this year used decoy documents with official-looking government logos to lure unsuspecting users from targeted organizations to download infected documents and compromise their computer networks. Documents pretending to be from the U.S. National Security Agency, Iraqi intelligence, Russian security firm Kaspersky and the Kurdistan regional government were among those used to trick victims, Unit 42 said in a blog post (goo.gl/SvwrXv). The Unit 42 researchers said the attacks had targeted organizations in Saudi Arabia, Iraq, the United Arab Emirates, Turkey and Israel, as well as entities outside the Middle East in Georgia, India, Pakistan and the United States. The Saudi security agency said in its own statement that the attacks sought to steal data from computers using email phishing techniques targeting the credentials of specific users. The NCSC said they also comprised so-called “watering hole” attacks, which seek to trick users into clicking on infected web links to seize control of their machines. The technical indicators supplied by Unit 42 are the same as those described by the NCSC as being involved in attacks against Saudi Arabia. The NCSC said the attacks appeared to be by an “advanced persistent threat” (APT) group - cyber jargon typically used to describe state-backed espionage. Saudi Arabia has been the target of frequent cyber attacks, including the “Shamoon” virus, which cripples computers by wiping their disks and has hit both government ministries and petrochemical firms. Saudi Aramco, the world’s largest oil company, was hit by an early version of the “Shamoon” virus in 2012, in the country’s worst cyber attack to date. The NCSC declined further comment on the source of the attack or on which organizations or agencies were targeted.
Unit 42 said it was unable to identify the attack group or its aims and did not have enough data to conclude that the MuddyWater group was behind the Saudi attacks as outlined by NCSC. “We cannot confirm that the NCSC posting and our MuddyWater research are in fact related,” Christopher Budd, a Unit 42 manager, told Reuters. “There’s just not enough information to make that connection with an appropriate level of certainty.” Palo Alto Networks said the files it had uncovered were almost identical to information-stealing documents disguised as Microsoft Word files and found to be targeting the Saudi government by security firm MalwareBytes in a September report.
Facebook users have noticed and reported a new scam making the rounds on the popular network. [1] This time, it is the same old Facebook Messenger virus that compromises user accounts and acts on behalf of the victim to distribute the malicious link further. The scam uses a basic social engineering technique that lures the potential target into clicking on the provided URL. In addition, the victim feels safe since the link comes from one of their Facebook friends. The message usually includes a short line that looks similar to “its you? [name] :|”. The emoji at the end of the message differs, and the provided link is shortened; therefore the user cannot figure out where it leads. However, the shortcut indicates that the link leads to a mysterious video and triggers the victim’s curiosity to check it out.

Typical strategy: Install something to watch the video

Cybersecurity experts are already familiar with the technique used to trick questioning users into installing the Facebook Message Video virus. As soon as the victim clicks the compromised link and enters the phishing website (which apparently is designed to look like YouTube or another popular video sharing platform), a misleading pop-up appears, asking the victim to install an update or an application (it could be a fake Adobe Flash Player or a plug-in). The file suggested to the user contains no software related to video streaming and simply carries the malicious payload that later compromises the victim’s account and sends out the deceptive messages to all of the victim’s contacts. Speaking of fake Adobe Flash Players, we want to inform you that these are among the most dangerous threats to your security. One of the latest cyber attacks was based on fake pop-ups appearing on compromised sites, urging people to install an updated Flash Player.
Unfortunately, launching the install_flash_player.exe file only infected the computer with Bad Rabbit ransomware.
