Fraud as a service: Scammers are using encrypted messaging to undercut BNPL revenue

Buy now, pay later (BNPL) is booming in popularity, particularly among millennial and Gen Z consumers, who tend to be wary of traditional credit. With $680 billion in transaction volume by 2025 up for grabs, fintech startups and long-standing financial institutions alike are jumping into the mix with their own offerings.

But, as we’ve seen with other emerging tech trends, rapid growth leads to new challenges.

While many industry pundits would point to the recent Consumer Financial Protection Bureau (CFPB) probe into BNPL vendors as the sector’s biggest headwind, there’s another area that regulators and industry players should be concerned about: fraud. Cybercrime often acts as a barometer of economic trends, and as the BNPL market continues to soar, fraudsters are cashing in.

Rather than relegating their activities to dark web marketplaces, scammers are hiding in plain sight on encrypted messaging apps. They collaborate through publicly available forums on these platforms to target BNPL providers with new tactics.

The only way to get ahead of these scams is for BNPL vendors to ensure they have the right defense strategy in place to combat fraud on their own platforms and networks.

Payment fraud is going mainstream, and anyone with an internet connection can join in. Yet, rather than hoping that platforms remove these fraud forums from their services, BNPL providers and the merchants who use them can shore up their own properties by understanding exactly how they are at risk.

So, what do these new fraud methods look like, and how can providers protect against them? Let’s dive in.

The dark web versus the deep web: The rise of fraud as a service

The dark web has, for years, been home to cybercrime and has become an oasis for scammers looking to obtain compromised information. However, with the recent crackdown on dark web marketplaces, cybercriminals have turned to new and under-the-radar hubs to commit illegal activity.

Malign actors have set their sights on secure messaging apps, such as Telegram, to conduct their illegal activity. As a part of the deep web, which isn’t indexed by search engines, secure messaging apps are a haven for professional criminals hoping to remain anonymous.

Within these forums, fraudsters have evolved their attack strategies. Instead of solely buying and selling access to information, cybercriminals have begun to promote fraud as a service.

One example is a Telegram scheme in which cybercriminals steal from restaurants and food delivery services. By advertising their ability to purchase food and beverage orders with stolen information (e.g., log-in credentials or credit card numbers), they offer opportunistic diners a meal at a heavily discounted rate.

Unpacking SailPoint’s $6.9B sale to private equity firm Thoma Bravo

Good morning and happy Monday! It’s Early Stage week here at TechCrunch, which means that I have some prep work to do. That in mind, we’re briefly going to dig into SailPoint’s huge private equity buyout to divine what the transaction says about the value of technology companies.

The SailPoint sale comes amid a changing exit market for technology companies more broadly. Per exit data collated by CB Insights, while global M&A activity is stable thus far in 2022 compared to last year’s pace, IPO and SPAC exits fell sharply in the first quarter. That means that M&A is more important than ever for tech exits, making the SailPoint deal worth spending time on.


From a high level, SailPoint’s exit is not a mercy-killing. Before the deal was announced, the company’s stock price was effectively $50 per share, down only modestly from its 52-week high of a little more than $63 per share; compared to many public technology companies, that’s a very limited valuation haircut from peak levels.

Thoma Bravo will pay $65.25 per share in cash for SailPoint, which sells enterprise security products.

To understand why the company is selling, and why Thoma Bravo is buying, we’ll need to peek into the company’s results. That will bring us to the question of how the company is valued and what its price could mean for unicorns and other high-priced startups. This will be fun, and quick! Let’s go!

Is SailPoint a good business?

The how and why of raising OT security capital

Last year was huge for the cybersecurity market, fueled by rising incidents of cyberattacks, particularly ransomware that disrupted services and held companies hostage.

The numbers are striking: Investments in the space more than doubled from the year before to $29.3 billion, according to a recent report by investment bank Momentum Cyber. Two recent funding rounds, in November and February, even exceeded $1 billion. A record 286 M&A deals, worth $77.5 billion, were made, and 14 of those deals were worth over $1 billion each. This year is off to a promising start with Google’s $5.4 billion acquisition of Mandiant in March.

