Technology has become a great enabler but it can also be a killer. In this case, it has literally proven so for India’s lower-income residents, thanks to unscrupulous Chinese operators who have used spurious loan apps and hired Indian underlings to bilk the most vulnerable.
In just 10 months since the pandemic began, at least $3 billion worth of scam microloan transactions have taken place, with the bulk of that siphoned off.
The targets of these scams are people who are largely marginalised by the banking sector. Pandemic-induced joblessness and pay cuts led to an urgent need for cash and made their already dire situation worse in 2020, leaving them ripe for exploitation.
Yet, this appears to be only the tip of the iceberg. The other problem arising from the actions of these relatively few bad actors is that they have threatened the dynamic Chinese tech ecosystem within India. The top smartphone sellers in the country, like Xiaomi, Oppo, Vivo, RealMe, and OnePlus, all have significant investments in the country.
Countless startups, many that have now grown up, like Paytm and Ola, have been nourished by significant chunks of Chinese money — $4 billion worth — from companies like Tencent and Alibaba’s Ant Financial.
THE UNDERSERVED
Within the great revolution that the internet has ushered in, there have been big strides in areas such as transportation (Ola), e-commerce (Flipkart), and food-tech (Zomato), along with the advancement of a whole host of automation, logistics, and cloud services outfits that have begun to empower businesses and consumers.
One area that has held much promise is the booming fintech market, which provides solutions in the form of consumer credit, supply chain finance, digital payment, wealth management, and insurance.
In India, specifically, the poor in smaller towns and in the countryside have always been starved of banking avenues. Private sector banks, which took off in the early 2000s, had made the calculation long ago that it would not be profitable on a per-account basis to expand to the hinterland.
The Indian digital payments revolution tried to alleviate this problem for the unbanked, but poor internet infrastructure has made it difficult for financial inclusion to become commonplace, and smartphones are not yet ubiquitous in these parts.
As a result, moneylenders who have always held sway in rural and semi-urban parts have continued to ply their trade. Even scores of unbanked urban Indians in big cities have to resort to borrowing money from these unsavoury sources. Many of these moneylenders charge upwards of 300% interest, which is why, when marginalised Indians got wind of easy and instant loan approvals from an array of fintech apps, borrowing from them was a no-brainer.
They just didn’t realise, however, that they were being taken for a painful if not devastating ride.
DATA AS COLLATERAL
This is how the scam essentially works for the majority of borrowers. For example, a woman takes a loan, mostly a small one, say Rs 3,500 ($1), from a digital lending app such as My Bank. But within a few days, she notices something odd: Rs 26,000 is deposited into her account from 14 or so different lending apps that had never been downloaded onto her phone.
Before she is able to make sense of what is going on, the borrower is suddenly assailed by collection agents from all of these apps for the repayment of Rs 44,000 — 10 times the amount she borrowed.
When this already severely cash-strapped person is unable to repay her loans, she is threatened by collection agents who then morph her face onto naked bodies to create pornographic images of her.
The images are then sent to all of her contacts which the loan app had already accessed as part of the loan agreement, as well as the person’s WhatsApp groups. Personal data, which the lending app made sure it collected, was essentially used as collateral.
This kind of public humiliation and shame has resulted in six suicides in the state of Telangana so far.
THE PHANTOM MENACE
When an Indian consumer collective, Cashless Consumer, decided to investigate these occurrences, it discovered the scale and the horror of what was going on.
All of the user data is apparently stored in China and out of the 1,050 instant loan apps it checked — Loan Gram, Cash Train, Cash Bus, AAA Cash, Super Cash, Mint Cash, Happy Cash, Loan Card, Repay One, Money Box, Monkey box, Rupee Day, Cash Goo, among many, many others — only 300 apps had websites, albeit with scant information. Meanwhile, only 90 had physical addresses. According to Cashless Consumer, many of these apps breach Indian rules on lending.
Traditionally, banks and other non-banking financial companies that hand out loans have a whole host of documents that have to be provided before a loan is issued. Making the cut is not easy.
Enter digital lending apps, which more or less are not required to follow such requirements and can issue microloans with a much shorter repayment window and brutally high interest rates, most often 1% a day, which compounds every two weeks. It’s difficult to see how a person with a modest income, let alone a pandemic-induced cashflow crisis, would be able to pay this back.
When SaveIndia Foundation, a team of cybersecurity professionals, investigated instant loan apps operating in India, they discovered that hundreds of these accounts operated abroad and usernames and passwords were in Mandarin.
Further probing revealed that Chinese nationals were using Indian proxies as directors and used local chartered accountants to set up companies. In one instance, one such accountant helped Chinese investors float 40 companies, 12 of which were loan apps that now have criminal cases booked against them.
Police from four different states in India finally arrested seven Chinese nationals earlier this month for running the show with 35 Indian deputies, some of whom travelled to China for “training”. Several of these Indians were directors of multiple companies that have since been implicated in microloan scams based out of Bengaluru, Pune, Hyderabad, and Gurugram.
Payment gateways providing online wallets to these companies such as PayTM, Razorpay, and Cashfree have also contributed to the fiasco, say critics, and have been accused of being shoddy in their due diligence. A simple scrutiny of the appropriate identification documents, known in India as Know Your Customer, would have stopped many of these companies, according to critics.
THE FIX?
Without a firm government decree that requires stringent checks on money-related apps, more monumental digitally-enabled disasters are a certainty.