Cybercriminals are finding it more difficult to maintain the malicious URLs and deceptive domains used for phishing attacks for more than a few hours because action is being taken to remove them from the internet much more quickly. That doesn't mean that phishing -- one of the most common means of performing cyber-attacks -- is any less dangerous, but a faster approach to dealing with the issue is starting to hinder attacks. Deceptive domain names look like those of authentic services, so that somebody who clicks on a malicious link may not realise they aren't visiting the real website of the organisation being spoofed. One of the most common agencies to be imitated by cyber-attackers around the world is that of government tax collectors. The idea behind such attacks is that people will be tricked into believing they are owed money by emails claiming to be from the taxman. However, no payment ever comes, and if a victim falls for such an attack, they're only going to lose money when their bank details are stolen, and they can even have their personal information compromised. In order to combat phishing and other forms of cyber-attack, the UK's National Cyber Crime Centre -- the internet security arm of GCHQ -- launched what it called the Active Cyber Defence programme a year ago. It appears to have had some success in its first 12 months because, despite a rise in registered fraudulent domains, the lifespan of a phishing URL has been reduced and the share of global phishing attacks being carried out by UK-hosted sites has declined from five percent to three percent. The figures are laid out in a new NCSC report: Active Cyber Defence - One Year On.
During that time, 121,479 phishing sites hosted in the UK, and 18,067 worldwide spoofing UK government, were taken down, with many of them purporting to be HMRC and linked to phishing emails in the form of tax refund scams. An active approach to dealing with phishing domains has also led to a reduction in the amount of time these sites are active, potentially limiting cybercriminal campaigns before they can gain any real traction. Prior to the launch of the program, the average time a phishing website spoofing a UK government website remained active was 42 hours -- or almost two days. Now, with an approach designed around looking for domains and taking them down, that's dropped to ten hours, leaving a much smaller window for attacks to be effective. However, while this does mean there's less time for the attackers to steal information or finances, it doesn't mean that they're not successful in carrying out attacks. The increased number of registered domains for carrying out phishing attacks shows that crooks are happy to work a little bit harder in order to reap the rewards of campaigns -- and the NCSC isn't under any illusion that the job of protecting internet users is anywhere near complete. "The ACD programme intends to increase our cyber adversaries' risk and reduce their return on investment to protect the majority of people in the UK from cyber attacks," said Dr Ian Levy, technical director of the NCSC. "The results we have published today are positive, but there is a lot more work to be done. The successes we have had in our first year will cause attackers to change their behaviour and we will need to adapt."
A focus on taking down HMRC and other government-related domains has helped UK internet users, but cyber-attacks aren't limited by borders, with many malicious IPs hosted in practically every country used to carry out cyber-attacks around the world -- meaning every country should be playing a part. "Obviously, phishing and web-inject attacks are not connected to the UK's IP space and most campaigns of these types are hosted elsewhere. There needs to be concerted international effort to have a real effect on the security of users," says the report.
Since last year’s revelation that attackers have compromised SWIFT software of Bangladesh’s central bank and used it to perform fraudulent transfers worth tens of millions, news about similar attacks – both successful and not – has become a regular occurrence. Attackers usually use banks’ compromised SWIFT system to send information about fraudulent financial transactions, but in attacks aimed at three government-owned banks in India, they chose to create fake trade documents such as letters of credit and guarantees. A letter of credit allows the sellers to be sure that they will get paid once they prove that the sold goods have been provided, as the buyer’s bank – the institution that issued the letter of credit – is obliged to release the money, even if the buyer is unable to make payment. Bank guarantees are documents that guarantee that the bank will release an agreed-upon sum either to the seller or the buyer in case the other party ultimately can’t provide the goods or the cash. A source close to the investigation told Economic Times that there have been no monetary losses or ransom demands as of yet. He or she posits that the hackers were planning to use the forged documents to get cash from offshore banks or carry out trade of prohibited or illegal commodities. It’s still unknown how the compromises were effected, and it’s possible that other Indian banks have been hit as well. The Reserve Bank of India has been notified of the breaches, and it has directed several banks to check whether the trade documents they sent via SWIFT have a match in their core banking system.
