Connect with us

Biz & IT

Europe agrees platform rules to tackle unfair business practices

Published

on

The European Union’s political institutions have reached agreement over new rules designed to boost transparency around online platform businesses and curb unfair practices to support traders and other businesses that rely on digital intermediaries for discovery and sales.

The European Commission proposed a regulation for fairness and transparency in online platform trading last April. And late yesterday the European Parliament, Council of the EU and Commission reached a political deal on regulating the business environment of platforms, announcing the accord in a press release today.

The political agreement paves the way for adoption and publication of the regulation, likely later this year. The rules will apply 12 months after that point.

Online platform intermediaries such as ecommerce marketplaces and search engines are covered by the new rules if they provide services to businesses established in the EU and which offer goods or services to consumers located in the EU.

The Commission estimates there are some 7,000 such platforms and marketplaces which will be covered by the regulation, noting this includes “world giants as well as very small start-ups”.

Under the new rules, sudden and unexpected account suspensions will be banned — with the Commission saying platforms will have to provide “clear reasons” for any termination and also possibilities for appeal.

Terms and conditions must also be “easily available and provided in plain and intelligible language”.

There must also be advance notice of changes — of at least 15 days, with longer notice periods applying for more complex changes.

For search engines the focus is on ranking transparency. And on that front dominant search engine Google has attracted more than its fair share of criticism in Europe from a range of rivals (not all of whom are European).

In 2017, the search giant was also slapped with a $2.7BN antitrust fine related to its price comparison service, Google Shopping. The EC found Google had systematically given prominent placement to its own search comparison service while also demoting rival services in search results. (Google rejects the findings and is appealing.)

Given the history of criticism of Google’s platform business practices, and the multi-year regulatory tug of war over anti-competitive impacts, the new transparency provisions look intended to make it harder for a dominant search player to use its market power against rivals.

Changing the online marketplace

The importance of legislating for platform fairness was flagged by the Commission’s antitrust chief, Margrethe Vestager, last summer — when she handed Google another very large fine ($5BN) for anti-competitive behavior related to its mobile platform Android.

Vestager said then she wasn’t sure breaking Google up would be an effective competition fix, preferring to push for remedies to support “more players to have a real go”, as her Android decision attempts to do. But she also stressed the importance of “legislation that will ensure that you have transparency and fairness in the business to platform relationship”.

If businesses have legal means to find out why, for example, their traffic has stopped and what they can do to get it back that will “change the marketplace, and it will change the way we are protected as consumers but also as businesses”, she argued.

Just such a change is now in sight thanks to EU political accord on the issue.

The regulation represents the first such rules for online platforms in Europe and — commissioners’ contend — anywhere in the world.

“Our target is to outlaw some of the most unfair practices and create a benchmark for transparency, at the same time safeguarding the great advantages of online platforms both for consumers and for businesses,” said Andrus Ansip, VP for the EU’s Digital Single Market initiative in a statement.

Elżbieta Bieńkowska, commissioner for internal market, industry, entrepreneurship, and SMEs, added that the rules are “especially designed with the millions of SMEs in mind”.

“Many of them do not have the bargaining muscle to enter into a dispute with a big platform, but with these new rules they have a new safety net and will no longer worry about being randomly kicked off a platform, or intransparent ranking in search results,” she said in another supporting statement.

In a factsheet about the new rules, the Commission specifies they cover third-party ecommerce market places (e.g. Amazon Marketplace, eBay, Fnac Marketplace, etc.); app stores (e.g. Google Play, Apple App Store, Microsoft Store etc.); social media for business (e.g. Facebook pages, Instagram used by makers/artists etc.); and price comparison tools (e.g. Skyscanner, Google Shopping etc.).

The regulation does not target every online platform. For example, it does not cover online advertising (or b2b ad exchanges), payment services, SEO services or services that do not intermediate direct transactions between businesses and consumers.

The Commission also notes that online retailers that sell their own brand products and/or don’t rely on third party sellers on their own platform are also excluded from the regulation, such as retailers of brands or supermarkets.

