between July 7 and August 8, the Electronic Frontier Foundation (EFF) reported today. Both organizations targeted in the attacks are currently fighting for Net Neutrality in the US. Based on currently available evidence, the attacks appear to have been orchestrated by the same attacker, located in a UTC+3 to UTC+5:30 timezone, said EFF Director of Cybersecurity Eva Galperin and EFF security researcher Cooper Quintin.

At least one victim fell for the attacks

"Although this phishing campaign does not appear to have been carried out by a nation-state actor and does not involve malware, it serves as an important reminder that civil society is under attack," the two said today. "It is important for all activists, including those working on digital civil liberties issues in the United States, to be aware that they may be targeted by persistent actors who are well-informed about their targets' personal and professional connections."

At least one victim fell for the 70 fake emails sent during the phishing attempts. The attackers didn't deliver malware but lured victims to a remote site designed to phish Google, Dropbox, and LinkedIn credentials.

"The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time," EFF said.

The most creative of the spear-phishing emails were those with the subject line "You have been successfully subscribed to Pornhub.com" or "You have been successfully subscribed to Redtube.com," two very popular adult video portals. Minutes later, victims received another email made to look like it was coming from the same two services. These second emails contained explicit subject lines.
Because the spear-phishing emails were aimed at work addresses, most victims would have been inclined to unsubscribe from the incoming emails. This was the catch: the attackers had doctored the unsubscribe link, which led victims to a fake Google login screen.

Attackers used different tactics as the campaign progressed

The PornHub and RedTube phishes were not the only ones. The attackers also used other tactics:

- Links to generic documents that asked users to enter credentials before viewing.
- LinkedIn message notifications that tried to trick users into giving away LinkedIn credentials.
- Emails disguised to look like they were coming from family members sharing photos, but which asked the victim to log in and give away credentials instead.
- Fake email notifications about hateful comments posted on the target's YouTube videos. When the victim followed the link included in the email, the target would have to enter Google credentials before performing the comment moderation actions.
- Emails that looked like a friend was sharing interesting news stories. Topics and subject lines used include:
  - Net Neutrality Activists 'Rickroll' FCC Chairman Ajit Pai
  - Porn star Jessica Drake claims Donald Trump offered her $10G, use of his private jet for sex
  - Reality show mom wants to hire a hooker for her autistic son

In one case, one of the targeted activists received a request from a user asking for a link to buy her music. When the target replied, the attacker answered back with a Gmail phishing link, claiming the buy link didn't work.

EFF experts say that victims who had two-factor authentication turned on for their accounts would have prevented the attackers from logging into their profiles even if they had managed to obtain their password.
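The doctored-unsubscribe-link lure above can be caught on the receiving side by comparing where each link in an HTML email actually points against the domain the message claims to come from. The following is an added example written for this page, not EFF's tooling; the sender address and the HTML message are constructed, and the `.example` host stands in for whatever host the real lure used.

```python
"""Flag links in an HTML email whose destination host lies outside the claimed sender's
domain; unsubscribe links are reported separately because that was the lure here."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "subscription" notice whose unsubscribe link goes elsewhere.
SAMPLE_FROM = "noreply@pornhub.com"
SAMPLE_HTML = """
<p>You have been successfully subscribed to Pornhub.com.</p>
<p><a href="https://www.pornhub.com/help">Help</a></p>
<p><a href="http://accounts-google-login.example/unsub?id=42">Unsubscribe</a></p>
"""

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the message body.
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude last-two-labels approximation (no public-suffix list); enough for this check."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(sender, html):
    """Return (kind, href) for each link whose host does not belong to the sender's
    domain. kind is 'unsubscribe' when the anchor text offers to unsubscribe."""
    sender_domain = registrable_domain(sender.split("@")[-1])
    p = _LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != sender_domain:
            kind = "unsubscribe" if "unsubscribe" in text.lower() else "external"
            findings.append((kind, href))
    return findings
```

A mail gateway would run this over the text/html part and, at minimum, quarantine messages whose unsubscribe link leaves the sender's domain for review.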
The Necurs botnet has, once again, begun pushing Locky ransomware on unsuspecting victims. The botnet, which flip-flops between sending penny stock pump-and-dump emails and booby-trapped files that lead to malware (usually Locky or Dridex), has been spotted slinging thousands upon thousands of emails in the last three or four days.

"Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky," Cisco Talos researchers noted on Friday.

In the first part of the spam campaign, the emails contain no text except in the Subject line, which simply says "Receipt" or "Payment", followed by random numbers. Those numbers are seen again in the name of the attached PDF file (as seen in the screenshot above). Later, the emails were made to look like they contained a scanned image in PDF format for the recipient to peruse.

In both cases, the attached PDF contains embedded Word documents with macros, and for those documents to open and run the macros, users must enable them. This is achieved through subterfuge: the victims are shown a note saying that the document is protected, and that they have to "Enable editing" in order to view it. Before that, the victims are also prompted to allow the opening of the file, a step that's required for the malware to bypass the protection offered by the PDF reader's sandbox.

"The word document itself contains an XOR'd Macro that downloaded the Locky sample from what is likely a compromised website," the researchers explained, noting that the DNS requests associated with the domain serving the malware have been spiking, but that it's difficult to determine if these requests are from victims or from the many security practitioners who are investigating this widespread campaign.
Users who go through all the motions required to run the malware will end up with their files encrypted and the .osiris extension added to them. The criminals behind the ransomware are asking for 0.5 Bitcoin (around $620) to decrypt the files. Unfortunately for the victims, there is currently no way to decrypt the files without paying the ransom, so they'll need to choose between losing the files (if they have no backup) or paying up (although there is no guarantee that the crooks will keep their word).
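The delivery chain described above (PDF carrying an embedded Word document that in turn carries the macro) leaves structural traces in the PDF itself that a mail filter can look for before any reader opens it: a /Filespec naming an Office file, or an /EmbeddedFile stream whose bytes start with an Office container signature. The scanner below is an added example for this page, not Talos code; the sample PDF is a constructed skeleton, not a real malicious file, and the scan is best-effort (only FlateDecode streams are inflated).

```python
"""Flag PDFs that carry an embedded Office document, as in the Locky wave described above."""
import re
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.docm (OOXML zip container)
OFFICE_EXT = re.compile(rb"\.(docm?|dotm?|xlsm?|pptm?)\b", re.I)
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)

def _streams(pdf):
    """Yield (dictionary, data) per object stream, inflating FlateDecode streams.
    Other filters are passed through untouched, so those are only partially covered."""
    for obj in pdf.split(b"endobj"):
        m = STREAM_RE.search(obj)
        if not m:
            continue
        d, data = m.groups()
        if b"/FlateDecode" in d:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass
        yield d, data

def embedded_office_files(pdf):
    """Return names of embedded files that look like Office documents, either by the
    filename in a /Filespec or by the magic bytes of an /EmbeddedFile stream."""
    names = set()
    # /F or /UF inside a file specification holds the attachment's file name.
    for m in re.finditer(rb"/Filespec.*?/U?F\s*\((.*?)\)", pdf, re.S):
        if OFFICE_EXT.search(m.group(1)):
            names.add(m.group(1).decode("latin-1"))
    for d, data in _streams(pdf):
        if b"/EmbeddedFile" in d and (data.startswith(OLE_MAGIC) or data.startswith(ZIP_MAGIC)):
            names.add("<embedded stream with Office container magic>")
    return sorted(names)

# Constructed sample: a minimal PDF skeleton with one Filespec (named like the campaign's
# "Receipt <numbers>" lures) and a Flate-compressed EmbeddedFile starting with OLE magic.
_payload = zlib.compress(OLE_MAGIC + b"\x00" * 16)
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Filespec /F (Receipt 48823.doc) /EF << /F 2 0 R >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
    + str(len(_payload)).encode() + b" >>\nstream\n" + _payload + b"\nendstream\nendobj\n"
    + b"%%EOF\n"
)
```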
In examples uncovered by Check Point, the emails were made to look like they were sent from a tax agency, and ostensibly warn the recipients about inconsistencies in their tax returns. The attached file (Dokument.zip) they are instructed to open is made to look like a document file, but is actually an application. If the victim downloads and opens it, it will perform a myriad of silent changes on the target machine, all geared towards setting up a malicious proxy server, which will allow the attacker to gain complete access to all victim communication.

"[The malware] uses sophisticated means to monitor—and potentially alter—all HTTP and HTTPS traffic to and from the infected Mac. This means that the malware is capable, for example, of capturing account credentials for any website users log into, which offers many opportunities for theft of cash and data," Malwarebytes researchers explained. "Further, OSX.Dok could modify the data being sent and received for the purpose of redirecting users to malicious websites in place of legitimate ones."

In another instance, unearthed by Malwarebytes, another variant of the same dropper doesn't do the fake "OS X Updates Available" routine, but installs an open source backdoor named Bella, generally available from GitHub. The software is a Python script capable of extracting a wide variety of sensitive data from macOS machines (passwords, keychain, screenshots, location data, iMessage and SMS chat transcripts, etc.). This version of the script has been configured to connect to a C&C server in Moscow.

"Business users should be aware that this malware could exfiltrate a large amount of company data, including passwords, code signing certificates, hardware locations and much more. If you've been infected, contact your IT department," the researchers advised, and noted that it is unknown whether there is any connection between Noah, the author of Bella, and the creators of the OSX.Dok malware. "Bella may simply have been used by unrelated hackers since it is freely available as open-source software," they pointed out.

Well, the valid developer certificate that has been used to sign the malware has been revoked by Apple, so potential new victims won't be able to open the app and get infected. Of course, future versions of the malware could be signed with another, likely stolen, developer certificate.

In the meantime, though, users who have been hit with OSX.Dok are advised to either erase the hard drive and restore the system from a backup made prior to infection, or get help in cleaning the machine from an expert.

"Removal of the malware can be accomplished by simply removing the two [malicious] LaunchAgents files, but there are many leftovers and modifications to the system that cannot be as easily reversed. Changes to the sudoers file should be reversed and a knowledgeable user can easily do so using a good text editor (like BBEdit), but making the wrong changes to that file can cause serious problems," they noted.

The bad certificate should also be removed, and so should a LaunchAgents file named homebrew.mxcl.tor.plist. But, according to them, "the numerous legitimate command-line tools installed, consisting of tens of thousands of files, cannot be easily removed."
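Two of the remediation points above, the homebrew.mxcl.tor.plist LaunchAgent and the altered sudoers file, can be checked for mechanically before anyone starts hand-editing sudoers. The script below is an added example for this page, not Malwarebytes' tooling; the LaunchAgent file names and the sudoers texts are constructed inputs, and the idea of diffing sudoers against a known-good copy of your own is an assumption about how a defender would verify the file rather than something the write-up prescribes.

```python
"""Check for OSX.Dok artefacts named in the write-up: the homebrew.mxcl.tor.plist
LaunchAgent and rules added to sudoers relative to a known-good baseline."""
import os

IOC_LAUNCH_AGENT = "homebrew.mxcl.tor.plist"   # LaunchAgent file name from the report

def sudoers_rules(text):
    """Normalise sudoers text to a set of rules: comments, blank lines and whitespace
    differences are dropped so cosmetic edits do not register as tampering.
    Note: '#include'/'#includedir' directives are treated as comments on both sides."""
    rules = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.add(" ".join(line.split()))
    return rules

def assess(launch_agent_files, sudoers_text, baseline_sudoers_text):
    """Return findings as (kind, detail) tuples. Pure function over already-read data
    so it can be exercised without a real Mac."""
    findings = []
    for name in launch_agent_files:
        if name.lower() == IOC_LAUNCH_AGENT:
            findings.append(("launch_agent", name))
    added = sudoers_rules(sudoers_text) - sudoers_rules(baseline_sudoers_text)
    for rule in sorted(added):
        findings.append(("sudoers_rule_added", rule))
    return findings

def assess_host(launch_agent_dirs, sudoers_path, baseline_path):
    """Read the live files and assess them. On macOS the directories are typically
    /Library/LaunchAgents and ~/Library/LaunchAgents; /etc/sudoers needs root to read."""
    names = []
    for d in launch_agent_dirs:
        if os.path.isdir(d):
            names.extend(os.listdir(d))
    with open(sudoers_path) as cur, open(baseline_path) as base:
        return assess(names, cur.read(), base.read())

# Constructed sample input: one benign agent beside the reported IoC, and a sudoers
# file that has gained one rule relative to the baseline copy.
SAMPLE_AGENTS = ["com.apple.example.plist", "homebrew.mxcl.tor.plist"]
BASELINE_SUDOERS = "root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\n"
SAMPLE_SUDOERS = BASELINE_SUDOERS + "# added line\nuser ALL=(ALL) ALL\n"
```

Any rule the diff reports should be reviewed against the baseline by hand, exactly the careful edit the researchers describe, rather than removed automatically.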