‘There are minimal overheads and profits can be limitless’

Cybercriminals are increasingly targeting UK workers files and data, and the Metropolitan Police have warned that “no one is safe”.

The FBI, Metropolitan Police, and security experts all agree that cyber ransoming has fast become one of UK’s biggest economic crimes.

Unpredictable, unstoppable and potentially fatal to a business, the rapid emergence of ransomware has become a threat to people across the nation.

August Graham, the editor of the Sentinel, arrived at work one morning last summer to find a note pop up on one of the computer screens. It informed him that all the files on the firm’s server had been encrypted and were being held ransom.

He was told he had to pay £500 to get them back, or they’d be destroyed.

Last year, 54 per cent of businesses in the UK were hit by ransomware attacks, according to a survey by Osterman Research on behalf of Malwarebytes. In 20 per cent of the cases, it stopped business operations immediately.

Gadgets and tech news in pictures


The average ransom demanded is £520, but some can be enormous. Three per cent of UK companies that have been hit by ransomware reported a charge of over £50,000 to recover their data.

Gary Miles, the detective chief inspector of FALCON (Metropolitan Fraud and Linked Crime Online) described cyber ransoming as “the crime of choice” right now.

“For a criminal, the cyber ransoming business model is very attractive,” he said. “There are minimal overheads and profits can be limitless.”

If you measure risk against reward, it’s no wonder ransoming has doubled each year since its 2012 emergence. Robbing one computer at a time violently using a knife or gun doesn’t scale well.

However, one hacker can rob thousands with the click of a button.

What is ransomware?

In the first stage of a ransomware attack, a target will receive an email appearing to contain a legitimate attachment, such as an invoice or link to a website. Most people will have come across one of these infected messages.

In the past, they’ve tended to be written in broken English and easy to spot, but hackers have skilfully refined their techniques.

If the victim takes the bait and engages with the content, the second phase begins. The malicious code in the attachment will then be released onto the victim’s machine and spread fast.

It will encrypt all files and folders in local drives, attached drives, backup drives and other computers on the same server. In no time, all files will become corrupt and inaccessible.

The ransom note will then appear on the computer screen. Demands can range from a couple of hundred to several million, depending on how much the hacker thinks the organization will pay.

What to do if you’re targeted

Ransomware attacks are not just proliferating, but becoming increasingly targeted too. Blocking one is extremely difficult. Defenders are like the batters in a cricket game, who need to deflect every ball thrown at the wicket. Hackers just need to knock the bails once to win.

A survey by Trend Micro found that 65 per cent of UK businesses hit by ransomware last year paid the ransom, despite all security agencies and police forces advising against complying with attackers’ demands.

Explaining why victims should not pay up, Pascal Geenens, Radware’s security evangelist for the EMEA region said, “Firstly, there is no guarantee that you will recover your data and secondly, even if you do recover your data, hackers may come back at a later date demanding an even larger ransom.”

Geenen says companies must place an emphasis on prevention by educating employees and putting protective technologies like firewalls, antivirus software and intrusion detection systems into place.

On top of that, companies are encouraged to establish a disaster recovery plan. So if a breach happens, there is a plan to minimize the damage. A company must concentrate on strengthening those things in order to make themselves less susceptible to ransomware. Once it happens, it’s too late.

Cybersecurity firms also encourage companies to back up their systems frequently.

“It should be done at least every hour,” said Mr Geenens. “That way, if an attack happens a company need only reboot their systems to the last point of backup.”


Cyber security: Fraud rises as cybercriminals flock to online lenders

Cybercrime is becoming more automated, organized and networked than ever before, according to the ThreatMetrix Cybercrime Report: Q4 2016.


Cybercriminals are increasingly targeting online lenders and emerging financial services, says Vanita Pandey, vice president of strategy and product marketing, ThreatMetrix.


[ Related: 8 tips to defend against online financial fraud threats ]


ThreatMetrix’s report is based on data drawn from its ThreatMetrix Digital Identity Network, which analyzes about 2 billion transactions per month for insight into traffic patterns and emerging threats. The network uses a real-time policy engine to analyze transactions — about 44 percent of which originate from mobile devices — for legitimacy based on hundreds of attributes, including device identification, geolocation, previous history and behavioral analytics.