Where transparency is concerned, the rules require that regulated marketplaces and search engines disclose the main parameters they use to rank goods and services on their site “to help sellers understand how to optimise their presence” — with the Commission saying the aim is to support sellers without allowing gaming of the ranking system.

Some platform business practices will also require mandatory disclosure — such as for platforms that not only provide a marketplace for sellers but sell on their platform themselves, as does Amazon for example.

The ecommerce giant’s use of merchant data remains under scrutiny in the EU. Vestager revealed a preliminary antitrust probe of Amazon last fall — when she said her department was gathering information to “try to get a full picture”. She said her concern is dual platforms could gain an unfair advantage as a consequence of access to merchants’ data.

And, again, the incoming transparency rules look intended to shrink that risk — requiring what the Commission couches as exhaustive disclosure of “any advantage” a platform may give to their own products over others.

“They must also disclose what data they collect, and how they use it — and in particular how such data is shared with other business partners they have,” it continues, noting also that: “Where personal data is concerned, the rules of the GDPR [General Data Protection Regulation] apply.”

(GDPR of course places further transparency requirements on platforms by, for example, empowering individuals to request any personal data held on them, as well as the reasons why their information is being processed.)

The platform regulation also includes new avenues for dispute resolution by requiring platforms set up an internal complaint-handling system to assist business users.

“Only the smallest platforms in terms of head count or turnover will be exempt from this obligation,” the Commission notes. (The exemption limit is set at fewer than 50 staff and less than €10M revenue.)

It also says: “Platforms will have to provide businesses with more options to resolve a potential problem through mediators. This will help resolve more issues out of court, saving businesses time and money.”

But, at the same time, the new rules allow business associations to take platforms to court to stop any non-compliance — mirroring a provision in the GDPR which also allows for collective enforcement and redress of individual privacy rights (where Member States adopt it).

“This will help overcome fear of retaliation, and lower the cost of court cases for individual businesses, when the new rules are not followed,” the Commission argues.

“In addition, Member States can appoint public authorities with enforcement powers, if they wish, and businesses can turn to those authorities.”

One component of the regulation that appears to be being left up to EU Member States to tackle is penalties for non-compliance — with no clear regime of fines set out (as there is in GDPR). So it’s not clear whether the platform regulation might not have rather more bark than bite, at least initially.

“Member States shall need to take measures that are sufficiently dissuasive to ensure that the online intermediation platforms and search engines comply with the requirements in the Regulation,” the Commission writes in a section of its factsheet dealing with how to make sure platforms respect the new rules.

It also points again to the provision allowing business associations or organisations to take action in national courts on behalf of members — saying this offers a legal route to “stop or prohibit non-compliance with one or more of the requirements of the Regulation”. So, er, expect lawsuits.

The Commission says the rules will be subject to review within 18 months after they come into force — in a bid to ensure the regulation keeps pace with fast-paced tech developments.

A dedicated Online Platform Observatory has been established in the EU for the purpose of “monitoring the evolution of the market and the effective implementation of the rules”, it adds.

Source link

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published.

Biz & IT

Billing fraud apps can disable Android Wi-Fi and intercept text messages

Published

on

Android malware developers are stepping up their billing fraud game with apps that disable Wi-Fi connections, surreptitiously subscribe users to pricey wireless services, and intercept text messages, all in a bid to collect hefty fees from unsuspecting users, Microsoft said on Friday.

This threat class has been a fact of life on the Android platform for years, as exemplified by a family of malware known as Joker, which has infected millions of phones since 2016. Despite awareness of the problem, little attention has been paid to the techniques that such “toll fraud” malware uses. Enter Microsoft, which has published a technical deep dive on the issue.

