CHARLOTTE, N.C. — The tech skills gap is creating a cybersecurity gap.

  • Nearly half a million cybersecurity workers are needed in North America, and nearly 3 million worldwide.
  • Almost a quarter of companies surveyed say they have a “significant shortage” of cybersecurity staff.
  • According to Norton Security, it takes a U.S. company nearly 200 days on average to identify a data breach.

According to a recent cybersecurity workforce study, nearly half a million cybersecurity workers are needed in North America, and nearly 3 million worldwide.

In the report, almost a quarter of companies surveyed say they have a “significant shortage” of cybersecurity staff. About 60 percent believe they’re at some risk for an attack because of a lack of staffing.

“The reason we have so many security problems is because we’re not teaching all the other tech people enough about security,” said Bill Chu, a professor at UNCC’s College of Computing and Informatics. “The problem would be much better if the people who build those technologies build them securely.”

According to Norton Security, it takes a U.S. company nearly 200 days on average to identify a data breach, and a breach on average costs a company almost $8 million.

Secure the most sensitive workloads. Shape the future of computing.

If you’re a developer, security researcher, or otherwise interested in developing apps that use confidential computing, this is your chance to make an impact in this growing field. Google Cloud, in collaboration with Intel, is hosting the Confidential Computing Challenge to generate new ideas in the future of computing.

Your ideas could help shape the way the industry thinks about confidential computing and its potential to protect the most sensitive workloads in the public cloud. Confidential computing aims to encrypt data and code while in use, and we want to see how you think confidential computing can be used in real world applications. Your input could help influence improvements or features to Google products and services in the future.

See the full contest details here:

Any team of students can benefit from a little support and recognition — whether it’s football players on the field, runners rounding the home stretch of the track, or cyber competitors working on protecting an organization from a cyber attack.

The California Mayors Cyber Cup, coordinated by California Cyberhub and hosted at various regional venues, allows students from 12 regions throughout California to compete simultaneously on behalf of their home city for regional perpetual trophies that will be displayed in the winning team’s city hall for the coming year. In the process, they are learning skills that are essential to obtaining high-paying careers and filling the growing need for a future ethical cybersecurity workforce.

The student cyber athletes receive tremendous amounts of support from their coaches, mentors, teachers, and community members who create a positive, celebratory atmosphere at each event to recognize the hard work that goes into training to become future cyber heroes.

Kevin Spease, president and CEO of cybersecurity consulting company ISSE Services, attended the CMCC last year to cheer on the team from Toby Johnson Middle School in Elk Grove. He said the right combination of competition and support creates both short-term success and long-term change.

“The California Mayors Cyber Cup is a fantastic event, and it’s great to be able to connect students with other areas or other schools in California,” Spease said. “We become our best selves when we learn how to compete, and this event allows students to display their talents and have fun while learning.”

The CMCC also allows businesses to demonstrate how cyber education can lead to jobs that are both in-demand and intellectually engaging. Claire Jefferson-Gilpa, IT account education manager at ConvergeOne, also attended last year’s event and is looking forward to seeing it grow even more this year.

“Cyber education is an essential building block to create the pipeline of talent needed to drive industry, innovate to solve solutions and protect our communities,” Jefferson-Gilpa said. “ConvergeOne is proud to invest in the youth within our community.”

The California Mayors Cyber Cup will be held February 23 in 12 regions across California. For more information, visit

About California Cyberhub

The California Cyberhub is an initiative hosted at SynED, a 501(c)(3) non-profit organization focused on bringing innovation to education and workforce development. The California Cyberhub initiative is made possible by a collaborative effort of volunteers and funding from California public education, government and business. Supporters include the California Community Colleges Chancellor’s office, Community College Regional Consortiums, the California Governor’s Office of Business and Economic Development, the California Department of Education and countless volunteers and champions across the state.

For more information about the California Cyberhub, visit

About ISSE Services

ISSE Services enhances the security and resilience of its customers enterprises by defending, mitigating and securing their systems, networks and infrastructure against cyberattacks. The company is committed to providing dependable and reliable cybersecurity services. For more information, visit


About ConvergeOne

Founded in 1993, ConvergeOne is a leading global IT services provider of collaboration and technology solutions for large and medium enterprises with decades of experience assisting customers to transform their digital infrastructure and realize a return on investment. Over 11,000 enterprise and mid-market customers trust ConvergeOne with collaboration, enterprise networking, data center, cloud and cybersecurity solutions to achieve business outcomes. For more information, visit,


California Cyberhub Collaboration Model

The best work happens when people come together to build things that are greater than the sum of their parts. For the past two years, educators, business leaders, local and state governments and elected officials in California have been doing just that to transform cybersecurity education and create a future ethical workforce through the California Cyberhub.

The California Cyberhub is a virtual, neutral, nimble online organization that is a collaboration of public higher education, K-12, government, business and military. Its mission is to expand cyber training in California by identifying and promoting best practices and encouraging participation in cyber competition.

As a result, the California Cyberhub developed the California Mayors Cyber Cup (CMCC) program. CMCC is an annual cycle of community-based cybersecurity awareness, cyber career promotion and cyber team development. That work culminates in 12 simultaneous regional competitions held as one event each February to celebrate the shared participation in this effort.


Student teams from cities in each region compete for a perpetual trophy that is displayed at the winning team’s City Hall in the coming year. The events provide an opportunity for elected officials and community members to witness the energy and enthusiasm that comes with cybersecurity education.

CMCC competitions also bring in the business community and allow business leaders to meet the students who are embarking on a career path that will provide high-paying jobs and meet the increasing demand for skilled cyber professionals to protect the infrastructure of our communities and country.

Beyond the CMCC, the California Cyberhub encourages regional communities to sponsor summer cyber camps, while providing resources for certification testing, such as CompTIA’s IT Fundamentals. The California Cyberhub also hosts the California Cyber Competition Teams Guild, a community of California cyber teams and their coaches.

Darlene Tarin, a senior at Canyon Springs High School in Moreno Valley, California, said participating in her school’s cyber competitions and classes helped her become more focused at school, improve her grades and meet new friends from across the state.

“As an active member of the California Cyberhub, I have made friends in other high schools on cyber teams, and had the opportunity to learn from people all over California,” Tarin said. “My GPA went from a dismal 1.72 to consistently maintaining a 3.5. I am so grateful for this program and excited to graduate this year, and continue my cyber academic and career journey in college.”

Silas Shen caught the cyber competition bug at Troy High School and now studies Computer Information Systems at Cal Poly Pomona. He’s poised to land a stable, well-paying job after graduation and complete the pathway that started in high school and continued through college.

“I owe a majority of my technical and interpersonal skills to the opportunities that these cyber competitions have opened up for me,” Shen said. “I hope to one day give back to the community as it has graciously done for me.”

The California Cyberhub’s goal is to give cybersecurity competitions the same recognition as any other school team sport, with parents and peers cheering in the stands and the recognition that comes from winning the big game. This will help encourage more students to become involved and enter pathways to help fill the thousands of cybersecurity job openings across the country.

Scott Young, director of the California Cyberhub, said the collaborative approach is essential to driving the change needed to address large-scale problems like cybersecurity education.

“Success does not belong to an individual or an organization but to a collaboration of creative, passionate and driven partners working to the same end,” Young said.

This model of collaboration began in California but is scalable to any state or any country that wants to improve its cybersecurity education to meet workforce demand and give its young people skills that will set them up for a lifetime of professional success and personal growth.



Originally Posted On:

  • Twitter allowed a scammer to post a PayPal phishing scam as a promoted tweet on its social networking site.
  • The phishing page asked visitors to login to their accounts and verify their details to win new year gifts.

On 1 January 2018, a PayPal phishing scam was posted on Twitter as a promoted tweet, targeting users’ financial data through a lucky-draw scam. The tweet said that to be in with a chance of winning, you must log in to your account and verify your details.

The phishing tweet from @PayPalChristm promoted a New Year sweepstakes. While it didn’t explicitly say what the prizes were, the poster showed images of a new car and an iPhone.

Clues hinting a scam

The scam left behind a few small clues that gave it away as fake.

  • The URL misspelled ‘PayPal’ as ‘PayPall’
  • The Twitter account that posted the phishing scam had less than 100 followers.
  • The image on the promoted tweet wasn’t consistent with PayPal’s distinctive branding.
  • Upon clicking the phishing link, users were redirected to a page that was not served over HTTPS and whose URL was not a PayPal domain. The page was nevertheless styled to look like a legitimate PayPal site.
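The two URL-level clues above (a misspelled brand in the host name, and a page not served over HTTPS) are mechanical enough to check before a user ever sees the page. The following is an added example, not code from the original article: a small checker a mail gateway or SOC triage script could run over links. The brand allowlist and the sample URLs are constructed for illustration.

```python
"""Lookalike-domain and transport checks for suspected phishing URLs.

Added example (not from the article). Encodes two of the listed clues:
a brand name misspelled or typo-squatted in the host, and a page that is
not served over HTTPS. KNOWN_BRANDS is an assumed allowlist of the real
domains for the brands you care about.
"""
import re
from urllib.parse import urlsplit

# assumption: brand -> the one registrable domain that legitimately uses it
KNOWN_BRANDS = {"paypal": "paypal.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com-style hosts as used here;
    a real deployment should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_clues(url: str) -> list[str]:
    """Return human-readable clues; an empty list means nothing obvious."""
    clues = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        clues.append("not served over HTTPS")
    domain = registrable_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        if domain == legit:
            continue  # the genuine domain; nothing to flag on the name
        # look at every dot- or hyphen-separated token: "paypall", "paypa1", ...
        for token in re.split(r"[.-]", host):
            if brand in token or levenshtein(token, brand) <= 1:
                clues.append(f"host {host!r} imitates {brand} (real domain is {legit})")
                break
    return clues


if __name__ == "__main__":
    for u in ("http://www.paypall.com/login",
              "https://secure-paypa1.com/verify",
              "https://www.paypal.com/signin"):
        print(u, "->", phishing_clues(u) or "no clues")
```

The distance threshold is deliberately 1: with a six-letter brand, allowing two edits matches far too many unrelated words. The follower-count and branding clues from the list are not encoded here because they need data the URL alone does not carry.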

Mathew Hughes, a journalist from Liverpool, England, logged in with fake credentials. Upon login, the page redirected to another legitimate-looking page which asked him to confirm payment card details such as the debit/credit card holder’s name, card number, card expiry date, CSC number, and billing address.

This confirms that the campaign was not just after PayPal logins but also after victims’ card details and other sensitive information. Scams of this kind are becoming more common, and promoted tweets are increasingly part of their campaigns.

Originally Posted On:

Learn why it’s critical to resolve trust issues and promote collaboration between your cybersecurity and network teams.

One might expect people on different teams of a company’s IT department to be on the same page and have a certain amount of work-related trust for each other. It seems that neither “being on the same page” nor “interdepartmental trust” are always the case.

That conclusion was among the findings of an International Data Group (IDG) survey sponsored by BlueCat Networks. Here are some additional results:

  • Over 65% of those responding to the survey indicated their company has experienced two or more cybersecurity events; and
  • Only 38% of the survey participants believe their organization is capable of defending against a cybersecurity event.

The survey’s report does not mince words as to why. “Business investments in network operations and cybersecurity may be shortchanged if the teams responsible for those areas aren’t collaborating,” mentions the report A House Divided: The Cost of Dysfunction between Network and Cybersecurity Teams. “The study shows eighty-six percent of organizations surveyed have suffered repercussions, including increased security breaches and data loss, due to lack of collaboration between these teams.”

As to the lack of collaboration, BlueCat Network’s Mathew Chase adds:

“Network and cybersecurity teams are often battling the wrong adversary: each other. Their strained relationship results in additional challenges and angst when they should be defending the organization as a cohesive team.”

The report’s authors suggest that lack of collaboration was responsible for the following:

  • Slow response to security events (34%)
  • Finger-pointing (33%)
  • Increase in security breaches/data loss (32%)
  • Loss of productivity (28%)
  • Service downtime (27%)
  • Inability to determine the root cause of security events (26%)
  • Increased costs (26%)

Interdepartmental dysfunction

The IDG/BlueCat report next dives into what’s working and what’s dysfunctional. The report’s authors surmise that network policy and threat analysis are typically the cybersecurity team’s responsibility, while ownership of other aspects, such as threat detection, are less concrete.

“Fifty percent of those surveyed by IDG indicated that conflicting objectives are the greatest obstacle to making that trust between teams happen,” explains the report. “Only a small percentage of survey respondents say the two teams share primary responsibility in the areas of policy enforcement, event prevention, threat detection, and event mitigation.”

The report indicates that not understanding who is responsible for what leads to the following:

  • 55% of the survey respondents believe there is a high level of mistrust between cybersecurity and network teams; and
  • 43% of network and 58% of cybersecurity professionals feel their counterparts do not understand their role.


Network visibility

The answer appears to be giving the cybersecurity team complete visibility into the network. “The percentage of survey participants reporting a high level of trust between teams more than doubles at organizations providing complete visibility to cybersecurity staff,” the report mentions. “Similarly, when the cybersecurity team has complete visibility, organizations have a higher level of confidence that they are well equipped to protect the network from future cybersecurity attacks.”

Besides resolving trust issues and promoting collaboration, there are the following additional benefits:

  • Both teams have greater confidence that team members understand what’s happening on the network;
  • Each team’s activity will complement, not overlap or interfere, with the other team’s efforts; and
  • Respondents (55%) believe integrating the teams will allow a faster, more-efficient response to security events.

“There is a lot of eye-opening on both sides of the fence,” says Michael Harris, CEO of BlueCat. “Organizations need both visibility into critical network infrastructure and a controlled, real-time view for cybersecurity.”

DNS is also common ground

The research team from IDG and BlueCat stressed the importance of DNS as a way to improve collaboration. “When set up in a unified way, DNS represents a data source that provides shared visibility; it is also pervasive across the network, which allows it to exert control over activity,” explain the report’s authors.

Survey respondents felt improving their organization’s DNS infrastructure will help:

  • Improve network management and controls;
  • Allow DNS data-mining for threats; and
  • Increase agility as well as automation.

“DNS has always been in the hacker’s toolbox for mapping and disrupting organizations,” notes BlueCat Network’s Mathew Chase. “Organizations need to make the shift towards using DNS as skillfully as their adversaries in order to protect against and respond to threats across the enterprise.”
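“DNS data-mining for threats” is concrete once both teams read the same resolver logs. What follows is an added example, not from the BlueCat/IDG report or the article: two cheap heuristics run over constructed query-log lines in a simplified `<timestamp> <client> <qname>` format. High entropy in the second-level label flags algorithmically generated (DGA-style) names; a single client asking for many distinct, long subdomains of one parent in a short window flags DNS tunnelling or exfiltration. Thresholds are assumptions to tune against your own baseline.

```python
"""Mining DNS query logs for two common threat patterns.

Added example, not from the report. SAMPLE_LOG is constructed; thresholds
(entropy, label length, window) are assumptions and should be tuned.
"""
import math
from collections import defaultdict

SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com
1700000002 10.0.0.5 mail.example.com
1700000003 10.0.0.7 x7kq9z1mf0vb.net
1700000004 10.0.0.7 p0lz3ak9qwd2.net
1700000005 10.0.0.9 4a6f686e.44.6f65.exfil.example
1700000006 10.0.0.9 5061737377.6f7264.exfil.example
1700000007 10.0.0.9 31323334.35363738.exfil.example
1700000008 10.0.0.9 39303132.33343536.exfil.example
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score near log2(alphabet)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return records


def flag_dga(records, entropy_threshold=3.2, min_len=10):
    """Second-level labels that are long and high-entropy (DGA candidates)."""
    hits = set()
    for _, _, qname in records:
        labels = qname.split(".")
        if len(labels) < 2:
            continue
        sld = labels[-2]
        if len(sld) >= min_len and shannon_entropy(sld) >= entropy_threshold:
            hits.add(qname)
    return sorted(hits)


def flag_tunnelling(records, min_unique=4, min_prefix_len=8, window=60):
    """One client, one parent domain, many distinct long prefixes in `window` s."""
    by_key = defaultdict(list)
    for ts, client, qname in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:])
        prefix = ".".join(labels[:-2])   # the part an exfil tool would encode data into
        if len(prefix) >= min_prefix_len:
            by_key[(client, parent)].append((ts, prefix))
    alerts = []
    for (client, parent), items in by_key.items():
        items.sort()
        for i in range(len(items)):          # sliding window over timestamps
            uniq = set()
            j = i
            while j < len(items) and items[j][0] - items[i][0] <= window:
                uniq.add(items[j][1])
                j += 1
            if len(uniq) >= min_unique:
                alerts.append((client, parent, len(uniq)))
                break
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DGA candidates:", flag_dga(recs))
    print("tunnelling candidates:", flag_tunnelling(recs))
```

Both functions are deliberately dumb about whitelists; in practice you exclude known CDN and anti-virus signature domains (which legitimately look like tunnelling) before alerting.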

Note: A total of 200 qualified North-American respondents participated in the survey. Respondents were required to be employed in a network (data wired, wireless, voice, etc.) or a cybersecurity (IT/network security/cybersecurity) role at a company with 5,000 or more employees. Senior management, mid-management, and analyst level roles are equally represented. All qualified respondents are involved in the purchase and integration of cybersecurity technology.

Originally Posted On:

Hack attacks are evolving all the time, but 2019 will be a breakout year for a number of new and emerging attacks.

While many businesses today still struggle with run-of-the-mill threats like phishing and un-patched software, they need to brace themselves for a wave of sophisticated hacks which will rely on new techniques to steal money and information and damage reputations.

Some of these threats, like “credential stuffing,” are already under way, as was witnessed in the recent attack on Dunkin’ Donuts’ DD Perks rewards program. Others, like “soundloggers,” are still in the early stages but will become more widespread in the coming months and years.

Here are six new cyber threats businesses need to watch out for.

1) Digital card skimmers

Also known as “formgrabbing” or “formjacking,” this is a scripting attack that targets online transactions. The digital card skimmer steals the customer’s payment and personal information right out of the online shopping cart (or checkout form) before the order has even been submitted.

Small-business and retailer websites may be compromised directly or through a third-party service or plug-in, as was the case with Shopper Approved, a widely-used rating service.

These attacks are highly profitable and will increase significantly next year.
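Because the skimmer usually arrives through a script the checkout page loads from someone else’s server, the practical controls are Subresource Integrity (the browser refuses a script whose hash no longer matches) and a short allowlist of hosts permitted to serve script at all. The following is an added example, not code from the article: it computes the `integrity=` value for a vetted script and audits a constructed checkout page for external scripts that lack one or come from an unlisted host. The allowlist and sample HTML are assumptions.

```python
"""Auditing a checkout page for unprotected third-party scripts.

Added example, not from the article. ALLOWED_SCRIPT_HOSTS, the sample
script bytes and the sample HTML are constructed for illustration.
"""
import base64
import hashlib
import re
from urllib.parse import urlsplit

# assumption: the page's own origin plus the one vendor you have vetted
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.ratings.example"}

SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def sri_hash(script_bytes: bytes) -> str:
    """integrity= value for a script you have reviewed: sha384, base64-encoded."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode()


# constructed vendor script; its real hash is embedded in the sample page below
SAMPLE_WIDGET_JS = b"window.Ratings = {render: function () {}};"

SAMPLE_CHECKOUT_HTML = f"""
<script src="/static/cart.js"></script>
<script src="https://cdn.ratings.example/widget.js"
        integrity="{sri_hash(SAMPLE_WIDGET_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.ratings.example/extra.js"></script>
<script src="https://stats.unknown-vendor.example/t.js"></script>
"""


def audit_script_tags(html: str, page_host: str) -> dict:
    """Bucket every <script src=...>: untrusted host, or trusted but no SRI."""
    report = {"missing_integrity": [], "untrusted_host": []}
    for tag in SCRIPT_TAG_RE.findall(html):
        attrs = dict(ATTR_RE.findall(tag))
        src = attrs.get("src")
        if not src:
            continue                                  # inline script: out of scope here
        host = urlsplit(src).hostname or page_host     # relative URL -> same origin
        if host not in ALLOWED_SCRIPT_HOSTS:
            report["untrusted_host"].append(src)
        elif host != page_host and "integrity" not in attrs:
            report["missing_integrity"].append(src)
    return report


if __name__ == "__main__":
    print(audit_script_tags(SAMPLE_CHECKOUT_HTML, "shop.example"))
```

For cross-origin scripts SRI only works when the tag also carries `crossorigin="anonymous"` and the vendor serves a CORS header; the runtime counterpart of this audit is a Content-Security-Policy `script-src` limited to the same allowlist, which also blocks a skimmer injected into the page itself.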

2) Brand extortion

Cyber extortion has been gaining ground for years, first with DDoS (distributed denial-of-service) attacks, then with ransomware, and more recently with elaborate sextortion scams. But the newest version of extortion-based attacks uses fake online accounts, from Yelp to Twitter, to threaten the reputation of a company or brand.

Imagine hundreds of negative online reviews, tweets and Facebook posts rolling out continually for days, weeks or months, all of them aimed at your company. Hackers are able to mass-produce this type of “review bombing,” or negative campaign, with the use of bots and other automated tools. This is what recently happened to CheapAir, when a group called STD Company threatened to destroy its reputation unless it was paid off.

Businesses’ online reputations are vulnerable to these attacks, and more companies will find themselves targeted next year.

3) Credential stuffing

The past seven years have seen an unprecedented wave of large-scale corporate data breaches, from the 2013 Target hack to the recent Marriott disaster. These breaches have filled the dark web with an enormous cache of stolen usernames and passwords — and it is setting the stage for a new kind of password attack known as “credential stuffing.”

Instead of trying to “crack,” or guess, the password through brute-forcing, credential stuffing uses a database of real usernames and passwords (taken from prior data breaches) which are then tested en masse against many other websites and online services until they find a match.

Since most people reuse their logins and passwords across multiple accounts, including their work email, these attacks are extremely risky for businesses. Credential stuffing was recently used on Dunkin’ Donuts and HSBC, and it will become even more prevalent next year.
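The distinguishing signature of credential stuffing is visible in the authentication log: a brute-force attack hammers one account with many passwords, whereas stuffing tries roughly one leaked password per account across many accounts, with a high failure rate from a shared source. The following is an added example, not from the article: it classifies source addresses from constructed log lines in a `<timestamp> <src_ip> <username> <result>` format and lists the accounts whose password has evidently already leaked. Thresholds are assumptions.

```python
"""Spotting credential stuffing (versus brute force) in an auth log.

Added example, not from the article. SAMPLE_AUTH_LOG is constructed;
min_attempts and fail_ratio are assumed thresholds to tune per service.
"""
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
1700000000 203.0.113.10 alice FAIL
1700000001 203.0.113.10 bob FAIL
1700000002 203.0.113.10 carol FAIL
1700000003 203.0.113.10 dave SUCCESS
1700000004 203.0.113.10 erin FAIL
1700000005 203.0.113.10 frank FAIL
1700000010 198.51.100.7 alice FAIL
1700000011 198.51.100.7 alice FAIL
1700000012 198.51.100.7 alice FAIL
1700000013 198.51.100.7 alice FAIL
1700000014 198.51.100.7 alice FAIL
1700000020 192.0.2.44 grace SUCCESS
"""


def parse_auth_log(text: str):
    rows = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        rows.append((int(ts), ip, user, result == "SUCCESS"))
    return rows


def classify_sources(rows, min_attempts=5, fail_ratio=0.6) -> dict:
    """Map each source IP to 'credential_stuffing', 'brute_force' or 'normal'."""
    attempts = defaultdict(int)
    fails = defaultdict(int)
    users = defaultdict(set)
    for _, ip, user, ok in rows:
        attempts[ip] += 1
        fails[ip] += 0 if ok else 1
        users[ip].add(user)
    labels = {}
    for ip, n in attempts.items():
        if n < min_attempts or fails[ip] / n < fail_ratio:
            labels[ip] = "normal"
            continue
        # attempts per distinct username: ~1 means one leaked pair per account
        # (stuffing); many means one account, many guesses (brute force)
        per_user = n / len(users[ip])
        labels[ip] = "credential_stuffing" if per_user <= 1.5 else "brute_force"
    return labels


def compromised_accounts(rows, labels) -> list:
    """Accounts that a stuffing source logged into: their password is known
    to the attacker, so force a reset regardless of what else you block."""
    return sorted({user for _, ip, user, ok in rows
                   if ok and labels.get(ip) == "credential_stuffing"})


if __name__ == "__main__":
    rows = parse_auth_log(SAMPLE_AUTH_LOG)
    labels = classify_sources(rows)
    print(labels)
    print("reset first:", compromised_accounts(rows, labels))
```

Real stuffing campaigns spread attempts across proxy pools, so a per-IP view alone under-counts; the same per-user ratio computed per ASN or across the whole fleet per minute catches the distributed case.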

4) Sophisticated mobile attacks 

Smartphones are an increasingly valuable target for hackers as more people switch to mobile banking and mobile-based two-factor authentication, and as phones evolve into the remote controls of our daily connected lives.

SMS phishing attacks will grow more intense next year (like the new “cardless ATM” scam) since these are an easy way to steal credentials via phone. Hackers will combine other tricks, like combosquatting and typosquatting, to make it harder for users to spot malicious links sent via text. But other attacks, like fake apps, will continue to pick up as well, and of particular concern here is the “overlay attack,” which can be highly effective at stealing mobile banking credentials.

5) Sound-based attacks

The rise of virtual assistants and voice biometrics is creating new opportunities for hackers.

As the voice is increasingly used to authenticate financial accounts and other services, in addition to controlling devices like mobile phones and smart speakers, hackers will be more aggressive at trying to use sound-focused attacks to hit their targets.

These attacks will range from voiceprint identity theft to subliminal malware that commandeers virtual assistants and “soundloggers” which can figure out a password by the sounds a person makes when typing it on the keyboard.

6) Smart malware

It’s hard enough for the average small business to prevent an attack from off-the-shelf malware like Zeus and DarkComet, but just wait until malware starts to think for itself.

New technologies like machine learning and artificial intelligence are dramatically enhancing the range and destructive power of future malware attacks. Don’t expect to see Terminator-style killer viruses, but instead viruses that are able to mutate themselves to adapt to different environments, hunt down specific employees in a network and avoid detection by hiding in legitimate computer programs or tweaking their “signatures.”

Open source AI models already exist which hackers can use to do this. Attackers also have access to “malware-as-a-service” and malware “kit” offerings online which can aid in these attacks. To demonstrate just how real this risk is, IBM recently unveiled an AI-malware prototype called DeepLocker, built from these publicly available tools.

Security advice

Since attackers will become more advanced in the coming year, it is critical for SMBs to focus just as much on post-breach damage control as they do on prevention.

To limit the damage of an eventual breach, SMBs need to enforce least-privilege access control for employees religiously, segment the network, back up crucial data and have an emergency contact sheet ready so you know exactly whom to call when the worst happens. For businesses with a lot of financial or customer data exposure, a cyber insurance policy is also a must.

Prevention should include robust anti-malware and firewalls, a strong password policy, two-factor authentication, “whitelisting” emails for key executives like the CFO, and handing customer passwords and payment information off to third-party services that specialize in securing them rather than storing them yourself.

Jason Glassberg is co-founder of Casaba Security, a cybersecurity and ethical hacking firm that advises businesses ranging from startups to Fortune 100s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.

Originally Posted On:

How many times have you endured a dry-as-dust PowerPoint presentation or clicked through a tired e-learning course only to realize, despite hours of ‘teaching,’ you remember virtually nothing? It’s easy to blame yourself when this happens; you may feel guilty or even harbor doubts about your ability to retain knowledge. Don’t. There’s a good chance that the material simply wasn’t practical, engaging or relevant enough – flaws magnified when you are spoken at, instead of with, in a stale classroom environment.

I am not suggesting school-style learning should be outlawed, as it certainly has its merits. But some subjects, particularly those with a large technical element, demand a more innovative approach. Without doubt, cybersecurity falls into this category – something I first observed while delivering GCHQ’s Cyber Summer School. It was evident that people enjoyed completing practical exercises requiring analytical thinking and problem solving. It was also clear that when people had fun, they learned more.

And increased cyber learning is something every workforce can benefit from. Security is no longer handled by a select few while others do as they digitally please; it is the responsibility of everyone in an organization. In fact, every employee should have some degree of cyber training, and this is something that kept me thinking during those summer months with GCHQ. To transform a workforce, you first must engage it – and when it comes to cybersecurity, there’s no better way to do this than gamification.

Despite its name, gamification is not strictly about games. It is the act of taking something already in existence – a website or application, for instance – and increasing engagement using game mechanics, such as reward and competition. It works because those mechanics are addictive and yield excellent results in a learning environment. Typical gamified exercises such as capture-the-flag events and hackathons also double up as great team-building activities owing to their social nature. A recent study by McAfee found 96% of organizations that hold such events report tangible benefits. They can even help in the search for hidden talent, with many self-taught or uncertified participants using such exercises to prove their worth.

Several elements make gamified solutions effective, not least social features that encourage competition in a lightweight manner, such as a leaderboard. Humans are also known to crave the simplicity exhibited in games like Bejeweled. As outlined by Erin Hoffman on Gamasutra, Bejeweled’s addictive elements are simple: the game is easy to understand and access, it presents a clear problem with a clear solution, and the results of actions create consequences with intermittent reward. Simple design techniques, including the use of specific shapes and colors, can also keep us coming back for more. (You like those little red badges on your iPhone, right?)

So, game mechanics obviously compel people to act. And when that action is improving the way we learn, such mechanics are a force for good. Learners who are satisfied by their education, who understand their work and gain a sense of accomplishment from it, will of course perform better.

Making experiences more engaging this way is not a new concept. In 2012, US pharmacy Omnicare introduced gamification to its IT service desk and achieved a 100% participation rate. That same year, American software corporation Autodesk used it to raise its trial usage by 40%. This year, TalentLMS’s Gamification at Work survey found 85% of employees would spend more time on software that was gamified, while 87% agreed gamification made them more productive. Clearly, it works.

Applying gamification to cyber training is a no-brainer – especially when considering it can be largely automated. Training in anything must occur often to be effective, and nowhere is this truer than in cyber, where learning must be consistent to combat constantly evolving threats. Using automated, gamified solutions, employees can upskill on their own terms, without need for disruption to company operations. This doesn’t only save time and money; it also allows for greater training frequency and, in turn, greater learning. And with 77% of senior security managers agreeing their organization would be safer if it used gamification more, it is surely time for more businesses to take heed.

I’m the CEO and founder of Immersive Labs. As an ex-GCHQ trainer, I’m on a mission to help global organisations address the shortage in cyber security skills from receptionist to CEO through enterprising solutions such as the Immersive Labs platform. Through my work…

Kaspersky Lab found evidence that a small government spyware contractor sells iOS malware, showing it may not be as rare as some people think.

Originally Posted on:

Thanks to a combination of tight controls and innovative security features, Apple has made the iPhone perhaps the most secure consumer device in the world. But nothing is unhackable, and iOS malware isn’t as rare as many may think. 

Earlier this year, Russian cybersecurity firm Kaspersky Lab found evidence that a small government spyware maker called Negg developed a “custom iOS malware that allows GPS tracking and performs audio surveillance activity,” according to a private report the company sent to subscribers. The discovery of Negg’s iOS malware has never been reported outside of Kaspersky.

“We have uncovered an iOS implant,” Kaspersky Lab researcher Alexey Firsh told Motherboard in an email. “We assume that at the moment of discovery it was in a development stage and was not fully adapted to infect potential victims.”


Malware on iOS has always been rare, thanks to the increasing difficulty of jailbreaking iPhones and Apple’s continuous focus on locking down its devices. This has driven prices for iOS bugs and exploits through the roof. Nowadays, companies are willing to pay around $3 million for software that jailbreaks and hacks iPhones—and researchers are reluctant to report bugs to Apple simply because others pay better. 

Governments around the world have been willing to spend a fortune on iOS malware. Saudi Arabia paid $55 million to purchase iPhone malware made by NSO Group, according to a recent report by Israeli newspaper Haaretz. There are several companies specializing in iOS malware, such as Azimuth, NSO Group, and others. But despite appearances, iOS malware isn’t only in the hands of big companies and their government customers.


Security researcher Zuk Avraham recently wrote on Twitter that iOS jailbreaks, the basis of any kind of malware for iOS, aren’t as rare as people think, and estimated that there are more than 50 groups who have iOS exploits. While most people believe that only powerful government adversaries have access to iPhone exploits, more discoveries are being made that suggest that lesser-known groups have exploits as well. 

Now, even relatively smaller companies have iOS malware. 

Earlier this year, Kaspersky Lab reported having found a sophisticated spyware for Android dubbed Skygofree. Sources told Forbes at the time that the spyware was made by Italian government surveillance contractor Negg, a small upstart that isn’t as well known as NSO or Azimuth. While investigating Negg’s Android malware, Kaspersky Lab found that one of its command and control servers pointed to a “rogue Apple [Mobile Device Management] server,” according to the company’s private report. 

A source who received the report shared details contained in it with Motherboard on condition of staying anonymous since they were not authorized to share the information. 

Mobile Device Management, or MDM, is a feature in iOS that allows companies to manage and monitor devices given to their employees. By installing an MDM profile or certificate on an iPhone, a user gives the MDM owner some control over the device. This mechanism can be abused by malware creators. In July, security firm Talos found that a hacking group had used MDM to target a few iPhones in India. (Mobile Device Management can be turned on for any iPhone.)
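An MDM enrollment arrives as a configuration profile (a `.mobileconfig` file), which is an XML property list; the MDM payload inside it is the `PayloadContent` entry whose `PayloadType` is `com.apple.mdm`, and its `ServerURL` names the server that will be allowed to push commands to the device. The following is an added example, not from the article or Kaspersky’s report: it parses a constructed profile of the kind a “fake mobile operator” lure might deliver and reports what a defender would want to know before (or after) a user tapped Install. The trusted-server list is an assumption.

```python
"""Inspecting an iOS configuration profile for a rogue MDM enrollment.

Added example, not from the article or Kaspersky's report. SAMPLE_PROFILE
is constructed; TRUSTED_MDM_HOSTS is an assumption standing in for your
organisation's real MDM server(s).
"""
import plistlib
from urllib.parse import urlsplit

TRUSTED_MDM_HOSTS = {"mdm.corp.example"}  # assumption

SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.carrier-update.profile</string>
  <key>PayloadDisplayName</key><string>Carrier Settings Update</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.carrier-update.mdm</string>
      <key>ServerURL</key><string>https://203.0.113.55/mdm/connect</string>
      <key>CheckInURL</key><string>https://203.0.113.55/mdm/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.00000000-0000-0000-0000-000000000000</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def inspect_profile(data: bytes) -> list[str]:
    """Return findings about any MDM payload in a .mobileconfig."""
    profile = plistlib.loads(data)
    findings = []
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("profile cannot be removed by the user")
    name = profile.get("PayloadDisplayName", "")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        host = urlsplit(payload.get("ServerURL", "")).hostname or ""
        if host not in TRUSTED_MDM_HOSTS:
            findings.append(f"MDM server {host!r} is not a trusted MDM host")
        rights = int(payload.get("AccessRights", 0))
        if rights == 8191:        # every AccessRights bit set
            findings.append("MDM payload requests all access rights")
        # heuristic: an enrollment whose display name never mentions management
        if "mdm" not in name.lower() and "management" not in name.lower():
            findings.append(f"display name {name!r} hides that this is an MDM enrollment")
    return findings


if __name__ == "__main__":
    for finding in inspect_profile(SAMPLE_PROFILE):
        print("-", finding)
```

On a managed fleet the same check runs against the profiles your real MDM reports as installed; any `com.apple.mdm` payload pointing somewhere other than your server is a device that has been handed to someone else.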

Costin Raiu, the head of Kaspersky Lab’s research team, said that Negg’s MDM server is still active. In its private report, Kaspersky Lab researchers wrote that “the code contains many mentions that let us presume that the developer is a small Italian company named Negg.”

Negg did not respond to a message sent to its official information email address. When Motherboard called its office, an employee said she’d refer questions to the company owner, who was not available at the time. Apple did not respond to a request for comment.

It’s unclear how government hackers get the malware onto targets’ iPhones. Kaspersky Lab researchers speculated it may be via social engineering “using fake mobile operators sites.” In other words, this malware does not leverage any bugs or exploits in iOS, but instead takes advantage of MDM, which is a design feature of the operating system. In this way, it relies on a tried-and-tested social hacking technique: tricking users into installing something. For many years, the average user could essentially click on any link, download any app, and otherwise use their iPhone without worrying about targeted surveillance. That may soon no longer be the case.


In May, Motherboard revealed that Italian cell phone providers were helping cops install malware on suspected criminals’ phones.

Ryan Duff, a former Cyber Command hacker who is now director of cyber solutions at Point3, said this discovery should not be seen as too worrisome a sign.

“As far as MDM as an injection method for malware, it’s pretty lame,” Duff told Motherboard in an online chat. “As far as risk goes, it’s pretty low. You can’t just force an iPhone to connect to an MDM server. You would have to get them to install a device profile onto their phone. You’d need to social engineer them in some way to installing the profile.”

Raiu said that Kaspersky is not sure how Negg—or its customers—get the malware on the target iPhones. It could either be social engineering, Raiu said, or “even physical access.” Kaspersky is unsure if Negg has any zero days or specific iOS exploits.

Even if MDM-based malware is not as sophisticated as malware that gets injected with expensive and unknown vulnerabilities, or zero-days, once it’s on the phone the result is the same: the hackers, be they criminals or government-sponsored, have access to everything on the phone.

“You’re basically turning over administrative control of your phone to the attacker,” Duff told me. “So of course they can install malware from there.”