The market is responding to the evolving threat landscape. As new types of attacks arise, security vendors respond with new tools in what has become a cat-and-mouse game. This dynamic has driven the market for decades, but things are heating up now that the stakes are higher with hits on critical infrastructure and the U.S. supporting Ukraine in the Russian invasion.

One security area that has been seeing particular interest of late is operational technology.

Many attacks last year targeted companies that provide basic necessities of life, and consumers felt the pain. In February 2021, someone gained unauthorized access to the water treatment system in Oldsmar, Florida, and tried unsuccessfully to add more lye to the water supply.

And last May, drivers on the East Coast panicked when they couldn’t get gasoline after a ransomware attack disrupted Colonial Pipeline’s distribution network. That month, a ransomware attack on Brazilian meat supplier JBS resulted in beef shortages in South America, North America and Australia. JBS ended up paying $11 million in ransom.

The transportation industry has also been hit hard in recent years, seeing a 186% increase in weekly attacks from 2020 to 2021, and a 900% increase in maritime attacks since 2017. Recent incidents include attacks on the New York Metropolitan Transportation Authority and the CSX Class I freight railroad.

Critical infrastructure attacks and regulation

All these attacks on critical sectors have led to a slew of federal action plans and regulations affecting the water sector, pipeline operators and other critical industries.

In one example, the Department of Homeland Security’s Transportation Systems Sector-Specific Plan cites a number of elevated risks, including cyber and aging equipment, in guiding industry efforts to strengthen infrastructure security and resilience.

As Russian attacks on Ukraine have intensified, the U.S. government is increasingly concerned about Russia launching cyberattacks on American businesses, especially critical infrastructure. On March 15, President Joe Biden signed into law the Cyber Incident Reporting Act, which requires critical infrastructure providers to report cyberattacks to the Cybersecurity and Infrastructure Security Agency within 72 hours and ransomware payments within 24 hours.

Then, on March 21, the president reiterated earlier warnings, citing “evolving intelligence that the Russian government is exploring options for potential cyberattacks.”

Then the U.S. Department of Justice unsealed indictments on March 24, charging four Russians who worked for the Russian government with hacking operational technology (OT) of companies in the energy sector around the world over six years.

Legacy equipment in a modern world

For decades, cybercriminals focused on stealing information they could monetize, but now that OT environments are increasingly connected to the Internet, bad actors are trying to shut down infrastructure and conduct cyber-physical attacks like in Oldsmar.

The advent of ransomware and targeted attacks on critical infrastructure has changed the game and is putting operational technology security in the spotlight. At the end of the day, OT security is a national security issue.

Cloud providers’ default retention policies are not enough: You better back your SaaS up

If there’s one thing that recent earnings reports from Microsoft, Google and Amazon made clear, it’s that their cloud businesses are booming.

While the shift to the cloud is well underway, many companies aren’t paying attention to a critical aspect of this growth: the dramatic increase in data generated by SaaS that is not adequately protected. This exposure can put companies at greater risk for ransomware attacks, breaches, compliance woes and much more.

The growth of enterprise SaaS is rapid and inevitable. Gartner expects end-user spending on SaaS to rise over 18% to $171.9 billion in 2022 from $145.5 billion in 2021 — and it’s easy to see why.

The SaaS model offers significant value to both service providers and customers, ranging from reduced costs to simplified management and maintenance. The benefits of SaaS are many: It eliminates the need to install and configure software; it gives the customer greater financial flexibility by moving from licensing fees to subscriptions; there is no need to purchase and maintain hardware; and new releases and upgrades are automatically deployed.

Without the right policies in place, organizations often have little visibility into what SaaS data they actually have; whether that data is in compliance, protected or compromised.

But despite its rapid growth and countless benefits, there are significant challenges associated with managing and protecting SaaS data. That’s a problem that can only get worse, as for many organizations, SaaS is the fastest-growing segment of their data.

Cloud providers’ default retention policies are not enough

Each cloud service provider (CSP) and SaaS provider has its own data retention policy, and once that policy expires, the customer is responsible for backing up, protecting, and, if needed, restoring the data in the event of a cyber attack.

Not only is the customer responsible, but data retention policies can differ based on the provider and the type of SaaS data. In the current world of rampant ransomware attacks and stringent privacy and compliance regulations, leaving data unmanaged and unprotected is a risk few organizations can take.