The billing mechanism abused in this type of fraud is WAP, short for wireless application protocol, which provides a means of accessing information over a mobile network. Mobile phone users can subscribe to such services by visiting a service provider’s web page while their devices are connected to cellular service, then clicking a button. In some cases, the carrier will respond by texting a one-time password (OTP) to the phone and requiring the user to send it back in order to verify the subscription request. The process looks like this:

Microsoft

The goal of the malicious apps is to subscribe infected phones to these WAP services automatically, without the notice or consent of the owner. Microsoft said that malicious Android apps its researchers have analyzed achieve this goal by following these steps:

  1. Disable the Wi-Fi connection or wait for the user to switch to a mobile network
  2. Silently navigate to the subscription page
  3. Auto-click the subscription button
  4. Intercept the OTP (if applicable)
  5. Send the OTP to the service provider (if applicable)
  6. Cancel the SMS notifications (if applicable)

Malware developers have various ways to force a phone to use a cellular connection even when it’s connected to Wi-Fi. On devices running Android 9 or earlier, the developers can invoke the setWifiEnabled method of the WifiManager class. For versions 10 and above, developers can use the requestNetwork function of the ConnectivityManager class. Eventually, phones will load data exclusively over the cellular network, as demonstrated in this image:

Microsoft

Once a phone uses the cellular network for data transmission, the malicious app surreptitiously opens a browser in the background, navigates to the WAP subscription page, and clicks a subscribe button. Confirming the subscription can be tricky because confirmation prompts can come by SMS, HTTP, or USSD protocols. Microsoft lays out specific methods that malware developers can use to bypass each type of confirmation. The Microsoft post then goes on to explain how the malware suppresses periodic messages that the subscription service may send the user to remind them of their subscription.

“By subscribing users to premium services, this malware can lead to victims receiving significant mobile bill charges,” Microsoft researchers wrote. “Affected devices also have increased risk because this threat manages to evade detection and can achieve a high number of installations before a single variant gets removed.”

Google actively bars apps from its Play market when it detects signs of fraud or malice, or when it receives reports of malicious apps from third parties. While Google often doesn’t remove malicious apps until after they have infected millions of users, apps downloaded from Play are generally regarded as more trustworthy than apps from third-party markets.

Continue Reading

Biz & IT

Microsoft Exchange servers worldwide hit by stealthy new backdoor

Published

on

Getty Images

Researchers have identified stealthy new malware that threat actors have been using for the past 15 months to backdoor Microsoft Exchange servers after they have been hacked.

Dubbed SessionManager, the malicious software poses as a legitimate module for Internet Information Services (IIS), the web server installed by default on Exchange servers. Organizations often deploy IIS modules to streamline specific processes on their web infrastructure. Researchers from security firm Kaspersky have identified 34 servers belonging to 24 organizations that have been infected with SessionManager since March 2021. As of earlier this month, Kaspersky said, 20 organizations remained infected.

Stealth, persistence, power

Malicious IIS modules offer an ideal means to deploy powerful, persistent, and stealthy backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. To the untrained eye, the HTTP requests look unremarkable, even though they give the operator complete control over the machine.

“Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request,” Kaspersky researcher Pierre Delcher wrote. “As a result, such modules are not easily spotted by usual monitoring practices: they do not necessarily initiate suspicious communications to external servers, receive commands through HTTP requests to a server that is specifically exposed to such processes, and their files are often placed in overlooked locations that contain a lot of other legitimate files.”

Kaspersky

Once SessionManager is deployed, operators use it to profile the infected environment further, gather passwords stored in memory, and install additional tools, including a PowerSploit-based reflective loader, Mimikat SSP, ProcDump, and a legitimate Avast memory dump tool. Kaspersky obtained multiple SessionManager variants that date back to at least March 2021. The samples show a steady evolution that has added more features with each new version. The most recent version of the malicious module includes the following:

Command name
(SM_SESSION cookie value)
Command parameters
(additional cookies)
Associated capability
GETFILE FILEPATH: path of file to be read. FILEPOS1: offset at which to start reading, from file start.

FILEPOS2: maximum number of bytes to read.

Read the content of a file on the compromised server and send it to the operator as an HTTP binary file named cool.rar.
PUTFILE FILEPATH: path of file to be written.

FILEPOS1: offset at which to start writing.

FILEPOS2: offset reference.

FILEMODE: requested file access type.

Write arbitrary content to a file on the compromised server. The data to be written in the specified file is passed within the HTTP request body.
DELETEFILE FILEPATH: path of file to be deleted. Delete a file on the compromised server.
FILESIZE FILEPATH: path of file to be measured. Get the size (in bytes) of the specified file.
CMD None. Run an arbitrary process on the compromised server. The process to run and its arguments are specified in the HTTP request body using the format: <executable path>t<arguments>. The standard output and error data from process execution are sent back as plain text to the operator in the HTTP response body.
PING None. Check for SessionManager deployment. The “Wokring OK” (sic.) message will be sent to the operator in the HTTP response body.
S5CONNECT S5HOST: hostname to connect to (exclusive with S5IP).