ThreatMetrix’s data shows 1 million cyberattacks targeted online lending transactions throughout 2016, Pandey says . It estimates the total value of these transactions at about $10 billion. It expects the number of attacks to continue to grow in 2017. Indeed, the number of attacks specifically targeting alternative lending increased by 150 percent quarter-over-quarter in the fourth quarter of 2016. That doesn’t mean criminals have stopped targeting banks: ThreatMetrix says it detected 80 million attacks using fake or stolen credentials during 2016 in the finance sector alone.


It should be noted that attacks are increasing both in number (ThreatMetrix says it detected and stopped nearly 122 million attacks in real-time in the fourth quarter, an increase of more than 35 percent over the previous year) and in proportion: growth in attacks outpaced overall transaction growth, and the overall rejected transaction rate grew by 15 percent.


[ Related: Online card fraud up as thieves avoid more secure chip cards for in-store payments ]


“Fraud has evolved from being like robbing a house to being a big heist on a bank or institution,” Pandey says.


Increasingly, she explains, cybercriminals are stealing identities and using them to create accounts that they allow to sit and mature, sometimes for years, before leveraging them for crime.


First, she says, criminals buy, trade and augment stolen identity credentials from any of the numerous data breaches that occur with increasing frequency.


“Most of us have been breached, whether you’ve stayed at an InterContinental Hotel, or you had a Yahoo account or you have a LinkedIn password you haven’t changed in four years,” she says.


Those credentials are then used to create new accounts with retailers, banks and e-lenders. E-lenders are frequently targeted, perhaps because the criminals see them as softer targets than more established banks, according to ThreatMetrix.


“They will then use automated bot attacks on a new site to create an account for you,” Pandey says. “If it doesn’t exist, they’ll create an account. If it does, they’ll bring in sophisticated tools to crack your password. They’ll let an account sit and mature for a while. Once your identity has been verified, a lot of times you won’t be stepped up or challenged. Imagine if I have a stable account, I’ve been transacting for two years nicely and then I use my account to buy a big item and change my address, they may not flag that.”


Pandey says ThreatMetrix sees a lot of fraud being committed with accounts that have five or even six years of credit history and a big credit file. Even victims who regularly check their credit reports may not pick up on the fraud, as the criminals take care not to damage their victims’ credit ratings until the accounts mature.


“Due to its surge in popularity, and fast transaction cycles, online lending has become a prime target for cybercriminals,” she says. “Online lenders are under increasing pressure to adopt smarter authentication methods that leverage real-time, behavior-based intelligence to accelerate genuine loans and prevent fraud. This is the only way to thrive in an increasingly competitive market.”


Developing countries becoming bigger players in online fraud game


This type of fraud isn’t limited to the U.S. and other developed nations. ThreatMetrix says it has seen this type of fraud originating in developing countries including Brazil, Egypt, Ghana, Jordan, Nigeria and Macedonia. ThreatMetrix also reports a significant increase in attacks, particularly identity spoofing attacks, from emerging economies including Tunisia, Ukraine, Malaysia, Bangladesh, Pakistan, Serbia, Morocco, Guadeloupe, Qatar and Cuba.


“The fact that developing nations are becoming bigger players in the online fraud game demonstrates the spread of breached identity data to countries across the globe,” Pandey says. “One in four transactions on our network is now cross-border, illustrating a global village economy that’s continuing to take root. Global data breaches are making stolen identity data globally available via the dark web, and this information is traded by organized and networked crime rings.”


How to keep the online digital world safe


With cybercriminals becoming more ambitious and more sophisticated, Pandey says it’s becoming clear that text-based authentication needs to be deprecated. In fact, she says, any static information used for authentication that must be stored by a company is susceptible to a data breach and therefore an outdated way of thinking about secure authentication, identity verification and fraud prevention.


“It is becoming increasingly clear that the only true way to keep the online digital world safe and secure, (and processing transactions in the manner that technology-savvy consumers expect), is by analyzing the digital identity of every online user, an identity that is built on dynamic, shared intelligence harnessed from sources far wider than the individual companies a user transacts with,” the ThreatMetrix report says.


Behavioral analytics and machine learning are the keys to making this work.


