67.4 F
Tuesday, April 23, 2019


Home Tech

‘Land Lordz’ Service Powers Airbnb Scams


Scammers who make a living swindling Airbnb.com customers have a powerful new tool at their disposal: A software-as-a-service offering called “Land Lordz,” which helps automate the creation and management of fake Airbnb Web sites and the sending of messages to advertise the fraudulent listings.

The ne’er-do-well who set up the account below has been paying $550 a month for a Land Lordz “basic plan” subscription at landlordz[.]site that helps him manage more than 500 scam properties and interactions with up to 100 (soon-to-be-scammed) “guests” looking to book the fake listings. Currently, this scammer has just four dozen listings, virtually all of which are for properties in London and the surrounding United Kingdom.

‘Land Lordz’ Service Powers Airbnb Scams 1

The Land Lordz administrative panel for a scammer who’s running dozens of Airbnb scams in the United Kingdom.

Your typical victim will respond to an advertisement for a listing provided at Airbnb.com, and be assured they can pay through Airbnb, which offers buyer protection and refunds for unhappy customers. But when the interested party inquires about the listing, they are sent a link to a site that looks like Airbnb.com but which is actually a phishing page.

In the case of these particular fraudsters, their fake page was “airbnb.longterm-airbnb[.]co[.]uk” (I’ve added brackets to prevent the link from being clickable). The site looks exactly like the real Airbnb, includes pictures of the requested property, and steers visitors toward signing in or to creating a new account. The fake site simply forwards all requests on this page to Airbnb.com, and records any usernames and passwords submitted through the site.

‘Land Lordz’ Service Powers Airbnb Scams 2

The fake Airbnb site used by the scammers logged all Airbnb credentials submitted by new and existing users.

Here’s a look at some of the properties listed for rent by these scammers. All of the names and images on these listings have been lifted from other legitimate listings.

‘Land Lordz’ Service Powers Airbnb Scams 3

Fake properties for rent, as listed by the Land Lordz Airbnb scam service.

The Land Lordz service includes several sets of default positive comments from fake past reviewers that can be used to populate the phony listings. The non-existent home and apartment rentals offered by these scammers are all sold on monthly rates, and the seller’s page says buyers must pay a deposit of the first month before the date is locked in.

‘Land Lordz’ Service Powers Airbnb Scams 4

A phony comments generator page.

The Land Lordz panel lets the scammer keep track of all messages with would-be victims, who are strung along and told the reservation on the residence will be lifted unless a cash deposit is made within 72 hours. Here’s one from would-be victim Shanon, on March 28, 2019, to the scammers.

Shanon: My partner wants to see the place before we send money over as we done this last time and someone scammed us I ain’t saying your not legit as you have send documents with details on name etc

Scammer: “Hello, The property is still available for your dates. The price is € 250 + €500 secure deposit. As security deposit needs to be added ,discount needs to be applied please follow the airbnb link” (which goes to the fake Airbnb page).

Alex Holden, chief information security officer of Hold Security LLC and the researcher who shared screen shots of this fraud panel, said the scammers appear to be advertising their fake listings primarily via Gumtree, a free classifieds service in the U.K.

People who lose money in these scams fail big time on two things. First, they fail to notice they are not on airbnb.com. More importantly, they end up wiring money to secure the promise of a fake apartment or home in another country, and the thieves cut off all communications at that point.

Like they did to this poor sucker, who paid $1,200 in exchange for a piece of paper which promised they’d hand over keys to the apartment at a specific date:

‘Land Lordz’ Service Powers Airbnb Scams 5

The subject of this victim’s message “pickup of keys” says it all.

This 2018 story from travel blog goatsontheroad.com tells the tale of a couple that was very nearly scammed by a Land Lordz-like trap, before the wife figures out they’re no longer on airbnb.com.

It’s important to note that these scams can just as likely target users of Airbnb as they can other services, such as craigslist.com and booking.com. Be wary of clicking on links in emails from property hosts, and make sure you are always on Airbnb or whatever site you think you’re on.

Airbnb could help by adding some type of robust multi-factor authentication, such as Security Keys — which would defeat these Airbnb phishing pages. According to twofactorauth.org, Airbnb currently does not support any type of multi-factor authentication that users can enable.

Airbnb.com says if the company detects something phishy about a login for your account it may ask you to enter a security code sent to your phone or email address, or verify some of your account details.

In case anyone would like to follow up on this research, other domains used by these scammers include airbnb.longterm-airbnb[.]co.uk, airbnb.pt-anuncio[.]com, airbnb.request-online[.]com, and airbnb-invoice[.]com. Some of the bank accounts and payment recipients from scams tied to these listings are pictured here.

‘Land Lordz’ Service Powers Airbnb Scams 6

Tags: Airbnb scam page, alex holden, goatsontheroad.com, Gumtree, Hold Security LLC, Land Lords, Land Lordz

You can skip to the end and leave a comment. Pinging is currently not allowed.

Experts: Breach at IT Outsourcing Giant Wipro


Indian information technology (IT) outsourcing and consulting giant Wipro Ltd. [NYSE:WIT] is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity. Wipro has refused to respond to questions about the alleged incident.

Experts: Breach at IT Outsourcing Giant Wipro 7Earlier this month, KrebsOnSecurity heard independently from two trusted sources that Wipro — India’s third-largest IT outsourcing company — was dealing with a multi-month intrusion from an assumed state-sponsored attacker.

Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.

The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.

On April 9, KrebsOnSecurity reached out to Wipro for comment. That prompted an email on Apr. 10 from Vipin Nair, Wipro’s head of communications. Nair said he was traveling and needed a few days to gather more information before offering an official response.

On Friday, Apr. 12, Nair sent a statement that acknowledged none of the questions Wipro was asked about an alleged security incident involving attacks against its own customers.

“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

Wipro has not responded to multiple additional requests for comment. Since then, two more sources with knowledge of the investigation have come forward to confirm the outlines of the incident described above.

One source familiar with the forensic investigation at a Wipro customer said it appears at least 11 other companies were attacked, as evidenced from file folders found on the intruders’ back-end infrastructure that were named after various Wipro clients. That source declined to name the other clients.