For all the sophisticated tactics, techniques, and procedures employed by threat actors these days, phishing continued to be the top attack vector in 2016, as it has been for some time. The big difference was that instead of targeting financial services companies, phishers increasingly targeted cloud storage service providers like Google and Dropbox, security vendor PhishLabs said in a voluminous report on phishing trends released this week. Compared to 2013, when barely 10% of phishing attacks targeted cloud storage services, about 22.5% of phishing attacks last year involved such companies. That was just barely below the 23% of phishing scams involving financial brands, the company noted. What that means is that users are likely going to get more phishing emails this year trying to get them to part with their cloud storage credentials. "Over the last four years, the number of phishing attacks targeting cloud storage services has skyrocketed," says Crane Hassold, senior security threat researcher at PhishLabs. "Based on recent trends, it is likely that phishing attacks targeting cloud storage services will overtake financial institutions as the top target for phishers in 2017." So far at least, almost all phishing attacks impacting this industry have involved only Google and Dropbox. Many of the phishing campaigns targeting cloud storage providers contain lures saying that a document or picture has been shared with the victim and encourage them to sign in to their account in order to view it. A majority of the phishing pages involved in such campaigns have really been poor duplicates of the pages used by Google, Dropbox, and other legitimate sites.
Even so, "based on the growing popularity of these types of attacks, phishers must still be having success compromising victims even with this lack of authenticity," Hassold says. The PhishLabs report is based on an analysis of some one million confirmed phishing sites spread across more than 170,000 unique domains, and also on the company’s handling of more than 7,800 phishing attacks per month in 2016. The analysis showed an alarming increase across the board in phishing-related activities. The number of phishing sites in 2016, for instance, was 23% higher than the year before, while the volume of phishing emails grew by an average of 33% across financial services, cloud storage/file hosting, webmail/online, payment services, and ecommerce sites. PhishLabs identified a total of 976 brands belonging to 568 organizations that cybercriminals used in phishing campaigns last year. The kind of data that phishers went after also broadened considerably last year. In addition to account credentials and personal data, phishers also used their phishing lures to try and snag financial, employment, and account security data like answers to challenge/response questions and mother’s maiden name.

Ransomware's Best Friend

In 2016, phishing also continued to be by far the most prevalent method for delivering ransomware on everything from end user systems to systems belonging to businesses, government agencies, schools, and critical infrastructure targets. The use of email as an authentication measure made it easier for phishers to mass harvest credentials for all email services on a single phishing site, instead of having to target email providers individually, Hassold says.
"Additionally, because a growing number of Web services are using email as a primary credential, phishers are able to multiply their profits by conducting password reuse attacks against these unsuspecting targets," he says. The easy availability of phish kits, or ready-to-use templates for creating working phishing sites, contributed to the problem. Many of these kits included sophisticated anti-detection mechanisms. Mechanisms included access control measures based on IP address, HTTP referrer, and hostname, whitelists, and blocklists. "The big takeaway is that we’ve created ideal conditions for the mass harvesting of credentials via phishing attacks," Hassold notes. Unlike in the past where phishers were focused on immediate gains—by going after and selling access to financial accounts for instance—they are now trying to maximize the information they can compromise with the least effort.
Qatar is set to host the 2022 FIFA Soccer World Cup, and to do so, the country must build a number of stadiums. Additionally, Qatar's economy is also in full bloom, and many companies taking advantage of local tax-free zones are also driving a real-estate boom, with tens of buildings being built every year. At the heart of Qatar's roaring construction sector are migrant workers, usually from East-Asian countries, such as India, Bangladesh, and most often Nepal. Loopholes in local legislation allow employers to withhold passports and force employees to work under appalling conditions, facing steep penalties, and even jail time if they try to leave the country before their contract expires. These conditions have attracted the attention of many activists, organizations, and journalists, who have published damning reports, even going as far as asking FIFA to revoke the rights to hold the 2022 World Cup until Qatar revises its labour laws. Claudio Guarnieri, a security researcher working for Amnesty International, has published a report today that reveals how an unknown person or group has created a fake persona named Saleena Malik, which they used to get close to journalists and activists. The primary goal was to become friends with potential victims, and after months of having private conversations, lure the target into accessing a phishing page disguised as a Google login, and collect their credentials. Malik's phishing attacks didn't happen right away, but always after the victim had time to get acquainted with her fake persona. In most cases, Malik posed as a person with similar interests in activism and Qatar's migrant labor laws. After months of private conversations via email, LinkedIn and/or Facebook, Malik would eventually invite a target to access a document or connect via Google Hangouts.