“It is only by using this holistic, crowdsourced approach to digital identities that companies can be more confident of accurately differentiating fraudsters from genuine customers,” the report concludes. “In the case of Yahoo, the cookies might have been forged, but the online footprint of those fraudsters would have been markedly different to the genuine users, and it is up to Yahoo to be able to detect that in order to protect sensitive customer data.”

Online security review: Hacking Is About to Get a Lot Harder With Card less ATMs

A few years back, a friend of mine was traveling from New York City to Paris. After landing at Charles de Gaulle Airport, he reached for his wallet, but realized it was no longer in the back of his trouser pocket. He had been pick-pocketed during his metro ride. All of his cash, credit cards, and debit cards were gone.


Were something like this to happen in the near future, my friend would’ve had a much easier time making it through the next 48 hours, so long as he had his smartphone. In just the last few weeks, a number of banks have announced plans for cardless ATMs. Wells Fargo (WFC, +0.26%), J.P. Morgan Chase (JPM, -0.32%), and Bank of America (BAC, -0.16%) are all piloting their own initiatives. The basic idea is that a code will be generated on the banks’ mobile apps that consumers can use to unlock their bank accounts, enabling them to withdraw money from an ATM simply by tapping their device when they’re in front of the ATM.


The smartphone has already established itself as an indispensable device for nearly everyone on the planet, even in some of the most remote and seemingly underdeveloped regions. But with respect to innovations, we are still only scratching the tip of the iceberg. Despite claims that innovation in smartphones may be dying and that the market is becoming flat, there is still plenty of room for innovative, non-trivial design changes and introduction of new features. In the next few versions of our smartphones, there will be integration with augmented reality, flexible and bendable screens, and even wireless audio and wireless battery charging.


Of course, connectivity of this magnitude has already taken shape, from smart cars to smart homes to targeted advertising. Paying for purchases, therefore, needs to be just as seamless as the rest of our lives are becoming. Thanks to the likes of Apple (AAPL, +0.33%) Pay, Android Pay, and Square (SQ, -0.94%), mobile-payments systems are now poised to cause massive disruption. The significant majority, nearly 80%, of Apple Watch users use Apple Pay to pay for both online and in-person purchases. Android has followed suit with its Android Pay system, allowing customers to walk through a physical store and select an item, tap their phone to scan a barcode, and make a purchase without even thinking of waiting in line.


As with any new form of payment technology, though, there’s typically a catch. In mobile banking, the catch is significant when considering the level of security breaches and fraud. Fraud in 2014 caused approximately $32 billion in losses in the U.S. retail industry in 2014. To mitigate this across in-store, online, and mobile payments, payment companies and card issuers started the move from magnetic stripes to chip-based cards. While that did stymie the losses, still, in 2016, it was predicted that there would be about $4 billion in retail fraud in the U.S. And, in the U.K. for example, where chip-based credit cards were introduced a decade ago, online fraud rose 79% in the first three years of introduction of chips-based cards. Similar stories abound in Australia and Canada. So the threat from moving to new payment systems is non-trivial and real, and often inadvertent.


For many banks, though, it turns out that mobile-phone-enabled, cardless ATM transactions have the potential to actually reduce the threat of fraud and security breaches. This is especially true of threats from skimmers, or fraudsters who copy card and ID numbers from the magnetic stripes of the widely used plastic cards in ATM machines.


In ATM skimming, scammers use various kinds of electronics to steal the personal information stored on your card, record your PIN number to access your account, and withdraw your cash. First, a fake card reader (known as a skimmer) is placed over the ATM’s real card slot. As an unsuspecting user slides their card into the ATM, they basically end up inadvertently sliding it through the scammer’s counterfeit reader, which then stores your card’s info. To gain access to the bank account on an ATM, the skimmers use tiny cameras hidden on or near the ATMs to get a clear view of the keypad, record the tapping activity on the ATM’s screen, and get the PIN number.


That being said, phishers—malicious hackers interested in identity theft or stealing credit card information—in the past have hacked into unsuspecting smartphone users, often web browsing using a public Wifi, to retrieve sensitive financial or personal information. So the only way a phisher could steal a user’s banking info is if he or she was on a public WiFi when doing cardless ATM banking.


On the whole, cardless ATM banking provides immediacy, security, and accessibility. Next time a family member desperately needs cash in a foreign land or my child has lost her wallet, I know I can bail them out simply by passing on the code from my phone app to them. All they need to do is to find the nearest ATM.