The other source said Wipro is now in the process of building out a new private email network because the intruders were thought to have compromised Wipro’s corporate email system for some time. The source also said Wipro is now telling concerned clients about specific “indicators of compromise,” telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.

Wipro says it has more than 170,000 employees helping clients across six continents with Fortune 500 customers in healthcare, banking, communications and other industries. In March 2018, Wipro said it passed the $8 billion mark in annual IT services revenue.

The apparent breach comes amid shifting fortunes at Wipro. On March 5, the State of Nebraska abruptly canceled a contract with Wipro after spending $6 million with the company. In September 2018, the Nebraska Department of Health and Human Services issued a cease-and-desist letter to Wipro, ordering it to stop work on the upgrade to the state’s Medicaid enrollment system, and to vacate its state offices. Wipro is now suing Nebraska, saying its project was on schedule and on budget.

In August 2018, Wipro paid $75 million to settle a lawsuit over a botched SAP implementation that reportedly cost the National Grid US hundreds of millions of dollars to fix.

Another curious, if only coincidental, development: On April 4, 2019, the government of India sold “enemy” shares in Wipro worth approximately $166 million. According to this article in The Business Standard, enemy shares are so called because they were originally held by people who migrated to Pakistan or China and are not Indian citizens any longer.

“A total of 44.4 million shares, which were held by the Custodian of Enemy Property for India, were sold at Rs 259 apiece on the Bombay Stock Exchange,” The Business Standard reported. “The buyers were state-owned Life Insurance Corporation of India (LIC), New India Assurance and General Insurance Corporation. LIC”

Wipro is expected to announce its fourth-quarter earnings report on Tuesday, April 16 (PDF).

Update, April 16, 9:11 a.m. ET: Not sure why it did not share this statement with me, but Wipro just confirmed to the India Times that it discovered an intrusion and has hired an outside security firm to investigate.

Update, April 17, 2:33 p.m. ET: Check out my latest story on the Wipro breach, the latter half of which includes important new updates about the breach investigation.

Experts: Breach at IT Outsourcing Giant Wipro 8

Tags: Wipro data breach

You can skip to the end and leave a comment. Pinging is currently not allowed.

How Not to Acknowledge a Data Breach


I’m not a huge fan of stories about stories, or those that explore the ins and outs of reporting a breach. But occasionally I feel obligated to publish such accounts when companies respond to a breach report in such a way that it’s crystal clear they wouldn’t know what to do with a data breach if it bit them in the nose, let alone festered unmolested in some dark corner of their operations.

How Not to Acknowledge a Data Breach 9And yet, here I am again writing the second story this week about a possibly serious security breach at an Indian company that provides IT support and outsourcing for a ridiculous number of major U.S. corporations (spoiler alert: the second half of this story actually contains quite a bit of news about the breach investigation).

On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, the third-largest IT services provider in India and a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were being used to launch cyberattacks against the company’s customers.

Wipro asked me to give them several days to investigate the request and formulate a public comment. Three days after I reached out, the quote I ultimately got from them didn’t acknowledge any of the concerns raised by my sources. Nor did the statement even acknowledge a security incident.

Six hours after my story ran saying Wipro was in the throes of responding to a breach, the company was quoted in an Indian daily newspaper acknowledging a phishing incident. The company’s statement claimed its sophisticated systems detected the breach internally and identified the affected employees, and that it had hired an outside digital forensics firm to investigate further.

Less than 24 hours after my story ran, Wipro executives were asked on a quarterly investor conference call to respond to my reporting. Wipro Chief Operating Officer Bhanu Ballapuram told investors that many of the details in my story were in error, and implied that the breach was limited to a few employees who got phished. The matter was characterized as handled, and other journalists on the call moved on to different topics.

At this point, I added a question to the queue on the earnings conference call and was afforded the opportunity to ask Wipro’s executives what portion(s) of my story was inaccurate. A Wipro executive then proceeded to read bits of a written statement about their response to the incident, and the company’s chief operating officer agreed to have a one-on-one call with KrebsOnSecurity to address the stated grievances about my story. Security reporter Graham Cluley was kind enough to record that bit of the call and post it on Twitter.

In the follow-up call with Wipro, Ballapuram took issue with my characterization that the breach had lasted “months,” saying it had only been a matter of weeks since employees at the company had been successfully phished by the attackers. I then asked when the company believed the phishing attacks began, and Ballapuram said he could not confirm the approximate start date of the attacks beyond “weeks.”

Ballapuram also claimed that his corporation was hit by a “zero-day” attack. Actual zero-day vulnerabilities involve somewhat infrequent and quite dangerous weaknesses in software and/or hardware that not even the maker of the product in question understands before the vulnerability is discovered and exploited by attackers for private gain.

Because zero-day flaws usually refer to software that is widely in use, it’s generally considered good form if one experiences such an attack to share any available details with the rest of the world about how the attack appears to work — in much the same way you might hope a sick patient suffering from some unknown, highly infectious disease might nonetheless choose to help doctors diagnose how the infection could have been caught and spread.

Wipro has so far ignored specific questions about the supposed zero-day, other than to say “based on our interim investigation, we have shared the relevant information of the zero-day with our AV [antivirus] provider and they have released the necessary signatures for us.”

My guess is that what Wipro means by “zero-day” is a malicious email attachment that went undetected by all commercial antivirus tools before it infected Wipro employee systems with malware.

Ballapuram added that Wipro has gathered and disseminated to affected clients a set of “indicators of compromise,” telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.

Hours after that call with Ballapuram, I heard from a major U.S. company that is partnering with Wipro (at least for now). The source said his employer opted to sever all online access to Wipro employees within days of discovering that these Wipro accounts were being used to target his company’s operations.

The source said the indicators of compromise that Wipro shared with its customers came from a Wipro customer who was targeted by the attackers, but that Wipro was sending those indicators to customers as if they were something Wipro’s security team had put together on its own.

So let’s recap Wipro’s public response so far:

-Ignore reporter’s questions for days and then pick nits in his story during a public investor conference call.
-Question the stated timing of breach, but refuse to provide an alternative timeline.
-Downplay the severity of the incident and characterize it as handled, even when they’ve only just hired an outside forensics firm.
-Say the intruders deployed a “zero-day attack,” and then refuse to discuss details of said zero-day.
-Claim the IoCs you’re sharing with affected clients were discovered by you when they weren’t.


