through a scheme in which hackers posed as students using an online tool to apply for financial aid. The breach may be the most extensive since 2015, when thieves gained access to the tax returns of over 300,000 people by using stolen data and filed fraudulent returns to get refunds. The possibility of an attack became known in early March after the I.R.S. shut down its Data Retrieval Tool, which families used to import tax information to Fafsa, the Free Application for Federal Student Aid, on the Education Department's website. The shutdown, at the height of financial aid application season, caused outrage among parents and students trying to fill out the complicated Fafsa forms. The I.R.S. has been struggling to overhaul its defenses against increasingly sophisticated cyberthreats as its budget shrinks and its staff dwindles. The agency became concerned last fall when it realized that it was possible for criminals to take advantage of the student loan tool that allows aid applicants to automatically populate the applications with their and their parents' tax information. The worry was that thieves might use the stolen data to file fraudulent returns and steal refunds, as they did two years ago. "Fortunately we caught this at the front end," John Koskinen, the I.R.S. commissioner, said Thursday at a Senate Finance Committee hearing. The I.R.S. does not expect the tool to be secure and operational again until October. "Our highest priority is making sure that we protect taxpayers and their identity," he said. But the breadth of the breach remains unknown, and Mr. Koskinen faced tough questions during the hearing as to why he did not act sooner. Senator Orrin G. Hatch of Utah, the Republican chairman of the committee, wondered why Mr. Koskinen had waited several months to shut down the tool after realizing that it might be vulnerable. Mr. Koskinen said he did not want to cut off a tool that millions of financial aid applicants use before the evidence of foul play was clear. After monitoring activity in the system, the I.R.S. noticed an unusual spike of unfinished applications in February that suggested criminals were at work. The commissioner, who in the past has faced calls from many Republican lawmakers to resign, said that the agency had already sent out 35,000 letters to taxpayers and that it was planning to contact 100,000 people to alert them that they might be at risk. The agency believes that fewer than 8,000 fraudulent returns were filed and processed, resulting in refunds issued. The questions about the security of data at the I.R.S. came less than two weeks before tax day and amid new calls from Republicans that Mr. Koskinen resign before his term ends in November. The commissioner has been a boogeyman for Republicans for years, because many in the party think that he has misled them over accusations that the agency overzealously audited certain conservative nonprofit groups.
Google and Facebook have confirmed that they fell victim to an alleged $100m (£77m) scam. In March, it was reported that a Lithuanian man had been charged over an email phishing attack against "two US-based internet companies" that were not named at the time. They had allegedly been tricked into wiring more than $100m to the alleged scammer's bank accounts. On 27 April, Fortune reported that the two victims were Facebook and Google. The man accused of being behind the scam, Evaldas Rimasauskas, 48, allegedly posed as an Asia-based manufacturer and deceived the companies from at least 2013 until 2015. "Fraudulent phishing emails were sent to employees and agents of the victim companies, which regularly conducted multimillion-dollar transactions with [the Asian] company," the US Department of Justice (DOJ) said in March. These emails purported to be from employees of the Asia-based firm, the DOJ alleged, and were sent from email accounts designed to look like they had come from the company, but in fact had not. The DOJ also accused Mr Rimasauskas of forging invoices, contracts and letters "that falsely appeared to have been executed and signed by executives and agents of the victim companies". "We detected this fraud against our vendor management team and promptly alerted the authorities," a spokeswoman for Google said in a statement. "We recouped the funds and we're pleased this matter is resolved." However, the firm did not reveal how much money it had transferred and recouped. Nor did Facebook - but a spokeswoman said: "Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation."
A widely reported e-mail purporting to be a request to share a Google Docs document is actually a well-disguised phishing attack. It directs the user to a lookalike site and grants the site access to the target's Google credentials. If the victim clicks on the prompt to give the site permission to use Google credentials, the phish then harvests all the contacts in the victim's Gmail address book and adds them to its list of targets. The phish appears to have been initially targeted at a number of reporters, but it quickly spread widely across the Internet. Some of the sites associated with the attack appear to have been shut down. The e-mail uses a technique that a Trend Micro report linked last week to Pawn Storm, an ongoing espionage campaign frequently attributed to Russian intelligence operations. The attack uses the OAuth authentication interface, which is also used by many Web services to allow users to log in without using a password. By abusing OAuth, the attack is able to present a legitimate Google dialogue box requesting authorization. However, the authentication also asks permission for access to "view and manage your e-mail" and "view and manage the files in your Google Drive." The fake application used in the Pawn Storm phish (which posed as a Google security alert) was named "Google Defender." Today's phish asks the target to grant access to "Google Docs"—a fake application using the name of Google's service. If the target grants permission, the malicious site will immediately harvest contacts from the target's e-mail and send copies of the original message to them. [Update, 4:40 pm EDT:] Google has struck hard at the worm.
Not only have all the sites associated with the phish been taken offline, but the permissions associated with the worm have been dropped from victims' accounts. The domains used in the attack were registered through NameCheap, and used a Panama-based privacy service to conceal the registration information. The hostnames were pointed at a server behind Cloudflare's content delivery and denial-of-service protection network.
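As an added illustration (not from the article or from Google), the following sketch triages OAuth grant records for the signals the report describes: a third-party client using a Google brand name, broad mail or Drive scopes, and a burst of grants across users. The record layout, client IDs, addresses, timestamps and thresholds are constructed assumptions; the contacts scope is included because the article describes contact harvesting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Google scope URIs for the permissions the article names, plus contacts.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",               # view and manage your e-mail
    "https://www.googleapis.com/auth/drive",  # view and manage Drive files
    "https://www.googleapis.com/auth/contacts",
}
BRAND = re.compile(r"\b(google|gmail)\b", re.IGNORECASE)

def triage(grants, first_party_ids, burst_users=3, window=timedelta(hours=1)):
    """Map each suspicious third-party client_id to the reasons it was flagged."""
    by_client = defaultdict(list)
    for g in grants:
        if g["client_id"] not in first_party_ids:  # allowlisted clients are skipped
            by_client[g["client_id"]].append(g)
    findings = {}
    for cid, rows in by_client.items():
        reasons = []
        if any(BRAND.search(r["app_name"]) for r in rows):
            reasons.append("brand name on third-party client")
        risky = {s for r in rows for s in r["scopes"]} & HIGH_RISK_SCOPES
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
        times = sorted(datetime.fromisoformat(r["granted_at"]) for r in rows)
        users = {r["user"] for r in rows}
        # Simplified burst check: all grants for this client fall inside one window.
        if len(users) >= burst_users and times[-1] - times[0] <= window:
            reasons.append(f"burst: {len(users)} users within {window}")
        if len(reasons) >= 2:  # require corroborating signals before flagging
            findings[cid] = reasons
    return findings

# Constructed sample records; layout, client IDs and addresses are made up.
MAIL, DRIVE = "https://mail.google.com/", "https://www.googleapis.com/auth/drive"
CONTACTS = "https://www.googleapis.com/auth/contacts"
CAL_RO = "https://www.googleapis.com/auth/calendar.readonly"
FIRST_PARTY = {"first-party-placeholder"}
SAMPLE = [
    {"user": f"user{i}@example.org", "app_name": "Google Docs",
     "client_id": "constructed-111", "scopes": [MAIL, CONTACTS],
     "granted_at": f"2024-01-01T09:0{i}:00"} for i in range(3)
] + [
    {"user": "user9@example.org", "app_name": "Calendar Helper",
     "client_id": "constructed-222", "scopes": [CAL_RO],
     "granted_at": "2024-01-01T09:05:00"},
    {"user": "user9@example.org", "app_name": "Google Drive",
     "client_id": "first-party-placeholder", "scopes": [DRIVE],
     "granted_at": "2024-01-01T09:06:00"},
]

if __name__ == "__main__":
    for cid, why in triage(SAMPLE, FIRST_PARTY).items():
        print(cid, why)
```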
As of June 2016, more than 150 million active users interact with one another daily via Snapchat. Others are drawn by the service's more recent features. Those include Snapcash, a method introduced for users to send mobile payments to their friends. Given the app's popularity, it's no wonder online criminals have set their sights on hacking users' Snapchat accounts. For instance, back in late 2013, a group of hackers published a database containing the usernames and phone numbers of approximately 4.6 million Snapchat users. Nefarious individuals could have used that information to profile targets across multiple web accounts. We also can't forget about the security incident that occurred back in February 2016. In that attack, someone posed as the company's CEO and convinced a Snapchat employee to send over payroll information. The successful phish ultimately compromised dozens of employees' identities. To be fair, a mega breach on the scale of what affected LinkedIn, Tumblr, and Yahoo has yet to strike the messaging app. But that's not to say criminals aren't trying to find a way into people's accounts. Hackers clearly have Snapchat in their sights, which is why users need to learn how to spot the warning signs of a hack and how they can recover their accounts if someone compromises them.
PhishMe security researchers warn that the Locky ransomware is relying on the same delivery infrastructure that was previously used for the Sage ransomware distribution. Cybercriminals often share infrastructure with one another, so the fact that Locky and Sage use the same resources is not that surprising. However, it also shows that the crooks behind Locky are working on securing new distribution venues after the main Locky distributor – Necurs botnet – recently went silent. The Sage ransomware first appeared on the malware stage at the end of last year and was analyzed early this year. The first distribution email messages relied on racy or explicit narratives to fool victims into opening the malicious attachments. Later, the operators abandoned this tactic and started using business-related themes and random numbers in the subjects to avoid spam filters. Some of the delivery emails didn't come with a subject at all, but they did use the victim's name in the file attachment name. This file attachment was usually a double-zipped archive that contained a malicious .js file or an Office document. Other messages posed as rejected financial transaction, failed deposit/refund or canceled order alerts in order to trick the users into opening them. The campaign, according to PhishMe, used a .zip file (named "document_1.zip") containing a JavaScript application, which would download the Sage ransomware in the form of a Windows executable. The payload was retrieved from the domain affections[.]top, and the malware relied on the same payment gateway's Tor site as before, as well as the Tor2Web gateway addresses on rzunt3u2 [ . Then, however, on January 26th, another phishing campaign was spotted distributing the Locky ransomware, leveraging the same email messages and metadata. ] top was used as a part of the distribution for this infection on January 30th.
"This connection pushes the narrative forward in yet another way as the Locky distribution in question was yet another example of that ransomware being paired with the Kovter Trojan". The connection between Kovter and Locky has already been analyzed a couple of times. Most recently, Microsoft discovered a two-step delivery technique which intended to drop Locky first, but if that failed, it switched to dropping the Kovter Trojan. This sharing of infrastructure between Locky and Sage once again proves how cybercriminals often reuse delivery infrastructure and malware support. The overlapping distribution of these two ransomware pieces can be seen as evidence of the commodity status for such infections.
Qatar is set to host the 2022 FIFA Soccer World Cup, and to do so, the country must build a number of stadiums. Additionally, Qatar's economy is also in full bloom, and many companies taking advantage of local tax-free zones are also driving a real-estate boom, with tens of buildings being built every year. At the heart of Qatar's roaring construction sector are migrant workers, usually from East-Asian countries, such as India, Bangladesh, and most often Nepal. Loopholes in local legislation allow employers to withhold passports and force employees to work under appalling conditions, facing steep penalties, and even jail time if they try to leave the country before their contract expires. These conditions have attracted the attention of many activists, organizations, and journalists, who have published damning reports, even going as far as asking FIFA to revoke the rights to hold the 2022 World Cup until Qatar revises its labour laws. Claudio Guarnieri, a security researcher working for Amnesty International, has published a report today that reveals how an unknown person or group has created a fake persona named Saleena Malik, which they used to get close to journalists and activists. The primary goal was to become friends with potential victims, and after months of having private conversations, lure the target into accessing a phishing page disguised as a Google login, and collect their credentials. Malik's phishing attacks didn't happen right away, but always after the victim had time to get acquainted with her fake persona. In most cases, Malik posed as a person with similar interests in activism and Qatar's migrant labor laws. After months of private conversations via email, LinkedIn and/or Facebook, Malik would eventually invite a target to access a document or connect via Google Hangouts.
In all cases, before accessing Malik's documents or Google Hangouts, the victim would first be prompted by a fake login page that collected their credentials. Guarnieri, who was alerted to Malik's actions by one of the targeted journalists, was able to identify where these phishing pages were hosted and where they sent data for storage. This is how the researcher tracked down at least 30 other victims of Malik's expert phishing attacks. Additionally, with collaboration from victims, Guarnieri was also able to discover that the people behind the Malik persona had also accessed some of the phished Gmail accounts. The intruder's IP address belonged to a local Qatar Internet service provider. What the researcher wasn't able to find was who was behind the attacks. His guesses include the government of Qatar, another government wanting to make Qatar look bad, or a contractor hired by one of the construction firms or a government agency. In a statement for Amnesty International, a spokesperson for the government of Qatar denied any involvement. This particular set of attacks shows a deep knowledge of social engineering, and especially phishing tactics. Whoever was behind this campaign had the knowledge, skills and patience to wait for the seeds he planted to bear fruit many months later.