Moreover, app purveyors like Google should be forced to authenticate every loan app in their store. While the Google store has shut down a few dozen operators, the scale of the problem is immense. Hundreds of loan apps whose origins are dubious at best still abound.
Another equally dire consequence is that details of individuals given for the 14 million transactions all include copies of the Aadhaar, or the national identity card, which is part of the pan-India database. That information, along with Indian citizens’ facial images, now sits comfortably on Chinese servers and many are calling it a national security issue.
It is ironic that just 15 years ago, a microfinance revolution had built a dynamic industry in the same exact spot that many of the loan scams have popped up — the state of Telangana, which was once part of Andhra Pradesh.
The industry ultimately collapsed because borrowers were strongly encouraged to take multiple loans which became simply unpayable. Many committed suicide and the industry collapsed.
It seems that history is destined to repeat itself if checks and balances are not urgently established.
Acer has confirmed a cyberattack on its offices in India this week after hackers with the Desorden Group claimed to have breached servers and stolen 60GB of files. The group emailed ZDNet about the hack, claiming to have customer and corporate business data as well as financial information. When asked, the hackers denied it was a ransomware attack and claimed to have access to the company’s servers “over time.”
A spokesperson from Acer confirmed the hack, telling ZDNet that their security team recently detected an “isolated attack” on its local after-sales service system in India.
“Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems,” an Acer spokesperson said. “We are notifying all potentially affected customers in India. The incident has been reported to local law enforcement and the Indian Computer Emergency Response Team, and has no material impact to our operations and business continuity.”
After receiving the message from Acer, ZDNet asked the hackers whether they still had access. “Acer is a global network of vulnerable systems. We no longer have access to their India servers. This is all we can reveal now,” the hackers said in a follow-up message.
This is the second cyberattack Acer has suffered this year after being hit with ransomware in March. The REvil ransomware group claimed the attack and demanded a $50 million ransom, one of the highest reported at the time. Acer offered to pay the group $10 million, which was rejected by the hackers.
The Record reported that the data stolen recently by the Desorden Group was posted to cybercriminal forum RAID as well as being sent to reporters. Acer India was hit with a similar cyberattack in 2012 by a Turkish cybercriminal group, according to DataBreaches.net. The attackers defaced the company website and leaked 20,000 user credentials at the time.
DataBreaches.net reported last month that the Desorden Group recently claimed to have hacked into the Malaysian servers of ABX Express Enterprise on September 23. Like the latest attack, the group sent reporters portions of the stolen files and posted them into the RAID forum. They claimed to have stolen 200GB of information including the data of millions of Malaysians.
In messages to the site, the group said their name stands for “chaos and disorder” and had reorganized after originally going by the name “Chaos CC.” The group said it plans to attack supply chains and cause “disorder and chaos” that affects as many people as possible. The Desorden Group said it plans to hold data ransom and sell it if they are not paid. At the time, they claimed to have been negotiating a ransom with an unnamed Italian automotive supply company.
Spammers have inundated the Python Package Index (PyPI) portal and the GitLab source code hosting website with garbage content, flooding both with ads for shady sites and services.
The attacks were unrelated to each other.
PyPI flooded with more than 10,000 listings
The biggest of the two attacks took place on PyPI, the official package repository for the Python programming language, and a website that hosts tens of thousands of Python libraries.
For the past month, spammers have been abusing the fact that anyone can create entries on the PyPI website to generate pages for non-existent Python libraries that basically served as giant SEO ads for various shady sites.
The pages usually contained a soup of search-engine-friendly keywords for various topics, ranging from gaming to porn and from movie streaming to giveaways, and a shortened link at the bottom, often leading to a site trying to obtain payment card data, according to ZDNet’s tests.
Reached for comment earlier today, the PyPI team said it was aware of the SEO spam flood.
“Our admins are working to address the spam,” Ewa Jodlowska, Executive Director of the Python Software Foundation, told ZDNet in an email on Monday.
“By the nature of pypi.org, anyone can publish to it so it is relatively common,” she added.
Shortly after the exec’s email, many of the spam listings created on the PyPI portal began to be removed, an operation that appears to be still underway.
GitLab project owners spammed via email
But while the spam attack on PyPI appears to have been going on for at least a month, a new one was detected at GitLab, a website that allows developers and companies to host and sync work on source code repositories.
An unknown threat actor appears to have spammed the Issues Tracker for thousands of GitLab projects on Sunday and Monday with spam comments, each of which triggered an email to account holders. Just like the spam on PyPI, these comments also redirected users to shady sites.
Spamming source code repositories appears to be a new tactic for spam groups, which in previous years have usually focused on blogs, forums, and news portals, which have often seen their comment sections flooded with shady links.
GitLab was obviously not prepared for this kind of attack because its email system was overwhelmed and slowed down, with legitimate emails being delayed and queued, according to an incident status report the company published on Monday.
“We confirmed that mail latency was caused by a user’s spam attack. Mitigation is in progress, as we drain the offending job processing queues. https://t.co/FRkUs3EQOU” — GitLab.com Status (@gitlabstatus), February 8, 2021
Things are back to normal now, but both incidents show the dangers of leaving systems open and unprotected on the internet.
While spam is not a sexy attack vector, many companies will often fail to secure servers, web apps, and subdomains and will often have these resources abused to either host or participate in spam attacks.
For example, Microsoft, one year later, still has a problem with spam groups hijacking subdomains on its official microsoft.com site to host shady content.