The criminals responsible for breaching Wipro appear to be after anything they can turn into cash fairly quickly. A source I spoke with at a large retailer and Wipro customer said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer’s stores.

I suppose that’s something of a silver lining for Wipro at least, if not also its customers: An intruder that was more focused on extracting intellectual property or other more strategic assets from Wipro’s customers probably could have gone undetected for a much longer period.

A source close to the investigation who asked not to be identified because he was not authorized to speak to the news media said the company hired by Wipro to investigate the breach dated the first phishing attacks back to March 11, when a single employee was phished.

The source said a subsequent phishing campaign between March 16 and 19 netted 22 additional Wipro employees, and that the vendor investigating the incident has so far discovered more than 100 Wipro endpoints that were seeded with ScreenConnect, a legitimate remote access tool sold by Connectwise.com. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.

Additionally, investigators found at least one of the compromised endpoints was attacked with Mimikatz, an open source tool that can dump passwords stored in the temporary memory cache of a Microsoft Windows device.

The source also said the vendor is still discovering newly-hacked systems, suggesting that Wipro’s systems are still compromised, and that additional hacked endpoints may still be undiscovered within Wipro.

Wipro has not yet responded to follow-up requests for comment.

I’m sure there are smart, well-meaning and capable people who care about security and happen to work at Wipro, but I’m not convinced any of those individuals are employed in leadership roles at the company. Perhaps Wipro’s actions in the wake of this incident merely reflect the reality that India currently has no laws requiring data owners or processors to notify individuals in the event of a breach.

Overall, I’m willing to chalk this entire episode up to a complete lack of training in how to deal with the news media, but if I were a customer of Wipro I’d be more than a little concerned about the tone-deaf nature of the company’s response thus far.

As one follower on Twitter remarked, “openness and transparency speaks of integrity and a willingness to learn from mistakes. Doing the exact opposite smacks of something else entirely.”

In the interests of openness, here are some indicators of compromise that Wipro customers are distributing about this incident (I had to get these from one of Wipro’s partners as the company declined to share the IoCs directly with KrebsOnSecurity).

How Not to Acknowledge a Data Breach 10

Tags: Bhanu Ballapuram, Wipro data breach

You can skip to the end and leave a comment. Pinging is currently not allowed.

Wipro Intruders Targeted Other Major IT Firms


The crooks responsible for launching phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro, India’s third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant, new evidence suggests. The clues so far suggest the work of a fairly experienced crime group that is focused on perpetrating gift card fraud.

On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were being used to launch cyberattacks against the company’s customers.

Wipro Intruders Targeted Other Major IT Firms 11

A screen shot of the Wipro phishing site securemail.wipro.com.internal-message[.]app. Image: urlscan.io

In a follow-up story Wednesday on the tone-deaf nature of Wipro’s public response to this incident, KrebsOnSecurity published a list of “indicators of compromise” or IOCs, telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.

If one examines the subdomains tied to just one of the malicious domains mentioned in the IoCs list (internal-message[.]app), one very interesting Internet address is connected to all of them — 185.159.83[.]24. This address is owned by King Servers, a well-known bulletproof hosting company based in Russia.

According to records maintained by Farsight Security, that address is home to a number of other likely phishing domains:


The subdomains listed above suggest the attackers may also have targeted American retailer Sears; Green Dot, the world’s largest prepaid card vendor; payment processing firm Elavon; hosting firm Rackspace; business consulting firm Avanade; IT provider PCM; and French consulting firm Capgemini, among others. KrebsOnSecurity has reached out to all of these companies for comment, and will update this story in the event any of them respond with relevant information.


It appears the attackers in this case are targeting companies that in one form or another have access to either a ton of third-party company resources, and/or companies that can be abused to conduct gift card fraud.

Wednesday’s follow-up on the Wipro breach quoted an anonymous source close to the investigation saying the criminals responsible for breaching Wipro appear to be after anything they can turn into cash fairly quickly. That source, who works for a large U.S. retailer, said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer’s stores.

Another source said the investigation into the Wipro breach by a third party company has determined so far the intruders compromised more than 100 Wipro systems  and installed on each of them ScreenConnect, a legitimate remote access tool. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.

This is remarkably similar to activity that was directed against a U.S. based company in 2016 and 2017. In May 2018, Maritz Holdings Inc., a Missouri-based firm that handles customer loyalty and gift card programs for third-parties, sued Cognizant (PDF), saying a forensic investigation determined that hackers used Cognizant’s resources in an attack on Maritz’s loyalty program that netted the attackers more than $11 million in fraudulent eGift cards.

That investigation determined the attackers also used ScreenConnect to access computers belonging to Maritz employees. “This was the same tool that was used to effectuate the cyber-attack in Spring 2016. Intersec [the forensic investigator] also determined that the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 attack.”

According to the lawsuit by Maritz Holdings, investigators also determined that the “attackers were accessing the Maritz system using accounts registered to Cognizant. For example, in April 2017, someone using a Cognizant account utilized the “fiddler” hacking program to circumvent cyber protections that Maritz had installed several weeks earlier.”

Maritz said its forensic investigator found the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 eGift card cashout. Likewise, my retailer source in the Wipro attack told KrebsOnSecurity that the attackers who defrauded them also searched their systems for specific phrases related to gift cards, and for clues about security systems the retailer was using.

It’s unclear if the work of these criminal hackers is tied to a specific, known threat group. But it seems likely that the crooks who hit Wipro have been targeting similar companies for some time now, and with a fair degree of success in translating their access to cash given the statements by my sources in the Wipro breach and this lawsuit against Cognizant.

What’s remarkable is how many antivirus companies still aren’t flagging as malicious many of the Internet addresses and domains listed in the IoCs, as evidenced by a search at virustotal.com.

Update, April 19, 11:25 a.m. ET: I heard back from some of the other targets. Avanade shared the following statement:

“Avanade was a target of the multi-company security incident, involving 34 of our people in February. Through our cyber incident response efforts and technologies, we swiftly contained and remediated the situation. As a result, there was no impact to our client portfolio or sensitive company data. Our review has concluded this was isolated incident. Our security defenses have continued to protect against any potential threat related to this matter. And, we continue take our responsibility to safeguard our clients’ data with the utmost seriousness.”

