

The Ugly

An article published this week by NPR raised some fresh, and worrying, concerns related to the recent rash of MS Exchange server hacks committed by Chinese APT actor Hafnium. The article suggests that those attacks and others over recent years may have been committed specifically for the purpose of feeding and training a Chinese-built AI system with data on US citizens.

The article notes that four years ago, China was producing more research related to AI than any other country, and that it currently has over 1,000 AI firms. Combine this with the fact that it’s been an open secret among Western intelligence agencies that China is on a campaign to steal massive amounts of data and what might seem like random, untargeted attacks on small and medium-sized businesses running on-premises Exchange servers starts to take on a different complexion.

Former director of the NCSC (National Counterintelligence and Security Center) William Evanina recently testified in front of the Senate Committee on Intelligence, claiming that a catalog of hacks in recent years had hoovered up the PII (personally identifiable information) of more than 80% of all Americans.

“The Chinese have more data than we have on ourselves…So you have the OPM data breach…you have an entire security clearance file for someone, you have Anthem records, you have his Marriott point record, credit cards, Equifax, his loans, his mortgages, his credit score. They know everything about you…”

To what end? The South China Morning Post claims the country has a vision to be a world leader in AI by 2030 with a focus on “social governance, national defence construction, and industrial value chain”. According to Evanina, the name of the game is manipulation, at home and abroad. Whether it’s coercing individuals or stealing IP or curbing criticism, we all know that data means power, and China appears to be grabbing all the data it can get its hands on. Not for nothing has President Biden declared that cyber security is a matter of national and economic security, but it’s not just the government that needs to up its game. We are all targets now. We owe it to ourselves and each other to take our own cybersecurity posture more seriously.




Customer experience startup Clootrack raises $4M, helps brands see through their customers’ eyes

Getting inside the mind of customers is a challenge as behaviors and demands shift, but Clootrack believes it has cracked the code in helping brands figure out how to do that.

It announced $4 million in Series A funding, led by Inventus Capital India, and included existing investors Unicorn India Ventures, IAN Fund and Salamander Excubator Angel Fund, as well as individual investment from Jiffy.ai CEO Babu Sivadasan. In total, the company raised $4.6 million, co-founder Shameel Abdulla told TechCrunch.

Clootrack is a real-time customer experience analytics platform that helps brands understand why customers stay or churn. Shameel Abdulla and Subbakrishna Rao, who both come from IT backgrounds, founded the company in 2017 after meeting years prior at Jiffstore, Abdulla’s second company that was acquired in 2015.

Clootrack team. Image Credits: Clootrack

Business-to-consumer and consumer brands often use customer satisfaction metrics like Net Promoter Score to understand the customer experience, but Abdulla said current methods don’t provide the “why” of those experiences and are slow, expensive and error-prone.

“The number of channels has increased, which means customers are talking to you, expressing their feedback and what they think in multiple places,” he added. “Word of mouth has gone digital, and you basically have to master the art of selling online.”

Clootrack turns the customer experience data from all of those first-party and third-party touchpoints — website feedback, chat bots, etc. — into granular, qualitative insights that give brands a look at drivers of the experience in hours rather than months so that they can stay on top of fast-moving trends.

Abdulla points to data that show a customer’s biggest driver of brand switch is the experience they receive. And, that if brands can reduce churns by 5%, they could be looking at an increase in profits of between 25% and 95%.

Most of the new funding will go to product development so that all data aggregations are gathered from all possible touchpoints. His ultimate goal is to be “the single platform for B2C firms.”

The company is currently working with over 150 customers in the areas of retail, direct-to-consumer, banking, automotive, travel and mobile app-based services. It is growing nine times year over year in revenue. It is mainly operating in India, but Clootrack is also onboarding companies in the U.S. and Europe.

Parag Dhol, managing director of Inventus, said he has known Abdulla for over five years. He had looked at one of Abdulla’s companies for investment, but had decided against it due to his firm being a Series A investor.

Dhol said market research needs an overhaul in India, where this type of technology is lagging behind the U.S.

“Clootrack has a very complementary team with Shameel being a complete CEO in terms of being a sales guy and serial entrepreneur who has learned his lessons, and Subbu, who is good at technology,” he added. “As CMOs realize the value in their unstructured data inside of their own database of the customer reviews and move to real-time feedback, these guys could make a serious dent in the space.”

 

Barbershop technology startup theCut sharpens its platform with new $4.5M round

TheCut, a technology platform designed to handle back-end operations for barbers, raised $4.5 million in new funding.

Nextgen Venture Partners led the round and was joined by Elevate Ventures, Singh Capital and Leadout Capital. The latest funding gives theCut $5.35 million in total funding since the company was founded in 2016, founder Obi Omile Jr. told TechCrunch.

Omile and Kush Patel created the mobile app that provides information and reviews on barbers for potential customers while also managing appointments, mobile payments and pricing on the back end for barbers.

“Kush and I both had terrible experiences with haircuts, and decided to build an app to help find good barbers,” Omile said. “We found there were great barbers, but no way to discover them. You can do a Google search, but it doesn’t list the individual barber. With theCut, you can discover an individual barber and discover if they are a great fit for you and won’t screw up your hair.”

The app also enables barbers, perhaps for the first time, to have a list of clients and keep notes and photos of hair styles, as well as track visits and spending. By providing payments, barbers can also leverage digital trends to provide additional services and extras to bring in more revenue. On the customer side, there is a search function with barber profile, photos of their work, ratings and reviews, a list of service offerings and pricing.

Omile said there are 400,000 to 600,000 barbers in the U.S., and it is one of the fastest-growth markets. As a result, the new funding will be used to hire additional talent, marketing and to grow the business across the country.

“We’ve gotten to a place where we are hitting our stride and seeing business catapulting, so we are in hiring mode,” he added.

Indeed, the company generated more than $500 million in revenue for barbers since its launch and is adding over 100,000 users each month. In addition, the app averages 1.5 million appointment bookings each month.

Next up, Omile wants to build out some new features like a digital store and the ability to process more physical payments by rolling out a card reader for in-person payments. TheCut will also focus on enabling barbers to have more personal relationships with their customers.

“We are building software to empower people to be the best version of themselves, in this case barbers,” he added. “The relationship with customers is an opportunity for the barber to make specific recommendations on products and create a grooming experience.”

As part of the investment, Leadout founder and managing partner Ali Rosenthal joined the company’s board of directors. She said Omile and Patel are the kind of founders that venture capitalists look for — experts in their markets and data-driven technologists.

“They had done so much with so little by the time we met them,” Rosenthal added. “They are creating a passionate community and set of modern, tech-driven features that are tailored to the needs of their customers.”

 

Feature Spotlight: Ease Deployment and Minimize Risk With Ranger Pro™

We are pleased to announce Ranger Pro, an available extension of Singularity Ranger®, which uses configurable job automation to conveniently and efficiently close agent deployment gaps. This exciting new option reduces stress and raises the productivity of an already overburdened Security team by offloading the ongoing and repetitive task of EPP/EDR agent installation. With peer-to-peer agent deployment, Ranger Pro finds and closes any agent deployment gaps, ensuring that no endpoint is left unsecured.

What Is An Agent Deployment Gap?

As SentinelOne customers already know, Singularity Ranger® is about proactive attack surface management. The first challenge that Ranger solves is visibility, showing you what is on your network.

Ranger uses a proprietary ML device fingerprinting engine (FPE) to find any IP-enabled device connected to your network without any additional agents, hardware, or network changes. Ranger creates a device inventory in moments, organized by device function and by security state: Secured, Unsecured, Unsupported, and Unknown.

  • Secured: These are endpoints that already have a Sentinel agent.
  • Unsecured: These devices can support an agent, but do not yet have one.
  • Unsupported: These devices, whether by hardware or software limitations, cannot support a Sentinel agent. Examples include OT (operational technology) devices, such as manufacturing process sensors.
  • Unknown: These are devices that the FPE could not yet categorize. The fingerprinting engine gets ‘smarter’ the longer it observes device communication traffic.
Ranger can autonomously discover unprotected devices

It is the so-called unsecured endpoints that are of particular interest to Ranger Pro. Any such device represents a gap in your agent deployment and a potential attack surface to be exploited. The security gap needs to be closed before malware or ransomware can exploit it.
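The four states above reduce to a reconciliation between two lists: what discovery saw on the network and what the management console actually hears from. The following is an added example with constructed data, not SentinelOne code or output. The MAC-keyed agent roster, the supported-OS prefixes and the 72-hour staleness threshold are assumptions chosen for illustration; it goes one step beyond the text by treating an installed but silent agent as a gap, which an installed/not-installed comparison would miss.

```python
"""Reconcile a discovered-device inventory against an EDR agent roster.

Added example with constructed data, not SentinelOne code or output. Each
discovered device is placed in one of the four states described above:
Secured, Unsecured, Unsupported, Unknown. A stale agent (installed but not
checking in) is treated as a gap, which a simple installed/not-installed
comparison would miss.
"""

# Constructed discovery export: what a fingerprinting pass reported.
DISCOVERED = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.0.0.11", "os": "Windows 10"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.12", "os": "Ubuntu 20.04"},
    {"mac": "AA:BB:CC:00:00:03", "ip": "10.0.0.13", "os": "Windows Server 2019"},
    {"mac": "AA:BB:CC:00:00:04", "ip": "10.0.0.50", "os": "PLC firmware"},  # OT device
    {"mac": "AA:BB:CC:00:00:05", "ip": "10.0.0.77", "os": None},            # not fingerprinted yet
]

# Constructed agent roster: MAC -> hours since the agent last checked in.
AGENT_ROSTER = {
    "AA:BB:CC:00:00:01": 1,
    "AA:BB:CC:00:00:02": 2,
    "AA:BB:CC:00:00:03": 240,  # installed, but silent for ten days
}

# Assumed platform support list and staleness threshold (illustrative values).
SUPPORTED_OS_PREFIXES = ("windows", "ubuntu", "rhel", "macos")
STALE_HOURS = 72


def normalize_mac(mac):
    """MACs arrive in mixed case and separators; compare a canonical form."""
    return mac.upper().replace("-", ":")


def classify(device, roster, stale_hours=STALE_HOURS):
    """Return the device's security state."""
    os_name = device["os"]
    if os_name is None:
        return "Unknown"
    if not os_name.lower().startswith(SUPPORTED_OS_PREFIXES):
        return "Unsupported"
    age = roster.get(normalize_mac(device["mac"]))
    if age is None or age > stale_hours:
        return "Unsecured"  # no agent, or an agent that has gone quiet
    return "Secured"


def coverage_report(discovered, roster, stale_hours=STALE_HOURS):
    """Group discovered IPs by state; the Unsecured list is the deployment gap."""
    report = {"Secured": [], "Unsecured": [], "Unsupported": [], "Unknown": []}
    for dev in discovered:
        report[classify(dev, roster, stale_hours)].append(dev["ip"])
    return report


def coverage_ratio(report):
    """Share of agent-capable devices that are actually protected."""
    capable = len(report["Secured"]) + len(report["Unsecured"])
    return len(report["Secured"]) / capable if capable else 1.0


if __name__ == "__main__":
    rep = coverage_report(DISCOVERED, AGENT_ROSTER)
    for state, ips in rep.items():
        print(f"{state:12s} {ips}")
    print(f"coverage: {coverage_ratio(rep):.0%}")
```

Whatever tool produces the two lists, the check worth keeping is the staleness one: a host that shows as "secured" in the console because an agent was installed a year ago is still a gap if that agent has not reported in days.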

How Do These Gaps Happen?

We often hear the question, “How do these gaps happen?” There are a number of possibilities. First, you may not have completed your initial agent rollout, but thought you did. Limited visibility is a real challenge facing IT security, and our solution tackles that challenge head-on. As previously mentioned, Ranger will spotlight any unsecured devices. In this way, it helps Security confidently answer the question, “Have I completed my agent rollout?” And if that answer is no, you will know exactly where to look. (And please, hold that thought for two paragraphs more…)

Another likely scenario is a hardware replacement cycle: new user endpoints or servers were purchased and put into service by IT, perhaps without a Sentinel agent installed to protect against known and unknown threats. Similarly, new employees are onboarded, often with new laptops or desktops which need autonomous cybersecurity protection, detection, and response.

In all of these cases, Ranger would show when an endpoint needs a Sentinel agent. Security teams can configure the solution to alert anytime such an unsecured endpoint is found.

Why Did We Create Ranger Pro?

After finding the coverage gap, the inevitable next step facing the security team is closing the gap. Security administrators can indeed choose to do so manually via the SentinelOne Management Console, but such repetitive tasks are begging to be automated.

No one suggests that installing an agent is unnecessary or unworthy of Security’s attention, only that the task comes at the opportunity cost of a SOC analyst’s valuable time. Security teams are often stretched far too thin and need sensible automation to help them do their job more effectively.

Moreover, how long would the endpoint remain in the wild without a Sentinel agent keeping watch? After all, SOC analysts are on the front lines of a high-stakes battle for the security of the organization against all threats. Much like nurses and physicians in a hospital emergency room, security staff are often forced to triage events, giving their time and focus to the most pressing matters of the day. SentinelOne created Ranger Pro to solve this pain.

Slashing an uncertain response time to a matter of moments, Ranger Pro is both a highly configurable and reliably automated means of completing your Sentinel agent rollout to unsecured endpoints.

An available add-on, Ranger Pro includes all of the Ranger capabilities available for your chosen functionality level – Singularity Core, Control, or Complete – with the added convenience and repeatability of automated deployment. Inevitably, the next question is, “How does it work?”

How Does Ranger Pro Work?

The following sequence walks you through the process.

First, by using the networked device inventory capability, an administrator notices a few unsecured endpoints. In this example site, there are five endpoints, four of which are unsecured. The admin selects 2 of those 4 endpoints – she could have just as easily selected all 4, but perhaps this is her first experience with Ranger Pro’s automated agent deployment and so wants to test it on a subset.

Under the Actions pull-down, she selects Deploy Agent.

Selecting unsecured devices for Agent deployment

The Auto Deploy pop-up window is opened, and the administrator selects the appropriate Agent deployment package.

Selecting the Agent deployment package

Once the package is chosen, the administrator enters the master passphrase credentials for her secure credential vault. SentinelOne does not have access to the credentials.

Entering the Master Passphrase credentials

Then the admin selects the appropriate site to assign the endpoints.

Completing Auto-Deploy configuration

And then Ranger Pro is off to the races, handling the details of Agent installation.

Switching to the Task Management context, the administrator can check the job status as it moves from “Pending” to “In Progress” to “Completed.”

Keeping an eye on job status via Task Management

Ranger Pro examines nearby secured endpoints and selects the one which can most efficiently install the Agent via the peer-to-peer deployment mechanism. Here the first Agent installation is completed.

Ranger Pro autonomously deploys the correct agent

Once Ranger Pro completes the installation and the next device inventory scan is done, the updated inventory reflects the newly secured endpoints. In this example, we installed an agent on two endpoints. In practice, a security administrator is just as likely to have configured the agent installation for all unsecured endpoints on this site. Or, perhaps this was the first attempt using Ranger Pro and the admin just wanted to explore the process on a subset of endpoints.

Once the admin is comfortable and confident with the auto-deploy capability, she can easily tackle the remaining endpoints’ agent installation with a few simple clicks.

A few clicks and you can auto-deploy agents across an entire site

Summary

Ranger Pro provides a convenient means of quickly and reliably installing a SentinelOne endpoint security agent on unsecured endpoints. The best part? Ranger does not need extra agents to manage your network attack surface; its AI is woven into the Sentinel agent itself. Using peer-to-peer agent deployment, Ranger Pro conveniently finds and closes any agent deployment gaps, providing security administrators with yet another way of proactively reducing their attack surface.

To explore Ranger and Ranger Pro, visit our solution page, read the datasheet, and when you are ready, contact us to discuss how SentinelOne can help your team do more.




Pixalate tunes into $18.1M for fraud prevention in television, mobile advertising

Pixalate raised $18.1 million in growth capital for its fraud protection, privacy and compliance analytics platform that monitors connected television and mobile advertising.

Western Technology Investment and Javelin Venture Partners led the latest funding round, which brings Pixalate’s total funding to $22.7 million to date. This includes a $4.6 million Series A round raised back in 2014, Jalal Nasir, founder and CEO of Pixalate, told TechCrunch.

The company, with offices in Palo Alto and London, analyzes over 5 million apps across five app stores and more than 2 billion IP addresses across 300 million connected television devices to detect and report fraudulent advertising activity for its customers. In fact, there are over 40 types of invalid traffic, Nasir said.

Nasir grew up going to livestock shows with his grandfather and learned how to spot defects in animals, and he has carried that kind of insight to Pixalate, which can detect the difference between real and fake users of content and if fraudulent ads are being stacked or hidden behind real advertising that zaps smartphone batteries or siphons internet usage and even ad revenue.

Digital advertising is big business. Nasir cited Association of National Advertisers research estimating that $200 billion will be spent globally on digital advertising this year, up from roughly $10 billion a year before 2010. Meanwhile, ad fraud is estimated to cost the industry $35 billion, he added.

“Advertisers are paying a premium to be in front of the right audience, based on consumption data,” Nasir said. “Unfortunately, that data may not be authorized by the user or it is being transmitted without their consent.”

While many of Pixalate’s competitors focus on first-party risks, the company is taking a third-party approach, mainly due to people spending so much time on their devices. Some of the insights the company has found include that 16% of Apple’s apps don’t have privacy policies in place, while that number is 22% in Google’s app store. More crime and more government regulations around privacy mean that advertisers are demanding more answers, he said.

The new funding will go toward adding more privacy and data features to its product, doubling the sales and customer teams and expanding its office in London, while also opening a new office in Singapore.

The company grew 1,200% in revenue since 2014 and is gathering over 2 terabytes of data per month. In addition to the five app stores Pixalate is already monitoring, Nasir intends to add some of the China-based stores like Tencent and Baidu.

Noah Doyle, managing director at Javelin Venture Partners, is also monitoring the digital advertising ecosystem and said with networks growing, every linkage point exposes a place in an app where bad actors can come in, which was inaccessible in the past, and advertisers need a way to protect that.

“Jalal and Amin (Bandeali) have insight from where the fraud could take place and created a unique way to solve this large problem,” Doyle added. “We were impressed by their insight and vision to create an analytical approach to capturing every data point in a series of transactions — more data than other players in the industry — for comprehensive visibility to help advertisers and marketers maintain quality in their advertising.”

Explosion snags $6M on $120M valuation to expand machine learning platform

Explosion, a company that has combined an open source machine learning library with a set of commercial developer tools, announced a $6 million Series A today on a $120 million valuation. The round was led by SignalFire, and the company reported that today’s investment represents 5% of its value.

Oana Olteanu from SignalFire will be joining the board under the terms of the deal, which includes warrants of $12 million in additional investment at the same price.

“Fundamentally, Explosion is a software company and we build developer tools for AI and machine learning and natural language processing. So our goal is to make developers more productive and more focused on their natural language processing, so basically understanding large volumes of text, and training machine learning models to help with that and automate some processes,” company co-founder and CEO Ines Montani told me.

The company started in 2016 when Montani met her co-founder, Matthew Honnibal in Berlin where he was working on the spaCy open source machine learning library. Since then, that open source project has been downloaded over 40 million times.

In 2017, they added Prodigy, a commercial product for generating data for the machine learning model. “Machine learning is code plus data, so to really get the most out of the technologies you almost always want to train your models and build custom systems because what’s really most valuable are problems that are super specific to you and your business and what you’re trying to find out, and so we saw that the area of creating training data, training these machine learning models, was something that people didn’t pay very much attention to at all,” she said.

The next step is a product called Prodigy Teams, which is a big reason the company is taking on this investment. “Prodigy Teams is [a hosted service that] adds user management and collaboration features to Prodigy, and you can run it in the cloud without compromising on what people love most about Prodigy, which is the data privacy, so no data ever needs to get seen by our servers,” she said. They do this by letting the data sit on the customer’s private cluster in a private cloud, and then use Prodigy Teams’ management features in the public cloud service.

Today, they have 500 companies using Prodigy including Microsoft and Bayer in addition to the huge community of millions of open source users. They’ve built all this with just 6 early employees, a number that has grown to 17 recently and they hope to reach 20 by year’s end.

She believes if you’re thinking too much about diversity in your hiring process, you probably have a problem already. “If you go into hiring and you’re thinking like, oh, how can I make sure that the way I’m hiring is diverse, I think that already shows that there’s maybe a problem,” she said.

“If you have a company, and it’s 50 dudes in their 20s, it’s not surprising that you might have problems attracting people who are not white dudes in their 20s. But in our case, our strategy is to hire good people and good people are often very diverse people, and again if you play by the [startup] playbook, you could be limited in a lot of other ways.”

She said that they have never seen themselves as a traditional startup following some conventional playbook. “We didn’t raise any investment money [until now]. We grew the team organically, and we focused on being profitable and independent [before we got outside investment],” she said.

But more than the money, Montani says that they needed to find an investor that would understand and support the open source side of the business, even while they got capital to expand all parts of the company. “Open source is a community of users, customers and employees. They are real people, and [they are not] pawns in [some] startup game, and it’s not a game. It’s real, and these are real people,” she said.

“They deserve more than just my eyeballs and grand promises. […] And so it’s very important that even if we’re selling a small stake in our company for some capital [to build our next] product [that open source remains at] the core of our company and that’s something we don’t want to compromise on,” Montani said.

Box, Zoom chief product officers discuss how the changing workplace drove their latest collaboration

If the past 18 months is any indication, the nature of the workplace is changing. And while Box and Zoom already have integrations together, it makes sense for them to continue to work more closely.

Their newest collaboration is the Box app for Zoom, a new type of in-product integration that allows users to bring apps into a Zoom meeting to provide the full Box experience.

While in Zoom, users can securely and directly access Box to browse, preview and share files from Zoom — even if they are not taking part in an active meeting. This new feature follows a Zoom integration Box launched last year with its “Recommended Apps” section that enables access to Zoom from Box so that workflows aren’t disrupted.

The companies’ chief product officers, Diego Dugatkin with Box and Oded Gal with Zoom, discussed with TechCrunch why seamless partnerships like these are a solution for the changing workplace.

With digitization happening everywhere, an integration of “best-in-breed” products for collaboration is essential, Dugatkin said. Not only that, people don’t want to be moving from app to app, instead wanting to stay in one environment.

“It’s access to content while never having to leave the Zoom platform,” he added.

It’s also access to content and contacts in different situations. When everyone was in an office, meeting at a moment’s notice internally was not a challenge. Now, more people are understanding the value of flexibility, and both Gal and Dugatkin expect that spending some time at home and some time in the office will not change anytime soon.

As a result, across the spectrum of a company, there is an increasing need for allowing and even empowering people to work from anywhere, Dugatkin said. That then leads to a conversation about sharing documents in a secure way for companies, which this collaboration enables.

The new Box and Zoom integration enables meeting in a hybrid workplace: chat, video, audio, computers or mobile devices, and also being able to access content from all of those methods, Gal said.

“Companies need to be dynamic as people make the decision of how they want to work,” he added. “The digital world is providing that flexibility.”

This long-term partnership is just scratching the surface of the continuous improvement the companies have planned, Dugatkin said.

Dugatkin and Gal expect to continue offering seamless integration before, during and after meetings: utilizing Box’s cloud storage, while also offering the ability for offline communication between people so that they can keep the workflow going.

“As Diego said about digitization, we are seeing continuous collaboration enhanced with the communication aspect of meetings day in and day out,” Gal added. “Being able to connect between asynchronous and synchronous with Zoom is addressing the future of work and how it is shaping where we go in the future.”

15-Year-Old Malware Proxy Network VIP72 Goes Dark

Over the past 15 years, a cybercrime anonymity service known as VIP72 has enabled countless fraudsters to mask their true location online by routing their traffic through millions of malware-infected systems. But roughly two weeks ago, VIP72’s online storefront — which ironically enough has remained at the same U.S.-based Internet address for more than a decade — simply vanished.

Like other anonymity networks marketed largely on cybercrime forums online, VIP72 routes its customers’ traffic through computers that have been hacked and seeded with malicious software. Using services like VIP72, customers can select network nodes in virtually any country, and relay their traffic while hiding behind some unwitting victim’s Internet address.

The domain Vip72[.]org was originally registered in 2006 to “Corpse,” the handle adopted by a Russian-speaking hacker who gained infamy several years prior for creating and selling an extremely sophisticated online banking trojan called A311 Death, a.k.a. “Haxdoor,” and “Nuclear Grabber.” Haxdoor was way ahead of its time in many respects, and it was used in multiple million-dollar cyberheists long before multi-million-dollar cyberheists became daily front page news.

An ad circa 2005 for A311 Death, a powerful banking trojan authored by “Corpse,” the administrator of the early Russian hacking clique Prodexteam. Image: Google Translate via Archive.org.

Between 2003 and 2006, Corpse focused on selling and supporting his Haxdoor malware. Emerging in 2006, VIP72 was clearly one of his side hustles that turned into a reliable moneymaker for many years to come. And it stands to reason that VIP72 was launched with the help of systems already infected with Corpse’s trojan malware.

The first mention of VIP72 in the cybercrime underground came in 2006 when someone using the handle “Revive” advertised the service on Exploit, a Russian language hacking forum. Revive established a sales presence for VIP72 on multiple other forums, and the contact details and messages shared privately by that user with other forum members show Corpse and Revive are one and the same.

When asked in 2006 whether the software that powered VIP72 was based on his Corpse software, Revive replied that “it works on the new Corpse software, specially written for our service.”

One denizen of a Russian language crime forum who complained about the unexplained closure of VIP72 last month said they noticed a change in the site’s domain name infrastructure just prior to the service’s disappearance. But that claim could not be verified, as there simply are no signs that any of that infrastructure changed prior to VIP72’s demise.

In fact, until mid-August VIP72’s main home page and supporting infrastructure had remained at the same U.S.-based Internet address for more than a decade — a remarkable achievement for such a high-profile cybercrime service.

Cybercrime forums in multiple languages are littered with tutorials about how to use VIP72 to hide one’s location while engaging in financial fraud. From examining some of those tutorials, it is clear that VIP72 is quite popular among cybercriminals who engage in “credential stuffing” — taking lists of usernames and passwords stolen from one site and testing how many of those credentials work at other sites.

Corpse/Revive also long operated an extremely popular service called check2ip[.]com, which promised customers the ability to quickly tell whether a given Internet address is flagged by any security companies as malicious or spammy.

Hosted on the same Internet address as VIP72 for the past decade until mid-August 2021, Check2IP also advertised the ability to let customers detect “DNS leaks,” instances where configuration errors can expose the true Internet address of hidden cybercrime infrastructure and services online.

Check2IP is so popular that it has become a verbal shorthand for basic due diligence in certain cybercrime communities. Also, Check2IP has been incorporated into a variety of cybercrime services online — but especially those involved in mass-mailing malicious and phishous email messages.

Check2IP, an IP reputation service that told visitors whether their Internet address was flagged in any spam or malware block lists.

It remains unclear what happened to VIP72; users report that the anonymity network is still functioning even though the service’s website has been gone for two weeks. That makes sense since the infected systems that get resold through VIP72 are still infected and will happily continue to forward traffic so long as they remain infected. Perhaps the domain was seized in a law enforcement operation.

But it could be that the service simply decided to stop accepting new customers because it had trouble competing with an influx of newer, more sophisticated criminal proxy services, as well as with the rise of “bulletproof” residential proxy networks. For most of its existence until recently, VIP72 normally had several hundred thousand compromised systems available for rent. By the time its website vanished last month, that number had dwindled to fewer than 25,000 systems globally.

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period. Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.

The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.

Bill said he’s not sure where the passwords are coming from, but he assumes they are tied to various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 working inbox credentials.

In about half the cases the credentials are being checked via “IMAP,” which is an email standard used by email software clients like Mozilla’s Thunderbird and Microsoft Outlook. With his visibility into the proxy network, Bill can see whether or not an authentication attempt succeeds based on the network response from the email provider (e.g. mail server responds “OK” = successful access).

You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold.

And they seem particularly focused on stealing gift card data.

“Sometimes they’ll log in as much as two to three times a week for months at a time,” Bill said. “These guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.”

A sample of some of the most frequent search queries made in a single day by the gift card gang against more than 50,000 hacked inboxes.

According to Bill, the fraudsters aren’t downloading all of their victims’ emails: That would quickly add up to a monstrous amount of data. Rather, they’re using automated systems to log in to each inbox and search for a variety of domains and other terms related to companies that maintain loyalty and points programs, and/or issue gift cards and handle their fulfillment.

Why go after hotel or airline rewards? Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.

“These guys want that hard digital asset — the cash that is sitting there in your inbox,” Bill said. “You literally just pull cash out of peoples’ inboxes, and then you have all these secondary markets where you can sell this stuff.”

Bill’s data also shows that this gang is so aggressively going after gift card data that it will routinely seek new gift card benefits on behalf of victims, when that option is available. For example, many companies now offer employees a “wellness benefit” if they can demonstrate they’re keeping up with some kind of healthy new habit, such as daily gym visits, yoga, or quitting smoking.

Bill said these crooks have figured out a way to tap into those benefits as well.

“A number of health insurance companies have wellness programs to encourage employees to exercise more, where if you sign up and pledge to 30 push-ups a day for the next few months or something you’ll get five wellness points towards a $10 Starbucks gift card, which requires 1000 wellness points,” Bill explained. “They’re actually automating the process of replying saying you completed this activity so they can bump up your point balance and get your gift card.”

The Gift Card Gang’s Footprint

How do the compromised email credentials break down in terms of ISPs and email providers? There are victims on nearly all major email networks, but Bill said several large Internet service providers (ISPs) in Germany and France are heavily represented in the compromised email account data.

“With some of these international email providers we’re seeing something like 25,000 to 50,000 email accounts a day get hacked,” Bill said. “I don’t know why they’re getting popped so heavily.”

That may sound like a lot of hacked inboxes, but Bill said some of the bigger ISPs represented in his data have tens or hundreds of millions of customers.

Measuring which ISPs and email providers have the biggest numbers of compromised customers is not so simple in many cases, nor is identifying companies with employees whose email accounts have been hacked.

This kind of mapping is often more difficult than it used to be because so many organizations have now outsourced their email to cloud services like Gmail and Microsoft Office365 — where users can access their email, files and chat records all in one place.

“It’s a little complicated with Office 365 because it’s one thing to say okay how many Hotmail connections are you seeing per day in all this credential-stuffing activity, and you can see the testing against Hotmail’s site,” Bill said. “But with the IMAP traffic we’re looking at, the usernames being logged into are any of the million or so domains hosted on Office365, many of which will tell you very little about the victim organization itself.”

On top of that, it’s also difficult to know how much activity you’re not seeing.

Looking at the small set of Internet address blocks he knows are associated with Microsoft 365 email infrastructure, Bill examined the IMAP traffic flowing from this group to those blocks. Bill said that in the first week of April 2021, he identified 15,000 compromised Office365 accounts being accessed by this group, spread over 6,500 different organizations that use Office365.

“So I’m seeing this traffic to just like 10 net blocks tied to Microsoft, which means I’m only looking at maybe 25 percent of Microsoft’s infrastructure,” Bill explained. “And with our puny visibility into probably less than one percent of overall password stuffing traffic aimed at Microsoft, we’re seeing 600 Office accounts being breached a day. So if I’m only seeing one percent, that means we’re likely talking about tens of thousands of Office365 accounts compromised daily worldwide.”

In a December 2020 blog post about how Microsoft is moving away from passwords to more robust authentication approaches, the software giant said an average of one in every 250 corporate accounts is compromised each month. As of last year, Microsoft had nearly 240 million active users, according to this analysis.

“To me, this is an important story because for years people have been like, yeah we know email isn’t very secure, but this generic statement doesn’t have any teeth to it,” Bill said. “I don’t feel like anyone has been able to call attention to the numbers that show why email is so insecure.”

Bill says that in general companies have a great many more tools available for securing and analyzing employee email traffic when that access is funneled through a Web page or VPN, versus when that access happens via IMAP.

“It’s just more difficult to get through the Web interface because on a website you have a plethora of advanced authentication controls at your fingertips, including things like device fingerprinting, scanning for http header anomalies, and so on,” Bill said. “But what are the detection signatures you have available for detecting malicious logins via IMAP?”

Microsoft declined to comment specifically on Bill’s research, but said customers can block the overwhelming majority of account takeover efforts by enabling multi-factor authentication.

“For context, our research indicates that multi-factor authentication prevents more than 99.9% of account compromises,” reads a statement from Microsoft. “Moreover, for enterprise customers, innovations like Security Defaults, which disables basic authentication and requires users to enroll a second factor, have already significantly decreased the proportion of compromised accounts. In addition, for consumer accounts, adding a second authentication factor is required on all accounts.”

A Mess That’s Likely to Stay That Way

Bill said he’s frustrated by having such visibility into this credential testing botnet while being unable to do much about it. He’s shared his data with some of the bigger ISPs in Europe, but says months later he’s still seeing those same inboxes being accessed by the gift card gang.

The problem, Bill says, is that many large ISPs lack any sort of baseline knowledge of or useful data about customers who access their email via IMAP. That is, they lack any sort of instrumentation to be able to tell the difference between legitimate and suspicious logins for their customers who read their messages using an email client.

“My guess is in a lot of cases the IMAP servers by default aren’t logging every search request, so [the ISP] can’t go back and see this happening,” Bill said.
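The two IMAP-side signals the story describes, the success/failure outcome of each login attempt and the lack of per-account instrumentation at ISPs, can be turned into basic detection logic over ordinary login logs. The following is an added example, not code from the article or from Bill's data: it parses constructed Dovecot-style `imap-login` lines (the field layout is simplified and the thresholds are assumptions) and flags source IPs that test many distinct usernames with a low success rate, plus accounts whose successful logins arrive from several unrelated IPs.

```python
"""
Added example (not from the original article): a toy detector for the two
IMAP login signals the story describes. Log lines are constructed in a
simplified Dovecot-like format; layout and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: 198.51.100.7 tries many different usernames with one
# success (credential stuffing); the one account it cracks, erin@, is then
# read from two further unrelated IPs, as a resold or proxied credential would be.
SAMPLE_LOG = """\
imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=203.0.113.10
imap-login: Disconnected (auth failed, 1 attempts): user=<bob@example.net>, method=PLAIN, rip=198.51.100.7
imap-login: Disconnected (auth failed, 1 attempts): user=<carol@example.net>, method=PLAIN, rip=198.51.100.7
imap-login: Disconnected (auth failed, 1 attempts): user=<dave@example.net>, method=PLAIN, rip=198.51.100.7
imap-login: Login: user=<erin@example.net>, method=PLAIN, rip=198.51.100.7
imap-login: Disconnected (auth failed, 1 attempts): user=<frank@example.net>, method=PLAIN, rip=198.51.100.7
imap-login: Disconnected (auth failed, 1 attempts): user=<grace@example.net>, method=PLAIN, rip=198.51.100.7
imap-login: Login: user=<erin@example.net>, method=PLAIN, rip=192.0.2.44
imap-login: Login: user=<erin@example.net>, method=PLAIN, rip=192.0.2.99
imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=203.0.113.10
"""

# "Login:" is the server-side counterpart of the "OK" the story mentions;
# an auth-failed disconnect is the counterpart of a "NO".
LINE_RE = re.compile(
    r"imap-login: (?P<outcome>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]+)>, method=\w+, rip=(?P<rip>[\d.]+)"
)


def parse(log_text):
    """Yield (success, user, remote_ip) for every recognised log line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("outcome") == "Login", m.group("user"), m.group("rip")


def stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Source IPs that try many distinct usernames and mostly fail: the
    mass-testing pattern described in the story. Thresholds are assumptions."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for ok, user, rip in events:
        users[rip].add(user)
        attempts[rip] += 1
        successes[rip] += int(ok)
    return sorted(
        rip for rip in users
        if len(users[rip]) >= min_users
        and successes[rip] / attempts[rip] <= max_success_ratio
    )


def shared_accounts(events, min_ips=3):
    """Accounts with successful logins from several different IPs, the
    footprint left when a working credential is reused through a proxy network."""
    ips = defaultdict(set)
    for ok, user, rip in events:
        if ok:
            ips[user].add(rip)
    return sorted(user for user, seen in ips.items() if len(seen) >= min_ips)


def analyze(log_text=SAMPLE_LOG):
    """Run both detectors over a log text and return the flagged items."""
    events = list(parse(log_text))
    return {
        "stuffing_sources": stuffing_sources(events),
        "shared_accounts": shared_accounts(events),
    }


if __name__ == "__main__":
    print(analyze())
```

Real Dovecot lines carry extra fields (lip, mpid, TLS state) that the regex here ignores, and the second detector should be combined with geolocation or ASN data before it is acted on, since a user with a laptop and a phone legitimately logs in from more than one address.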

Confounding the challenge, there isn’t much of an upside for ISPs interested in voluntarily monitoring their IMAP traffic for hacked accounts.

“Let’s say you’re an ISP that does have the instrumentation to find this activity and you’ve just identified 10,000 of your customers who are hacked. But you also know they are accessing their email exclusively through an email client. What do you do? You can’t flag their account for a password reset, because there’s no mechanism in the email client to affect a password change.”

Which means those 10,000 customers are then going to start receiving error messages whenever they try to access their email.

“Those customers are likely going to get super pissed off and call up the ISP mad as hell,” Bill said. “And that customer service person is then going to have to spend a bunch of time explaining how to use the webmail service. As a result, very few ISPs are going to do anything about this.”

Indicators of Compromise (IoCs)

It’s not often KrebsOnSecurity has occasion to publish so-called “indicators of compromise” (IoCs), but hopefully some ISPs may find the information here useful. This group automates the searching of inboxes for specific domains and trademarks associated with gift card activity and other accounts with stored electronic value, such as rewards points and mileage programs.

This file includes the top inbox search terms used in a single 24 hour period by the gift card gang. The numbers on the left in the spreadsheet represent the number of times during that 24 hour period where the gift card gang ran a search for that term in a compromised inbox.

Some of the search terms are focused on specific brands — such as Amazon gift cards or Hilton Honors points; others are for major gift card networks like CashStar, which issues cards that are white-labeled by dozens of brands like Target and Nordstrom. Inboxes hacked by this gang will likely be searched on many of these terms over the span of just a few days.