The Web’s Bot Containment Unit Needs Your Help

Anyone who’s seen the 1984 hit movie Ghostbusters likely recalls the pivotal scene where a government bureaucrat orders the shutdown of the ghost containment unit, effectively unleashing a pent-up phantom menace on New York City. Now, something similar is in danger of happening in cyberspace: Shadowserver.org, an all-volunteer nonprofit organization that works to help Internet service providers (ISPs) identify and quarantine malware infections and botnets, has lost its longtime primary source of funding.

Image: Ghostbusters.

Shadowserver provides free daily live feeds of information about systems that are either infected with bot malware or are in danger of being infected to more than 4,600 ISPs and to 107 national computer emergency response teams (CERTs) in 136 countries. In addition, it has aided the FBI and other nations’ federal law enforcement officials in “sinkholing” domain names used to control the operations of far-flung malware empires.

In computer security lexicon, a sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by experts and/or law enforcement officials. Typically, a sinkhole is set up in tandem with some kind of legal action designed to wrest control over key resources powering a malware network.

Some of these interventions involving Shadowserver have been documented here, including the Avalanche spam botnet takedown, the Rustock botnet takeover, the Gameover malware botnet seizure, and the Nitol botnet sneak attack. Last week, Shadowserver was instrumental in helping Microsoft kneecap the Necurs malware network, one of the world’s largest spam and malware botnets.

Image: Shadowserver.org

Sinkholing allows researchers to assume control over a malware network’s domains, while redirecting any traffic flowing to those systems to a server the researchers control. As long as good guys control the sinkholed domains, none of the infected computers can receive instructions about how to harm themselves or others online.

And Shadowserver has time and again been the trusted partner when national law enforcement agencies needed someone to manage the technical side of things while people with guns and badges seized hard drives at the affected ISPs and hosting providers.

But very recently, Shadowserver got the news that the company which has primarily funded its operations for more than 15 years, networking giant Cisco Systems Inc., opted to stop providing that support.

Cisco declined to respond to questions about why it withdrew funding. But it did say the company was exploring the idea of supporting the organization as part of a broader support effort by others in the technology industry going forward.

“Cisco supports the evolution of Shadowserver to an industry alliance enabling many organizations to contribute and grow the capabilities of this important organization,” the company said in a written statement. “Cisco is proud of its long history as a Shadowserver supporter and will explore future involvement as the alliance takes shape.”

To make matters worse, Shadowserver has been told it needs to migrate its data center to a new location by May 15, a chore the organization reckons will cost somewhere in the neighborhood of $400,000.

“Millions of malware infected victims all over the world, who are currently being sinkholed and protected from cybercriminal control ​by Shadowserver, may lose that critical protection – just at the time when governments and businesses are being forced to unexpectedly stretch their corporate security perimeters and allow staff to work from home on their own, potentially unmanaged devices, and the risk of another major Windows worm has increased,” Shadowserver wrote in a blog post published today about their financial plight.

The Shadowserver Foundation currently serves 107 national computer emergency response teams (CERTs) in 136 countries, more than 4,600 vetted network owners and over 90% of the Internet, primarily by giving them free daily network reports.

“These reports notify our constituents ​about millions of misconfigured, compromised, infected or abusable devices for remediation every day,” Shadowserver explained.

The group is exploring several options for self-funding, but Shadowserver Director Richard Perlotto says the organization will likely depend on a tiered “alliance” funding model, where multiple entities provide financial support.

“Many national CERTs have been getting our data for free for years, but most of these organizations have no money and we never charged them because Cisco paid the bill,” Perlotto said. “The problem for Shadowserver is we don’t blog about our accomplishments very frequently and we operate pretty quietly. But now that we need to do funding it’s a different story.”

Perlotto said while Shadowserver’s data is extremely valuable, the organization took a stance long ago that it would never sell victim data.

“This does not mean that we are anti-commercial sector activities – we definitely believe that there are huge opportunities for innovation, for product development, and to sell cyber security services,” he said. “Shadowserver does not seek to compete with commercial vendors, or disrupt their business models. But we do fundamentally believe that no-one should have to pay to find out that they have been a victim of cybercrime.”

Most immediately, Shadowserver needs to raise approximately $400,000 by the end of this month to manage the migration of its 1,300+ servers out of Cisco’s California data center into a new facility.

Anyone interested in supporting that migration effort can do so directly here; Shadowserver’s contact page is here.

Update 10:46 a.m., ET: Added comment from Cisco.

This startup got a meeting with Mark Suster by getting clever with Google ads

Startups have done some wild things to get the attention of VCs. In fact, Instacart founder Apoorva Mehta sent YC partner (at the time) Garry Tan a six-pack of beer through the service after missing the deadline for Y Combinator by two months.

Yesterday, the ingenuity of startups struck again.

Tadabase.io, an enterprise startup that offers no-code tools to help businesses automate their processes, has had an ad running that was… well, hyper-targeted.

ProductHunt founder and WeekendFund investor Ryan Hoover discovered the ad and shared it on Twitter.

Hoover told TechCrunch he was Googling Mark Suster to facilitate an introduction between Suster and one of Hoover’s portfolio companies. Instead, he found a Google ad directed squarely at Suster from Tadabase.io.

“Mark Suster, you haven’t invested in nocode” read the paid listing. “Therefore, we put this ad here to get your attention. If you’re not Mark, please don’t click here and save us some money.”

I reached out to Suster, managing partner at UpFront Ventures, to see what he thought of the ad. He told me he “loved it” and has already contacted the CEO to set up a call for next week.

Whether this clever Google ad will result in an actual investment is yet to be determined. Also unclear: will Ryan Hoover get in on the deal?

I reached out to Tadabase founder and CEO Moe Levine via email to ask about the ad, how they went about targeting, and how he feels about his upcoming phone call next week. He hasn’t responded yet. I’ll update if/when he does.

The Good, the Bad and the Ugly in Cybersecurity – Week 11

The Good

This week Microsoft, along with an extensive list of partners, took steps to successfully cripple one of the most prolific malicious botnets of the last decade. The Necurs botnet has been responsible for much of the pharmaceutical, stock pump-and-dump, dating and other common spam lures since 2012, and operated at its peak between 2015 and 2017. It was also heavily leveraged to distribute prominent malware families including GameOver Zeus, FlawedAmmyy, Locky, Dridex, Scarab, Trickbot and many others.

The turning point came once Microsoft and industry partners were able to uncover the inner workings of the Necurs DGA (Domain Generation Algorithm), the component of the network responsible for generating and registering C2 (command-and-control) domains. According to Microsoft’s Digital Crimes Unit, they were able to “accurately predict over six million unique domains that would be created in the next 25 months”. As a result, Microsoft were able to prevent these generated domains from being registered. In addition, a court order issued on March 5th allowed Microsoft to seize existing domains, effectively crippling the botnet’s current and future infrastructure.

Image: tweet about the Necurs takedown.

This was a coordinated effort between Microsoft, ISPs, various domain registries, as well as law enforcement entities in India, Japan, France, Mexico, Colombia and many others. We know this is a long, slow burn of a fight, and there is always a chance that the botnet could rebound (e.g., Kelihos), but this is a valiant and commendable effort. Cheers to all those involved and keep up the good fight.

The Bad

Alas, Microsoft are also in the bad news this week after the discovery of a critical and potentially wormable vulnerability in Microsoft’s SMBv3, CVE-2020-0796. Essentially, this is an RCE (remote code execution) flaw in Microsoft Server Message Block 3.1.1 (SMBv3) when handling certain requests. An attacker could exploit the flaw by transmitting a specially crafted packet and gain arbitrary code execution on the targeted server or client. The flaw affects Microsoft Windows 10 Versions 1903 & 1909 (including Windows Server) across supported architectures (x32, x64, ARM64). According to various advisories (published, pulled and republished in the last 36 hours) the issue comes down to a memory corruption condition stemming from a buffer overflow in affected SMB servers. Microsoft has provided an update here and a workaround in their updated advisory for those who cannot patch:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
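The following PowerShell is an added example, not Microsoft’s advisory text: it applies the DisableCompression workaround only on the affected Windows 10 builds (18362 for 1903, 18363 for 1909), reads the value back to verify it, and reports the result. It assumes it runs in an elevated session on the host being remediated.

```powershell
# Added example (not from Microsoft's advisory): apply and verify the SMBv3
# compression workaround for CVE-2020-0796 on an affected host.
# Assumes an elevated PowerShell session on Windows 10 1903/1909.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'

# Builds 18362 (1903) and 18363 (1909) are the releases named as affected;
# other builds are left untouched so the script is safe to run fleet-wide.
$AffectedBuilds = @(18362, 18363)
$build = [int](Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)

if ($AffectedBuilds -notcontains $build) {
    Write-Output "Build $build is not 1903/1909; no workaround applied."
    return
}

# Record the current state so the change can be audited or reverted later
# (setting the value back to 0 re-enables compression).
$before = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
Write-Output "Current $ValueName value: $(if ($null -eq $before) { '<not set>' } else { $before })"

# Microsoft's workaround: disable SMBv3 compression for the server service.
Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWORD -Value 1 -Force

# Verify the write actually took effect before relying on it.
$after = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
if ($after -ne 1) {
    throw "Failed to set $ValueName (read back: $after)."
}
Write-Output "$ValueName is now 1; SMBv3 compression is disabled for the server service."

# Caveat: this protects only the SMB server role on this host. SMB clients remain
# exposed until the security update for CVE-2020-0796 is installed, so treat the
# workaround as a stopgap, not a substitute for patching.
```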

The Ugly

Now more than ever, we all need to be extra vigilant and aware of our information sources. We’ve already seen plenty of spam campaigns and blatant misinformation regarding Covid-19/Coronavirus, with the unscrupulous only too happy to try and cash in on a worried, information-hungry public. Sadly, but predictably, this week saw the emergence of an exploit kit playing on those same fears, the “Corona Virus Map Phish Method” kit, which is being sold in multiple underground forums. 

The kit in question is offered for $200 as is, or $700 with the seller’s own code signing certificate. It comes with a preloader that can be attached to an email. The code loads a working map displaying infection data on the victim’s machine, as well as the buyer’s payload of choice. The payload can be embedded directly or called via embedded URL, and the whole package can be bundled and sent via email without triggering a block by popular email providers.

One of the sites hosting a malicious map was highlighted in HC3’s (Health Sector Cybersecurity Coordination Center) March 10 alert, Fake Online Coronavirus Map Delivers Well-known Malware. In the scenario covered in the alert, the site was used to drop the AZORult trojan. That highlighted example is a web-centric attack, but it should be noted that we have seen pointers to these malicious sites spread via email and social media threads as well. 

Using this against the unassuming public is shameful, but at the same time, unfortunately, it reportedly works on “all Windows (XP-Win10, 32bit and 64bit)” and only requires some (any) version of Java to function. Aside from sidestepping email provider detections, the kit is built to evade Windows Defender and bypass UAC out of the box. SentinelOne customers can rest assured that the SentinelOne agent detects and effectively blocks the “Corona Virus Map Phish” kit, as demonstrated in the video below.



Pentagon asks court for time to reconsider JEDI award to Microsoft

The JEDI contract award process might never be done. Following legal challenges from Amazon after the Pentagon’s massive, $10 billion cloud contract was awarded to Microsoft in October, the Pentagon indicated in court documents last night that it wishes to reconsider the award.

It’s just the latest plot twist in an epic government procurement saga.

Here’s what we know. The Pentagon filing is based on Amazon’s complaints about the technical part of the deal only. Amazon has said that it believes political interference influenced the awarding of the contract. However, the cloud computing giant also believes it beat Microsoft on the technical merits in a majority of instances required in the request for proposals issued by the Pentagon.

In fact, sources told TechCrunch, “AWS’s protest identified evaluation errors, clear deficiencies and unmistakable bias in six of the eight evaluation factors.”

Obviously Amazon was happy to hear this news. “We are pleased that the DoD has acknowledged ‘substantial and legitimate’ issues that affected the JEDI award decision, and that corrective action is necessary,” a spokesperson stated.

“We look forward to complete, fair, and effective corrective action that fully insulates the re-evaluation from political influence and corrects the many issues affecting the initial flawed award.”

As one would expect, Microsoft thinks that the DoD made the correct choice, and believes the review will bear that out. “Over two years, the DoD reviewed dozens of factors and sub-factors and found Microsoft equal or superior to AWS on every factor. We remain confident that Microsoft’s proposal was technologically superior, continues to offer the best value, and is the right choice for the DoD,” Microsoft VP of communications Frank Shaw said.

The court granted the Pentagon 120 days to review the results again, but indicated it could take longer. In the meantime, the project is at a standstill.

On Friday, the court issued a ruling that Amazon was likely to succeed on its complaint on merit, and that could have been the impetus of this latest action by the Pentagon.

While the political influence piece might not be overtly part of this filing, it does lurk in the background. The president has made it clear that he doesn’t like Amazon founder and CEO Jeff Bezos, who also owns The Washington Post. As we wrote last year:

Amazon, for instance, could point to Jim Mattis’ book where he wrote that the president told the then Defense Secretary to “screw Bezos out of that $10 billion contract.” Mattis says he refused, saying he would go by the book, but it certainly leaves the door open to a conflict question.

As we previously reported, AWS CEO Andy Jassy stated at a press event at AWS re:Invent in December that the company believed there was political bias at play in the decision-making process.

“What I would say is that it’s fairly obvious that we feel pretty strongly that it was not adjudicated fairly,” he said. He added, “I think that we ended up with a situation where there was political interference. When you have a sitting president, who has shared openly his disdain for a company, and the leader of that company, it makes it really difficult for government agencies, including the DoD, to make objective decisions without fear of reprisal.”

The story has been updated with a comment from Microsoft. We have requested comment from DoD and will update the story should they respond.

Yext aims to deliver more coronavirus-related answers by making its site search free

Yext says that in response to the COVID-19 pandemic, it’s making its Yext Answers site search product free for 90 days.

You might not see an obvious connection between site search and a worldwide pandemic. You might even think this sounds like a marketing gimmick. But Yext CEO Howard Lerman said that for the past 10 days, the company has seen a spike in coronavirus-related searches across sites that use Yext Answers.

After all, Lerman said Yext has a lot of customers in the healthcare industry, such as the IHA medical group. But even beyond that, companies are getting related questions, whether it’s a hotel getting asked about their cleaning procedures, or an airline being asked whether it’s safe to fly or a vodka company getting asked about whether vodka can be used as hand sanitizer.

Businesses could try to answer those questions on a single web page or blog post, but that’s probably not going to be comprehensive. Yext Answers offers a way to present and save this information in a much more structured way, so that a visitor can jump to the exact answer that interests them. In addition, it provides data on what visitors are searching for, so companies can answer the questions that people are actually asking.


Yext is also offering a free plugin that includes frequently asked questions about the coronavirus, with answers sourced directly from the U.S. Centers for Disease Control and Prevention.

“We have a product that could be pretty useful right now,” Lerman said. “We don’t want people to be getting wrong answers in the time of a global pandemic.”

He added that the company would normally charge around $100,000 for three months of Yext Answers. However, the free offering will be limited to 1,000 entities (which can be FAQs, locations or anything else), and Lerman said most paying customers are already using more than that.

While the product is free, the company will still schedule an initial setup call with a Yext administrator and provide ongoing email support. You can read more on Yext’s new website.

Live Coronavirus Map Used to Spread Malware

Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.

A recent snapshot of the Johns Hopkins Coronavirus data map, available at coronavirus.jhu.edu.

In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware.

Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate.

“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”

The sales thread claims the customer’s payload can be bundled with the Java-based map into a filename that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java.

“Loader loads .jar files which has real working interactive Coronavirus realtime data map and a payload (can be a separate loader),” the seller said in the video. “Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first.”

It’s unclear how many takers this seller has had, but earlier this week security experts began warning of new malicious Web sites being stood up that used interactive versions of the same map to distract visitors while the sites tried to foist the password-stealing AZORult malware.

As long as this pandemic remains front-page news, malware purveyors will continue to use it as lures to snare the unwary. Keep your guard up, and avoid opening attachments sent unbidden in emails — even if they appear to come from someone you know.

A tip of the hat to @holdsecurity for a heads up about this malware offering.

COVID-19 Outbreak | Defending Against the Psychology of Fear, Uncertainty and Doubt

Earthquakes. Floods. Tsunamis. Wildfires. Landslides. Hurricanes. Tornados. SARS, H1N1 (swine flu). MERS. Ebola. HIV. AIDS. Zika. And now COVID-19, also known in the media as the coronavirus. 

Natural disasters and epidemics have much in common, including the tragic loss of human life. But there is a darker and more sinister connection–the use of this same human tragedy by bad actors to spread malware, launch phishing and spear-phishing campaigns, and commit fraud by exploiting emotion. Such is the case for the coronavirus, also known as COVID-19.

The World Health Organization (WHO) has been continuing to warn against the use of the coronavirus emergency to send phishing emails that contain malware. 

Using Fear to Aid and Abet Fraud

The bad actors don’t limit themselves to malware. The US Food and Drug Administration is also warning consumers about fraudulent products that “claim to prevent, treat, mitigate, diagnose or cure coronavirus disease 2019 (COVID-19).” It’s a full-court press when it comes to fraud.

In December of 2019, SentinelLabs released a groundbreaking report about the relationship between the cybercrime group TrickBot and North Korea, a recognized Advanced Persistent Threat (APT) actor. The use of TrickBot’s capabilities is magnified when the effective use of psychology is deployed against email recipients.

Recently, SentinelLabs identified a malicious campaign that uses a coronavirus healthcare notification from Canadian authorities to distribute malware aimed at financial institutions. 

Johns Hopkins University and the Center for Systems Science and Engineering have developed a map that models the spread of COVID-19 by country, region, state and city. As of March 10, 2020, the top countries are China, Italy, Iran, South Korea, Spain, France, Germany, the United States, and Japan. That means each country becomes the context for phishing emails that target large numbers of users.

Context is extremely important when crafting an email designed to deliver a malicious payload. Human nature has always responded to fear of loss more predictably than the potential for gain. For example, in the context of COVID-19, which email subject line would generate a higher likelihood of response?

“How to prevent the spread of the coronavirus in 3 easy steps.”

“URGENT: You have been in contact with a verified coronavirus patient.”

The first subject line does not create fear of loss, only the potential to gain more information about stopping the spread of the coronavirus. The second subject line attacks the heart of the matter – fear of death. A related behavior affects the belief in the scarcity of a valued item. With COVID-19, it could be the availability of test kits. 

“Don’t lose your chance to get these hard-to-find coronavirus test kits.”

The last email subject combines both fear of loss with scarcity. Thousands of years of human evolution have made us loss averse. This same evolution has also reinforced the primary purpose of our brain. And that is to keep us alive. Everything beyond that is a bonus.

It’s irrelevant that citizens can’t purchase these test kits, and that only the government has them. The fear of loss, the sense of urgency, and the amount of media dedicated to COVID-19 create conditions that override our common sense and force us to act based on primal fears. Death is the ultimate trump card.


Exploiting Human Vulnerabilities

Criminals have become more advanced in their understanding of manipulating human emotion to achieve a targeted action. Social engineering is based on the premise that I can get you to take action you believe to be trusted, but which is actually malicious, using manipulation, influence, and deceit.

Nation-state actors have long relied upon social engineering to achieve targeted goals for espionage, system compromise, election influence, and social media manipulation. Business Email Compromise (BEC) relies upon convincing the recipient of an email that a sender is a person of authority and that a particular action (like transferring hundreds of thousands of dollars) should be done. 

The number one tactic used by adversarial governments and bad actors isn’t exploiting a vulnerability. It’s exploiting human weakness. In an article I wrote for The Hill, I outlined how Russia had successfully used the first attack with the malware known as BlackEnergy. The initial method of compromise? A spear-phishing email sent purportedly from the Ukrainian government. The attached Excel spreadsheet asked the user to enable macros.

And just like that, the initial payload was delivered. Nothing fancy. Just a sense of urgency (Ukrainian government) overriding common sense (never enable macros from an attachment). 

Nobody is Immune To Social Engineering

The psychology of fear, uncertainty, and doubt is a powerful weapon. During my time in law enforcement, I specialized in serial crime profiling and behavioral analysis interviewing. Getting someone to click on a link in an email isn’t nearly as difficult as getting someone to confess to murdering another human being.

In the behavioral analysis interview (BAI), I analyzed the case (context) and framed my questions accordingly. The goal of the BAI is to determine if the subject is being truthful or deceptive. If the subject is being deceptive, and it appears they could have committed the crime, then it’s time to move from gathering facts to the interrogation. Not every interview leads to an interrogation, however.

During the interrogation, the goal is to cause the subject to manifest anxiety to the point that the only way to relieve it is to be truthful. I taught these same techniques at the National Security Agency to damage assessment agents who had been involved in some of the most serious espionage cases in United States history. It is the same reason an employee might click on a suspicious link, or open a malware-laden document: to find out the answer and relieve the manifested anxiety of fear, uncertainty, and doubt.

What is the moral of this story? It’s that no matter how much security awareness training you do, how many posters on cyber hygiene you plaster in your offices, or how many weekly reminders you send out in an email, in the end, hundreds of thousands of years of human behavior will eventually win out. That means fear of loss (death) and self-preservation (relieving the anxiety/stress) will trump common sense.

Fear Doesn’t Work on Machines

However, there is a silver lining to these dark clouds on our horizon. The use of Artificial Intelligence and Machine Learning has shifted the balance of power from the attackers to those being attacked. Rather than responding to and recovering from attacks, AI/ML has increased the speed and precision of detection and prevention. 

The behaviors that have been ingrained into our DNA over thousands of centuries can be counterbalanced by the deliberate application of technology. Rather than requiring a user to determine whether something is ‘safe’, it’s easier to prevent it in the first place. It is easier to prevent a ransomware attack than it is to recover from one. And it is far easier to manage good press than bad.

Artificial intelligence doesn’t give in to fear. It doesn’t have human emotions to be manipulated, and it can’t contract the coronavirus. This just may be the perfect antidote to fear, uncertainty, and doubt.

Morgan is the Chief Security Advisor for SentinelOne and a Senior Fellow at the Center for Digital Government. He has testified before Congress multiple times about the security of large government systems and is currently the chief technology analyst for Fox News Channel and Fox Business Network covering cybersecurity.



AWS launches Bottlerocket, a Linux-based OS for container hosting

AWS has launched its own open-source operating system for running containers on both virtual machines and bare metal hosts. Bottlerocket, as the new OS is called, is basically a stripped-down Linux distribution that’s akin to projects like CoreOS’s now-defunct Container Linux and Google’s container-optimized OS. The OS is currently in its developer preview phase, but you can test it as an Amazon Machine Image for EC2 (and by extension, under Amazon EKS, too).

As AWS chief evangelist Jeff Barr notes in his announcement, Bottlerocket supports Docker images and images that conform to the Open Container Initiative image format, which means it’ll basically run all Linux-based containers you can throw at it.

One feature that makes Bottlerocket stand out is that it does away with a package-based update system. Instead, it uses an image-based model that, as Barr notes, “allows for a rapid & complete rollback if necessary.” The idea here is that this makes updates easier. At the core of this update process is “The Update Framework,” an open-source project hosted by the Cloud Native Computing Foundation.

AWS says it will provide three years of support (after General Availability) for its own builds of Bottlerocket. As of now, the project is very much focused on AWS, of course, but the code is available on GitHub and chances are we will see others expand on AWS’ work.

The company is launching the project in cooperation with a number of partners, including Alcide, Armory, CrowdStrike, Datadog, New Relic, Sysdig, Tigera, Trend Micro and Weaveworks.

“Container-optimized operating systems will give dev teams the additional speed and efficiency to run higher throughput workloads with better security and uptime,” said Michael Gerstenhaber, director of Product Management at Datadog. “We are excited to work with AWS on Bottlerocket, so that as customers take advantage of the increased scale they can continue to monitor these ephemeral environments with confidence.”


Assembled raises $3.1M led by Stripe to build ‘the operating system for support teams’

CRM software accounts for one-quarter of all enterprise IT spend. But ironically, while a lot of money is spent on platforms like Salesforce or SAP to manage incoming calls and outgoing marketing and sales activity, not a lot of attention is given to the issue of how to help the teams using all that software work better.

What are the peak times for calls? What are the most common questions? Which staff are best skilled at what kinds of questions? And who is actually working at any given time? These are just some of the issues, but in many cases, there isn’t much in the way of tools used to help with these at all — organisations often just hack a spreadsheet platform like Google Sheets or a calendar app to get by, or do nothing at all.

Today, a startup called Assembled is coming out of stealth mode to address that gap in the market, with a platform that’s built specifically to address the kinds of questions and issues that customer support teams encounter and — answered well — can help them work much better.

Out of the gate, Assembled is announcing $3.1 million in seed funding led by Stripe — where the founding team previously worked — with participation also from Basis Set Ventures, Signalfire and several angel investors (who are also mostly former Stripe employees).

Assembled’s longer-term ambition is to build tools for what co-founder Ryan Wang describes as “the logistics of customer support.”

“We want to become the operating system for support teams,” he said. Most immediately, the company’s focus will be on agent performance. “Teams want to learn about their top performers and how they spend their time, and offer data to empower their decision-making.”

Stripe — the payments and related services provider that is now valued at $35 billion — has developed a sizable operation funding startups adjacent to its own interests in cultivating relationships with startups and other smaller businesses. You could consider it a strategic investor in Assembled: alongside Grammarly, Gofundme, Hopper and Harry’s, Stripe is one of Assembled’s marquee customers.

Wang, an ex-Stripe engineer who co-founded Assembled with his brother John and Assembled’s CEO Brian Sze (both also ex-Stripe), said in an interview that the idea for the startup came directly out of the pair’s experiences as early employees at Stripe.

The approach at the startup in its early days was very grass-roots: employees would get together outside the office to go through support tickets as a way of identifying trends and to talk through them to figure out what might need fixing, how to handle issues in the future and so on.

It was probably a great way for the team to really stay in touch with what customers needed and wanted. But eventually this approach presented a problem: How do you scale this kind of process? To a tech person, the solution would be obvious: build a platform that can help you do this.

“Within the landscape of CRM, we could see that tech hadn’t really been applied to the business of supporting customer support,” Wang said. “That is why we left. We’d understood that it was a broad problem.”

A tool to help improve workforce management for customer support teams is a no-brainer for a company already trying to address these issues through its own home-baked solutions. Wang noted that one of its current customers had built out such an extensive map of data on Google Sheets trying to address customer support workforce management that “they broke Google Sheets. It was just too big.”

Indeed, Bob van Winden, Stripe’s head of operations, noted: “Millions of businesses rely on Stripe every day. To support them, we obsess over every detail of delivering fast, reliable customer service, including free 24×7 phone and chat support. This led us to Assembled, which our global support teams are using to stay coordinated and focused on helping Stripe’s users thrive.”

Less obvious is the use case when a company has never identified these issues, or sees them but hasn’t made the effort to solve them because it seems too difficult. (The classic issues here are that Assembled is “too clever by half,” or “too ahead of its time.”) That presents both an open market for Assembled and a greenfield challenge.

One route to customers has been to integrate with more established CRM packages. Currently Assembled integrates with Salesforce, Kustomer and Zendesk, so that it can source data from these to provide more insights to users.

Another is to provide a set of tools that speak to the wider trend for analytics and data-based insights that can be used to improve how a company works. Indeed, just as Kustomer has disrupted the idea of a CRM being focused on a narrow funnel of inbound requests, Assembled also is rethinking how to parse data to figure out what a customer support person should be doing and when. 

The startup provides a way to forecast inbound support query volumes, and to map that into staffing plans that cover multiple channels like chat, email, phone and social media. The staffing plan, in turn, also acts as a scheduling tool to set up group and single calendars for individuals.

A team’s activity, meanwhile, is tracked through a set of metrics the whole team can see and use to calibrate their work better.

Going forward, you can imagine Assembled expanding in a couple of different directions. One might be to offer workforce management to more teams beyond customer support, but that also have to work out how to manage inbound requests and turn them into more efficient work plans. Another might be to continue expanding the kinds of tools it might provide to customer support teams to continue complementing basic CRMs, in particular as customer support comes to mean different things, depending on who the “customer” actually is.

“We see the term ‘customer support’ evolving,” Wang said. “The big struggle is what the encompassing term should be instead. Generally, our view is that we want to transform and elevate what customer support means. It’s not just about call centers, but any drivers of customer experience related to your products.”

Crafty Web Skimming Domain Spoofs “https”

Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site’s source code: “http[.]ps” (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).

This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Inc., a major food distributor based in Florida. Here’s what a portion of the login page looked like until earlier today when you right-clicked on the page and selected “view-source”:

The malicious domain added to the HTML code for grandwesternsteaks.com (highlighted in orange) fetched a script that intercepted data entered by customers, including credit card details and logins. The code has since been removed from the site.

Viewing the HTML source for the malicious link highlighted in the screenshot above reveals the obfuscated card-skimming code, a snippet of which is pictured below:

The obfuscated card skimming code is full of references to “ants” and “cockroaches,” which is enough to give any site owner the heebie-jeebies.

A simple search on the malicious domain “http[.]ps” at HTML search service publicwww.com shows this code is present on nearly a dozen other sites, including a music instrument retailer, an herbal pharmacy shop in Europe, and a business in Spain that sells programmable logic controllers — expensive computers and circuit boards designed to control large industrial operations.

The http[.]ps domain is hosted in Russia, and sits on a server with one other malicious domain — autocapital[.]pw. According to a Mar. 3 Twitter post by security researcher and blogger Denis Sinegubko, the autocapital domain acts as a collector of data hoovered up by the http[.]ps skimming script.

Jerome Segura over at Malwarebytes recently wrote about a similar attack in which the intruders used http[.]ps to spoof the location of a script that helps improve page load times for sites that rely on Web infrastructure firm Cloudflare.

“There is a subtle difference in the URI path loading both scripts,” Segura wrote. “The malicious one uses a clever way to turn the domain name http.ps (note the dot ‘.’ , extra ‘p’ and double slash ‘//’) into something that looks like ‘https://’. The threat actors are taking advantage of the fact that since Google Chrome version 76, the “https” scheme (and special-case subdomain “www”) is no longer shown to users.”

Segura says there are two ways e-commerce sites are being compromised here:

  • Skimming code that is injected into a self-hosted JavaScript library (the jQuery library seems to be the most targeted)
  • A script that references an external JavaScript, hosted on a malicious site (in this case, http[.]ps)
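The spoofing trick Segura describes and the second compromise mode (a reference to an external script) can be checked for mechanically. The Node.js script below is an added example, not code from the article or from Malwarebytes: it resolves every `<script src>` in a page source exactly as a browser would, so a protocol-relative `//http.ps/...` reference is shown for what it is, and flags any script host that is not allowlisted or whose name mimics a URL scheme. The page origin, the allowlist and the sample HTML are constructed for the example.

```javascript
// Added example, not code from the article: audit the <script src> references in a
// page's HTML source the way a site owner checking for an injected skimmer would.
// A protocol-relative reference such as //http.ps/... resolves against the page's
// own https: origin, so the browser fetches https://http.ps/... while the source
// line reads almost like "https://...".
const PAGE_ORIGIN = "https://shop.example";                                  // constructed
const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "cdn.shop.example"]); // constructed

// A hostname whose first label is itself a URL scheme (http.ps is the case in
// the article) looks like a scheme when it follows "//".
const SCHEME_LIKE_HOST = /^(https?|ftp|wss?)\.[a-z]{2,}$/i;

function extractScriptSrcs(html) {
  const srcs = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

function auditScripts(html, origin = PAGE_ORIGIN) {
  return extractScriptSrcs(html).map((src) => {
    const reasons = [];
    let url;
    try {
      url = new URL(src, origin);            // same resolution the browser performs
    } catch {
      return { src, resolved: null, host: null, suspicious: true, reasons: ["unparseable URL"] };
    }
    if (!ALLOWED_SCRIPT_HOSTS.has(url.hostname)) reasons.push("host not in allowlist");
    if (SCHEME_LIKE_HOST.test(url.hostname)) reasons.push("hostname mimics a URL scheme");
    if (src.startsWith("//")) reasons.push("protocol-relative reference");
    return { src, resolved: url.href, host: url.hostname, suspicious: reasons.length > 0, reasons };
  });
}

// Constructed sample page: two legitimate references and one injected reference
// pointing at the domain named in the article (the path is made up).
const SAMPLE_HTML = `
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/vendor/jquery.min.js"></script>
<script src="//http.ps/assets/example.js"></script>
`;

for (const r of auditScripts(SAMPLE_HTML)) {
  console.log(r.suspicious ? "SUSPICIOUS" : "ok        ", r.resolved, r.reasons.join("; "));
}
```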

Malwarebytes assesses that the tricks this domain uses to obfuscate the malicious code are tied to various site-hacking malware campaigns dating back to 2016. By the way, an installation of Malwarebytes on a test machine used for this investigation blocked the http[.]ps script from loading on each of the compromised sites I found.

Finally, the “.ps” bit of the malicious skimming domain refers to the country code top-level domain (ccTLD) for the State of Palestine. The domain was registered on Feb. 7.

If you run an e-commerce Web site, it would be a great idea to read up on leveraging Content Security Policy (CSP) response headers and Subresource Integrity security features offered by modern Web browsers. These offer mitigation options to prevent your site from being used in these card skimming attacks. Ryan Barnett at Akamai penned a comprehensive blog post on these approaches not long ago that is well worth reading [full disclosure: Akamai is an advertiser on this site].

I’ve been playing recently with privacy.com, which among other things offers a free service that allows users to generate a unique, one-time credit card number for each online transaction (privacy.com makes money from the interchange fees paid by merchants). The beauty of this approach is if your credit card details do get swiped by one of these site skimmers, you won’t have to change your credit card information at dozens of other sites and services you frequent.