Cognizant replied:

“We are aware of reports that our company was among many other service providers and businesses whose email systems were targeted in an apparent criminal hacking scheme related to gift card fraud. Since the criminal activity first surfaced earlier this week and following reports that another service provider’s email system was allegedly compromised, Cognizant’s security experts took immediate and appropriate actions including initiating a review.”

“While our review remains ongoing, we have seen no indication to date that any client data was compromised. It is not unusual for a large company like Cognizant to be the target of spear phishing attempts such as this. The integrity of our systems and our clients’ systems is of paramount importance to Cognizant. We continuously monitor, update and strengthen our systems against unauthorized access and have put additional protocols in place related to this specific industry-wide incident.”

Infosys said it has not observed any breach of its network based on its monitoring and threat intelligence. “This has been ascertained through a thorough analysis of the indicators of compromise that we received from our threat intelligence partners,” the company said in a statement.

Rackspace said it has no evidence to indicate that there has been impact to the Rackspace environment: “Rackspace Security Operations continuously monitors our environment for threats and takes appropriate action should an issue be identified.”

Capgemini said its internal Security Operation Center (SOC) detected and monitored suspicious activity that showed similar patterns to the attack faced by WIPRO. “This occurred between March 4 and March 19. The activity concentrated on a very limited number of laptops and servers. Immediate remedial action took place. There has been no impact on us, nor on our clients to date.”

Slalom, another company listed above, said it can “confirm that phishing attack activity was detected and prevented between March 4 and March 19, which correlates to the information that you have published on the Wipro event.  A combination of 24×7 Security Operations Center advanced security monitoring, security awareness training and threat intelligence automation enabled us to detect, alert, and prevent an event, sourcing from the phishing attacks.  We have verified this through internal forensics and with the support of our threat intelligence partners.”

Wipro Intruders Targeted Other Major IT Firms 12

Tags: Avanade, Capgemini, Elavon, Green Dot, King Servers, Maritz Holdings Inc., PCM, Rackspace, ScreenConnect, Sears, Virustotal.com, Wipro data breach

You can skip to the end and leave a comment. Pinging is currently not allowed.

Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware


Marcus Hutchins, a 24-year-old blogger and malware researcher arrested in 2017 for allegedly authoring and selling malware designed to steal online banking credentials, has pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.

Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware 13

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

Hutchins, who authors the popular blog MalwareTech, was virtually unknown to most in the security community until May 2017 when the U.K. media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before.

In August 2017, Hutchins was arrested by FBI agents in Las Vegas on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. A British citizen, Hutchins has been barred from leaving the United States since his arrest.

Many of Hutchins’ supporters and readers had trouble believing the charges against him, and in response KrebsOnSecurity published a lengthy investigation into activities tied to his various online personas over the years.

As I wrote in summary of that story, the clues suggested “Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror.” Nevertheless, there were a number of indications that Hutchins’ alleged malware activity continued into his adulthood.

In a statement posted to his Twitter feed and to malwaretech.com, Hutchins said today he had pleaded guilty to two charges related to writing malware in the years prior to his career in security.

“I regret these actions and accept full responsibility for my mistakes,” Hutchins wrote. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Hutchins pleaded guilty to two of the 10 counts for which he was originally accused, including conspiracy charges and violating U.S.C. Title 18, Section 2512, which involves the manufacture, distribution, possession and advertising of devices for intercepting online communications.

Creating malware is a form of protected speech in the United States, but selling it and disseminating it is another matter. University of Southern California law professor Orin Kerr‘s 2017 dissection of the government’s charges is worth a read for a deep dive on this sticky legal issue.

According to a copy of Hutchins’ plea agreement, both charges each carry a maximum of up to five years in prison, up to a $250,000 fine, and up to one year of supervised release. However, those charges are likely to be substantially tempered by federal sentencing guidelines, and may take into account time already served in detention. It remains unclear when he will be sentenced.

The plea agreement is here (PDF). “Attachment A” beginning on page 15 outlines the government’s case against Hutchins and an alleged co-conspirator. The government says between July 2012 and Sept. 2015, Hutchins helped create and sell Kronos and a related piece of malware called UPAS Kit.

Despite what many readers here have alleged, I hold no ill will against Hutchins. He and I spoke briefly in a friendly exchange after a chance encounter at last year’s DEF CON security conference in Las Vegas, and I said at the time I was rooting for him to beat the charges. I sincerely hope he is able to keep his nose clean and put this incident behind him soon.

Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware 14

Yours Truly shaking hands with Marcus Hutchins in Las Vegas, August 2018.

Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware 15

Tags: Kronos banking malware, Malwaretech, Marcus Hutchins

You can skip to the end and leave a comment. Pinging is currently not allowed.

Who’s Behind the RevCode WebMonitor RAT?


The owner of a Swedish company behind a popular remote administration tool (RAT) implicated in thousands of malware attacks shares the same name as a Swedish man who pleaded guilty in 2015 to co-creating the Blackshades RAT, a similar product that was used to infect more than half a million computers with malware, KrebsOnSecurity has learned.

Who’s Behind the RevCode WebMonitor RAT? 16

An advertisement for RevCode WebMonitor.

At issue is a program called “WebMonitor,” which was designed to allow users to remotely control a computer (or multiple machines) via a Web browser. The makers of WebMonitor, a company in Sweden called “RevCode,” say their product is legal and legitimate software “that helps firms and personal users handle the security of owned devices.”

But critics say WebMonitor is far more likely to be deployed on “pwned” devices, or those that are surreptitiously hacked. The software is broadly classified as malware by most antivirus companies, likely thanks to an advertised feature list that includes dumping the remote computer’s temporary memory; retrieving passwords from dozens of email programs; snarfing the target’s Wi-Fi credentials; and viewing the target’s Webcam.

In a writeup on WebMonitor published in April 2018, researchers from security firm Palo Alto Networks noted that the product has been primarily advertised on underground hacking forums, and that its developers promoted several qualities of the software likely to appeal to cybercriminals looking to secretly compromise PCs.