In all cases, before accessing Malik's documents or Google Hangouts, the victim would first be prompted by a fake login page that collected their credentials. Guarnieri, who was alerted to Malik's actions by one of the targeted journalists, was able to identify where these phishing pages were hosted and where they sent data for storage. This is how the researcher tracked down at least 30 other victims of Malik's expert phishing attacks. Additionally, with collaboration from victims, Guarnieri was also able to discover that the people behind the Malik persona had also accessed some of the phished Gmail accounts. The intruder's IP address belonged to a local Qatar Internet service provider. What the researcher wasn't able to find was who was behind the attacks. His guesses include the government of Qatar, another government wanting to make Qatar look bad, or a contractor hired by one of the construction firms or a government agency. In a statement for Amnesty International, a spokesperson for the government of Qatar denied any involvement. This particular set of attacks shows a deep knowledge of social engineering, and especially phishing tactics. Whoever was behind this campaign had the knowledge, skills and patience to wait for the seeds they planted to bear fruit many months later.
Researchers identified over 70 organizations targeted in these attacks, with most located in Ukraine, and especially in the self-declared separatist states of Donetsk and Luhansk, near the Russian border. The target list includes editors of Ukrainian newspapers; a scientific research institute; a company that designs remote monitoring systems for oil & gas pipeline infrastructures; an international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in Ukraine; and an engineering company that designs electrical substations, gas distribution pipelines, and water supply plants; among many others. According to CyberX security experts, attacks are mostly driven by spear-phishing emails that spread Word documents that contain malicious macros. Attacks lure victims into allowing the macros in these documents to execute by telling them the document was created in a newer version of Word, and enabling macros allows them to view their content. Enabling macros downloads several malware families in multiple stages. The downloaded malware doesn't include destructive features and uses several mechanisms to remain hidden, an important clue pointing to the fact its authors are using it for reconnaissance only. Using Dropbox instead of a custom web server for collecting data is yet another sign that hackers are trying to stay hidden as long as possible. This is because it would be much easier to detect malicious traffic sent to a remote web server compared to Dropbox, an application whitelisted by firewalls and other security products. CyberX researchers named this particular campaign BugDrop because crooks used the PC's microphone to bug victims, and Dropbox to exfiltrate data.
After they analyzed the malware deployed in this campaign, CyberX security experts claim the malware and techniques used in the BugDrop operation are similar to Groundbait, another cyber-espionage campaign discovered in May 2016 by ESET researchers.
In this campaign, hackers are distributing the malware through 2 files, namely “NDA-ranked-8th-toughest-College-in-the-world-to-get-into.xls” and “NIA-selection-order-.xls” respectively. These files are being circulated via WhatsApp in the form of authentic Word files, obtaining sensitive information from users, which includes online banking credentials, PIN codes and similar details. According to IBTimes, Android users in India are the key targets of this new WhatsApp scam. However, there isn’t any particular operating system that is being cited as the most affected one. It is worth noting that these sorts of malware campaigns are usually designed to work on Google’s operating system instead of iOS. The reason why Indian Android OS users are frequently being targeted by hackers in such campaigns is that the Indian market is very popular for low-cost, cheap Android smartphones that run on older versions of the Android OS. Hackers are attacking two key organizations in India to compel users to click on the Word documents attached in the malicious WhatsApp message. This message has the names of two major organizations of India, namely National Defense Academy/NDA and National Investigation Academy/NIA. These files are mainly in Excel format, but versions of these files in Word and PDF formats have also been identified. Authorities in India have already issued security alerts to the concerned authorities since it is being speculated that this new campaign attacks law enforcement authorities and military personnel in the majority. “It has been analyzed that the men and women in defense, paramilitary and police forces could be the target groups,” believe security officials in India.
According to the Economic Times, the NIA and NDA are very popular organizations in India as well as abroad; there is a high level of curiosity about the way these organizations function among the masses, which is why people are so interested in opening the infected attachments on WhatsApp. At the moment it isn’t clear what else this malware does when the files are opened and if WhatsApp has taken any action in this regard to prevent users from getting affected.