S5PORT: offset at which to start writing.

S5IP: IP address to connect to if no hostname is given (exclusive with S5HOST).

S5TIMEOUT: maximum delay in seconds to allow for connection.

Connect from compromised host to a specified network endpoint, using a created TCP socket. The integer identifier of the created and connected socket will be returned as the value of the S5ID cookie variable in the HTTP response, and the status of the connection will be reported in the HTTP response body.
S5WRITE S5ID: identifier of the socket to write to, as returned by S5CONNECT. Write data to the specified connected socket. The data to be written in the specified socket is passed within the HTTP request body.
S5READ S5ID: identifier of the socket to read from, as returned by S5CONNECT. Read data from the specified connected socket. The read data is sent back within the HTTP response body.
S5CLOSE S5ID: identifier of the socket to close, as returned by S5CONNECT. Terminate an existing socket connection. The status of the operation is returned as a message within the HTTP response body.

Remember ProxyLogon?

SessionManager gets installed after threat actors have exploited vulnerabilities known as ProxyLogon within Microsoft Exchange servers. Kaspersky has found it infecting NGOs, governments, militaries, and industrial organizations in Africa, South America, Asia, and Europe.

Kaspersky

Kaspersky said it has medium-to-high confidence that a previously identified threat actor that researchers call Gelsemium has been deploying SessionManager. Security firm ESET published a deep dive on the group (PDF) last year. Kaspersky’s attribution is based on the overlap of code used by the two groups and victims targeted.

Disinfecting servers that have been hit by SessionManager or similar malicious IIS modules is a complicated process. Kaspersky’s post contains indicators that organizations can use to determine if they’ve been infected and steps they should take in the event they’ve been infected.

Continue Reading

Biz & IT

China lured graduate jobseekers into digital espionage

Published

on

Chinese university students have been lured to work at a secretive technology company that masked the true nature of their jobs: researching western targets for spying and translating hacked documents as part of Beijing’s industrial-scale intelligence regime.

The Financial Times has identified and contacted 140 potential translators, mostly recent graduates who have studied English at public universities in Hainan, Sichuan and Xi’an. They had responded to job adverts at Hainan Xiandun, a company that was located in the tropical southern island of Hainan.

The application process included translation tests on sensitive documents obtained from US government agencies and instructions to research individuals at Johns Hopkins University, a key intelligence target.

Hainan Xiandun is alleged by a 2021 US federal indictment to have been a cover for the Chinese hacking group APT40. Western intelligence agencies have accused APT40 of infiltrating government agencies, companies and universities across the US, Canada, Europe and the Middle East, under the orders of China’s Ministry of State Security (MSS).

The FBI sought to disrupt the activities of Hainan Xiandun last July by indicting three state security officials in Hainan province—Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin—for their alleged role in establishing the company as a front for state-backed espionage. Another man mentioned in the indictment, Wu Shurong, is believed to be a hacker who helped supervise employees at Hainan Xiandun.

Western intelligence services also seek out prospective spies from universities, with applicants undergoing rigorous vetting and training before joining the likes of the CIA in the US or the UK’s GCHQ signals intelligence agency.

But Chinese graduates targeted by Hainan Xiandun appear to have been unwittingly drawn into a life of espionage. Job adverts from the company were posted on university websites for translators without further explanation of the nature of the work.

This could have life-long consequences, as individuals identified as having co-operated with the MSS through their work for Hainan Xiandun are likely to face difficulty in living and working in western countries, a key motivation for many students who study foreign languages.

The FT contacted all 140 individuals on a leaked list of candidates compiled by security officials in the region to corroborate the authenticity of the applications. Several of those contacted initially confirmed their identities, but ended phone calls after being asked about their links to Hainan Xiandun. A few discussed their experience of the hiring process.