For example, RevCode’s website touted the software’s compatibility with all “crypters,” software that can encrypt, obfuscate and manipulate malware to make it harder to detect by antivirus programs. Palo Alto also noted WebMonitor includes the option to suppress any notification boxes that may pop up when the RAT is being installed on a computer.

Who’s Behind the RevCode WebMonitor RAT? 17

A screenshot of the WebMonitor builder panel.

RevCode maintains it is a legitimate company officially registered in Sweden that obeys all applicable Swedish laws. A few hours of searching online turned up an interesting record at Ratsit AB, a credit information service based in Sweden. That record indicates RevCode is owned by 28-year-old Swedish resident Alex Yücel.

In February 2015, a then 24-year-old Alex Yücel pleaded guilty in a U.S. court to computer hacking and to creating, marketing and selling Blackshades, a RAT that was used to compromise and spy on hundreds of thousands of computers. Arrested in Moldova in 2013 as part of a large-scale, international takedown against Blackshades and hundreds of customers, Yücel became the first person ever to be extradited from Moldova to the United States.

Yücel was sentenced to 57 months in prison, but according to a record for Yücel at the U.S. Federal Bureau of Prisons, he was released on Nov. 1, 2016. The first advertisements in hacker forums for the sale of WebMonitor began in mid-2017. RevCode was registered as an official Swedish company in 2018, according to Ratsit.

Until recently, RevCode published on its Web site a value added tax (VAT) number, an identifier used in many European countries for value added tax purposes. That VAT number — first noted by the blog Krabsonsecurity.com (which borrows heavily from this site’s design and banner but otherwise bears no relation to KrebsOnSecurity.com) — has since been removed from the RevCode Web site and from historic records at The Internet Archive. The VAT number cited in that report is registered to Alex Yücel, and matches the number listed for RevCode by Ratsit AB.

Yücel could not be immediately reached for comment. But an unnamed person responded to an email sent to the customer support address listed at RevCode’s site. Presented with the information and links referenced above, the person responding wrote, “nobody working for/with RevCode is in any way related to BlackShades. Anything else suggesting otherwise is nothing but rumors and attempts to degrade our company by means of defamation.”

The person responding from the RevCode support email address contended that the Alex Yücel listed as owner of the company was not the same Alex Yücel convicted of co-authoring Blackshades. However, unless the Ratsit record is completely wrong, this seems unlikely to be true.

According to the Ratsit listing, the Alex Yücel who heads RevCode currently lives in a suburb of Stockholm, Sweden with his parents Can and Rita Yücel. Both Can and Rita Yücel co-signed a letter (PDF) in June 2015 testifying to a New York federal court regarding their son’s upstanding moral character prior to Yücel the younger’s sentencing for the Blackshades conviction, according to court records.

Who’s Behind the RevCode WebMonitor RAT? 18

A letter from Alex Yücel’s parents to the court in June 2016.

Who’s Behind the RevCode WebMonitor RAT? 19

Tags: Alex Yücel, Blackshades RAT, Krabsonsecurity, Ratsit AB, RevCode, WebMonitor, WebMonitor RAT

You can skip to the end and leave a comment. Pinging is currently not allowed.

3 Ways the Pixel 3a Can Change Midrange Phones Forever


The Pixel family is about to grow. Rumors and images of Google’s foray into the midrange smartphone market have been trickling out for months, but now a release looks to be just around the corner. According to a very telling teaser, we’re all but certain to learn everything about the Pixel 3a and 3a XL at the Google I/O conference on May 7.

3 Ways the Pixel 3a Can Change Midrange Phones Forever 20Based on what we’ve seen to date, Google will be looking to offer an experience nearly on par with that of its flagship Pixel 3 handsets, for several hundreds less. The company reportedly will turn to a lower-end Qualcomm chipset — believed to be the Snapdragon 670 — along with less onboard storage, a plastic body, and one front-facing camera, as opposed to the dual lenses in existing models.

It’s not all bad, though: The Pixel 3a might retain the same great camera and OLED display technology found in Google’s flagships, and may even bring back the headphone jack, which has been MIA since 2017’s Pixel 2.

The proposition of a low-cost Pixel appears to be at odds with Google’s current mobile strategy. Then again, there is precedent for this sort of thing in Mountain View. The Nexus line often played home to high-end hardware at bargain prices during its run — particularly with the Nexus 4, Nexus 5 and Nexus 7 tablet, which undercut their category rivals, sometimes by as much as half the price.

In other words, Google knows a thing or two about building compelling tech on a budget. But the tech giant will have to do a lot more than repeat the past if it wants to deliver an alternative to midrange mainstays like the $249 Moto G7 Power and $349 Nokia 7.1. Both of those devices are almost assuredly a good sight cheaper and less powerful than the Pixel 3a will be, but still show how to execute cheap phones properly. Here’s what Google needs to do to win the hearts and wallets of budget-conscious phone buyers.

Be smart about pricing

Just as flagship smartphones are getting pricier and pricier — hitting $1,000 regularly and even stretching well past the $2,000 mark, if you consider the Samsung Galaxy Fold and Huawei Mate X — the definition of what constitutes a midrange phone is changing, too.

The aforementioned options from Nokia and Motorola pair middle-of-the-road specs with average battery life, serviceable displays, and cameras that typically underwhelm. However, they’re very reasonably priced — within the $200 to $400 range — and guarantee just enough muscle to handle everything short of polygon-pushing games.

Spend a little more and you can get something like the $579 OnePlus 6T, which is capable of performance that’s on par with last year’s Galaxy S9 or the Pixel 3, but still comes in at hundreds less than those devices typically cost. You do have to concede some comforts in the process of course — the 6T, for example, isn’t water resistant or capable of wireless charging, plus its camera generally doesn’t match what more expensive phones produce — though the value proposition is still unsurpassed.

3 Ways the Pixel 3a Can Change Midrange Phones Forever 21The Pixel 3a will probably slot in somewhere between these two extremes. Current rumors point to a starting price between $400 and $500 for the smaller, 5.6-inch model, with the larger 6-inch 3a XL likely commanding an extra $50 to $100.

“When companies go mid-range, they run the risk of offering a little bit of the high end and a little bit of the low end, but it ends up being not enough of either,” said Ramon Llamas, research director at market intelligence firm IDC.

