has been flinging phishing messages as well as ransomware-laced spam emails at potential victims in massive quantities. The attack campaign involves crypto-locking Locky ransomware. "Beware. Don't fall for this. Locky is horrid," says Alan Woodward, a computer science professor at the University of Surrey. The campaign began Monday, according to cloud-based cybersecurity provider AppRiver, which counted more than 23 million related spam emails having been sent in less than 24 hours. That makes it "one of the largest malware campaigns that we have seen in the latter half of 2017," says Troy Gill, manager of security research for AppRiver, in a blog post. Finnish security firm F-Secure says that the majority of the spam messages that its systems are currently blocking relate to Locky. It notes that some spam contains links to infected sites, while other messages carry malicious attachments. If a system becomes infected with this strain of Locky, crypto-locked files will have the extension ".lukitus" added, which is a Finnish word variously translated by native speakers as "locking" or "locked," according to F-Secure. The Lukitus variant of Locky was first spotted last month. Rommel Joven, a malware researcher with security firm Fortinet, warned that it was being distributed via email attachments as part of a massive spam campaign being run by one of the world's biggest botnets, Necurs, which has historically been the principal outlet for Locky attacks.

Spam Can Carry Locky Attachments

AppRiver says emails related to the new Locky campaign have featured a variety of subject lines, including these words: documents, images, photo, pictures, please print, scans. "Each message comes with a zip attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary zip file," Gill says.
"Once clicked, [the] VBS file initiates a downloader that reaches out to greatesthits[dot]mygoldmusic[dotcom] to pull down the latest Locky ransomware. Locky goes to work encrypting all the files on the target system and appending [.]lukitus to the user's now-encrypted files." The ransomware then drops a ransom note on the victim's desktop. "The victim is instructed to install the Tor browser and is provided an .onion (aka Darkweb) site to process payment of 0.5 bitcoins" (currently worth $2,400), Gill says. "Once the ransom payment is made the attackers promise a redirect to the decryption service." As of Friday, meanwhile, Xavier Mertens, a freelance security consultant and SANS Institute Internet Storm Center contributor based in Belgium, says he's seeing a new wave of malicious spam that uses emails that pretend to carry voice messages. Internet Storm Center reports that some malicious messages tied to Locky are showing fake alerts stating that the HoeflerText font needs to be installed. Not all of the Locky spam emails arrive with malicious attachments; some are designed as phishing attacks that redirect users to real-looking but malicious sites. Peter Kruse, an e-crime specialist at CSIS Security Group in Denmark, says some emails related to this ransomware campaign are skinned to look like they've come from Dropbox. Some will attempt to trick recipients into clicking on a "verify your email" link. Kruse says the attacks are being launched by the group tied to the Affid=3 [aka affiliate ID=3] version of Locky. If victims click on the link, they're redirected to one of a number of websites.
Clicking on a link can result in a zipped attack file being downloaded, per the VBS attack detailed above, according to security researcher JamesWT, a former member of the anti-malware research group Malware Hunter Team. Alternately, clicking on the link may result in the site attempting to execute a malicious JavaScript file that functions as a dropper, meaning it then attempts to download a payload file. In some attacks, this payload file is Locky. But JamesWT tells ISMG that malware from the campaign that he uploaded to the malware-checking service VirusTotal was identified as Shade ransomware.
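Gill's description of the attachment chain (a zip, inside it a second zip, inside that a VBS downloader) is exactly what a mail gateway can check before a user double-clicks anything. The following is an added example, not code from AppRiver, F-Secure or the original article: it walks a zip attachment recursively, flags members whose extension the Windows script host or shell would execute, and builds a constructed stand-in for the campaign attachment to run against. The extension list, the nesting and size limits are chosen here for illustration, and the placeholder script body is inert text, not the real downloader.

```python
import io
import zipfile

# Extensions that Windows executes on double-click via the script host or the shell.
# Chosen for illustration; a real gateway policy would be tuned to the organisation.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".exe", ".scr"}
MAX_DEPTH = 3                        # stop descending past this many nested archives
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # do not inflate members that claim to be larger than this


def _extension(name):
    """Lower-cased final extension of a zip member, so 'IMG_0012.jpg.vbs' -> '.vbs'."""
    base = name.lower().rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def scan_zip_bytes(data, depth=0, path=""):
    """Return human-readable findings for script files in `data`, descending into nested zips.

    An empty list means nothing executable was found at any nesting level.
    """
    findings = []
    if depth > MAX_DEPTH:
        return [f"{path}: archive nested deeper than {MAX_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip at all; nothing to walk
    for info in zf.infolist():
        if info.is_dir():
            continue
        member = f"{path}/{info.filename}" if path else info.filename
        if _extension(info.filename) in SCRIPT_EXTENSIONS:
            findings.append(f"{member}: executable script at depth {depth}")
        if info.file_size > MAX_MEMBER_BYTES:
            findings.append(f"{member}: declared size {info.file_size} exceeds limit, not inflated")
            continue
        inner = zf.read(info)
        # Recurse on anything carrying a local-file-header magic, whatever its name says.
        if inner[:4] == b"PK\x03\x04":
            findings.extend(scan_zip_bytes(inner, depth + 1, member))
    return findings


def is_suspicious_attachment(data):
    """True if any script file is reachable inside the (possibly nested) zip."""
    return bool(scan_zip_bytes(data))


def _zip_of(members):
    """Build an in-memory zip from {name: bytes}. Used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_lukitus_style_attachment():
    """Constructed stand-in for the campaign attachment: zip -> zip -> .vbs.

    The script content is an inert comment, not the downloader the article describes.
    """
    inner = _zip_of({"photo.vbs": b"' placeholder: the real file fetched Locky from a remote host\r\n"})
    return _zip_of({"documents.zip": inner})


def sample_benign_attachment():
    """Constructed attachment with no executable content."""
    return _zip_of({"report.pdf": b"%PDF-1.4 constructed sample\n", "notes.txt": b"hello\n"})


if __name__ == "__main__":
    for finding in scan_zip_bytes(sample_lukitus_style_attachment()):
        print(finding)
```

The recursion keys on the zip magic bytes rather than the member's extension, so a nested archive renamed to `.dat` is still walked; the depth and size caps keep a decoy zip bomb from tying up the scanner.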
Criminals are attempting to trick consumers into handing over passwords and credit card details by taking advantage of the flood of emails being sent out ahead of new European privacy legislation. The European Union's new General Data Protection Regulation (GDPR) comes into force on 25 May, and the policy is designed to give consumers more control over their online data. As a result, in the run-up to it, organisations are sending out messages to customers to gain their consent for remaining on their mailing lists. With so many of these messages being sent out, it was perhaps only a matter of time before opportunistic cybercriminals looked to take advantage of the deluge of messages about GDPR and privacy policies arriving in people's inboxes. A GDPR-related phishing scam uncovered by researchers at cyber security firm Redscan is doing just this in an effort to steal data with emails claiming to be from Airbnb. The attackers appear to be targeting business email addresses, which suggests the messages are sent to addresses scraped from the web. The phishing message addresses the user as an Airbnb host and claims they're not able to accept new bookings or send messages to prospective guests until a new privacy policy is accepted. "This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies, like Airbnb in order to protect European citizens and companies," the message says, and the recipient is urged to click a link to accept the new privacy policy. Those who click the link are asked to enter their personal information, including account credentials and payment card information.
If the user enters these, they're handing the data straight into the hands of criminals who can use it for theft, identity fraud, selling on the dark web and more. "The irony won't be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people's data," said Mark Nicholls, Director of Cyber Security at Redscan. "Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that's clicking a link or divulging personal data. It's a textbook phishing campaign in terms of opportunistic timing and having a believable call to action." Airbnb is sending messages to users about GDPR, but the genuine messages contain far more detail and don't ask users to enter any credentials, merely to agree to the new Terms of Service. While the phishing messages might look legitimate at first glance, it's worth noting they don't use the right domain: the fake messages come from '@mail.airbnb.work' as opposed to '@airbnb.com'. Redscan has warned that attackers are likely to use GDPR as bait for other phishing scams, with messages claiming to be from other well-known companies. "As we get closer to the GDPR implementation deadline, I think we can expect to see a lot more of these types of phishing scams over the next few weeks, that's for sure," said Nicholls, who warned attackers could attempt to use the ploy to deliver malware in future. "In the case of the Airbnb scam email, hackers were attempting to harvest credentials. Attack vectors do vary however and it's possible that other attacks may attempt to infect hosts with keyloggers or ransomware, for example," he said.
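The '@mail.airbnb.work' versus '@airbnb.com' point above is where automated sender checks usually go wrong: a filter that looks for the brand name anywhere in the address will pass 'mail.airbnb.work', 'notairbnb.com' and 'airbnb.com.evil.example' alike. The following is an added example, not code from Redscan, Airbnb or the original article, of a label-aligned domain check that accepts only the brand's registered domain or a true subdomain of it, and that treats any From header invoking the brand from some other domain as a mismatch. The BRAND_DOMAINS allowlist (seeded with the airbnb.com domain the article names) and the sample From headers are constructed for illustration.

```python
from email.utils import parseaddr

# Brands the gateway protects, mapped to the domains the brand genuinely sends from.
# Constructed allowlist for illustration; airbnb.com is the domain the article cites.
BRAND_DOMAINS = {
    "airbnb": {"airbnb.com"},
}


def sender_domain(from_header):
    """Domain of the actual address in a From header, ignoring the display name.

    Returns None when no parseable address is present.
    """
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_in_domain(domain, allowed):
    """True only for `allowed` itself or a label-aligned subdomain of it.

    A bare substring or endswith(allowed) test would also accept 'notairbnb.com'
    and 'airbnb.com.evil.example'; requiring the dot boundary rules those out.
    """
    return domain == allowed or domain.endswith("." + allowed)


def claimed_brands(from_header):
    """Brands invoked anywhere in the header: display name, local part or domain."""
    display, addr = parseaddr(from_header)
    haystack = f"{display} {addr}".lower()
    return {brand for brand in BRAND_DOMAINS if brand in haystack}


def classify_sender(from_header):
    """'legitimate', 'brand-mismatch', 'unbranded' or 'unparseable' for a From header."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unparseable"
    brands = claimed_brands(from_header)
    if not brands:
        return "unbranded"
    for brand in brands:
        if any(is_in_domain(domain, allowed) for allowed in BRAND_DOMAINS[brand]):
            return "legitimate"
    return "brand-mismatch"


# Constructed From headers modelled on the patterns discussed above; the lookalike
# domains are examples, not addresses observed in the campaign.
SAMPLE_HEADERS = [
    "Airbnb <automated@airbnb.com>",
    "Airbnb <no-reply@mail.airbnb.work>",
    "Airbnb <noreply@airbnb.com.evil.example>",
    "Airbnb <alerts@notairbnb.com>",
    "airbnb.com@evil.example",
    "Airbnb Hosts <alerts@mail.airbnb.com>",
    "Jane Doe <jane@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):15} {header}")
```

Note that this only checks what the header claims; whether the sending host was actually authorised for the domain is what SPF, DKIM and DMARC establish, and a gateway should treat this check as a complement to those results, not a replacement.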
Airbnb said those behind the attacks haven't accessed user details in order to send the emails, and that users who receive a suspicious message claiming to be from Airbnb should send it to its safety team. "These emails are a brazen attempt at using our trusted brand to try and steal users' details, and have nothing to do with Airbnb. We'd encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on report.phishing@airbnb.com, who will fully investigate," an Airbnb spokesperson told ZDNet. Airbnb also provided information on how to spot a fake email to help users determine whether a message is genuine or not.
The Foreign Office has faced a sustained onslaught by cyberattackers believed to be linked to Russia. It was among a string of military and government targets in Europe which were hit last year by a campaign of “spear-phishing”. The hackers’ method, in which messages appear to come from a trusted source but are infected with malware, was relatively sophisticated. Sources said that the people behind the attack, Callisto Group, were probably linked to Russia, although that could not be proved. The BBC reported that the Foreign Office was among the targets and that the attack began in April last year. It is understood that it was not considered a high-level attack and that sensitive information was not kept on the systems that were targeted.
The Google Doc phishing scam that conned over a million users this week illustrates how attackers cleverly respond to more widespread end-user awareness of how phishing attacks work. The attack didn't ask users to enter credentials. Instead, it exhibited very few traditional phishing scam behaviors and couldn't have been detected by endpoint protections. Some researchers are calling this attack a "game changer" that could be just the start of a new wave of attacks that take advantage of the third-party authentication connections rampant in the cloud services-based economy. The attack tricked victims into clicking a link that gave attackers access to their Google Drive through the OAuth authentication connections commonly used by third-party applications. The attackers did so by sending victims lure messages claiming to contain links to a shared Google Doc. Instead of a legitimate document, the link actually initiates a process to give a phony app masquerading as "Google Docs" access to the user's Google account. If the user is already logged into Google, the connection routes that app into an OAuth permissions page asking the user to "Allow" access to the user's legitimate Google Drive. "You aren't giving your Google credentials directly to the attacker. Rather, OAuth gives the attacker permissions to act on behalf of your account. You're on the real Google permissions page. OAuth is a legitimate way to give third-party applications access to your account. The application name is 'Google Docs,' which is fake but convincing," says Jordan Wright, R&D engineer for Duo Security. "So unless you know that Google Docs won't ask for your permissions, there is little you could use to determine that this was fake."

The lure emails appear to come from Google Drive from a previous victim, making it difficult to detect as a fakeout, says Travis Smith, senior security researcher at Tripwire. "Not only does this have a casual appearance of being legitimate, by being part of the official marketplace the link in the email went back directly to legitimate Google servers," says Smith. "For those that are trained to validate the link before clicking on it, this passes two of the common techniques the majority of internet users are trained in so as to not click on every link they come across: 'Does it come from someone you trust, and validate the link is going to a trusted source?'" The only big tip-off is that many of the messages seem to have a suspicious account, hhhhhhhhhhhhhhhh@mailinator.com, cc'd on the message, says John Bambenek, threat research manager at Fidelis Cybersecurity. He says the attack shows the glaring problem with OAuth, namely that it allows passive authentication. Netskope's analysis found that a number of enterprise users across various industries ended up falling prey to this attack. Google worked to quickly block the attack, but there was a window of opportunity in the time between compromise and mitigation where emails, contacts, attachments and whatever else on a Google account could have been purloined, he warns. "If an enterprise has identified that their users have granted access to the app in this attack, we recommend they conduct a full audit of the activities that were performed in Google Gmail after the permissions were granted to the app," Balupari writes.
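The recommendation to audit activity after the grant presumes you can first find which users granted it and when. The block below is an added example, not code from Netskope, Duo, Google or the original article: it triages a constructed export of OAuth grants, flags apps whose display name impersonates a first-party product while their client ID is not first-party, folds Unicode padding tricks in the name so "Google\u200b Docs" is caught, and returns the timestamp from which each affected user's activity should be reviewed. The record layout, the client IDs and the FIRST_PARTY_CLIENT_IDS list are hypothetical; the scope strings follow Google's scope URL format, but which scopes the real app requested is not stated in the article.

```python
import unicodedata

# Client IDs the organisation has confirmed belong to the identity provider's own products.
# Hypothetical value; a real deployment would populate this from the provider's records.
FIRST_PARTY_CLIENT_IDS = {"first-party-docs-client-0001"}

# Product names a third-party app must never present as its own.
PROTECTED_NAMES = {"google docs", "google drive", "gmail", "google"}

# Scopes that let a token read mail, contacts or files; any one of these turns an
# impersonating grant into a data-theft capability. Illustrative selection.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/drive",
}


def normalise_name(name):
    """Fold case, Unicode compatibility forms and zero-width padding.

    'Google\u200b Docs' and fullwidth 'Ｇｏｏｇｌｅ Ｄｏｃｓ' both compare equal to 'google docs'.
    """
    folded = unicodedata.normalize("NFKC", name)
    folded = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    return " ".join(folded.lower().split())


def triage_grants(grants):
    """One finding per grant whose app name impersonates a protected product.

    Each finding carries the user, the offending client ID, the intersecting high-risk
    scopes and `audit_from`, the grant time from which account activity should be reviewed.
    """
    findings = []
    for grant in grants:
        if normalise_name(grant["app_name"]) not in PROTECTED_NAMES:
            continue
        if grant["client_id"] in FIRST_PARTY_CLIENT_IDS:
            continue  # the genuine product using its own name
        risky = sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)
        findings.append({
            "user": grant["user"],
            "client_id": grant["client_id"],
            "audit_from": grant["granted_at"],
            "high_risk_scopes": risky,
            "severity": "high" if risky else "medium",
        })
    return findings


def users_to_audit(grants):
    """Map each affected user to the earliest grant time that needs auditing."""
    start = {}
    for finding in triage_grants(grants):
        user = finding["user"]
        start[user] = min(start.get(user, finding["audit_from"]), finding["audit_from"])
    return start


# Constructed grant export; record layout and identifiers are hypothetical.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app_name": "Google Docs",
     "client_id": "first-party-docs-client-0001",
     "scopes": ["https://www.googleapis.com/auth/drive.file"],
     "granted_at": "2017-05-03T14:02:11Z"},
    {"user": "bob@example.com", "app_name": "Google\u200b Docs",
     "client_id": "third-party-client-9f2a",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"],
     "granted_at": "2017-05-03T19:41:09Z"},
    {"user": "carol@example.com", "app_name": "Expense Tracker",
     "client_id": "third-party-client-77c1",
     "scopes": ["https://www.googleapis.com/auth/drive"],
     "granted_at": "2017-04-28T09:00:00Z"},
]

if __name__ == "__main__":
    for user, since in users_to_audit(SAMPLE_GRANTS).items():
        print(f"audit {user} from {since}")
```

Revoking the token stops future access but does not undo what was already read or sent, which is why the output is an audit start time rather than just a list of tokens to revoke.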
In a new blog post, researchers from Proofpoint have tracked a phishing campaign leveraging the concept of “Twitter Brand Verification”. Because the actors in this case are relying on paid, targeted ads on Twitter, users don’t need to do anything to see the phishing link. Attackers are increasing the sophistication of social engineering approaches and extending them across social channels. Users and brands need to be increasingly savvy to avoid getting snared by ads, accounts, and messages that initially look legitimate. While this attack was observed on Twitter, such a scam could be implemented on any social media platform that implements some form of account verification. The full blog post can be found here; however, key takeaways include:

“Verified accounts” are a powerful tool on Twitter to help brands differentiate themselves from fraudulent, impersonation, and parody accounts on the social media site. When an account is officially verified, it displays a special badge intended to reassure Twitter users that they are interacting with a genuine brand and not an impostor. Recently, however, threat actors have been using the promise of verified accounts to lure users into a credit card phishing scheme. Account verification is a process that Twitter manages for “accounts of public interest” and requires brands to go through multiple verification steps. The promise, then, of a quick verification process is attractive, especially to smaller businesses that potentially lack the resources to meet Twitter’s requirements for account verification. In this phishing attack, discovered by Proofpoint researchers in December, attackers place legitimate ads targeting brand managers and influencers with a link to a phishing site purporting to offer account verification. The ads themselves come from an account that mimics the official Twitter support account, @support. The fraudulent account, @SupportForAll6, uses Twitter branding, logos, colors, etc., to increase the sense of authenticity, despite a very low number of followers and a suspect name.