from Vodafone. The cybercriminals are up to their old tricks even in the new year. An email pretending to be from Vodafone has been spamming Irish mailboxes with a phishing attempt. The email reads:

Dear Valued Customer, Just a quick reminder that you need to pay for your Vodafone service. Pay now to avoid service restriction or suspension. Your monthly bill for NETVIGATOR service has been issued. We have proceeded autopay payment according to your credit card information. However, such autopay payment is not successful. Your account is now overdue, so unless you’ve already paid in the last few days here’s what you need to do next. To check the total amount owing, please visit MyAccount. To avoid suspension of service, please settle the above amount before 04 Jan 2017. Log In To MyAccount https://www.vodafone.ie/myv/services/Process For details regarding the payment rejection, please contact your bank directly. It’s important that you make full payment of the outstanding amount to avoid restriction or suspension of your service. Please remember that if we suspend your service you’ll need to pay a reconnection fee. We’ll also apply all regular service charges until your service is cancelled. To help you manage your services, a number of online tools are available. You can pay your bill and track your usage through MyAccount and our 24×7 App.

While the email is made to look very convincing, with all the Vodafone logos and overall appearance, all the links in the email lead to a fake website, registered in Mexico, which tries to trick the user into submitting their account info and payment details. Two tells survive the template: the body refers to a NETVIGATOR service rather than a Vodafone one, and the vodafone.ie address shown in the message is only the visible link text, not where the link actually goes. If you have received such an email, flag it as spam and delete it. Do not click any of the links in it.
Do you trust your tax preparer not to fall for this simple phishing scam? The Internal Revenue Service is warning tax preparers about a new scam designed to steal their usernames and passwords. The hacker’s goal is to break into the preparer’s computer system and steal client information. The IRS advises that the bogus email appears to come from the recipient’s software provider and typically has a subject line that reads something like “Software Support Update” or “Important Software System Upgrade.” The message tells the preparer they need to revalidate their login credentials and provides a link to a “fictitious website that mirrors the software provider’s actual login page,” according to an IRS bulletin issued last month. “Instead of upgrading software, the tax professionals are providing their information to cybercriminals who use the stolen credentials to access the preparers’ accounts and to steal client information.” This phishing attack was cleverly timed to launch at the time of year when many software providers release upgrades to professional preparers. It’s also a busy time for preparers who are working to meet the Oct. 15 deadline for clients who filed for extensions. “This sophisticated scam yet again displays cybercriminals’ tax savvy and underscores the need for tax professionals to take strong security measures to protect their clients and protect their business,” the IRS alert said. Mike Wyatt, a threat researcher with RiskIQ, a digital threat management firm, told NBC News he’s not surprised to see this current attack. Getting people to click on malicious links requires social engineering, and launching a phishing campaign tied to calendar events can be a successful tactic.
“Cybercriminals very often leverage holidays, events and other important dates in their threat campaigns, so it makes perfect sense that a group is capitalizing on the extended tax deadlines coming up,” he said. The IRS said it had received reports of “multiple takeover incidents” in the past year in which the criminals accessed client tax returns, completed those returns, e-filed them and secretly directed refunds to their own accounts. The phishing emails that made these takeovers possible “can look convincing, appearing to originate from IRS e-Services,” the IRS warned. They have subject lines designed to get a quick response, such as “Account Closure Now,” “Avoid Account Shutdown,” or “Unlock Your Account Now.” IRS screen captures show that the fake login pages created by the crooks look just like those on the real IRS site. “We urge tax professionals to be on the lookout for the warning signs of these schemes and many others that can contribute to data loss and identity theft,” IRS Commissioner John Koskinen said in a statement. “A few simple steps can protect tax professionals as well as their clients.”
As many attest, they just won’t leave TalkTalk customers alone, cold-calling them on a scale the BBC recently described as “industrial”. The caller claims to be a TalkTalk engineer who has detected a router or malware issue on the user’s computer that requires immediate intervention. The customer is persuaded to turn on their computer and run the Windows Event Viewer to perform bogus diagnostics (the routine warnings and errors that any Windows machine logs are presented as proof of infection) before being asked to install one of a range of remote desktop support tools. This type of application gives the scammers complete remote control over the victim’s PC, at which point they are free to steal data, install malware and, in some cases, engineer the user into logging into online banking or transferring money. A popular choice with the fraudsters since at least 2015 has been TeamViewer, so much so that on March 8 TalkTalk abruptly started blocking the application from functioning on its network in a desperate effort to stem a tide of abuse customers had started complaining about. The TeamViewer block was removed on Thursday after complaints by the company, but that didn’t stop TalkTalk from quietly blocking equivalents such as AnyDesk, whose users started noticing unexpected connection issues around the same time. Tech support fraud carried out by phone (a form of “vishing”, or voice phishing) has been around for years, so is there much new to be worried about here? The unsettling aspect of the TalkTalk attacks is that the fraudsters allegedly had access to stolen customer data, which meant they immediately sounded more convincing to their victims. If confirmed, this means that fraudsters have been able to combine old-fashioned tech support social engineering with data-breach cybercrime to create something novel and perhaps unstoppable. It also seems to be easy to abuse remote support applications, which have flourished on the back of untraceable freemium accounts.
It’s not clear how these companies detect misuse, but clearly more needs to be done.
Researchers said good social engineering and users’ trust in the convenience afforded by the OAuth mechanism guaranteed Wednesday’s Google Docs phishing attacks would spread quickly. Google said that up to 1 million Gmail users were victimized by yesterday’s Google Docs phishing scam, which spread quickly for a short period of time. In a statement, Google said that fewer than 0.1 percent of Gmail users were affected; as of last February, Google said it had one billion active Gmail users. Google took measures to protect its users by disabling offending accounts and removing phony pages and malicious applications involved in the attacks. Other security measures were pushed out in updates to Gmail, Safe Browsing and other in-house systems. “We were able to stop the campaign within approximately one hour,” a Google spokesperson said in a statement. “While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event.” The messages were a convincing mix of social engineering and abuse of users’ trust in the convenience of mechanisms that share account access with third parties. Many of the phishing messages came from contacts known to the victims, since part of the attack involved gaining access to contact lists. The messages claimed that someone wanted to share a Google Doc with the victim; once the “Open in Docs” button in the email is clicked, the victim is sent to a legitimate Google OAuth consent screen, where the attacker’s application, named “Google Docs”, asks for access to the victim’s Gmail and contacts through Google’s OAuth 2.0 implementation.
While the ruse was convincing in its simplicity, there were a number of red flags, including the fact that a supposed Google service was asking for access to Gmail through the third-party consent screen, and that the “To” address field contained an odd Mailinator account. Google also quickly updated Safe Browsing and Gmail with warnings about the phishing emails and their attempts to steal personal information. The phishing emails spread quickly on Wednesday and likely started with journalists and public relations professionals, each of whom tends to have a lengthy contact list, ensuring the messages would continue to spread in an old-school, worm-like fashion. OAuth’s open nature allows anyone to develop similar apps. The nature of the standard and the interaction involved make it difficult to safely ask for permission without giving users a lot of information to validate whether an app is malicious, said Duo’s Sokley. “There are many pitfalls in implementing OAuth 2.0, for example cross site request forgery protection (XSRF). Imagine if the user doesn’t have to click on the approve button, but if the exploit would have done this for you,” said SANS’ Ullrich. “OAuth 2.0 also inherits all the security issues that come with running anything in a web browser. A user may have multiple windows open at a time, the URL bar isn’t always very visible and browsers give applications a lot of leeway in styling the user interface to confuse the user.”
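The cross-site request forgery pitfall Ullrich mentions is, on the client side, the one RFC 6749 addresses with the `state` parameter: a client that accepts any callback carrying an authorization code can be made to bind an attacker’s authorization to the victim’s session. The following is an added example, not code from Google or from anyone quoted above; the authorization endpoint, client ID, redirect URI and authorization codes are constructed placeholders, and it shows the vulnerable callback handler next to the one that binds and consumes a per-session `state`.

```python
"""OAuth 2.0 authorization-code flow with and without the `state` binding
that RFC 6749 prescribes against CSRF on the client's redirect endpoint.
Added example; endpoint, client ID, redirect URI and codes are constructed."""
import hmac
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://authz.example.test/oauth2/auth"  # assumed
CLIENT_ID = "example-client-id"                                # assumed
REDIRECT_URI = "https://client.example.test/oauth/callback"    # assumed


def build_authorize_url(session: Dict[str, str], scopes: List[str]) -> str:
    """Begin the flow: mint an unguessable `state`, bind it to this browser
    session, and carry it in the request to the authorization server."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def _query(url: str) -> Dict[str, str]:
    """First value of each query parameter."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback_unsafe(session: Dict[str, str], callback_url: str) -> Optional[str]:
    """Pitfall: accepts any callback that carries a code. An attacker who holds
    a code for their own account can make the victim's browser load this URL
    (an <img>, a redirect, a link) and the client exchanges the attacker's
    code inside the victim's session."""
    return _query(callback_url).get("code")


def handle_callback(session: Dict[str, str], callback_url: str) -> Optional[str]:
    """Hardened: the callback must present exactly the `state` minted for this
    session. The stored value is consumed on first use, so a replayed or
    forged callback fails even if it arrives after a genuine one."""
    expected = session.pop("oauth_state", None)
    presented = _query(callback_url).get("state")
    if not expected or not presented:
        return None
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    return _query(callback_url).get("code")


def forged_callback_demo() -> Tuple[Optional[str], Optional[str]]:
    """A victim with a pending flow receives a callback forged by the attacker.
    Returns (code accepted by unsafe handler, code accepted by hardened one)."""
    victim_session: Dict[str, str] = {}
    build_authorize_url(victim_session, ["email"])  # victim started a flow
    forged = f"{REDIRECT_URI}?{urlencode({'code': 'ATTACKER-CODE', 'state': 'guess'})}"
    return (
        handle_callback_unsafe(dict(victim_session), forged),
        handle_callback(dict(victim_session), forged),
    )


def legitimate_callback_demo() -> Tuple[Optional[str], bool]:
    """The genuine round trip: the server echoes the state it was given.
    Returns (accepted code, whether the state is still stored afterwards)."""
    session: Dict[str, str] = {}
    state = _query(build_authorize_url(session, ["email"]))["state"]
    genuine = f"{REDIRECT_URI}?{urlencode({'code': 'GENUINE-CODE', 'state': state})}"
    code = handle_callback(session, genuine)
    return code, "oauth_state" in session


if __name__ == "__main__":
    print("forged callback:", forged_callback_demo())       # ('ATTACKER-CODE', None)
    print("genuine callback:", legitimate_callback_demo())  # ('GENUINE-CODE', False)
```

The `state` value only defends the client’s own redirect endpoint; it does nothing against a user who genuinely clicks “Allow” on a consent screen for a misnamed app, which is what the Google Docs campaign relied on.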
The Google Docs phishing scam that conned over a million users this week illustrates how attackers cleverly respond to wider end-user awareness of how phishing attacks work. The attack didn’t ask users to enter credentials. Instead, it exhibited very few traditional phishing behaviors and couldn’t have been detected by endpoint protections. Some researchers are calling this attack a “game changer” that could be just the start of a new wave of attacks that take advantage of the third-party authorization connections rampant in the cloud services-based economy. The attack tricked victims into clicking a link that gave attackers access to their Google Drive through the OAuth authorization connections commonly used by third-party applications. The attackers did so by sending victims lure messages claiming to contain links to a shared Google Doc. Instead of a legitimate document, the link actually initiates a process to give a phony app masquerading as “Google Docs” access to the user’s Google account. If the user is already logged into Google, the connection routes that app into an OAuth permissions page asking the user to “Allow” access to the user’s legitimate Google Drive. “You aren’t giving your Google credentials directly to the attacker. Rather, OAuth gives the attacker permissions to act on behalf of your account. You’re on the real Google permissions page. OAuth is a legitimate way to give third-party applications access to your account. The application name is ‘Google Docs,’ which is fake but convincing,” says Jordan Wright, R&D engineer for Duo Security. “So unless you know that Google Docs won’t ask for your permissions, there is little you could use to determine that this was fake.”
The lure emails appear to come from Google Drive, sent from a previous victim’s account, making them difficult to detect as a fakeout, says Travis Smith, senior security researcher at Tripwire. “Not only does this have a casual appearance of being legitimate, by being part of the official marketplace the link in the email went back directly to legitimate Google servers,” says Smith. “For those that are trained to validate the link before clicking on it, this passes two of the common techniques the majority of internet users are trained on to not click on every link they come across: ‘Does it come from someone you trust, and validate the link is going to a trusted source?’” The only big tip-off is that many of the messages seem to have a suspicious account, hhhhhhhhhhhhhhhh@mailinator.com, cc’d on the message, says John Bambenek, threat research manager at Fidelis Cybersecurity. He says the attack shows the glaring problem with OAuth, namely that it allows passive authentication. Netskope’s analysis found that a number of enterprise users across various industries ended up falling prey to this attack. Google worked to quickly block the attack, but there was a window of opportunity between compromise and mitigation in which emails, contacts, attachments and whatever else is on a Google account could have been purloined, it warns. “If an enterprise has identified that their users have granted access to the app in this attack, we recommend they conduct a full audit of the activities that were performed in Google Gmail after the permissions were granted to the app,” writes Netskope’s Balupari.
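The mechanism described across these reports leaves two things a defender can actually inspect: the lure message itself (a throwaway Mailinator address in To/Cc, the real targets hidden in Bcc) and the grant records for the app that users authorized, which is what the Netskope recommendation above asks enterprises to find before auditing Gmail activity. The following is an added example, not code from Google or from Duo, Tripwire, Fidelis or Netskope; the sample messages, client IDs and grant records are constructed for illustration, and the field names of a grant record are assumed rather than taken from any real admin export.

```python
"""Triage for the two observable sides of an OAuth consent-phishing campaign:
the lure message and the third-party app grants it leaves behind.
Added example; messages, client IDs and grant records are constructed."""
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, List

# A third-party app whose chosen display name is a Google product name is the
# core of the lure: Google's own products do not go through the third-party
# consent prompt, so such a grant should never exist.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google"}
# Disposable inboxes have no place in To/Cc of a genuine document share.
DISPOSABLE_DOMAINS = {"mailinator.com"}
# Scopes that read mail and harvest contacts: the path that let the campaign
# re-send itself from each victim's account.
HIGH_VALUE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}


def _addresses(msg, header: str) -> List[str]:
    """Lower-cased addresses from every instance of a header."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def lure_red_flags(raw_message: str, recipient: str) -> List[str]:
    """Header-level tells a mail gateway can check without following the link."""
    msg = message_from_string(raw_message)
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    flags = []
    if any(addr.rsplit("@", 1)[-1] in DISPOSABLE_DOMAINS for addr in visible):
        flags.append("disposable mailbox in To/Cc")
    if recipient.lower() not in visible:
        flags.append("recipient absent from To/Cc (delivered via Bcc)")
    return flags


def grant_red_flags(grant: Dict) -> List[str]:
    """Tells in a single third-party app grant (assumed record layout)."""
    flags = []
    if grant["app_name"].strip().lower() in FIRST_PARTY_NAMES:
        flags.append("third-party app using a Google product name")
    if HIGH_VALUE_SCOPES & set(grant["scopes"]):
        flags.append("mail or contacts scope granted")
    return flags


def users_to_audit(grants: List[Dict]) -> List[str]:
    """Users whose Gmail activity after the grant should be reviewed: everyone
    who authorized an app that impersonates a Google product."""
    return sorted({g["user"] for g in grants
                   if "third-party app using a Google product name" in grant_red_flags(g)})


# Constructed lure modelled on the campaign: the visible recipient is a
# throwaway mailbox and the real targets were Bcc'd.
SAMPLE_LURE = """From: A Previous Victim <victim@example.test>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: A Previous Victim has shared a document on Google Docs with you
Content-Type: text/plain

A Previous Victim has invited you to view the following document: Open in Docs
"""

# Constructed genuine share, for comparison.
SAMPLE_GENUINE = """From: Alice <alice@example.test>
To: Bob <bob@example.test>
Subject: Alice has shared a document with you
Content-Type: text/plain

Alice has invited you to view the following document: Open in Docs
"""

# Constructed grant export; field names are assumed, not a real API schema.
SAMPLE_GRANTS = [
    {"user": "bob@example.test", "app_name": "Google Docs",
     "client_id": "third-party-client-0001",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "carol@example.test", "app_name": "google docs ",
     "client_id": "third-party-client-0001",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "dave@example.test", "app_name": "Example Calendar Sync",
     "client_id": "third-party-client-0002",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

if __name__ == "__main__":
    print(lure_red_flags(SAMPLE_LURE, "bob@example.test"))
    print(lure_red_flags(SAMPLE_GENUINE, "bob@example.test"))
    print(users_to_audit(SAMPLE_GRANTS))
```

The grant check is deliberately a name check rather than a scope check: mail and contacts scopes are granted to plenty of legitimate apps, whereas a third-party client presenting itself as “Google Docs” is, as Wright’s quote above notes, never legitimate.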