The challenge for Google will be to carefully tread that thin line in terms of pricing and make the Pixel 3a a viable option for consumers. If these phones don’t offer a sizable performance benefit over cheaper alternatives for the added cost, they’ll be hard to justify against the Nokias and Motorolas of the world. And if they strike too close to OnePlus’ devices in price, they’ll be squeezed by more powerful handsets at the top of the food chain.

However, Llamas sees an opportunity for Google to find favor with that untapped middle ground.

“Things are starting to change though, Llamas said. Flagship smartphones commanding a four-digit price point are becoming a hard sell, especially since the changes from previous models are sometimes perceived as incremental. It’s easier for consumers to reach for older models at lower prices, or even new ones at lower prices. Think of the iPhone XR.”

Contrary to the pessimistic rumblings from suppliers, the iPhone XR has actually proven to be Apple’s top seller among its latest batch of handsets. And although the Pixel 3a won’t necessarily be to the Pixel 3 what the iPhone XR is to the iPhone XS, Apple’s success in chipping away at the barrier of entry to its devices reveals a path for Google to make its vision of Android available to more buyers. Which brings us to…

Be where people are

Today, if you want to walk into your network’s store and walk out with a Pixel 3 in hand, that network is going to have to be Verizon. Big Red has lorded over exclusive carrier rights to the Pixel line since its inception. And as it turns out, offering a great smartphone doesn’t mean much if people don’t know how to buy it.

Of course, that’s not to say you can’t use Google’s handsets with other service providers’ towers — you’ll just have a few more headaches doing so. To use the Pixel 3 on T-Mobile, AT&T, Google Fi or any of the myriad no-contract, prepaid carriers out there, you’ll have to make sure you buy an unlocked model and then get a SIM from your carrier of choice.

“A challenge for Google in the U.S. has been its exclusivity agreement at Verizon,” Avi Greengart, lead analyst at Techspotential, told Tom’s Guide. “Google needs to get in front of more consumers.”

3 Ways the Pixel 3a Can Change Midrange Phones Forever 22

Fortunately, it seems Google hasn’t only realized this, but is finally prepared to do something about it. The latest batch of rumors surrounding the Pixel 3a suggest that Google’s midrange offerings will once and for all usher the brand into a partnership with T-Mobile. The flagship Pixel 3 duo could also land at the Uncarrier, putting four of Google’s handsets in front of a wealth of potential users previously unaware of the brand.

MORE: Best Cheap Phones: Top Android Picks Under $300

Recent data tell us that low-cost, prepaid carriers and unlocked phone sales are slowly chipping away at the major carriers’ iron grip on the U.S. wireless market. According to analytics firm Market Force, the percentage of users subscribed to prepaid carriers doubled in 2017, from 5% to 10% in 2016. Market Force also found that 56% of users reported having a contract-based plan, down from 62% the previous year.

The landscape is indeed changing, but not quickly enough for Google to succeed without carriers’ help. Right now, the big four networks still rule the roost in the U.S. Handset sales are driven by network operators first, so Google needs to court them if it wants to have any shot at growing the brand and getting the Pixel 3a in customers’ hands.

Keep the crown jewel

The Pixel has been synonymous with photographic excellence since its inception. Six months since its release, the Pixel 3 is still one of our favorite mobile cameras on the market, even besting the iPhone XS and Samsung’s just-released Galaxy S10 Plus. Only Huawei’s P30 Pro rivals the Pixel 3, under the right conditions.

“If Google can deliver on its signature imaging and clean, rapid software updates at lower price points, it could significantly increase sales volumes — even if it is unlikely to actually dethrone the market leaders.”

— Avi Greengart, lead analyst, Techspotential

On the other hand, midrange phones have never, ever been associated with good photography. The Nokia 7.1 and OnePlus 6T have serviceable shooters for the price, but you wouldn’t choose the images they produce over a shot from a fully-priced flagship. It would seem a good camera is still the one thing you can’t get in all but the most expensive handsets.

However, it appears that Google is looking to dispel that notion. We’ve been hearing that the Pixel 3a would have a camera on par with its premium counterpart since news of the device first broke. And while budget phone makers historically haven’t shied away from talking up the quality of their cameras — even though they’re never actually any good — Google is in a unique position to capitalize here, precisely because of its computational photography advantage.

“If Google can deliver on its signature imaging and clean, rapid software updates at lower price points, it could significantly increase sales volumes, Greengart said, even if it is unlikely to actually dethrone the market leaders.”

3 Ways the Pixel 3a Can Change Midrange Phones Forever 23The Pixel 3 can do with its single lens what many of its competitors struggle to achieve with three lenses. Whether it’s the phone’s stellar Portrait mode, its borderline magical Night Sight feature, or even Super-Res Zoom, Google has taught the master class in how clever imaging software can make up for the hardware disadvantages that tiny smartphone sensors and lenses are typically saddled with. And rumor has it that Google will pack those very same smarts into the Pixel 3a.

There’s another reason that the Pixel 3a is poised to be the first truly-great midrange camera phone, and it pertains to the processor. Based on what we know so far, Google has selected Qualcomm’s Snapdragon 670 system-on-chip to power the device. That’s a critical detail; the 670 utilizes Qualcomm’s second-gen Spectra 250 image signal processor, which first debuted in the chipmaker’s Snapdragon 800-series silicon.

MORE: Google Pixel 3a Rumors: Release Date, Price and Specs

In other words, while the Pixel 3a might be middle-of-the-road in terms of performance, it could still have a flagship-quality image-processing chip. And if Google throws its Pixel Visual Core co-processor into the mix, we could be looking at a phenomenal mobile camera for the money.


Google can’t just stop at the camera. The Pixel brand is also known for bringing the very best of Android to the forefront, with regular software updates, a clean user experience, and nifty special features, like Call Screen, that leverage the power of artificial intelligence.

Can Google roll all those lovely benefits into a reasonably-priced handset that doesn’t cut too many corners elsewhere? That will be the ultimate question as the company seeks to redefine the midrange market.

People are holding onto their devices for longer than ever before, and increasingly rejecting the push toward $1,000-plus devices. Done right, the 3a might be exactly what fatigued phone buyers need, and nothing that they don’t want.

“If the rumors are true about the 3a, it could end up as a high-end phone masquerading with a midrange price, Llamas said. “Just be careful what that means for the flagship smartphone.”