Let’s look at Microsoft 365 as an example. Microsoft 365 adoption has been phenomenal, with nearly 300 million users and over 50% subscriber growth over the past two years. It is one of the most popular enterprise SaaS applications, and yet backup options are limited in terms of data stored on Azure.

Study: 30% of Log4Shell instances remain vulnerable

On December 9, 2021, a critical zero-day vulnerability affecting Apache’s Log4j2 library, a Java-based logging utility, was disclosed to the world and broke the internet.

As the third most used computer language, Java is practically ubiquitous, and its Log4j2 library is extremely popular, with an estimated 15 billion devices around the globe currently running Java. The worst part is that Log4j is hard to find and easy to exploit, which places hundreds of millions of Java-based applications, databases and devices at severe risk.

The full scope of risk presented by the vulnerability is unprecedented, spanning every type of organization across every industry. Due to the ease of the exploit combined with the difficulty in uncovering the vulnerability within your organization, Log4Shell is the proverbial needle in a haystack.

Cybersecurity and Infrastructure Security Agency director Jen Easterly noted that Log4Shell is the “most serious” vulnerability she has witnessed in her decades-long career. She urged business leaders not to delay remediation processes, noting that this vulnerability could take years to address. Remediating this vulnerability would not be a simple, one-and-done process, and multiple detection methods would be required.

Quick to patch, quicker to exploit

As many companies prepared to operate with skeleton IT staff in the last two weeks of 2021, hackers and attackers saw an opportunity. It didn’t take long for this critical Java vulnerability to be exploited in the wild. Nearly 1 million attack attempts were launched in just 72 hours following the vulnerability’s disclosure.

What’s worse, as part of an ongoing information-gathering operation, notorious Chinese hacking group APT41, which breached local government agencies in at least six U.S. states in the last 10 months, quickly leveraged Log4Shell as the primary vector to infiltrate at least two of the states’ computer systems.

As war escalates in Europe, it’s ‘shields up’ for the cybersecurity industry

In unprecedented times, even government bureaucracy moves quickly. As a result of the heightened likelihood of cyberthreats from Russian malicious actor groups, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) — part of the Department of Homeland Security — issued an unprecedented warning recommending that “all organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.”

The blanket warning is for all industries to take notice. Indeed, it’s a juxtaposition of sorts to think the cybersecurity industry is vulnerable to cyberattack, but for many nation state groups, this is their first port of call.

Inspired by the spike in attacks on cybersecurity agencies globally, a report from Reposify assessed the state of the cybersecurity industry’s external attack surface (EAS). It coincides with CISA’s warning, and highlights critical areas of concern for the sector and how they mirror trends amongst pharmaceutical and financial companies, providing vital insight into where organizations can focus their efforts, and reinforce the digital perimeter.


The report examined 35 cybersecurity companies and their 350+ subsidiaries with shocking results: during only a two-week period in January 2022, more than 200,000 exposed assets were uncovered at top firms, 42% of which were identified as high-severity issues.

As CISA outlines in its “Shields Up” guidance, the first step to resiliency is to reduce the likelihood of a damaging cyber intrusion in the first place. Recognizing the problem is only the first in a series of actionable moves organizations can make to minimize their external weaknesses to bad actors.

If addressing digital perimeter exposures is the foundation, zoning-in on problem areas is the framing. A deep dive into these deficiencies points to clear solutions all industries – cybersecurity or otherwise – can embrace to protect themselves.

What do companies need to do?

Many factors, including the transition to remote work environments, increased reliance on third-party vendors, digital transformation and offloading services onto the cloud, have significantly increased companies’ external attack surface.

According to the report, with the rise of remote access sites, 89% of identified assets were classified as part of the unofficial perimeter. Similarly, 87% of databases were unaccounted for, along with 67% of development tools and 62% of all network assets.

Databases were found to be among the most vulnerable to cybersecurity threats, with over half (51%) of cybersecurity companies hosting an exposed database. Nearly all (97.14%) security agencies have exposed assets on Amazon Web Services (AWS), and 86% of those analyzed have at least one sensitive remote access service exposed to the internet.