Online security review: Unstoppable JavaScript Attack Helps Ad Fraud, Tech Support Scams, 0-Day Attacks

Argentinian security expert Manuel Caballero has published new research that shows how a website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute his very own persistent JavaScript code while the user is on other domains.


There are multiple issues and attack scenarios that Caballero discovered, but fortunately, they only affect Internet Explorer 11, but not Edge, or browsers from other vendors.


The bad news is that, according to Net Market Share, IE11 is the second ranked browser version, with a market share of 10.46%, right behind Chrome 55, with 37.27%, meaning it still accounts for a large portion of the online user base, despite its advanced age.


The undying IE popups


In a blog post published yesterday, the Caballero demonstrated how a developer could create popups that persist in the browser, even after the user has left the page where the popup’s code was loaded, either by clicking a link or entering a new URL in the browser’s address bar.


According to the veteran security researcher, there’s no limit on how many popups a malicious website owner could show users after they left his site.


The only way users can stop the popups is to close the tab and open a new one. Navigating away from the malicious page in a new tab also prevents the popups from showing up.


Never-ending popups could be used in tech support scams


In a real-world scenario, this Internet Explorer issue could be a handy tool in the arsenal of tech support scammers, shady advertisers, or other scare ware operators.


A user leaving a shady page could still receive popups peddling all sorts of products and links, even after he clearly left the previous domain.


Similarly, users that land on tech support scam websites and find a way to leave the site will still receive popups afterward.


If the victim navigates to reputable or neutral sites, such as Google, Wikipedia, Bing, or others, the constant stream of subsequent popups could convince almost any non-technical users into thinking their computers have a real problem indeed, and dial the tech support number to get help cleaning their computer.


An IE user reading a Forbes article would receive a malicious ad, and start seeing popups about being infected with a virus. Navigating to one or more new sites in the same tab will still show the same popups, leading inexperienced users on the same path to believe their PC might have real issues.


Despite IE security measure, users can’t block popups


Besides discovering a way to perpetuate popups across different domains, Caballero says another issue could be used to disable the checkbox at the bottom of the repeating popups, which normally IE11 allows users to block.



This second issue can be integrated into the first, allowing malicious website owners to create popups that span across multiple domains that are impossible to kill using IE’s built-in popup-limiting system.


Popups are simple attacks. Issue can do even more harm


But popups are only scratching the attack surface. The real problem here is that Internet Explorer executes persistent JavaScript code even after users leave a site. The attacker can replace the popup code with everything he wants.


“Let’s say there’s a new zero day and the attacker needs to download 5 megs into the user [‘s browser],” Caballero told Bleeping Computer in a conversation. “How can he make sure he has time to download the bits? With a persistent script, the attacker has time for everything.”


“With a persistent script [like this] you can create a network of bots without installing anything to anyone,” the researcher also added.



IE11 issue is a malvertiser’s lottery ticket


“For example, imagine a malvertising campaign that sets this script and then forces users to make hidden requests to ads,” Caballero noted, explaining that a website owner could use past site visitors for ad fraud.


“[Y]ou [the fake advertiser] buy cheap inventory and then, keep rotating hidden ads for hours, until the user […] closes the tab.”


Even worse, the persistent script issue can be used as a supplement to already existing exploits, improving their success rate.


No patch available


At the heart of the persistent script problem is a universal cross-site scripting (UXSS) bug and Same Origin Policy (SOP) bypass in IE’s htmlFile/ActiveXObject component, which Caballero described in depth two weeks ago, but only recently realized he could use to do more damage.


There’s no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they’ve ignored many of his previous reports.


Caballero has put together a demo page that shows all his findings. Make sure you access the page through Internet Explorer 11.


Last December, Caballero found a way to abuse Edge’s Smart Screen security feature to show warnings on legitimate domains. This issue too, could be abused by tech support operators, and this too, Caballero didn’t report to Microsoft.

Security and risk complaints online: Prevent identity theft

Just like burglars and thieves, cyber criminals have many different ways to steal personal information and money. Just as you wouldn’t give a burglar the key to your house, make sure that you protect yourself from fraud and online identity theft. Know the common tricks that criminals employ to help you protect yourself from online fraud and identity theft. Here are a few simple tips.