Their applications provide insight into the tactics of APT40, known for targeting biomedical, robotics and maritime research institutions as part of wider efforts to gain knowledge of western industrial strategy and steal sensitive data.

Hacking on that scale requires a huge workforce of English speakers who can help identify hacking targets, cyber technicians who can access adversaries’ systems and intelligence officers to analyze the stolen material.

Zhang, an English language graduate who applied to Hainan Xiandun, told the FT that a recruiter had asked him to go beyond conventional translation duties by researching the Johns Hopkins Applied Physics Laboratory, with instructions to find out information on the institution, including the CVs of the directors on its board, the building’s architecture and details of research contracts it had struck with clients.

The APL, a big recipient of US Department of Defense research funds, is likely to be of significant intelligence interest to Beijing and the individuals who work there prime hacking targets.

The instruction document asked the job candidates to download “software to get behind the Great Firewall.” It warns that the research will involve consulting websites such as Facebook, which is banned in China and so requires a VPN, software that masks the location of the user in order to gain access.

“It was very clear that this was not a translation company,” said Zhang, who decided against continuing with his application.

Dakota Cary, an expert in Chinese cyber espionage and former security analyst at Georgetown University, said the student translators were likely to be helping with researching organizations or individuals who might prove to be fruitful sources of sensitive information.

“The fact that you’re going to have to use a VPN, that you will need to be doing your own research and you need good language skills, all says to me that these students will be identifying hacking targets,” he said.

Cary, who testified earlier this year to the US-China economic and security review commission on Beijing’s cyber capabilities, said the instruction to investigate Johns Hopkins was an indicator of the level of initiative and ability to acquire specialist knowledge that the translators were expected to demonstrate.

One security official in the region said the revelations were evidence that the MSS was using university students as a “recruitment pipeline” for its spying activities.

Antony Blinken, US secretary of state, has previously condemned the MSS for building an “ecosystem of criminal contract hackers” who engage in both state-sponsored activities and financially motivated cyber crime. Blinken added that these hackers cost governments and businesses “billions of dollars” in stolen intellectual property, ransom payments and cyber defenses.

Hainan Xiandun asked the applicants to translate a document from the US Office of Infrastructure Research and Development containing technical explanations on preventing corrosion on transport networks and infrastructure. This appeared to test prospective employees’ abilities to interpret complex scientific concepts and terminology.

“It was a very weird process,” said Cindy, an English language student from a respected Chinese university. “I applied online and then the HR person sent me a highly technical test translation.” She decided against continuing with the application.

Adam Kozy, a former FBI official who worked most recently at cyber security company CrowdStrike, said he had not heard of western intelligence enlisting university students without them being given security clearance to collect intelligence.

“The MSS do everything very informally and they like the gray areas,” he said. “It’s interesting to see that they’re relying on a young student workforce to do a lot of the dirty work that may have those knock-on consequences later in life and most likely are not fully explaining those potential risks.”

The MSS did not respond to requests for comment.

Hainan Xiandun solicited applications on university recruitment sites and appears to have a close relationship with Hainan University. The company was registered on the first floor of the university library, home to the student computer room.

One job advert posted on the university’s foreign languages department website called for applications from English-speaking female students and Communist party members. The advert has been deleted since the FT’s queries regarding this story.

Several student applicants to Hainan Xiandun had won school prizes for their language skills and others held the added distinction of holding party membership.

According to the FBI’s indictment, MSS officers “co-ordinated with staff and professors at universities in Hainan and elsewhere in China” to further their intelligence goals. Personnel at one Hainan-based university also helped support and manage Hainan Xiandun as a front company, “including through payroll, benefits and a mailing address,” the indictment reads.

While the FBI accused the university of assisting the MSS in identifying and recruiting hackers and linguists to “penetrate and steal” from computer networks, it does not mention the university’s role in commandeering students to help the cause.

In response to the FT’s findings, Michael Misumi, chief information officer at Johns Hopkins APL, said that “like many technical organizations” the APL “must respond to many cyber threats and takes appropriate measures to continuously defend itself and its systems.”

Hainan University did not respond to requests for comment.

Applicants’ names have been changed to protect their identities

© 2022 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.

Continue Reading

Trending