More stories

    A network of Twitter bots has attacked the Belgian government's Huawei 5G ban

    Social media research group Graphika has published a report today exposing a small network of 14 Twitter accounts that engaged in a coordinated campaign to criticize the Belgian government’s plan to ban Huawei from supplying 5G equipment to local telecommunications providers.
    The accounts used fake names and posed as Belgium-based tech and 5G experts. Their profile images were synthetic faces produced by generative adversarial networks (GANs), a technique that more and more social media influence networks are adopting because the images do not turn up in reverse image searches.
    In a 33-page report [PDF] published today, Graphika researchers said the accounts spent their time retweeting content from popular accounts and mixing it with their own tweets that attacked the Belgian government’s decision to ban “high-risk” providers from its national 5G network, along with tweets that praised Huawei as a reliable investor and partner.
    These tweets would often link to articles sponsored by Huawei itself, articles from news agencies registered at non-existing addresses, or articles with the same text and headline but hosted across multiple newly-registered news sites and blogs.
    Some of the most common sources were domains like london-globe.com, newyorkglobe.co, toplinenews.eu, and eureporter.co.

    Graphika researchers said that while past Twitter botnets worked in an automated fashion, this smaller network appeared to have been manually operated, with all tweets being hand-written for each of the 14 accounts.
    But despite the small number of accounts that were part of this botnet, tweets were often amplified by other accounts, including what appeared to be a second network of Twitter bots.

    “These were created in batches and featured a ‘house style’ of pictures of mainly Western women, and handles that consisted of seven letters followed by eight numbers,” Graphika researchers said.
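    The two indicators Graphika gives for the amplifier network, a fixed handle shape and batch creation, are simple enough to turn into a triage heuristic. The following is an added example, not code from Graphika or ZDNet; the handles, creation timestamps, the one-hour batch window and the minimum batch size of three are constructed assumptions for illustration. A hit is a starting point for analyst review, not proof that an account is a bot.

```python
"""Triage of account handles for the "house style" Graphika describes:
exactly seven letters followed by eight digits, created in batches.
Added example; sample handles and timestamps are constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Seven ASCII letters then eight digits, and nothing else in the handle.
HOUSE_STYLE = re.compile(r"^[A-Za-z]{7}[0-9]{8}$")


def matches_house_style(handle: str) -> bool:
    """True if the handle (with or without a leading @) fits the pattern."""
    return bool(HOUSE_STYLE.fullmatch(handle.lstrip("@")))


def creation_batches(accounts, window=timedelta(hours=1), min_size=3):
    """Group accounts whose creation times are within `window` of the
    previous account in time order. Returns one list of handles per
    batch that has at least `min_size` members. Window and size are
    assumptions, not figures from the report."""
    ordered = sorted(accounts, key=lambda a: a["created"])
    batches, current = [], []
    for acct in ordered:
        if current and acct["created"] - current[-1]["created"] > window:
            if len(current) >= min_size:
                batches.append([a["handle"] for a in current])
            current = []
        current.append(acct)
    if len(current) >= min_size:
        batches.append([a["handle"] for a in current])
    return batches


def score_accounts(accounts):
    """Return {handle: [reasons]} for every account that hits an indicator."""
    flagged = defaultdict(list)
    for acct in accounts:
        if matches_house_style(acct["handle"]):
            flagged[acct["handle"]].append("house-style handle")
    for batch in creation_batches(accounts):
        for handle in batch:
            flagged[handle].append(f"created in batch of {len(batch)}")
    return dict(flagged)


# Constructed sample data: three accounts made minutes apart with
# pattern handles, plus two organic-looking accounts.
T0 = datetime(2020, 11, 3, 14, 0)
SAMPLE_ACCOUNTS = [
    {"handle": "abcdefg12345678", "created": T0},
    {"handle": "hijklmn87654321", "created": T0 + timedelta(minutes=7)},
    {"handle": "opqrstu11223344", "created": T0 + timedelta(minutes=15)},
    {"handle": "real_person_be", "created": T0 - timedelta(days=900)},
    {"handle": "tech5gnerd", "created": T0 + timedelta(days=30)},
]

if __name__ == "__main__":
    for handle, reasons in score_accounts(SAMPLE_ACCOUNTS).items():
        print(handle, "->", "; ".join(reasons))
```

    The two signals are scored separately on purpose: a handle pattern alone is weak (plenty of real users accept auto-generated handles), while a pattern hit that also falls inside a creation burst is what the report actually describes.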
    The campaign targeting the Belgian government did not go unnoticed: several Belgian tech and government workers spotted it on their own last month.

    So here’s the thread on Huawei I promised yesterday. It seems Huawei is using social media black ops tactics to try to convince policy-makers in Belgium that it can be trusted to build 5G networks. 🤨 pic.twitter.com/noZKM13RuD
    — Michiel van Hulten (@mvanhulten) December 22, 2020

    All in all, Graphika did not specifically conclude that any of the 14 accounts were controlled by Huawei or a related entity, leaving this question unanswered.
    Nonetheless, Graphika noted that some Huawei employees in Western Europe had often retweeted some of this bot network’s content.
    All 14 Twitter accounts have now been suspended.

    Trickbot is back again – with fresh phishing and malware attacks

    Trickbot malware is back with a new campaign – just a few months after its operations were disrupted by a coalition of cybersecurity and technology companies.
    Trickbot started life as a banking trojan and evolved into one of the most popular pieces of malware among cyber criminals, largely because its modular design lets it be used in many different kinds of attacks.
    These include the theft of login credentials and the ability to propagate itself around the network spreading the infection further.
    Trickbot even became a loader for other forms of malware, with cyber criminals taking advantage of machines already compromised by Trickbot as a means of delivering other malicious payloads, including ransomware.
    In October last year, a takedown led by Microsoft disrupted the infrastructure behind the Trickbot malware botnet, but now it appears to be coming back to life as researchers at Menlo Security have identified an ongoing malware campaign which has the hallmarks of previous Trickbot activity.
    These attacks appear to be exclusively targeting legal and insurance companies in North America, with phishing emails encouraging potential victims to click on a link which will redirect them to a server which downloads a malicious payload.

    Many of the emails claim the recipient has committed a traffic infringement and point them to a download of the ‘proof’ of the offence, a social engineering trick that catches people off guard and panics them into downloading. In this case the download is a zip archive containing a malicious JavaScript file, a technique typical of Trickbot campaigns, which connects to a server to fetch the final malware payload.
    Analysis of this payload indicates that it connects to domains which are known to distribute Trickbot malware, indicating that it’s once again active and could pose a threat to enterprise networks.
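    The delivery chain described above (zip attachment, script inside, downloader behaviour) lends itself to a straightforward check on the archive at the mail gateway before it reaches a user. The following is an added example, not Menlo Security’s analysis code or anything from the Trickbot campaign; the archive contents, file names and the list of runnable extensions are constructed assumptions. In practice this sits alongside detonation and URL reputation, since a benign-looking file name proves nothing on its own.

```python
"""Triage of an attached zip archive for a script-based downloader lure.
Added example; the archives below are built in memory and are constructed,
not captured samples."""
import io
import zipfile

# File types Windows runs directly on double-click (WScript, mshta, shell).
# Assumption: this list is a starting point, not an exhaustive policy.
RUNNABLE_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".cmd", ".bat", ".lnk", ".scr", ".exe",
}
# Document-looking extensions used as the first half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}


def suspicious_members(zip_bytes: bytes) -> list:
    """Return human-readable findings for each archive member that looks
    like a runnable script, a double-extension decoy, or is encrypted
    (which hides content from scanners). Empty list means nothing found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1].lower()
            if not name:
                continue  # directory entry
            parts = name.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in RUNNABLE_EXTENSIONS:
                findings.append(f"{info.filename}: executable script ({ext})")
                if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
                    findings.append(
                        f"{info.filename}: double extension masquerading as {parts[-2]}"
                    )
            if info.flag_bits & 0x1:  # general purpose bit 0 = encrypted
                findings.append(f"{info.filename}: encrypted member (content hidden from scanners)")
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure: a 'traffic violation proof' zip with a .js inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "Traffic_Violation_Proof.pdf.js",
            "// constructed stand-in; a real sample would fetch and run a payload\n",
        )
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control: an archive holding only a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_sample_archive()), ("benign", build_benign_archive())):
        print(label, "->", suspicious_members(data) or "no findings")
```

    The encrypted-member check matters because password-protected archives are a common way to get a script past content scanning while still letting the victim open it; treat such attachments as suspicious regardless of the file names inside.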
    “Where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot’s operations,” said Vinay Pidathala, director of security research at Menlo Security.
    “While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment,” he added.
    An advisory on Trickbot from the UK’s National Cyber Security Centre (NCSC) recommends that organisations run the latest supported versions of operating systems and software and apply security patches promptly, so that Trickbot and other malware cannot exploit known vulnerabilities to spread.
    It also recommends applying two-factor authentication across the network, so that if one machine is compromised the stolen credentials alone are not enough for the malware to move to others.

    Telegram now lets you bring across chat history from WhatsApp

    Telegram has developed a feature that lets users bring across their old WhatsApp messages.
    Telegram has launched a new feature to help people move their chat history from other apps including WhatsApp.
    Telegram was one of the major beneficiaries of the public backlash against Facebook in January updating WhatsApp’s privacy policy, which would allow it to share more information with businesses. 

    Telegram claimed to have gained 25 million new users after initial reports about the new policy, pushing its user numbers beyond 500 million. 
    Security experts generally recommend Signal as the most secure mainstream chat app, and it also gained many users fleeing WhatsApp. Other options include Threema and Wickr, which likewise encrypt end-to-end by default. Signal and Threema publish their client source code for independent review; Telegram publishes its client code too, but not its server-side code, and ordinary Telegram chats and groups are not end-to-end encrypted by default (only its one-to-one ‘secret chats’ are).
    According to Telegram, it gained 100 million new users in January and it’s now developed a feature that lets users bring across their old WhatsApp messages to Telegram. The chat migration feature also works for chat histories in Line and KakaoTalk. The migration feature works for individual and group chats.
    The feature takes advantage of WhatsApp’s already available export chat option.    

    “To move a chat from WhatsApp on iOS, open the Contact Info or Group Info page in WhatsApp, tap Export Chat, then choose Telegram in the Share menu,” Telegram explained. 
    WhatsApp on iOS also lets users export chats directly from the chat list by swiping left on a chat, then choosing Export Chat.
    In addition, Telegram announced a new feature that lets users report fake channels and groups that pose as famous people and organizations. Telegram says its moderators will investigate reports when users open a suspect profile page and tap Report > Fake Account. 
    WhatsApp in mid-January decided to delay its privacy policy update due to confusion about what the update meant. It moved the deadline for accepting its new terms from February 8 to May 15. 
    “We’re now moving back the date on which people will be asked to review and accept the terms. No one will have their account suspended or deleted on February 8,” WhatsApp said.  
    “We’re also going to do a lot more to clear up the misinformation around how privacy and security works on WhatsApp. We’ll then go to people gradually to review the policy at their own pace before new business options are available on May 15.”

    SolarWinds attack is not an outlier, but a moment of reckoning for security industry, says Microsoft exec

    Sophisticated attacks could put more tech suppliers at risk.
    If you were hoping the SolarWinds hack was going to be a one-off, you’re out of luck. Expect more sophisticated and complicated attacks of the same type to come along sooner or later.
    The SolarWinds hack – a supply chain attack that saw (most likely Russian state-backed) hackers use SolarWinds’ enterprise IT-monitoring software to deploy malware – hit a number of big-name US tech vendors. 

    These include Microsoft, FireEye (which owns Mandiant), Mimecast, Palo Alto Networks, Qualys, Malwarebytes, and Fidelis. What really set this attack apart was that many of the targets were not just government agencies or businesses, but the security companies themselves.
    “What SolarWinds has taught us is that this landscape is more complex and more sophisticated. Is this a different attack? It is a really sophisticated attack,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity told ZDNet in an interview. 
    “These attacks are going to continue to get more sophisticated. So we should expect that. This is not the first and not the last. This is not an outlier. This is going to be the norm. This is why what we do is more important than ever,” she said.
    “I believe that SolarWinds is a moment of reckoning in the industry. This is not going to change and we have to do better as a defender community and we have to be unified in our responses. We have been out there, leading in this response.” 

    Jakkal takes a similar line to Microsoft president Brad Smith. “While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy,” said Smith in the wake of Microsoft’s disclosure about the attacks. 
    “This is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency,” he said.
    “It’s an unprecedented time. Full stop,” says Jakkal. “Cybersecurity vendors getting hacked – that is a moment of reckoning.” 
    Microsoft also sees security as a key area of growth. At this week’s second-quarter earnings report, CEO Satya Nadella said commercial cloud sales had grown sharply and that Microsoft’s security business now brings in $10 billion a year in revenue.
    To put that in context, the security business accounts for roughly 15% of the $66.8 billion annual revenue run rate the entire Microsoft cloud business is expected to reach this year.
    Microsoft’s security portfolio is vast. There’s Microsoft Defender for Mac, Windows and Linux endpoints, Defender for email and Defender for Office 365. Microsoft calls this business XDR or the extended detection and response portfolio, which has been bolstered by its security information and event-management (SIEM) platform, called Sentinel. 
    Jakkal is still upbeat about the prospects of the US cybersecurity and broader software industry rising to the threat demonstrated by the SolarWinds hack. She argues that by going after so many tech security providers, the hackers have shown that the industry needs to act as one.
    “And we have come together. I’m really impressed to see how the cybersecurity industry – FireEye, Microsoft – how we can get together across private and public sectors to discuss how we can share more information between organizations.
    “These are things we are considering. This is why it is a moment of reckoning, a moment of pause,” says Jakkal.

    Electronic health records provider Athena to pay $18m settlement in kickback lawsuit

    Electronic health records (EHR) provider Athena has agreed to pay $18.25 million to settle claims the company was involved in an illegal kickback scheme. 

    Whistleblowers accused Athenahealth Inc., an EHR vendor based in Watertown, Massachusetts, of making kickback deals to promote sales of athenaClinicals.
    athenaClinicals is a web-based EHR portal for accessing medical documentation and patient records and for exchanging data between care sites. The software is marketed as a way for healthcare professionals to “focus on delivering care.”
    On Thursday, the US Department of Justice (DoJ) said that Athena’s settlement will lay accusations of violating the False Claims Act and the Anti-Kickback Statute (AKS) to rest. 
    US prosecutors allege that from 2014 through September 2020, Athena paid kickbacks to healthcare providers and other EHR vendors to induce them to purchase athenaClinicals.
    According to the complaint, three marketing programs were used to allegedly facilitate the scheme. Prospective and existing clients were invited to complimentary, all-expenses-paid “Concierge Events” providing entertainment — including entry to the Masters Tournament and NFL games — and a “Lead Generation” program paid clients up to $3,000 for each new physician signed up “regardless of how much time, if any, the existing customer spent speaking to or meeting with the new client,” the DoJ said.
    In addition, Athena allegedly entered into deals with competing vendors that were planning to exit the EHR industry and paid them for referrals that converted into new clients. 

    “By offering and paying this illegal remuneration in cash and in kind, Athena submitted and caused its EHR clients to submit to federal health care programs false or fraudulent claims that resulted from violations of the AKS,” the US agency says. 
    The lawsuit and a separate claim were both filed in 2017 under the whistleblower provisions of the False Claims Act and later consolidated. These provisions allow private citizens to sue on behalf of the US government.
    The individuals that flagged Athena’s reported kickback scheme may be entitled to compensation from the government, but figures are yet to be determined. 
    Of the $18.25 million settlement, $9.12 million has been designated as restitution to the United States.
    “This resolution demonstrates the department’s continued commitment to hold EHR companies accountable for the payment of unlawful kickbacks in any form,” commented Acting Assistant Attorney General Brian Boynton for the DOJ’s Civil Division. “EHR technology plays an important role in the provision of medical care, and it is critical that the selection of an EHR platform be made without the influence of improper financial inducements.”
    ZDNet has reached out to Athena for comment and will update when we hear back. 

    Google bans another misbehaving CA from Chrome

    Google intends to ban and remove support from Chrome for digital certificates issued by Spanish certificate authority (CA) Camerfirma, the browser maker announced this week.

    The ban will come into effect with the launch of Chrome 90, scheduled for release in mid-April 2021.
    After the Chrome 90 launch, all websites that use TLS certificates issued by Camerfirma to secure their HTTPS traffic will show an error and will not load in Chrome going forward.
    The decision to ban Camerfirma certificates was announced on Monday after the company was given more than six weeks to explain a string of 26 incidents related to its certificate-issuance process.
    The incidents, which Mozilla has documented on its CA incident wiki, go back to March 2017.
    Two of the most recent have taken place this month, January 2021, even after the company was made aware it was under investigation in December 2020.
    The incidents paint a picture of a company that has failed to meet industry-agreed quality and security standards in regards to the process of issuing TLS certificates for website operators, software makers, and enterprise system administrators.
    Just Chrome for now

    Across the years, browser makers have often banded together to kick out certificate authorities that don’t follow these rules. Other CAs that have been banned from Chrome in the past include Symantec, DigiNotar, and WoSign and its subsidiary StartCom.
    This led to companies like DigiNotar filing for bankruptcy and Symantec selling its CA business to DigiCert after their certificates became pariahs inside modern browsers.
    At the time of writing, no other browser maker has announced a similar ban on Camerfirma certs but industry experts expect similar decisions from the other three (Apple, Microsoft, and Mozilla) in the coming weeks.
    Nevertheless, the Google ban alone is enough to cripple Camerfirma’s business: with Chrome holding roughly 60% to 70% of the browser market, the ban is a de facto death blow.
    A Camerfirma spokesperson has not returned a request for comment.

    Scams, terror, and national security: Problems with Chinese microloan apps in India

    Technology has become a great enabler but it can also be a killer. In this case, it has literally proven so for India’s lower-income residents, thanks to unscrupulous Chinese operators who have used spurious loan apps and hired Indian underlings to bilk the most vulnerable.
    In just 10 months since the pandemic began, at least $3 billion worth of scam microloan transactions have taken place with a bulk of that siphoned off. 
    The targets of these scams are people who are largely marginalised by the banking sector. Factoring in pandemic-induced joblessness and pay cuts that have led to an urgent need for cash, the dire situation of these people exacerbated in 2020, making them ripe for exploitation.
    Yet, this appears to be only the tip of the iceberg. The other problem arising from the actions of these relatively few bad actors is that it has threatened the dynamic Chinese tech ecosystem within India. The top smartphone sellers in the country like Xiaomi, Oppo, Vivo, RealMe, OnePlus all have significant investments in the country.
    Countless startups, many that have now grown up, like Paytm and Ola, have been nourished by significant chunks of Chinese money — $4 billion worth — from companies like Tencent and Alibaba’s Ant Financial.
    THE UNDERSERVED
    Within the great revolution that the internet has ushered in, there have been big strides in areas such as transportation (Ola), e-commerce (Flipkart), and food-tech (Zomato), along with the advancement of a whole host of automation, logistics, and cloud services outfits that have begun to empower businesses and consumers.
    One area that has held much promise is the booming fintech market, which provides solutions in the form of consumer credit, supply chain finance, digital payment, wealth management, and insurance.

    In India, specifically, the poor in smaller towns and in the countryside have always been starved of banking avenues. Private sector banks, which took off in the early 2000s, had made the calculation long ago that it would not be profitable on a per account basis to expand to the hinterland.
    The Indian digital payments revolution tried to alleviate this problem experienced by unbanked, but poor internet infrastructure has made it difficult for financial inclusion to become commonplace and smartphones are not yet ubiquitous in these parts.
    As a result, moneylenders who have always held sway in rural and semi-urban parts have continued to ply their trade. Even scores of unbanked urban Indians in big cities have to resort to borrowing money from these unsavoury sources. Many of these moneylenders charge upwards of 300% interest, which is why, when marginalised Indians got wind of easy-and instant-loan approvals from an array of fintech apps, borrowing from them was a no-brainer. 
    They just didn’t realise, however, that they were being taken for a painful if not devastating ride.
    DATA AS COLLATERAL
    This is how the scam works for most borrowers. A woman takes out a small loan, say Rs 3,500 (about $48), from a digital lending app such as My Bank. Within a few days she notices something odd: Rs 26,000 has been deposited into her account from 14 or so other lending apps that were never downloaded onto her phone.
    Before she can make sense of what is going on, she is assailed by collection agents from all of these apps demanding repayment of Rs 44,000, more than 10 times what she borrowed.
    When this already severely cash-strapped person cannot repay, the collection agents threaten her and morph her face onto naked bodies to create pornographic images of her.
    The images are then sent to all of her contacts which the loan app had already accessed as part of the loan agreement, as well as the person’s WhatsApp groups. Personal data, which the lending app made sure it collected, was essentially used as collateral.
    This kind of public humiliation and shame has resulted in six suicides in the state of Telangana so far.
    THE PHANTOM MENACE
    When an Indian consumer collective, Cashless Consumer, decided to investigate these occurrences, it discovered the scale and the horror of what was going on.
    All of the user data is apparently stored in China and out of the 1,050 instant loan apps it checked — Loan Gram, Cash Train, Cash Bus, AAA Cash, Super Cash, Mint Cash, Happy Cash, Loan Card, Repay One, Money Box, Monkey box, Rupee Day, Cash Goo, among many, many others — only 300 apps had websites, albeit with scant information. Meanwhile, only 90 had physical addresses. According to Cashless Consumer, many of these apps breach Indian rules on lending.
    Traditionally, banks and other non-banking financial companies that hand out loans have a whole host of documents that have to be provided before a loan is issued. Making the cut is not easy.
    Digital lending apps, by contrast, are more or less free of such requirements and can issue microloans with a much shorter repayment window and brutally high interest rates, most often 1% a day, compounding every two weeks. It is difficult to see how a person on a modest income, let alone one in a pandemic-induced cashflow crisis, could pay this back.
    When SaveIndia Foundation, a team of cybersecurity professionals, investigated instant loan apps operating in India, it found that hundreds of the associated accounts were operated from abroad and that their usernames and passwords were in Mandarin.
    Further probing revealed that Chinese nationals were using Indian proxies as directors and used local chartered accountants to set up companies. In one instance, one such accountant helped Chinese investors float 40 companies, 12 of which were loan apps that now have criminal cases booked against them.
    Police from four different states in India finally arrested seven Chinese nationals earlier this month for running the show with 35 Indian deputies, some of whom travelled to China for “training”. Several of these Indians were directors of multiple companies that have since been implicated in microloan scams based out of Bengaluru, Pune, Hyderabad, and Gurugram.
    Payment gateways that provided online wallets to these companies, such as Paytm, Razorpay, and Cashfree, have also contributed to the fiasco, critics say, and have been accused of shoddy due diligence. Basic scrutiny of the identification documents required under India’s Know Your Customer rules would have stopped many of these companies, according to critics.
    THE FIX?
    Without a firm government decree that requires stringent checks on money-related apps, more monumental digitally-enabled disasters are a certainty.
    Moreover, app distributors like Google should be required to vet every loan app in their store. While the Google store has shut down a few dozen operators, the scale of the problem is immense: hundreds of loan apps of dubious origin still abound.
    Another equally dire consequence is that details of individuals given for the 14 million transactions all include copies of the Aadhaar, or the national identity card, which is part of the pan-India database. That information, along with Indian citizens’ facial images, now sit comfortably on Chinese servers and many are calling it a national security issue.
    It is ironic that just 15 years ago, a microfinance revolution had built a dynamic industry in the same exact spot that many of the loan scams have popped up — the state of Telangana, which was once part of Andhra Pradesh.
    The industry ultimately collapsed because borrowers were strongly encouraged to take multiple loans which became simply unpayable. Many committed suicide and the industry collapsed.
    It seems that history is destined to repeat itself if checks and balances are not urgently established.

    OAIC asks Home Affairs to create 'information champ' role for overseeing FOI requests

    The Office of the Australian Information Commissioner (OAIC) has declared the Department of Home Affairs does not have adequate governance and systems of accountability in place to comply with statutory time frames for processing freedom of information (FOI) requests for non-personal information.
    Its findings were made following an investigation into the Peter Dutton-overseen department’s statutory processing periods specified under the Freedom of Information Act 1982.
    “Over the past four financial years, more than 50% of the FOI requests to Home Affairs for non-personal information were processed outside of the statutory processing period,” the OAIC said.
    Offering a handful of recommendations, the commissioner has suggested Home Affairs appoint an “information champion”.
    “Senior support, in the form of a senior information champion who is a member of the department’s executive with sufficient seniority, such as the chief operating officer, who may be supported by an information governance board, will play a key role in promoting FOI Act compliance within the department,” the OAIC says in its report [PDF].
    The OAIC has also recommended the creation of a manual, staff training, and compliance audits of performance moving forward.
    In compiling its report, the commissioner provided a timeline for the steps the department has taken up until the OAIC probe, such as implementing modern FOI handling technology capabilities.

    In 2017, Home Affairs launched an online form to assist applicants and a year later commenced use of HotDocs software for decision letters and other correspondence.
    “The department has become primarily digital, eliminating the creation of paper records and has been in the process of digitising incoming mail and existing paper records,” the report adds.
    In March 2020, the department published statistics on the General Skilled Migration program which reduced the frequency of FOI requests for this information, and a month later, it provided remote access to use Adobe Pro software to members of the FOI Section, coinciding with stay at home orders in response to COVID-19 measures.
    In the same month, Home Affairs introduced FOI management dashboards to provide information on the status of FOI caseloads and individual requests and in May it provided temporary additional resourcing to process FOI requests for personal information.
    The OAIC said such steps have improved compliance with statutory processing requirements.
    Earlier this week, the OAIC ordered Home Affairs to cost up the amount owed for each individual and pay compensation for “mistakenly” releasing the personal information of 9,251 asylum seekers.
    It was determined the former Department of Immigration and Border Protection at the time had “interfered” with the privacy of these individuals by accidentally publishing their full names, nationalities, locations, arrival dates, and boat arrival information on its website in 2014.
    Following the publishing of their personal information, the asylum seekers launched legal action against the department. The asylum seekers in New South Wales, Western Australia, and the Northern Territory claimed the breach exposed them to persecution from authorities in their home countries.
    A total of 1,297 applications were lodged as part of the legal case requesting that compensation be paid because those affected suffered loss or damage due to the data breach.
    The commissioner said the compensation paid to participating class members would range from AU$500 to more than AU$20,000 and would be determined case by case by the department.