Don’t reply if you see a suspicious email, instant message or webpage asking for your personal or financial information


Always be wary of any messages or sites that ask for your personal information, or messages that refer you to an unfamiliar web page asking for any of the following details:




Medicare numbers

Bank account numbers

PINs (Personal Identification Numbers)

Full credit card numbers

Your mother’s maiden name

Your birthday

Don’t fill out any forms or sign-in screens that might be linked to from those messages. If someone suspicious asks you to fill out a form with your personal information don’t be tempted to start filling it out. Even if you don’t hit the “submit” button, you might still be sending your information to identity thieves if you start putting your data into their forms.


If you see a message from someone you know that doesn’t seem like them, their account may have been compromised by a cybercriminal who is trying to get money or information from you – so be careful how you respond. Common tactics include asking you to urgently send them money, claiming to be stranded in another country or saying that their phone has been stolen so they cannot be called. The message may also tell you to click on a link to see a picture, article or video, which actually leads you to a site that might steal your information – so think before you click!


Never enter your password if you’ve arrived at a site by following a link in an email or chat that you don’t trust


Even if you think it’s a site that you trust, like your bank, it’s better to go directly to the site by using a bookmark or typing in the site’s address directly into the browser.


Don’t send your password via email and don’t share it with others


Your passwords are the key to your accounts and services online, and just like in your offline life, you should be careful who you give your keys to. Legitimate sites and services won’t ask you to send them your passwords via email, so don’t respond if you get requests for your passwords to online sites.


Because your passwords are so important, you should think carefully before deciding to share them with others – even friends and family. When you share your passwords, there is a greater risk that someone may misuse your accounts by accessing information that you don’t want them to or using the account in ways that you don’t approve of. For example, if you share your email password with someone, that person might read your personal emails, try to use your email account to access other online services that you might use, like banking or social sites, or use your account to impersonate you. Finally, when you share your password with someone, you will have to rely on them to keep it secure; they may share it with others on purpose or by accident.


Pay close attention when asked to sign in online


Check for signals about your connection with the website.


First, look at the address bar in your browser to see if the URL looks real. You should also check to see if the web address begins with which signals that your connection to the website is encrypted and more resistant to snooping or tampering. Some browsers also include a padlock icon in the address bar beside to indicate more clearly that your connection is encrypted and that you are more securely connected.


Report suspicious emails and scams


Most email providers, including Gmail, allow you to do this. Reporting a suspicious message in Gmail will help block that user from sending you more emails and help our abuse team stop similar attacks.

Cyber security: Researchers trick ‘CEO’ email scammer into giving up identity

Businesses targeted in email scams don’t always have to play the victim. They can actually fight back.


Researchers at Dell SecureWorks have documented how they identified a suspected email scammer from Nigeria by essentially playing along with the scheme to fool the attacker into revealing his true whereabouts.


Anyone can use these tips, said Joe Stewart, director of malware research at SecureWorks. “We’re letting [the scammers] give us all the information about themselves,” he said.


The email scheme involved a fraudster impersonating a CEO in what’s called a business email spoofing attack. The goal is often to trick a victim into wiring funds to the scammer’s bank account.


Although a business can train its employees to learn how to spot these suspicious emails, that won’t necessarily stop the attack, especially since it’s easy for anyone to continually bombard a victim with emails, SecureWork said.


Instead, a business’ IT security staff can fight back and disrupt the scammer’s operations. They can do this, by first replying to an email scam and pretending to act like a gullible victim.


This was how SecureWorks managed to eventually identify an email scammer from Nigeria that targeted a U.S. technology company in November. SecureWorks was brought in to investigate and decided to fool the fraudster into thinking his scheme had worked.


The scammer had tried to trick the technology firm into wiring funds to a bank account by impersonating its CEO. SecureWorks pretended to comply, which caused the scammer to turn greedy.


“He started asking for $18,000,” said James Bettke, a SecureWorks researcher. “And then after that, he said, ‘Oh that’s a typo. It’s a $118,000.’”



To try and identify the scammer, SecureWorks decided to email back a PDF-based receipt, indicating the wire transfer had been complete. In reality, the receipt was a decoy that when clicked on, sent off the recipient’s IP address and other web browser information.


The researchers found that their scammer was using an internet service provider in Lagos, Nigeria, and was viewing the receipt on an iPhone.