A CISO’s playbook for responding to zero-day exploits

SolarWinds, Colonial Pipeline, MSFT Exchange — these names have become synonymous with infamous cybersecurity events. We keep calling every new zero-day exploit a “wake-up call,” but all we have been doing is collectively hitting the snooze button.

But the discovery of the newest widespread critical vulnerability, Log4Shell, ruined the industry’s holiday season. It’s the biggest cybersecurity threat to emerge in years, thanks to the near ubiquity of Java in web applications and the popularity of the Log4j library. Due to its unprecedented scale, compounded by the fact that it is not easy to find, getting rid of this bug from your IT environment isn’t a “one-and-done” activity.

Security teams across the globe are once again racing to remediate a software flaw, even as attackers have begun targeting the low-hanging fruit — public web servers — at a recently reported rate of 100 attempts per minute. A mere seven days after its discovery, more than 1.8 million attacks had been detected against half of all corporate networks.

Are you awake now?

I’ve participated in many urgent Log4Shell briefings with Qualys customers (who include 19,000+ enterprises worldwide, 64% of Forbes Global 100), and it’s clear that dealing with a constant barrage of zero-day vulnerabilities is one of the greatest challenges faced by today’s security teams.

Just like inventorying, gathering and analyzing threat intelligence is crucial: it provides the foundation security teams need to take calculated and intentional steps.

It can be overwhelming to prioritize fixes and patches when responding to a zero-day exploit like Log4Shell. Here are a few steps to respond to security threats that we have learned and cataloged over the years:

Establish a standard operating procedure

Create a detailed standard operating procedure that includes step-by-step activities tailored to the vulnerability type.

For a zero-day response, the following information must be included:

  • A process flow for responses. If you need help, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created an excellent guide.
  • Categorization of the vulnerability by type, severity and required response times. There should be a specific category for critical zero-day vulnerabilities.
  • Pre-determined service-level agreements for each response team.
  • A procedure for declaring and communicating an incident (this could be a reference to the incident response standard operating procedure).
  • Steps for tracking, reporting and concluding the incident and returning to normal operations.

Constant compliance is security theater

As a former CTO, I know that integrations are required to deliver data-driven products online. I’ve designed transactional data systems that integrated with global telecom networks, applicant tracking systems and cloud-based infrastructures. Powerful integrations are not hard to conceive. It’s easy to identify data you would like to share between two different systems.

An integration, however, is beset by the same suite of pitfalls that any product feature or technological innovation may require, with one big wrinkle: At least half of the requirements were never designed with you, your use case or your organizational goals in mind.

The complex relationship of your vendors, technology and your overall business makes integrations a hard problem. It also makes potential solutions very brittle. If the problem you’re trying to solve is a SOC 2 audit or ISO 27001 certification to drive sales, an integration will not make passing your audit quicker. In reality, it will make it harder to achieve.

The problem you’re trying to solve

Before widely published security standards like SOC 2 or ISO 27001, much of security work was siloed into specific business functions like board management, HR or infotech. Each group designed best practices according to the expertise of their leaders. Few buyers ever asked questions.

Having a published standard with a validated testing or audit methodology provides an important new signal in your entire organization’s maturity. Buyers can point at specific credentials and require companies to accomplish an independent assessment to be certified. As the number and variety of vendors have grown, buyers have increasingly identified efficient tools to analyze your security stance.

The best time to implement an integration is when you’re sure it’s useful.

If the problem you’re trying to solve is trust via certification, does a technical integration accelerate compliance?

Integrations inhibit compliance and increase risk

There are zero integration requirements for SOC 2, ISO 27001, HIPAA or even CMMC, and there is no published security standard that requires an integration to achieve compliance. Even common standards such as PCI-DSS, GDPR or CCPA can be achieved without integrations, deployed agents or enterprise technology.

This is because all security standards are designed to not require any specific technology, personnel or processes. The authors of standards such as ISO 27001 recognize that each company is increasingly unique. For example, companies that offer an on-prem or private cloud deployment model are likely not required to comply with the monitoring portion of the SOC 2 Security standard during audit. Services organizations that develop intellectual property, such as software for their customers, are likely not required to comply with the change management portions of ISO 27001 and SOC 2 Security.

