this year used decoy documents with official-looking government logos to lure unsuspecting users from targeted organizations into downloading infected documents and compromising their computer networks. Documents pretending to be from the U.S. National Security Agency, Iraqi intelligence, Russian security firm Kaspersky and the Kurdistan regional government were among those used to trick victims, Unit 42 said in a blog post (goo.gl/SvwrXv). The Unit 42 researchers said the attacks had targeted organizations in Saudi Arabia, Iraq, the United Arab Emirates, Turkey and Israel, as well as entities outside the Middle East in Georgia, India, Pakistan and the United States. The Saudi security agency said in its own statement that the attacks sought to steal data from computers using email phishing techniques targeting the credentials of specific users. The NCSC said they also comprised so-called “watering hole” attacks, which seek to trick users into clicking on infected web links to seize control of their machines. The technical indicators supplied by Unit 42 are the same as those described by the NCSC as being involved in attacks against Saudi Arabia. The NCSC said the attacks appeared to be by an “advanced persistent threat” (APT) group, cyber jargon typically used to describe state-backed espionage. Saudi Arabia has been the target of frequent cyber attacks, including the “Shamoon” virus, which cripples computers by wiping their disks and has hit both government ministries and petrochemical firms. Saudi Aramco, the world’s largest oil company, was hit by an early version of the “Shamoon” virus in 2012, in the country’s worst cyber attack to date. The NCSC declined further comment on the source of the attack or on which organizations or agencies were targeted.
Unit 42 said it was unable to identify the attack group or its aims and did not have enough data to conclude that the MuddyWater group was behind the Saudi attacks as outlined by the NCSC. “We cannot confirm that the NCSC posting and our MuddyWater research are in fact related,” Christopher Budd, a Unit 42 manager, told Reuters. “There’s just not enough information to make that connection with an appropriate level of certainty.” Palo Alto Networks said the files it had uncovered were almost identical to information-stealing documents disguised as Microsoft Word files and found to be targeting the Saudi government by security firm MalwareBytes in a September report.
Banks in Russia today were the target of a massive phishing campaign that aimed to deliver a tool used by the Silence group of hackers. The group is believed to have a background in legitimate infosec activities and access to documentation specific to the financial sector. The fraudulent emails purported to come from the Central Bank of Russia (CBR) and contained a malicious attachment. The message body lured the recipients into opening the attachment in order to check the latest details on the "standardization of the format of CBR's electronic communications."

Email authentication mechanism saves the day

International cybersecurity company Group-IB investigated the attack and noticed that the style and format of the fake communication were very similar to official CBR correspondence. This supports the theory that the attackers had access to legitimate emails from CBR. If Silence hackers have any ties with the legal side of reverse engineering and penetration testing, it is very likely that they are familiar with the documentation used by financial institutions and with how banking systems work. In a report published today, Group-IB says that the attackers spoofed the sender's email address, but the messages did not pass DKIM (DomainKeys Identified Mail) validation. DKIM is designed to counter forged sender addresses: the sending domain adds a cryptographic signature to the message, and the receiving server verifies it to confirm the message's authenticity.

Banks see more spear-phishing from a different group

The Silence hackers are not the only ones trying their spear-phishing game on Russian banks. On October 23, another notorious group, MoneyTaker, ran a similar campaign against the same type of targets.
Their message spoofed an email address from the Financial Sector Computer Emergency Response Team (FinCERT) and contained five attachments disguised as documents from CBR. "Three out of five files were empty decoy documents, but two contained a download for the Meterpreter Stager. To carry out the attack, hackers used self-signed SSL certificates," says Rustam Mirkasymov, Group-IB Head of Dynamic Analysis of Malware department and threat intelligence expert. These clues, along with server infrastructure associated with the MoneyTaker group, allowed the security experts to identify the perpetrator. As in the case of Silence, this attacker is also thought to have had access to CBR documents, most likely from compromised inboxes of Russian bank employees. This allowed them to craft messages that would pass even eyes trained in spotting fraudulent emails.

Silence and MoneyTaker are the most dangerous threats to banks

According to Group-IB, multiple groups use the Central Bank of Russia in spear-phishing operations, and for good reason, since the organization dictates regulations to financial institutions in the country and maintains a constant communication flow with them. Mirkasymov says that Silence and MoneyTaker are the most dangerous of all groups that threaten financial organizations. Referring to the latter, the expert says that its repertoire also includes drive-by attacks and testing the network for vulnerabilities. The goal is to access the internal nodes that enable them to withdraw money from ATMs, process cards or make interbank transfers. Although Silence uses mainly phishing, they are more careful about crafting the message, paying attention to both content and design, adds Group-IB's threat intelligence expert.
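Both campaigns above spoofed a trusted sender (CBR, then FinCERT), and in the Silence case the decisive signal was that the messages failed DKIM validation at the receiving bank. The following is an added example, not code from Group-IB or from the article, showing how a mail gateway or SOC script can act on that signal: it reads the Authentication-Results header that the bank's own MX stamped on the message, trusts only results carrying that MX's authserv-id (an attacker can add a forged header of their own before delivery), and quarantines mail from a "must be signed" domain whose DKIM result is not a pass or whose signing domain does not align with the From domain. The domain names, the authserv-id and the four sample messages are constructed placeholders; the article does not name the real CBR or FinCERT mail domains.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# authserv-id our own MX writes into Authentication-Results (RFC 8601).
# Placeholder, not from the article. Any other authserv-id is ignored,
# because a sender can inject an Authentication-Results header of their own.
OUR_AUTHSERV_ID = "mx.bank.example"

# Sender domains that must always arrive DKIM-signed and aligned.
# Placeholders: the real central-bank / CERT mail domains are not in the article.
TRUSTED_SENDER_DOMAINS = {"cbr.example", "fincert.example"}


def parse_auth_results(msg):
    """Return {method: (result, signing_domain)} taken only from
    Authentication-Results headers stamped by OUR_AUTHSERV_ID."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = str(hdr).partition(";")
        if authserv_id.strip().split()[0].lower() != OUR_AUTHSERV_ID:
            continue
        for clause in rest.split(";"):           # e.g. "dkim=fail (...) header.d=cbr.example"
            m = re.match(r"\s*(\w+)=(\w+)", clause)
            if not m:
                continue
            d = re.search(r"header\.d=([\w.-]+)", clause)
            results[m.group(1).lower()] = (m.group(2).lower(),
                                           d.group(1).lower() if d else None)
    return results


def sender_domain(msg):
    """Domain of the RFC 5322 From address (what the recipient actually sees)."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def classify(raw: bytes) -> str:
    """'ok', 'untrusted-sender', or a quarantine reason for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    if domain not in TRUSTED_SENDER_DOMAINS:
        return "untrusted-sender"            # normal mail; other controls apply
    dkim, signed_by = parse_auth_results(msg).get("dkim", ("missing", None))
    if dkim != "pass":
        return f"quarantine: dkim={dkim}"
    if signed_by != domain:                  # DMARC-style alignment check
        return f"quarantine: dkim signed by {signed_by}, not {domain}"
    return "ok"


# Constructed samples modelled on the article's description: the From header
# claims the central bank; only the Authentication-Results line differs.
SAMPLE_SPOOFED = b"""\
Authentication-Results: mx.bank.example; dkim=fail (signature did not verify) header.d=cbr.example; spf=fail smtp.mailfrom=cbr.example
From: "Central Bank" <notify@cbr.example>
To: ops@bank.example
Subject: Standardization of the format of electronic communications

Please open the attached document.
"""
SAMPLE_LEGIT = SAMPLE_SPOOFED.replace(
    b"dkim=fail (signature did not verify)", b"dkim=pass")
# Attacker-injected header claiming a pass, but not stamped by our MX.
SAMPLE_INJECTED = SAMPLE_SPOOFED.replace(
    b"mx.bank.example; dkim=fail (signature did not verify)", b"relay.attacker.example; dkim=pass")
# Valid signature, but from an unrelated domain: not aligned with From.
SAMPLE_MISALIGNED = SAMPLE_LEGIT.replace(b"header.d=cbr.example", b"header.d=attacker.example")

if __name__ == "__main__":
    for name, raw in [("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT),
                      ("injected", SAMPLE_INJECTED), ("misaligned", SAMPLE_MISALIGNED)]:
        print(f"{name:11s} -> {classify(raw)}")
```

The alignment check matters as much as the pass/fail result: a DKIM pass on its own only proves that some domain signed the message, so a message From cbr.example carrying a valid signature from attacker.example must still be held. Ignoring Authentication-Results headers from any authserv-id other than your own MX closes the obvious bypass of the sender pre-stamping a "dkim=pass" line.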
On Tuesday 2017-01-03, BleepingComputer published an article about "Merry X-Mas Ransomware". This ransomware was first seen by people like @PolarToffee, @dvk01uk, and @Techhelplistcom. Merry X-Mas Ransomware was first reported as distributed through malicious spam (malspam) disguised as FTC consumer complaints. By Sunday 2017-01-08, I saw an updated version of the Merry X-Mas Ransomware distributed through malspam disguised as court attendance notifications. It seemed odd to find Christmas-themed ransomware two weeks after Christmas; however, Orthodox Christian communities celebrate Christmas on January 7th. Ultimately, such Christmas-themed ransomware isn't odd if it's from a Russian actor. With that in mind, let's review the characteristics of Sunday's Merry X-Mas ransomware.

Shown above: Comparison of Merry X-mas ransomware notifications from 2017-01-03 and 2017-01-08.

The malspam was a fake notification to appear in court. Email headers indicate the sender's address was spoofed, and the email came from a cloudapp.net domain associated with Microsoft. The zip archive contained a Microsoft Word document with a malicious macro. If macros were enabled on the Word document, it downloaded and executed the ransomware.
Super Mario Run is projected to launch in the Google Play Store in the coming weeks, after previously going live on iOS on December 15, and cybercriminals are trying to benefit from the excitement generated by Nintendo’s new title using a new wave of malware. Security company Zscaler warns that malware disguised as Super Mario Run for Android is now spreading across the Internet, with users encouraged to download APKs that eventually infect devices and attempt to steal financial information. Specifically, the malicious Super Mario Run for Android package is infected with the Android Marcher Trojan, which now comes disguised as Nintendo’s game but features behavior similar to what we’ve seen in the past. Once it infects an Android device, it opens an overlay that requires users to enter their financial details whenever mobile banking apps are launched, and the collected data is then saved and submitted to a command and control center owned by the attacker. In most cases, the Google Play Store can no longer launch, as users are presented with the same overlay asking for financial details. “In previous variants of Marcher, we observed this malware family targeting well-known Australian, UK, and French banks. The current version is targeting account management apps as well as well-known banks,” Zscaler says.
Research conducted by both cyber security firms shows that the attacks first appeared in July 2015 and that since then, the cybercriminals behind these attacks have targeted hundreds of organizations within the region. According to the research, the hackers were using KasperAgent and Micropsia malware to target the Windows operating system, while SecureUpdate and Vamp malware were being used to target Android. The cybercriminals behind these attacks used two different techniques to achieve their goal. One technique involved using the URL shortener service Bit.ly to disguise the original malicious links. The motive behind these attacks was to steal credentials and spy on the victims. As per the research, the hackers were targeting educational institutes, military organizations and media companies in Palestine, Israel, Egypt, and the US. SecureUpdate, a malware disguised as an Android update, was designed to download malicious payloads onto the victim’s device, while Vamp focused on stealing data from victims’ smartphones, including call recordings, contact information, and other important documents. The malware designed to target Windows operating systems, KasperAgent and Micropsia, was capable of downloading other payloads, executing arbitrary commands, stealing files, capturing screenshots, logging keystrokes and much more. Essentially, the hackers were interested in stealing credentials from the infected devices. At first, no connection was established between the attacks, since all the malware samples were different from each other. On close inspection, however, the security firms found a link: the same email address had been used to register the infectious domains, which eventually revealed that the attacks were linked after all.
Researchers revealed that more than 200 samples of the Windows malware and at least 17 samples of the Android malware were discovered, which means that the potential victims of this malware could be numerous. The researchers at Palo Alto stated: “Through this campaign, there is little doubt that the attackers have been able to gain a great deal of information from their targets.” The campaign also illustrates that for some targets old tricks remain sufficient to run a successful espionage campaign, including the use of URL shortening services, classic phishing techniques, and the use of archive files to bypass some simple file checks. This is not the first time a sophisticated malware attack has been aimed at Middle Eastern countries. Just last month, StoneDrill malware was discovered targeting not only the Middle East but also Europe. Also, Shamoon malware from Iran is currently targeting Saudi Arabian cyber infrastructure.
Microsoft is aware of the zero-day, but it's highly unlikely it will be able to deliver a patch until its next Patch Tuesday, which is scheduled in three days. McAfee researchers, who disclosed the zero-day's presence, say they've detected attacks leveraging this unpatched vulnerability going back to January this year. Attacks with this zero-day follow a simple scenario, and start with an adversary emailing a victim a Microsoft Word document. The Word document contains a booby-trapped OLE2link object. If the victim uses Office Protected View when opening files, the exploit is disabled and won't execute. If the user has disabled Protected View, the exploit executes automatically, making an HTTP request to the attacker's server, from where it downloads an HTA (HTML application) file disguised as an RTF. The HTA file is executed automatically, launching exploit code to take over the user's machine, closing the weaponized Word file, and displaying a decoy document instead. According to FireEye, "the original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link." While the attack uses Word documents, OLE2link objects can also be embedded in other Office suite applications, such as Excel and PowerPoint. McAfee experts say the vulnerability affects all current Office versions on all Windows operating systems. The attack routine does not rely on enabling macros, so if you don't see a warning for macro-laced documents, that doesn't mean the document is safe.
There’s a new LinkedIn scam doing the rounds, involving phishing emails and a fake website designed to harvest the information you have in your CV. In the first stage of the scam, you receive a phishing email disguised as a LinkedIn email. Here are just a few of the giveaways that this is a phishing email: Clicking either of the two links in the spam email will send you to https://linkedinjobs(dot)jimdo(dot)com. We scanned the link with VirusTotal, and most of the security solutions found it to be clean, with the exception of a less well known scanner, AutoShun. Clicking on the website itself will take you to a simple page, where the main focus falls on a form for uploading your CV. Your CV contains a wealth of personal data which a cybercriminal can use to make a profit at your expense. Phone numbers can be sold to companies doing promotional cold calling. Or the cybercriminal might call you himself in a vishing attack. Sometimes, however, the attacker targets a company you worked at (or a future company you want to work for). Using the information found within your CV, the attacker might impersonate you in order to launch spear phishing emails against people in those companies, such as the CEO or the accounting department, in order to illegally obtain funds or money transfers. In 2016, for instance, the CEO of an Austrian airplane component manufacturer was fired after he got tricked by a spear phishing attack that led him to transfer around 40 million euros to the scammer’s account. This isn’t the first time LinkedIn has been used as a cover for a phishing campaign. Another similar situation was encountered in 2016, which we also covered. It’s difficult (if not impossible) for companies alone to prevent these scams from taking place.
In these cases, users too should contribute to keeping the Internet safe. In cases involving LinkedIn, the best course of action is to report them to the company. LinkedIn itself also offers a thorough set of tips and advice on how to recognize various scams over the network, such as inheritance or dating scams. When you’re actively searching for a job, being offered one in such a compelling tone might seem appealing. Because you expect to receive such messages (indeed, you welcome them), you’re tempted to let your guard down, and that’s exactly when a scammer strikes.
Cyber crooks have come up with a new way to infect your computer with financial and banking malware. The process starts by randomly sending users spam emails disguised as a payment confirmation email from Delta Air. The choice to mask the email as coming from an airline wasn’t random, since this time of year is when many consumers purchase flight tickets at discounted rates for the summer. However, no transaction actually took place! The email is designed to scare you into thinking someone bought an airplane ticket using your identity. You then panic and click on one of the links in the email in order to figure out how someone could make an unauthorized purchase with your credentials. The links then redirect you to several compromised websites, which host Word documents infected with the Hancitor malware. Hancitor is a versatile malware frequently used in phishing attacks that specializes in initially infecting a PC and then acting as a bridge for further malware downloads. If you download the malicious Word document and open it, Hancitor will activate and infect legitimate system processes on your PC using PowerShell code. Afterwards, your PC will connect to one or more malicious Command and Control (C&C) servers. These C&C servers will then download additional malware onto your PC, which belongs to the Pony family. Pony malware is specifically designed to steal sensitive information such as passwords and usernames from VPNs, web browsers, FTP, messaging apps and many more. On top of that, the C&C servers also download and spread another Pony-based malware called Zloader. Unlike Pony, Zloader is a banking malware designed to clean out your bank account and steal financial information.
Once the information harvesting is complete, the malware connects to another set of C&C servers and sends them all of your credentials and financial information.
Ransomware, a special kind of trojan that encrypts files, has become a new and tremendously growing type of cybercrime. The 2016 Ransomware Report released recently by 360 Security Center presents that:
– 4.9 million computers were attacked in China
– 56,000 ransomware infections worldwide in March 2016 alone
– $1 billion source of income for cyber criminals, as estimated by the FBI
– Almost half of organizations have been hit with ransomware

In January 2016, three Indian banks’ and a pharmaceutical company’s computer systems were infected by ransomware. The attacker asked for 1 bitcoin (about $905) for each infected computer, and then used an unprotected desktop interface to infect other connected computers remotely. These corporations lost several million dollars due to the huge number of infected computers. On February 5th 2016, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital’s computer systems and would give back access only when the money was paid. Two hospitals in Ottawa and in Ontario were attacked by ransomware later on. In February 2016, several schools’ computer systems were attacked by ransomware. The hacker took control of the intranet and servers, and asked for 20 bitcoin. These schools ended up paying the anonymous hacker $8,500 to get their IT systems back. In mid-February, a new ransomware, “Locky”, started to spread via email. 7 out of 10 malicious email attachments delivered Locky in Q2 2016. Once users opened the file attached to the email, their files were encrypted and they had to pay the distributor a certain ransom to decrypt these files.
In May 2016, a series of ransomware attacks on the House of Representatives led the US Congress to ban the use of Yahoo Mail and Google-hosted apps, and to warn its members to be cautious about Internet security. In October 2016, 277 ransomware attacks were reported to the Government Computer Emergency Response Team in Hong Kong, China. Most of the malware was hidden in email attachments and disguised as bills or receipts to trick users into clicking. The victims included the Marine Department of Hong Kong and Deloitte, one of the biggest accounting firms in the world. In November 2016, other than email, Locky began to spread through social networks such as Facebook and LinkedIn with images containing a malicious application. The file could be automatically downloaded while users were browsing, and installed once users clicked to check it. In November 2016, the San Francisco public transportation system Muni was hacked and asked for a $73,000 ransom in bitcoin to get back encrypted data. SFMTA (The San Francisco Municipal Transportation Authority) refused to pay the ransom and shut down the fare system. We can see that ransomware is terrifying and collecting money illegally around the world. However, it’s almost impossible to decrypt the infected files by yourself, even for people with high information technology skills.
Researchers say a piece of ransomware disguised as a battery app made its way into the Play store. Check Point says one of its customers contracted the malware app, dubbed "Charger," after installing what they thought was a battery monitoring tool called EnergyRescue. Researchers with Check Point Mobile Threat Prevention say the malware activates when EnergyRescue runs, and requires admin access to the device. Once that permission is granted, the malware checks the location (it does not attack phones in Ukraine, Belarus, or Russia), then swipes all user contacts and SMS messages and locks down the device. From there, the user is told that they must pay to deactivate the ransomware or they will have their full details spaffed out for various nefarious activities, including bank fraud and spam. "You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes," the ransomware tells users. Not ones to be unprofessional, the Charger operators attempt to reassure their victims by offering a "100% guarantee" that once the 0.2 Bitcoin ransom (currently around $183) is paid, all the collected information will be deleted and the device unlocked. "The ransom demand for 0.2 Bitcoins is a much higher ransom demand than has been seen in mobile ransomware so far," note Check Point mobile security analysts Oren Koriat and Andrey Polkovnichenko. "By comparison, the DataLust ransomware demanded merely $15." Check Point says that thus far it has not spotted any payments being registered to the Bitcoin address used for the ransom collection, so it is unclear how much, if anything, has been made from this operation.
Islamic State supporters are warning one another of malware targeting the militant group through the chat app Telegram. One member on a popular ISIS forum alerted users to plus_gram.apk, a trojanized RAT (a remote access tool disguised as harmless software) that allows an attacker to spy on and take full control of the target’s Android device. The ISIS supporter used malware analysis at NVISO, a popular free platform to test Android software for malicious code. The warning was first spotted and described by @switch_d, a veteran ISIS watcher. This attack arrives as a phishing link disguised as an invitation to a video chat, according to the warning, a tactic ISIS supporters have fallen victim to in the past. The responses to the warning include thanks and the common-sense guidance to “only accept files from brothers you know”. This malware runs in multiple stages, Khalil Sehnaoui, a Middle East-based cybersecurity specialist and founder of Krypton Security, told CyberScoop. “The exploit code is usually small and after successful exploitation it runs a dropper code which will in turn download new applications/malware in order to get more control of the system by escalating privileges.”
Qatar is set to host the 2022 FIFA Soccer World Cup, and to do so, the country must build a number of stadiums. Additionally, Qatar's economy is in full bloom, and many companies taking advantage of local tax-free zones are also driving a real-estate boom, with tens of buildings being built every year. At the heart of Qatar's roaring construction sector are migrant workers, usually from East-Asian countries, such as India, Bangladesh, and most often Nepal. Loopholes in local legislation allow employers to withhold passports and force employees to work under appalling conditions, facing steep penalties, and even jail time, if they try to leave the country before their contract expires. These conditions have attracted the attention of many activists, organizations, and journalists, who have published damning reports, even going as far as asking FIFA to revoke the rights to hold the 2022 World Cup until Qatar revises its labour laws. Claudio Guarnieri, a security researcher working for Amnesty International, has published a report today that reveals how an unknown person or group created a fake persona named Saleena Malik, which they used to get close to journalists and activists. The primary goal was to become friends with potential victims and, after months of private conversations, lure the target into accessing a phishing page disguised as a Google login and collect their credentials. Malik's phishing attacks didn't happen right away, but always after the victim had had time to get acquainted with her fake persona. In most cases, Malik posed as a person with similar interests in activism and Qatar's migrant labor laws. After months of private conversations via email, LinkedIn and/or Facebook, Malik would eventually invite a target to access a document or connect via Google Hangouts.
In all cases, before accessing Malik's documents or Google Hangouts, the victim would first be prompted by a fake login page that collected their credentials. Guarnieri, who was alerted to Malik's actions by one of the targeted journalists, was able to identify where these phishing pages were hosted and where they sent data for storage. This is how the researcher tracked down at least 30 other victims of Malik's expert phishing attacks. Additionally, with collaboration from victims, Guarnieri was also able to discover that the people behind the Malik persona had also accessed some of the phished Gmail accounts. The intruder's IP address belonged to a local Qatar Internet service provider. What the researcher wasn't able to find out was who was behind the attacks. His guesses include the government of Qatar, another government wanting to make Qatar look bad, or a contractor hired by one of the construction firms or a government agency. In a statement for Amnesty International, a spokesperson for the government of Qatar denied any involvement. This particular set of attacks shows a deep knowledge of social engineering, and especially of phishing tactics. Whoever was behind this campaign had the knowledge, skills and patience to wait for the seeds they planted to bear fruit many months later.
One tried-and-true technique continues to be hiding malware inside fake versions of popular files, then distributing those fake versions via app stores. Doing the same via peer-to-peer BitTorrent networks has also long been popular. But as with so many supposedly free versions of paid-for applications, users may get more than they bargained for. To wit, last week researchers at the security firm ESET spotted new ransomware, Filecoder.E, circulating via BitTorrent, disguised as a "patcher" that purports to allow Mac users to crack such applications as Adobe Premiere Pro CC and Microsoft Office 2016. As Toronto-based security researcher Cheryl Biswas notes in a blog post: "For those who torrent, be careful." ESET says the ransomware can also encrypt any Time Machine backups on network-connected volumes that are mounted at the time of the attack. If the ransomware infects a system, it demands 0.25 bitcoins, currently worth about $300, for a decryption key. But ESET security researcher Marc-Etienne M.Léveillé, in a blog post, says the application is so poorly coded that there's no way a victim could ever obtain a decryption key. So far, ESET reports that the single bitcoin wallet tied to the ransomware has received no payments. "There is one big problem with this ransomware: It doesn't have any code to communicate with any C&C server," says M.Léveillé, referring to a command-and-control server that might have been used to remotely control the infected endpoint. "This means that there is no way the key that was used to encrypt the files can be sent to the malware operators. This also means that there is no way for them to provide a way to decrypt a victim's files." The longstanding ransomware-defense advice, of course, is to never pay ransoms, because this directly funds cybercrime groups' ongoing research and development.
Instead, stay prepared: Keep complete, disconnected backups of all systems, and periodically test that they can be restored, so that paying a ransom never has to be considered. "We advise that victims never pay the ransom when hit by ransomware," M.Léveillé says. In other ransomware news, new ransomware known as Trump Locker, not to be confused with Trumpcryption, turns out to be a lightly repackaged version of VenusLocker ransomware, according to Lawrence Abrams of the security analysis site Bleeping Computer, as well as the researchers known as MalwareHunter Team. "Unfortunately, you are hacked," the start of the malware's ransom demand reportedly reads. VenusLocker first appeared in October 2016; it got a refresh two months later. The researchers don't know if the group distributing Trump Locker is the same group that distributed VenusLocker, or if another group of attackers reverse-engineered the code. But they say that functionally, the two pieces of malware appear to be virtually identical, Bleeping Computer reports. For example, both Trump Locker and VenusLocker will encrypt some file types in full, while only encrypting the first 1024 bytes of other file types, including PDF, XLS, DOCX, and MP3 file formats. Fully encrypted files have ".TheTrumpLockerf" appended to their filename, while partially encrypted files get a ".TheTrumpLockerp" extension added, the researchers say. Finally, ransomware gangs' use of customer service portals, to help and encourage victims to pay their ransoms, continues, says Mikko Hypponen, chief research officer of Finnish security firm F-Secure.
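The full-versus-partial encryption behaviour described above matters for incident response: a ".TheTrumpLockerp" file still holds plaintext after byte 1024. The triage helper below, an added example and not code from the researchers or the article, classifies a file by its Trump Locker suffix and uses a byte-entropy comparison (the 6.0 bits/byte threshold is an assumption, not from the article) to confirm whether the remainder is still unencrypted; the sample files are constructed.

```python
import math
from collections import Counter

# Suffixes and prefix length reported for Trump Locker / VenusLocker.
FULL_SUFFIX = ".TheTrumpLockerf"
PARTIAL_SUFFIX = ".TheTrumpLockerp"
PARTIAL_PREFIX_LEN = 1024  # only the first 1024 bytes of some types are encrypted
PLAINTEXT_MAX_ENTROPY = 6.0  # assumed threshold; ciphertext sits near 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, well below for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_trumplocker(name: str, data: bytes) -> dict:
    """Triage one file: recover the original name from the ransomware suffix and
    report whether the bytes after offset 1024 still look like plaintext."""
    if name.endswith(FULL_SUFFIX):
        mode, original = "full", name[: -len(FULL_SUFFIX)]
    elif name.endswith(PARTIAL_SUFFIX):
        mode, original = "partial", name[: -len(PARTIAL_SUFFIX)]
    else:
        return {"mode": None, "original": name, "tail_plaintext": False}
    head_ent = round(shannon_entropy(data[:PARTIAL_PREFIX_LEN]), 2)
    tail = data[PARTIAL_PREFIX_LEN:]
    tail_ent = round(shannon_entropy(tail), 2)
    # A high-entropy header followed by a low-entropy tail confirms the
    # partial scheme; the tail is a candidate for salvage (minus the header).
    salvageable = mode == "partial" and bool(tail) and tail_ent < PLAINTEXT_MAX_ENTROPY < head_ent
    return {"mode": mode, "original": original, "head_entropy": head_ent,
            "tail_entropy": tail_ent, "tail_plaintext": salvageable}


# Constructed samples: a stand-in "ciphertext" block with exactly 8.0 bits/byte
# of entropy, and a repetitive document body standing in for plaintext.
FAKE_CIPHERTEXT = bytes(range(256)) * 4            # 1024 bytes
FAKE_DOCUMENT = b"Total revenue by region, Q3 2016\n" * 64
SAMPLE_PARTIAL = FAKE_CIPHERTEXT + FAKE_DOCUMENT   # header encrypted, rest intact
SAMPLE_FULL = FAKE_CIPHERTEXT * 3                  # everything encrypted


def triage_samples() -> list:
    return [classify_trumplocker("report.docx" + PARTIAL_SUFFIX, SAMPLE_PARTIAL),
            classify_trumplocker("notes.txt" + FULL_SUFFIX, SAMPLE_FULL),
            classify_trumplocker("untouched.pdf", FAKE_DOCUMENT)]


if __name__ == "__main__":
    for row in triage_samples():
        print(row)
```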
One chief function of this support appears to be to help victims who don't know their Windows from their ASP to find a way to remit bitcoins to attackers, according to research into crypto-ransomware called Spora and its related customer-support operation, conducted by F-Secure's Sean Sullivan.