SecureWorks continued to play a gullible victim, by claiming the wire transfer had failed. That forced the scammer to hand over details to other bank accounts. The researchers then took that information and notified the responsible bank that these accounts were being used for fraud, shutting them down.


To find out more about the scammer, the researchers sent another decoy receipt of a wire transfer that forced the recipient to enter a legitimate mobile phone number to view the form.


The scammer fell for the ruse. Using Facebook, the researchers found that the entered phone number was tied to a user named “Seun,” which the researchers believe is a real account.


“We know who he is,” Stewart said. “We could report him to the EFCC (The Economic and Financial Crimes Commission in Nigeria). But he didn’t get away with any money.”


So instead, SecureWorks is publicizing information about the fraudster’s scams, including the email addresses he used.

Online fraud detection: PayThink Contextual commerce sputters without deep consumer ties


Every business that uses apps or online platforms to connect with customers knows there’s a major transformation underway in how you do business.


Customer convenience is top priority, while the mechanics of sales and payment transactions are moving out of sight where they are less likely to cause friction that costs sales.


To take advantage of this confluence of technology known as “contextual commerce,” you need to know what it is and what it requires. If your business development plans don’t include reimagining how you will sell to your customers, you risk losing out to competitors that are thinking beyond the traditional e-commerce experience.


The defining idea behind contextual commerce is giving your customers the ability to buy something within the flow of another activity that they’re engaged in. It’s presenting a product or service right at the moment when the buyer might naturally want it, without making them go through a separate commerce or payment experience.


Easy payments are critical: The transaction must occur in the background, relying on stored payment methods rather than making a buyer key in card details. But there’s more to it than that.


Uber — which won its massive user base partly by making payments invisible and freeing riders from worrying about fares and tips — is building out its contextual commerce vision by striking partnerships. For instance, its deal with Hilton to link the Uber app with the hotel chain’s loyalty app makes it easy for travelers to arrange their rides when they are reviewing hotel reservations.


The WeChat messaging platform, which is hugely popular in China, is another example of how users can engage in all kinds of transactions without ever leaving their preferred environment. WeChat users can shop, buy movie tickets, and even pay bills from within the app.


Looking beyond these examples, we can expect opportunities for new contextual commerce business models to arise as stored payment technology finds its way into other environments. Given how much time many Americans spend on the road, one particularly promising new area is the connected car. GM’s OnStar Go platform, which will roll out in automobiles starting in 2017, will feature integration with Mastercard’s Masterpass digital wallet, allowing drivers to buy goods and services from behind the wheel.


Customer trust in the security and privacy of stored payments is essential for contextual commerce to succeed. The growing use of various kinds of e-wallets and mobile payment systems is also helping to put consumers at ease.


The back-end infrastructure to support a contextual commerce ecosystem is taking shape. Tools and interfaces will be needed to easily connect a variety of components, including: The merchant’s payment and order management systems (including inventory, logistics and returns); the “context” in which the customer is found; merchants will strike partnerships with complementary businesses, content providers and others; and the customer’s stored payment and shipping information, such as e-wallets


All of these pieces will need to connect seamlessly so that the customer receives the service they expect, while the payment transaction takes place out of sight.


Coming up with compelling ways to engage your customers through contextual commerce will require you to do three things well:


Gain a deeper understanding of your customers. How, when and why do they buy? Now is the time to make investments in ramping up your data and analysis game. Understand their behavior and what else is going on around their transaction with you, and you may see opportunities for partnerships.


Respect customer preferences. Not everyone wants to be presented with buying opportunities everywhere they turn. Businesses will need to be thoughtful to avoid alienating customers with overly intrusive offers, especially as predictive analytics seek to anticipate consumers’ needs. Remember that what’s convenient to one person may be creepy or annoying to another.


Be alert to all contexts – virtual and real-world. Right now, a lot of focus is on connecting on the virtual plane: Businesses are looking for opportunities to sell within online content such as information, entertainment or gaming, as well as within social experiences such as messaging and social networks. Location-aware and augmented reality technologies will open more opportunities for reaching customers in their real-world contexts as well.


It’s an exciting time to be engaging in tech-fueled commerce. As the contextual commerce revolution begins to get into full swing, make a plan to put your business in the game.