Credit: Tom’s Guide

Canadian Police Raid ‘Orcus RAT’ Author


Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.

Canadian Police Raid ‘Orcus RAT’ Author 24

An advertisement for Orcus RAT.

As first detailed by KrebsOnSecurity in July 2016, Orcus is the brainchild of John “Armada” Rezvesz, a Toronto resident who until recently maintained and sold the RAT under the company name Orcus Technologies.

In an “official press release” posted to pastebin.com on Mar. 31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC).

“In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices,” Rezvesz wrote. “Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.”

Reached via email, Rezvesz declined to say whether he was arrested in connection with the search warrant, a copy of which he shared with KrebsOnSecurity. In response to an inquiry from this office, the RCMP stopped short of naming names, but said “we can confirm that our National Division Cybercrime Investigative Team did execute a search warrant at a Toronto location last week.”

The RCMP said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of “a series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users’ consent and can lead to the subsequent installation of other malware and theft of personal information.”

“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,” reads a statement published last week by the Canadian government. “Tips from international private cyber security firms triggered the investigation.”

Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He’s also said he’s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.

Yet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if the someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis of the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”

As KrebsOnSecurity noted in 2016, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity.

Rezvesz appears to have a flair for the dramatic, and has periodically emailed this author over the years. Sometimes, the missives were taunting, or vaguely ominous and threatening. Like the time he reached out to say he was hiring a private investigator to find and track me. Still other unbidden communications from Rezvesz were friendly, even helpful with timely news tips.

According to Rezvesz himself, he is no stranger to the Canadian legal system. In June 2018, Rezvesz shared court documents indicating he has been involved in multiple physical assault charges since 2007, including “7 domestic disputes between partners as well as incidents with his parents.”

“I am not your A-typical computer geek, Brian,” he wrote in a 2018 email. “I tend to have a violent nature, and have both Martial arts and Military training. So, I suppose it is really good that I took your article with a grain of salt instead of actually really getting upset.”

Canadian Police Raid ‘Orcus RAT’ Author 25

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty of such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.

Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.

Earlier this year, Rezvesz posted on Twitter that he was making the source code for Orcus RAT publicly available, and focusing his attention on developing a new and improved RAT product.

Meanwhile on Hackforums[.]net — the forum where Orcus was principally advertised and sold — members and customers expressed concern that authorities would soon be visiting Orcus RAT customers, posts that were deleted almost as quickly by the Hackforums administrator.

As if in acknowledgement of that concern, in the Pastebin press release published this week Rezvesz warned people away from using Orcus RAT, and added some choice advice for others who would follow his path.

“Orcus is no longer to be considered safe or secure solution to Remote Administrative needs,” he wrote, pointing to a screenshot of a court order he says came from one of the police investigators, which requires him to abstain from accessing Hackforums or Orcus-related sites. “Please move away from this software without delay. It has been a pleasure getting to know everyone in my time online, and I hope you all can take my words as a life lesson. Stay safe, don’t do stupid shit.”

Canadian Police Raid ‘Orcus RAT’ Author 26

Tags: John Rezvesz, Orcus RAT, RCMP

You can skip to the end and leave a comment. Pinging is currently not allowed.

It’s Time for LG to Stop Making Phones


LG’s G8 ThinQ went on sale April 11, and while it seems like a stellar smartphone on paper, its premium qualities are sabotaged by gimmicks like vein recognition and difficult-to-use hand-gesture controls.

LG G8 ThinQLG G8 ThinQ

That doesn’t mean people won’t buy the G8, especially because retailers such as Best Buy have slashed the list price of $820 by almost $200 at launch. But the G8’s middling reviews (and those launch-day discounts) should signal to LG that it’s time for the company to reevaluate its smartphone strategy — or maybe stop making Android flagships altogether.

It’s a tough time to make smartphones

LG’s smartphone woes go beyond the critical reception for the G8. Customers aren’t buying what the company’s selling, either, at least when it comes to phones. LG’s mobile division is weighing down the rest of its business. In the fourth quarter of 2018, the company reported a loss of $72.5 million (or 80.7 billion Korean won). LG’s smartphone business contributed mightily to the company’s plummeting revenue, losing more than $700 million in 2018. LG’s appliance and TV businesses are still strong, but its mobile division can’t lose money forever.

“I do think that the pressure to differentiate is pushing LG to add features more to be different than really to deliver value to the user — tech for tech’s sake.” — Carolina Milanesi, Creative Strategies

LG isn’t the only company struggling to sell phones these days. Overall sales slumped in 2018 for the first time, according to IDC. In January this year, Apple had to revise its Q1 guidance downward when it became clear that the company was selling fewer iPhones than expected. Samsung continues to dominate on smartphone sales but also reported a soft reception to 2018’s Galaxy S9.

LG V40 ThinQLG V40 ThinQ

But LG’s rivals have a clear strategy for making their phones more appealing. Apple is focused on services, announcing plans in March to create original content for its Apple TV Plus streaming service, make Apple Music more competitive with Spotify and curate an expanded News Plus app. Samsung is focused on building unique hardware, making hole-punch displays for the Galaxy S10 lineup and flexible screens for the bendy Galaxy Fold. (Although Samsung’s rush to revolutionize smartphone hardware might sink the Fold.)

LG is taking a different — and so far, less successful — approach to bolstering its smartphone sales.

Gimmicky features not good enough

LG’s mobile division is nothing if not creative. The company’s G5, out in 2016, was a modular smartphone with swappable parts. Last spring’s G7 ThinQ emphasized artificially intelligent photos and a superloud speaker. The V40 ThinQ launched last fall with a triple-lens camera array. The new G8 ThinQ uses a depth-sensing front-facing camera to scan the veins in your palms; this action unlocks the phone and can detect your hand gestures (and respond accordingly).


All of those features sound useful and amazing. In reality, they fall apart. Instead of working on useful services or innovative hardware, LG continues to fall back on gimmicky features that fail to delight in real life.

“I do think that the pressure to differentiate is pushing LG to add features more to be different than really to deliver value to the user — tech for tech’s sake,” said Carolina Milanesi, an analyst with Creative Strategies.

