Google and Facebook have admitted they were conned out of an alleged $100 million (£77 million) in a phishing scam. The two companies fell victim after a Lithuanian man allegedly tricked employees into wiring the money to bank accounts that he controlled, Fortune reported on Thursday. Evaldas Rimasauskas, 48, is accused of posing as an Asia-based manufacturer and deceiving the internet giants from around 2013 until 2015. He was arrested earlier this month in Lithuania at the request of US authorities. The conman is said to have forged email addresses, invoices and corporate stamps to impersonate the manufacturer Quanta and trick the two companies into paying for computer supplies. Rimasauskas, who is awaiting extradition proceedings, has denied the allegations. The US Department of Justice (DOJ) said last month: "Fraudulent phishing emails were sent to employees and agents of the victim companies, which regularly conducted multi-million-dollar transactions with [the Asian] company." Both Facebook and Google have confirmed the fraud and said they were able to recoup funds, but neither revealed how much money it had transferred and recouped. A Google spokeswoman said: "We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we're pleased this matter is resolved." A spokeswoman for Facebook added: "Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation." Security experts said the attack highlighted how sophisticated phishing scams are being used to fool even two of the biggest tech companies. Note that nothing here required breaching either company's network: the attacker only needed a convincing vendor identity and a payment rerouted to an account he controlled, which is why out-of-band verification of vendor bank-account changes, rather than email filtering alone, is the control that defeats this class of fraud.
Last week, we reported on alarming cryptocurrency scams spreading via Twitter. These weren't garden-variety spam posts: fraudsters were hacking into the verified accounts of celebrities and brands in an attempt to lure unsuspecting victims. The crypto-scammers now appear to be moving on to other social media platforms as well. This time, they are gaming Facebook's official sponsored ad system to fool people who are looking to make a quick profit. Read on to see what this new scheme is all about. Cybercriminals come up with new tactics all the time, and it is always worth knowing their latest schemes. This ploy is a classic phishing scam meant to steal personal information such as your name, email address and credit card numbers. As in other elaborate phishing scams, the criminals created a set of fake websites, news articles and ads for that purpose. The whole ploy starts with a fake Facebook sponsored ad promoting an easy "wealth building" scheme. Accompanying the post is an embedded report that appears to originate from the news site CNBC. If you take the bait and click through the ad, the ruse becomes more obvious. First, the link's web address does not belong to any CNBC domain, the one tell that a pixel-perfect clone cannot hide. The fraudsters did mimic the look and feel of the real CNBC site, however, so an unsuspecting eye might be duped. The entire news article is completely fraudulent, the fakest of fake news. It states that Singapore has officially adopted a certain cryptocurrency and has anointed a firm, dubbed the CashlessPay Group, to market and purchase it. Never mind that CashlessPay sounds like just another third-rate pyramid scheme; let's go along for the ride, shall we?
You probably know by now that there is plenty of bogus information on Facebook at any given time. The social media giant is trying to clean up its act, though. Facebook banned blockchain and cryptocurrency ads earlier this year but softened its stance by allowing pre-approved cryptocurrency advertisers to post sponsored ads. (Can't resist the revenue, eh?) As always, scammers have found a way to exploit this loophole to spread their scams.
Staff are still falling for phishing scams, with social media friend requests and emails pretending to come from the HR department among the lures most likely to fool workers into handing over usernames and passwords. Phishing scams aim to trick staff into handing over data, normally usernames and passwords, by posing as legitimate email. The technique is used by everyone from the lowliest criminals running ransomware campaigns to state-backed hackers, because it continues to be so effective. In a review of 100 simulated attack campaigns for 48 of its clients, covering almost a million individual users, security company MWR InfoSecurity found that sending a bogus friend request was the best way to get someone to click on a link, even when the email was sent to a work email address. Almost a quarter of users clicked the link and were taken to a fake login screen; more than half of those went on to provide a username and password, and four out of five of those then downloaded a file. A spoof email claiming to be from the HR department and referring to the appraisal system was also very effective: nearly one in five clicked the link, three-quarters of those provided credentials, and a similar proportion went on to download a file. Some might argue that access to a staff email account is of limited use, but MWR InfoSecurity argues that it is a handy foothold for a wider assault: an attacker could dump entire mailboxes, access file shares, run programs on the compromised user's device and reach multiple other systems. Even basic security controls, such as two-factor authentication or disabling remote access to file shares and SharePoint, could reduce the risk.
The company also reported bad news about the passwords that users handed over: over 60 percent were 8 to 10 characters long, the mandatory minimum for many organizations, which the company argued illustrates how users stick to the minimum security requirements. A third of the passwords consisted of an upper-case first letter, a series of lower-case letters and then numbers, with no symbols. It also found that 13.6 percent of passwords ended with four digits in the range 1940 to 2040. Of those, nearly half ended in 2016, meaning roughly one in twenty of all captured passwords ended with the year in which they were created.
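The pattern analysis described above is easy to reproduce against credentials captured in one's own phishing simulations. The following is an added example, not code from the MWR report; the password list is a constructed sample, and the three pattern definitions (length at the 8 to 10 policy minimum, capital-lowercase-digits shape, trailing year between 1940 and 2040) are this example's reading of the article's categories.

```python
import re
from collections import Counter

# Constructed sample standing in for credentials captured in a phishing simulation;
# these are not passwords from the MWR study.
SAMPLE_PASSWORDS = [
    "Summer2016", "Welcome1", "Password1", "Qwerty2016", "Appraisal2016",
    "London1998", "Tr0ub4dor&3", "correcthorsebattery", "Admin123", "Monday12",
    "Hr2016!!", "Holiday2015", "xK9#pLm2Qz", "Chelsea1", "January2017",
    "Sunshine99", "Pa55w0rd", "Letmein2016", "Garden2040", "Office11",
]

# One capital, a run of lower-case letters, then digits, and nothing else.
CAPITAL_LOWER_DIGITS = re.compile(r"^[A-Z][a-z]+[0-9]+$")
# Exactly four trailing digits, not preceded by another digit.
TRAILING_FOUR_DIGITS = re.compile(r"(?<!\d)(\d{4})$")


def trailing_year(password, lo=1940, hi=2040):
    """Return the four-digit year a password ends with if it lies in [lo, hi], else None."""
    m = TRAILING_FOUR_DIGITS.search(password)
    if not m:
        return None
    year = int(m.group(1))
    return year if lo <= year <= hi else None


def audit(passwords, min_len=8, max_len=10, current_year=2016):
    """Count how many captured passwords fit the weak patterns the report describes."""
    counts = Counter(total=len(passwords))
    for pw in passwords:
        if min_len <= len(pw) <= max_len:
            counts["at_policy_minimum"] += 1        # just long enough to pass policy
        if CAPITAL_LOWER_DIGITS.match(pw):
            counts["capital_lower_digits"] += 1    # Word + number, no symbols
        year = trailing_year(pw)
        if year is not None:
            counts["ends_with_year"] += 1
            if year == current_year:
                counts["ends_with_current_year"] += 1
    return dict(counts)


def percentages(counts):
    """Express every pattern count as a percentage of the total, to one decimal place."""
    total = counts["total"]
    return {k: round(100.0 * v / total, 1) for k, v in counts.items() if k != "total"}


if __name__ == "__main__":
    c = audit(SAMPLE_PASSWORDS)
    for pattern, pct in percentages(c).items():
        print(f"{pattern:24s} {c[pattern]:3d}/{c['total']}  {pct:5.1f}%")
```

Run against a real capture, the "ends_with_current_year" figure is the one to watch: it identifies users who will roll the same password forward by one digit at the next forced change, which is the argument for banned-pattern checks rather than longer minimum lengths alone.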
The UK's Foreign Office was targeted by highly motivated and well-resourced hackers over several months in 2016. The BBC understands the government has investigated the previously unreported attack, which began in April last year. The UK's National Cyber Security Centre would not say whether data was stolen, but a source told the BBC that the most sensitive Foreign Office information is not kept on the systems targeted by the hackers. Research published on Thursday by cybersecurity firm F-Secure suggested the attack was a spear-phishing campaign, in which people were sent targeted emails in attempts to fool them into clicking a rogue link or handing over their username and password. To do this, the attackers created a number of web addresses designed to resemble legitimate Foreign Office websites, including those used for accessing webmail. F-Secure does not know whether the attack was successful. The company says the domains were created by hackers it calls the Callisto Group, which it says is still active. The UK's National Cyber Security Centre (NCSC), however, declined to say who was behind the attack on the Foreign Office. The targeted emails tried to fool recipients into downloading malware first developed for law enforcement by the Italian software company Hacking Team. Hacking Team's surveillance tools were previously exposed in a cyberattack, first reported in 2015. There is no suggestion that Hacking Team had any involvement in the attacks. F-Secure said that the use of the software should remind governments that they "don't have monopolies on these [surveillance] technologies", and that once created, the software can fall into the hands of hackers. The BBC has not seen evidence conclusively identifying the origin of the attack.
A cybersecurity expert at another company, who wished to remain anonymous, found a link to information uncovered in the investigation of Russian efforts to influence the US election. Two of the phishing domains used by the hackers were once linked to an IP address mentioned in a US government report on Grizzly Steppe, the name given by the US government to efforts by "Russian civilian and military intelligence services to compromise and exploit networks and endpoints associated with the US election". However, the expert noted that this connection between the phishing domains and Grizzly Steppe may be a coincidence, as over 300 other domains, many of them not hacking-related, were linked to the same IP address; a shared hosting address is weak evidence of common ownership on its own. F-Secure told the BBC that it did notice some similarity between the Callisto Group's hacking and previous attacks that have been linked to Russia. However, it said that despite some similarities in the tactics, techniques, procedures and targets of the Callisto Group and the Russia-linked group known as APT28, it believed the two were "operationally" separate. It noted that the Callisto Group was also less "technically capable" than APT28.
More cybercriminals used object linking and embedding (OLE) packages to deliver malware during the first quarter of 2017, according to cybersecurity technology and services company PhishMe Intelligence. The trend was first observed in December 2016, closely associated with delivery of the Ursnif botnet malware, PhishMe said. The OLE technique abuses Microsoft Office documents by prompting the victim to double-click an embedded icon to access some type of content. The embedded object writes a script application to disk, which then downloads and executes the malware payload, PhishMe said. This gives cybercriminals another set of techniques for evading anti-analysis and sandbox settings and successfully infecting systems, the company said. The malicious documents have a look and feel similar to the macro-based Office documents long used for malware delivery, but they do not feature the distinctive "enable macros" banner, PhishMe said. As a result, they defy the expectations for malware delivery that have been prominent in recent years: a macro document displays icons or text instructing the victim to "enable editing" in order to view content, whereas a document carrying an OLE package never shows the characteristic yellow "enable macros" banner, because no macro is involved. Real and fake documents look alike, and the fake ones can fool even users who know what a macro lure looks like. For the same reason, macro-blocking policies do not stop this technique; what does is preventing Office from activating embedded Package objects (the Office PackagerPrompt registry setting can block their activation outright) and treating a "double-click to view" icon inside a document as a red flag in its own right. [Screenshot in the original: the OLE malware lure.] There are several reasons why these recent phishing campaigns distributing malicious Microsoft OLE packages are particularly tricky to deal with, said Rohyt Belani, co-founder and CEO of PhishMe.
"First, because the malware is disguised as an unassuming Office document, threat actors can often use this technique to bypass the IT department's sandbox environments, detection software or analysis tools that help identify malicious documents, attachments and links," Belani said. "Second, since so many healthcare organizations rely on Microsoft Office applications to run their day-to-day business operations, security professionals can't completely block Office documents entirely from e-mail systems." When technology layers fail and let these threats land in the inbox, there is really one last line of defense to ensure the attacks don't succeed: the employees themselves, Belani said. "Humans, the end-users, are the linchpin for securing against attacks delivering sneaky payloads that easily bypass existing technology stacks," Belani said. "We recommend healthcare CISOs seriously consider building strong phishing defense programs that transform employees into human sensors at the heart of the phishing defense strategy." Through behavioral conditioning, employees become contextually aware of the e-mail content that enters their inbox, increasing their ability to recognize and report suspicious communications that may well be phishing threats such as OLE payloads, Belani said. "By empowering employees to report suspicious e-mails directly to a healthcare organization's security operations center," Belani added, "this will drastically speed incident response capabilities to neutralize these threats before any major damage is inflicted."
Google has stopped Wednesday's clever email phishing scheme, but the attack may well make a comeback. One security researcher has already managed to replicate it, even as Google tries to protect users from such attacks. "It looks exactly like the original spoof," said Matt Austin, director of security research at Contrast Security. The phishing scheme, which may have reached 1 million Gmail users, was particularly effective because it fooled users with a dummy app that looked like Google Docs. Recipients were invited to click a blue box that said "Open in Docs." Those who did were taken to a genuine Google account page asking them to hand Gmail access to the dummy app. While fooling users with spoofed emails is nothing new, Wednesday's attack involved a real third-party app built through Google's own developer processes. The company's developer platform lets anyone create web-based apps, and in this case the culprit named the app "Google Docs" to trick users. Google shut down the attack by removing the app and has barred other developers from using "Google" in the names of their third-party apps. Traditional phishing emails work by tricking users into giving up their login credentials. Wednesday's attack took a different approach and abused the OAuth protocol, a convenient way for internet accounts to link with third-party applications. Through OAuth, users never hand over a password; they instead grant permission for a third-party app to connect to their account at, say, Google, Facebook or Twitter, so the usual phishing advice of never typing a password into an unexpected page did not apply here. But like any technology, OAuth can be exploited.
Back in 2011, one developer even warned that the protocol could be used in a phishing attack with apps that impersonate Google services. Nevertheless, OAuth has become a popular standard across IT; CloudLock has found that over 276,000 apps use the protocol through services such as Google, Facebook and Microsoft Office 365. The dummy Google Docs app, for example, was registered to a developer at eugene.pupov@gmail.com, a red flag that the product wasn't real. The dummy app still fooled users, however, because Google's own account permission page never plainly listed the developer's information unless the user clicked through to find it, Parecki said. "I was surprised Google didn't show much identifying information with these apps," he said. "It's a great example of what can go wrong." Rather than hide those details, all of them should be shown to users, Parecki said. Austin agreed, and said apps that ask for permission to Gmail should carry a more blatant warning about what the user is handing over. "I'm not on the OAuth hate bandwagon yet. I do see it as valuable," Austin said. "But there are some risks with it." Google was able to quickly foil Wednesday's attack and is introducing "anti-abuse systems" to prevent it from happening again. Users who might have been affected can run a Google security checkup to review which apps are connected to their accounts. The company's Gmail Android app is also introducing a new security feature to warn users about possible phishing attempts. It is tempting to install apps and assume they are safe, but users and businesses need to be careful when linking accounts to third-party apps, which might be asking for more access than they need, CloudLock's Kaya said. "Hackers have a head start exploiting this attack," she said. "All companies need to be thinking about this."
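The signals the article lists, a provider-branded app name, a consumer developer mailbox and a request for broad Gmail access, can be checked mechanically from the authorization request before anyone clicks "Allow". The following is an added example, not Google's or CloudLock's code: the scope strings are Google's real identifiers, but the decision to call them high-risk, the developer-domain heuristic, and the constructed client IDs and redirect hosts are this example's assumptions. The worm-style request reuses the developer address quoted in the article; the "Acme Scheduler" request is invented for contrast.

```python
from urllib.parse import urlparse, parse_qs

# Real Google OAuth scope strings; treating these as high-risk is this example's judgement.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                      # full Gmail access: read, send, delete
    "https://www.googleapis.com/auth/gmail.modify",  # read and modify mail
    "https://www.googleapis.com/auth/contacts",      # read/write contacts (what a worm spreads with)
}
PROVIDER_WORDS = ("google", "gmail", "g suite")
CONSUMER_MAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def parse_auth_request(auth_url):
    """Pull the fields that matter out of an OAuth 2.0 authorization request URL."""
    q = parse_qs(urlparse(auth_url).query)
    redirect = q.get("redirect_uri", [""])[0]
    return {
        "client_id": q.get("client_id", [""])[0],
        "scopes": set(" ".join(q.get("scope", [])).split()),
        "redirect_host": (urlparse(redirect).hostname or "").lower(),
    }


def triage_consent(auth_url, app_display_name, developer_email):
    """Return findings for one consent prompt; an empty list means nothing looked off under these rules."""
    req = parse_auth_request(auth_url)
    findings = []
    name = app_display_name.lower()
    dev_domain = developer_email.rsplit("@", 1)[-1].lower()

    poses_as_provider = any(w in name for w in PROVIDER_WORDS)
    if poses_as_provider:
        findings.append(f"display name {app_display_name!r} borrows the identity provider's brand")

    risky = sorted(req["scopes"] & HIGH_RISK_SCOPES)
    if risky:
        findings.append("requests high-risk scopes: " + ", ".join(risky))

    if poses_as_provider and dev_domain in CONSUMER_MAIL_DOMAINS:
        findings.append(f"'Google' app is registered to a consumer mailbox: {developer_email}")

    host = req["redirect_host"]
    if risky and host and host != dev_domain and not host.endswith("." + dev_domain):
        # The authorization code, and so the tokens, are delivered to a host that the
        # developer identity shown on the consent screen does not obviously control.
        findings.append(f"high-risk tokens redirect to {host}, not under developer domain {dev_domain}")
    return findings


# Constructed requests modelled on the consent screen described above (client IDs and hosts are made up).
WORM_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-worm.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
BENIGN_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-sched.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.acme.example%2Foauth%2Fcb"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly"
)

if __name__ == "__main__":
    for label, url, name, dev in [
        ("worm", WORM_REQUEST, "Google Docs", "eugene.pupov@gmail.com"),
        ("benign", BENIGN_REQUEST, "Acme Scheduler", "oauth@acme.example"),
    ]:
        print(label, triage_consent(url, name, dev) or ["no findings"])
```

The same rules can be applied after the fact to an organisation's list of authorised third-party apps, which is the audit the article's "security checkup" advice amounts to at enterprise scale.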
An effective new phishing attack is hitting Gmail users and tricking many into entering their credentials into a fake login page. The phishers start by compromising a Gmail account, then rifle through the emails the user has recently received. After finding one with an attachment, they create an image (screenshot) of it and include it in a reply to the sender, using the same or a similar subject line to invoke recognition and automatic trust. "You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again," WordFence CEO Mark Maunder warns. The phishing page is a good copy of Gmail's login page, and the text in the location bar contains "accounts.google.com", which is enough to fool many into believing they are on a legitimate Google page. In fact no Google host is involved at all. "This phishing technique uses something called a 'data URI' to include a complete file in the browser location bar. When you glance up at the browser location bar and see 'data:text/html…..' that is actually a very long string of text," Maunder explained. The familiar hostname sits inside that string, after the data: prefix, rather than in any address the browser is connecting to, so the check that matters is the scheme and host at the very start of the bar, not a trusted domain name appearing somewhere within it.
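The distinction between what the location bar shows and what the browser has actually loaded can be made precise with a URL parser. The following is an added example, not code from WordFence or the original article: it classifies a location-bar string by its parsed scheme and host only, and covers the data: URI trick Maunder describes alongside the other ways a trusted hostname can appear in a bar without being the host (a lookalike label, the userinfo part, the path). The sample strings are constructed, and evil.example and login-verify.example are placeholder domains.

```python
from urllib.parse import urlparse

EXPECTED_HOST = "accounts.google.com"


def inspect_location(url, expected_host=EXPECTED_HOST):
    """Return (verdict, reason) for what a location-bar string really points at.

    verdict is 'ok', 'phish' or 'unknown'. The check trusts only the parsed
    scheme and host, never hostname-looking text elsewhere in the string.
    """
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    mentions_host = expected_host in url.lower()

    if scheme == "data":
        # A data: URI carries the whole document inline. There is no host, so the
        # 'accounts.google.com' the victim sees is just bytes of the attacker's page.
        reason = "data: URI has no host"
        if mentions_host:
            reason += f"; '{expected_host}' is decoy text inside the inline document"
        return "phish", reason

    if host == expected_host:
        if scheme == "https":
            return "ok", "expected host over https"
        return "phish", f"expected host but scheme is {scheme or 'missing'}, not https"

    if mentions_host:
        if expected_host in host:
            return "phish", f"lookalike host {host!r}: expected name is only a label inside it"
        if parsed.username and expected_host in parsed.username.lower():
            return "phish", f"userinfo trick: real host is {host!r}"
        return "phish", f"expected name appears only in path/query; real host is {host!r}"

    return "unknown", f"host {host!r}"


# Constructed location-bar strings, modelled on the technique described above.
SAMPLES = [
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
    "%20%20%20%20%20%20%20%20%20%20<script src='https://evil.example/login.js'></script>",
    "https://accounts.google.com/signin/v2/identifier?service=mail",
    "https://accounts.google.com.login-verify.example/ServiceLogin",
    "https://accounts.google.com@evil.example/ServiceLogin",
    "https://evil.example/accounts.google.com/ServiceLogin",
    "http://accounts.google.com/ServiceLogin",
    "https://mail.example.org/owa/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, reason = inspect_location(s)
        print(f"{verdict:8s} {reason:72s} {s[:60]}")
```

The padding of spaces after the decoy URL in the first sample is the part of the trick that pushes the real payload out of the visible width of the bar; the parser is indifferent to it, which is the point.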
GreatHorn analyzed more than 56 million emails from 91,500 corporate mailboxes from March to November 2016. The data shows that display name spoofs are the clear phishing weapon of choice for cybercriminals. Attackers are increasingly relying on highly targeted, non-payload attacks that exploit trust and apply pressure to trick users into actions that put their organizations at risk. Of the more than 537,000 phishing threats GreatHorn detected in its research, 91 percent (490,557) carried the characteristics of display name spoofs. A display name spoof impersonates a person familiar to a business user in order to fool the recipient into thinking that the message came from a trusted source; the sending address is one the attacker legitimately controls, so SPF, DKIM and DMARC all pass, and it is an extremely effective tactic against a workforce deluged with incoming communications all day, every day. Direct spoofs, which forge the sending domain itself, were the second most common attack type (8 percent), and domain lookalikes made up less than 1 percent of phishing attacks. "Stopping spear phishing attacks isn't as simple as pushing a button; the sheer volume of these attacks, coupled with the size of the attack surface and security resource constraints, makes it impossible to mitigate risk solely via human intervention, no matter how much you try to train your end users," said GreatHorn CEO Kevin O'Brien.
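The three categories GreatHorn reports (display name spoof, direct spoof, domain lookalike) map onto three different checks on the From: header, and the distinction matters because only the second is caught by SPF/DKIM/DMARC. The following is an added example, not GreatHorn's classifier: the corporate domain, the staff directory and the From: headers are constructed, the lookalike test is a plain edit-distance threshold of 2 chosen for illustration, and the DMARC result is passed in as a flag because the receiving MTA, not this code, is where that verdict comes from.

```python
from email.utils import parseaddr

CORP_DOMAIN = "example.com"
# Constructed directory of people worth impersonating: normalised display name -> real address.
DIRECTORY = {
    "kevin o'brien": "kobrien@example.com",
    "jane doe": "jdoe@example.com",
}


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(name):
    """Lower-case, strip quotes and collapse whitespace so directory lookups are forgiving."""
    return " ".join(name.lower().replace('"', "").split())


def classify_sender(from_header, dmarc_pass, corp_domain=CORP_DOMAIN, directory=DIRECTORY):
    """Bucket a From: header into the GreatHorn categories.

    dmarc_pass is the receiving MTA's authentication result for the message; it is
    the only way to tell a genuine internal sender from a direct spoof of the domain.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    name = normalise(display)

    if domain == corp_domain:
        return "internal" if dmarc_pass else "direct_spoof"
    if domain and edit_distance(domain, corp_domain) <= 2:
        return "domain_lookalike"
    if corp_domain in name:
        # Display name carries an internal-looking address, e.g. "jdoe@example.com" <x@evil.example>
        return "display_name_spoof"
    if name in directory and directory[name] != addr:
        return "display_name_spoof"
    return "external"


# Constructed headers; evil.example and vendor.example are placeholder domains.
SAMPLE_HEADERS = [
    ("\"Kevin O'Brien\" <kevin.obrien.ceo@gmail.com>", True),
    ('"Jane Doe" <jdoe@examp1e.com>', True),
    ('"Jane Doe" <jdoe@example.com>', False),
    ('"Jane Doe" <jdoe@example.com>', True),
    ('"jdoe@example.com" <x@evil.example>', True),
    ('"Vendor News" <news@vendor.example>', True),
]

if __name__ == "__main__":
    for header, dmarc in SAMPLE_HEADERS:
        print(f"{classify_sender(header, dmarc):20s} {header}")
```

Authentication passes for the first, second and fifth samples, which is exactly why those 91 percent of attacks get through: the display-name and lookalike checks have to be done by the mail gateway or client, against the organisation's own directory, because nothing in the protocol does it.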
PhishMe security researchers warn that the Locky ransomware is relying on the same delivery infrastructure previously used to distribute the Sage ransomware. Cybercriminals often share infrastructure with one another, so the fact that Locky and Sage use the same resources is not that surprising. It does show, however, that the crooks behind Locky are working on securing new distribution venues after the main Locky distributor, the Necurs botnet, recently went silent. The Sage ransomware first appeared at the end of last year and was analyzed early this year. The first distribution email messages relied on racy or explicit narratives to fool victims into opening the malicious attachments. Later, the operators abandoned this tactic and started using business-related themes and random numbers in the subjects to avoid spam filters. Some of the delivery emails had no subject at all, but they did use the victim's name in the attachment file name. This attachment was usually a double-zipped archive containing a malicious .js file or an Office document. Other messages posed as a rejected financial transaction, a failed deposit or refund, or a canceled order alert in order to trick users into opening them. The campaign, according to PhishMe, used a .zip file (named "document_1.zip") containing a JavaScript application which would download the Sage ransomware as a Windows executable. The payload was retrieved from the domain affections[.]top, and the malware relied on the same payment gateway's Tor site as before, as well as the Tor2Web gateway addresses for rzunt3u2. Then, on January 26th, another phishing campaign was spotted distributing the Locky ransomware, leveraging the same email messages and metadata, and one of the same .top domains was used as part of the distribution for this infection on January 30th.
As PhishMe put it: "This connection pushes the narrative forward in yet another way as the Locky distribution in question was yet another example of that ransomware being paired with the Kovter Trojan." The connection between Kovter and Locky has already been analyzed several times. Most recently, Microsoft documented a two-step delivery technique that tried to drop Locky first and, if that failed, switched to dropping the Kovter Trojan. The sharing of infrastructure between Locky and Sage once again shows how cybercriminals reuse delivery infrastructure and malware support, and the overlapping distribution of these two ransomware families can be read as evidence of the commodity status of such infections.
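Two of the attachment shapes described on this page, the double-zipped archive holding a JavaScript downloader in the Sage and Locky campaigns and the Office document carrying an icon-style OLE Package object in the PhishMe OLE report, are both zip containers underneath and can be triaged by one recursive scanner. The following is an added example, not PhishMe's tooling or any vendor's: the extension list is an illustrative policy, the `<o:OLEObject ProgID="Package" DrawAspect="Icon">` reference it looks for is the way Word records an icon-style embedded package in `word/document.xml`, and both sample attachments are built inline as constructed stand-ins (the embedded object is a few stub bytes, not a real package).

```python
import io
import re
import zipfile

# Extensions that should never arrive inside an e-mailed archive (example policy list).
SCRIPT_OR_BINARY = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".exe", ".scr", ".jar")
OOXML_MARKERS = ("word/document.xml", "xl/workbook.xml", "ppt/presentation.xml")
OLE_OBJECT_TAG = re.compile(r"<o:OLEObject\b[^>]*>")


def scan_ooxml(zf, label):
    """Findings for an Office Open XML container: macros, embedded objects, OLE object references."""
    findings = []
    names = zf.namelist()
    if any(n.endswith("vbaProject.bin") for n in names):
        findings.append(f"{label}: VBA project present (classic macro document)")
    findings += [f"{label}: embedded object {n}" for n in names if "/embeddings/" in n]
    for n in names:
        if not n.endswith(".xml"):
            continue
        xml = zf.read(n).decode("utf-8", "replace")
        for tag in OLE_OBJECT_TAG.findall(xml):
            progid = re.search(r'ProgID="([^"]*)"', tag)
            aspect = re.search(r'DrawAspect="([^"]*)"', tag)
            note = (f"{label}: OLEObject ProgID={progid.group(1) if progid else '?'} "
                    f"DrawAspect={aspect.group(1) if aspect else '?'} in {n}")
            if progid and progid.group(1) == "Package":
                note += " (generic OLE package: double-click drops and runs a file, no macro banner)"
            findings.append(note)
    return findings


def scan_attachment(data, label="attachment", depth=0, max_depth=4):
    """Recursively walk zip containers (plain archives and Office documents) and return findings."""
    findings = []
    if label.lower().endswith(SCRIPT_OR_BINARY):
        findings.append(f"{label}: script/executable at archive depth {depth}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= max_depth:
        return findings + [f"{label}: nested deeper than {max_depth}, not descended"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if any(m in zf.namelist() for m in OOXML_MARKERS):
            return findings + scan_ooxml(zf, label)   # Office internals are not a plain archive
        for info in zf.infolist():
            if not info.is_dir():
                findings += scan_attachment(zf.read(info), f"{label}/{info.filename}", depth + 1, max_depth)
    return findings


def _zip(entries):
    """Build an in-memory zip from a {name: bytes_or_str} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_double_zip():
    """Constructed stand-in for the Sage lure: a zip inside a zip, holding a JavaScript downloader."""
    inner = _zip({"invoice_JohnSmith.js": b"// downloader stub for illustration only\n"})
    return _zip({"document_1.zip": inner})


def build_docx(with_package):
    """Constructed minimal .docx; with_package=True embeds an icon-style OLE Package object."""
    body = "<w:p><w:r><w:t>Double-click the icon to view the content.</w:t></w:r></w:p>"
    entries = {}
    if with_package:
        body += ('<w:object><o:OLEObject Type="Embed" ProgID="Package" DrawAspect="Icon" '
                 'ObjectID="_1" r:id="rId5"/></w:object>')
        entries["word/embeddings/oleObject1.bin"] = b"\xd0\xcf\x11\xe0 stub"   # OLE magic + stub
    entries["[Content_Types].xml"] = "<Types/>"
    entries["word/document.xml"] = f"<w:document><w:body>{body}</w:body></w:document>"
    return _zip(entries)


if __name__ == "__main__":
    for label, blob in [("document_1.zip", build_double_zip()),
                        ("invoice.docx", build_docx(True)),
                        ("quote.docx", build_docx(False))]:
        print(label, scan_attachment(blob, label) or ["clean"])
```

The point of treating the .docx as a container rather than a document is that a gateway rule which only blocks macro-enabled files, or only looks at the outermost attachment extension, misses both of these lures; the scanner flags the Package object even though no `vbaProject.bin` is present, and the script even though it sits two archives deep.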