Israel’s cybersecurity startups post another record year in 2021

Over the past decade, the Israeli cybersecurity industry has secured its place as a formidable wellspring of technological innovation. No longer famous only for its high level of human technological capital born and bred in elite army intelligence units, the Israeli industry has matured into a veritable ecosystem of its own. With enough capital in this booming ecosystem to grow massive category leaders and cultivate internal M&A, Israeli startups are now major players in the global cybersecurity industry.

In last year’s recap of the Israeli cybersecurity ecosystem, we anticipated that the record-breaking rounds of 2020 and marked-up valuations would continue in 2021, but upon collecting and assessing this past year’s data, we were taken aback by the magnitude. Israeli cybersecurity startups in 2021 raised a stunning $8.84 billion, more than triple the amount in 2020 ($2.75 billion). Investments last year were distributed across 135 rounds, up from 109 in 2020, with 15 startups raising more than one funding round last year.

The cybersecurity market today has limited patience, and a “go big or go home” mindset has permeated as founders focus on laying the groundwork for reaching unicorn status, building multibillion-dollar companies, going public and more. Cybersecurity in Israel has become a polarized market that accepts only two types of startups: potential unicorns and actual unicorns.

Image Credits: YL Ventures

With such early and constantly growing investments, the industry has taken on a new approach that favors the survival of the fittest. It quickly becomes clear who will stay the course and catapult to growth and success, and who will look for the nearest exit with no time to linger in limbo.

Off to a running start

In order to achieve this growth, founders are making their goals distinctly clear in investment board rooms. They require more funding for a strong head start and later on for entering the unicorn club at record speed. Fortunately, such sizable amounts of capital are readily available.

Capital allocation for growth rounds in 2021 skewed toward the later stages. Image Credits: YL Ventures

The total amount raised in seed rounds last year increased slightly to $233 million from $203 million in 2020, but Series A rounds surged 140% to a whopping $693 million from $288 million a year earlier. At the other end of the spectrum, growth rounds (Series C and above) rose 300% to an astounding $6.46 billion in 2021 from $1.63 billion in 2020.

“As entrepreneurs, [2021] has drastically changed the industry’s rules,” says Assaf Hefetz, co-founder of Snyk, an Israeli cloud-native application security unicorn. “As threats abound and with skyrocketing demand for innovative solutions, Israeli cybersecurity startups now have an invaluable opportunity to grow big and grow fast. The table stakes are higher [ … ] and in such a competitive arena you have to stand out, or fold.”

The average seed round increased by 35% in 2021, but fewer startups were minted. Image Credits: YL Ventures

The average seed round increased by 35% to $7 million from $5.2 million. As investments rise, so does the bar for entry into the market. Only 58 new startups were founded in 2021 compared with 2020’s 64, a testament to the competitive and highly ambitious landscape.

The coming reckoning: Showing ROI from threat intelligence

Threat intelligence has been a part of cyber defense processes in the private sector for nearly a decade now. Many threat intelligence teams were initially composed of classically trained intel operators from the public sector, where they focused on gathering data to thwart national security threats. And as these teams grew and adjusted to protecting against customer data breaches and disruptions to services, growing pains associated with working in a corporate environment were to be expected.

Expectations are changing, though. Security operations is maturing, and as threats have continued to evolve, enterprises have made significant investments in security infrastructure. C-suites and boards are increasingly involved in security decision-making, and studies show that they are doubling down on security investments, which are expected to rise to $458.9 billion in 2025 from $262.4 billion in 2021.

But with increased investment comes scrutiny and rigorous competition for dollars across IT and security teams. However, for threat intelligence teams, it appears old habits die hard. Many remain in the government intel mindset, focused on funneling data to the security operations center (SOC) and have limited experience in extending threat intelligence to other parts of the business, communicating the resulting value and justifying the investment required.

Delivering curated threat intelligence to more teams that need it, enabled with bi-directional integration, will allow CISOs and their team to prove threat intelligence is far from a cost center.

After nearly a decade of threat intelligence going corporate, a reckoning is coming. It’s time for CISOs and threat intel teams to start working together and prove that threat intelligence is not a cost center, but drives value across all security operations.

As threat intel teams mature, here are three recommendations to help create a shift in mindset and demonstrate the full value it provides.

Think of the threat intel team as the providers of a product