“The gimmicky strategy was one that was better-suited for a different era of smartphones.”
— Tuong Nguyen, Gartner

The G8 ThinQ offers Hand ID, which can be used instead of the device’s fingerprint sensor and facial recognition, to unlock your phone. Air Motion allows you to interact with the G8 without touching it. But neither of those features makes it easier to use the G8. Features that people actually want, like longer battery life and excellent portrait mode, elude the G8.

MORE: Best Smartphones – Here Are the 10 Best Phones Available

“The gimmicky strategy was one that was better-suited for a different era of smartphones,” said Gartner analyst Tuong Nguyen. “We’ve gotten to the point now [that] I would argue is more smartphone than we can handle. There are features and functionality that most of us will never touch upon.

LG G7 ThinQLG G7 ThinQ

“That’s why you either have to do it the best and show you’re the leader, or you have to create an ecosystem of value for your customers, similar to what Apple did with their services announcement,” Nguyen continued. “What [LG is] offering was nice at some point in time, but maybe not so competitive now.”

Prices are too high

Then, there’s the fact that LG sells its flagship G- and V-series smartphones at or near the same prices as Samsung and Apple products. LG offered the G8 for $820 at launch (though retailers quickly lowered that price), which is about what you’d pay for a Galaxy S10 ($899) and iPhone XS ($999).

“My recommendation [to LG] would be to change the value proposition from the outset and sell it as a discounted flagship and compete with OnePlus.”
— Avi Greengart, Techsponential

Even Apple and Samsung are struggling to sell smartphones that cost more than $900, as carrier subsidies have ended and people are hanging onto their old phones for longer than two years. LG’s phones don’t have the same cachet, so they can’t command the same high prices.

“LG does move sales volumes, particularly in the U.S., when these phones are discounted — either with buy-one-get-one [deals], which carriers frequently do, or when the price drops after a few months,” said Techsponential lead analyst Avi Greengart. “My recommendation [to LG] would be to change the value proposition from the outset and sell it as a discounted flagship and compete with OnePlus. Instead of launching at a flagship price and then dropping when it doesn’t sell, why not just plan to sell it at that price and market it that way and reap the benefits?”

MORE: 10 Best Android Phones

Other smartphone makers produce powerful flagship phones for less than $600. But LG’s discounts appeal to buyers who think they’re getting a deal on a name-brand phone, because they’re not familiar with brands like OnePlus, which makes the blazing-fast $549 OnePlus 6T.

And brands that are popular in Asia, including Oppo and Vivo, make innovative phones that just aren’t available in the States, though they’re cheaper than LG’s flagships.

“As a U.S. consumer, I don’t know some of these smaller brands or Asian brands,” Nguyen said. “If I told my parents about Xiaomi or Oppo, they wouldn’t know it. [They’d say], ‘I don’t really know anything about phones, and this LG is $200 off. I’ll go with that.’ [The LG] brand still resonates with consumers.”


LG isn’t going to stop making phones just because it can’t outsell Samsung or Apple. There are business implications to consider, namely, that LG makes smartphone components that will always have a built-in buyer: LG itself.

Perhaps LG will take the innovative ideas fueling other parts of its business, such as the rollable display that the company showed off at CES, and port them over to its mobile division. A flexible LG flagship could blow Samsung’s Galaxy Fold and Huawei’s Mate X out of the water.

LG V50 ThinQ 5GLG V50 ThinQ 5G

But in the meantime, LG is gearing up to expand its phone lineup with the V50 ThinQ 5G, pinning the company’s immediate future on being one of the first out of the gate with a smartphone that connects to 5G networks. Not the very first, though — that would be the Galaxy S10 5G — and possibly not the very best, based on our hands-on experience with both phones.

The V50 ThinQ 5G was scheduled to launch in South Korea in late April, but LG delayed the rollout just days beforehand to “concentrate on the completeness” of the phone. Whatever is causing the issue is apparently related to the V50’s 5G connectivity; LG said it would be working with Qualcomm and South Korea’s wireless carriers to improve the V50’s service. That doesn’t bode well for the device, which is expected to be ready by May to launch on Sprint’s 5G network in the U.S.

But 5G connectivity won’t differentiate the V50 ThinQ from other phones. 5G networks are rough around the edges in our testing and will be for some time. LG is also not competing on price; the V50 will start at 1.19 million won, or $1,060. To compare, the S10 5G is 1.39 million won, or $1,226. The V50 is slightly cheaper than the S10, but it’s not a budget device by any means.

But the phone could be a strong seller, especially if LG or its carrier partners slash the price before it goes on sale in U.S. And so the cycle continues.

Credit: Tom’s Guide

Annual Protest Raises $250K to Cure Krebs


For the second year in a row, denizens of a large German-language online forum have donated more than USD $250,000 to cancer research organizations in protest of a story KrebsOnSecurity published in 2018 that unmasked the creators of Coinhive, a now-defunct cryptocurrency mining service that was massively abused by cybercriminals. Krebs is translated as “cancer” in German.

Annual Protest Raises $250K to Cure Krebs 27

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted thousands of thank you receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work).  I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”).

All told, thousands of Pr0gramm’s members donated more than USD $250,000 to cancer cure efforts within days of that March 2018 story. This week, the Pr0gramm administrators rallied members to commemorate that successful fundraiser with yet another.

“As announced there will be a donation marathon at anniversary day of Krebsaction,” Pr0gramm’s administrators announced. “Today, March 27th, we’re firing the starting shot for the marathon. Please tag your donation bills properly if they shall be accounted. The official tag is ‘krebsspende.’

According to a running tally on Pr0gramm’s site, this year’s campaign has raised 252,000 euros for cancer research so far, or about USD $284,000. That brings the total that Pr0gramm members have donated to cancer research to more than a half-million dollars.

As a bonus, Coinhive announced last month that it was shutting down, citing a perfect storm of negative circumstances. Coinhive had made structural changes to its systems following my 2018 story so that it would no longer profit from accounts used on hacked Web sites. Perhaps more importantly, the value of the cryptocurrency Coinhive’s code helped to mine dropped precipitously over the past year.

Annual Protest Raises $250K to Cure Krebs 28

Tags: Coinhive, pr0gramm

You can skip to the end and leave a comment. Pinging is currently not allowed.

Follow threeblocksaway | styleandeasy