the CEO through email. Director of Human Resources Christopher Martin said that his payroll account's manager received an email from someone who claimed to be Scott Wise, the company's CEO. The person then requested all 4,000 employees' 2016 W-2 forms in PDF format. After discovering that Wise did not send the email, Martin contacted the Internal Revenue Service about the breach. Reports have also been filed with the Federal Bureau of Investigation and Indiana State Police. Martin plans on contacting all affected employees about what they can do to protect themselves from unauthorized use of their personal information. No suspect information has been released at this time. CEO Scott Wise released a statement saying: "Unfortunately, Scotty's was the target of and fell victim to scammers, as so many other companies have. Scotty's employees and customers are of tremendous importance to the company and Scotty's regrets any inconvenience to its employees that may result from this scamming incident. Scotty's will continue to work with federal and local law enforcement, the Internal Revenue Service and credit bureaus to bring the responsible party or parties to justice."
After national reports in the press this week of bank customers being targeted by a 'smishing' scam, including a man from Coventry, Trading Standards is advising all residents to be on their guard. Smishing messages (SMS + phishing) usually contain a phony telephone number to call or a link to a counterfeit website that will ask you to enter personal details or transfer money because your account is supposedly at risk. They can also ask you to call or text a premium-rate number they have created, running up a large bill. In the reports this week, three customers of the same bank received text messages saying that there had been unusual activity on their accounts and giving a phone number to call. When they called, the customers were convinced to give access to their online banking, which generated a security code that was then used to siphon money from their accounts. 'Take Five' is a new campaign by Financial Fraud Action UK (FFA UK) designed to tackle financial fraud and is the first national campaign to be backed by all the major banks and other financial service providers across the UK. You can protect yourself from financial fraud by remembering some simple advice:
- Never disclose security details, such as your PIN or full password. It's never okay to reveal these details.
- Don't assume an email request or caller is genuine. People aren't always who they say they are.
- Don't be rushed. A genuine bank or organisation won't mind waiting to give you time to stop and think.
- Listen to your instincts. If something feels wrong, it is usually right to pause and question it.
- Stay in control. Have the confidence to refuse unusual requests for information.
With financial fraud getting ever more sophisticated, anyone can be targeted and incidents are on the increase. Trading Standards advises always being cautious with any unsolicited approach.
Employees of the US NGOs Fight for the Future and Free Press were targeted with complex spear-phishing attempts between July 7 and August 8, the Electronic Frontier Foundation (EFF) reported today. Both organizations targeted in the attacks are currently fighting for Net Neutrality in the US. Based on currently available evidence, the attacks appear to have been orchestrated by the same attacker, located in a timezone between UTC+3 and UTC+5:30, said EFF Director of Cybersecurity Eva Galperin and EFF security researcher Cooper Quintin.

At least one victim fell for the attacks

"Although this phishing campaign does not appear to have been carried out by a nation-state actor and does not involve malware, it serves as an important reminder that civil society is under attack," the two said today. "It is important for all activists, including those working on digital civil liberties issues in the United States, to be aware that they may be targeted by persistent actors who are well-informed about their targets' personal and professional connections." At least one victim fell for the 70 fake emails sent during the phishing attempts. The attackers didn't deliver malware but lured victims to a remote site designed to phish Google, Dropbox, and LinkedIn credentials. "The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time," EFF said. The most creative of the spear-phishing emails arrived with the subject line "You have been successfully subscribed to Pornhub.com" or "You have been successfully subscribed to Redtube.com," two very popular adult video portals. Minutes later, victims received another email made to look like it was coming from the same two services. These second emails contained explicit subject lines. Because the spear-phishing emails were aimed at work addresses, most victims would have been inclined to unsubscribe from the incoming emails. This was the catch: the attackers doctored the unsubscribe link, leading victims to a fake Google login screen.

Attackers used different tactics as the campaign progressed

The PornHub and RedTube phishes were not the only ones. The attackers also used other tactics:
- Links to generic documents that asked users to enter credentials before viewing.
- LinkedIn message notifications that tried to trick users into giving away LinkedIn credentials.
- Emails disguised to look like they were coming from family members sharing photos, but which asked the victim to log in and give away credentials instead.
- Fake email notifications for hateful comments posted on the target's YouTube videos. When the victim followed the link included in the email, they would have to enter Google credentials before performing the comment moderation actions.
- Emails that looked like a friend was sharing interesting news stories. Topics and subject lines used include:
  - Net Neutrality Activists 'Rickroll' FCC Chairman Ajit Pai
  - Porn star Jessica Drake claims Donald Trump offered her $10G, use of his private jet for sex
  - Reality show mom wants to hire a hooker for her autistic son
In one case, one of the targeted activists received a request from a user asking for a link to buy her music. When the target replied, the attacker answered back with a Gmail phishing link, claiming the buy link didn't work. EFF experts say that two-factor authentication, where victims had it turned on, would have prevented the attackers from logging into their accounts even if they had managed to obtain the password.
BT MAIL users should be on alert, as a new email scam has been discovered which could be used to gain access to personal details. Users of BT's popular email service should be aware of a new scam which is targeting customers across the UK. The latest threat, which was unleashed over the weekend, suggests that customers' bills are overdue and need to be paid as soon as possible. The full message reads: "Your latest bill is now overdue. You can view it online at My BT or on the app. To log in, you'll need your BT ID. This is usually your email address. You need to pay it as soon as possible to avoid service intreruption!" The scam then attempts to trick users by suggesting they should click a link to pay their outstanding bill. There are plenty of warning signs about this message, including obvious spelling errors and the fact that there's no official BT branding on the email. Another reason why this is clearly fake is that it's been sent to people who don't even use BT as their email provider. One person hit by the scam told Express.co.uk that they received the email on Sunday and have never had a BT broadband or BT email account. UK police have also sent out an alert warning BT customers about this latest scam and advising them to be cautious when clicking links embedded within emails. In a tweet, Warwickshire Police said they had "received an email from BT re an outstanding bill today - there are links on it to pay the bill. This is an obvious scam," the message on Twitter continued. "Please if you receive a similar one DO NOT CLICK ON THE LINKS - BT have been made aware." Express.co.uk has contacted BT for comment on this latest scam. BT has plenty of advice on its website about staying safe online. The broadband supplier states that internet scams can take many forms, from 'phishing', where a fake email or website will try to get you to part with your bank account information, to scams pretending to be from online auction, job or other websites that try to collect your personal data. Not sure if an email you've received is genuine? Don't click on it, and never give out your account or bank details. Stay safe by being aware of "phishing" and other scams that might find their way into your inbox.
A NEW DVLA car tax scam is doing the rounds online which could see motorists duped into entering sensitive information and being ripped off by criminals. Here's what to do if you receive this message. DVLA car tax scams are not a new thing, and every couple of months a new one does the rounds. Criminals pose as the Driver and Vehicle Licensing Agency in a bid to extort motorists of their cash by requesting their bank details. These crooks usually try to achieve this by threatening a monetary punishment of some sort or, in other cases, by stating that the driver is entitled to a refund. The problem is that some motorists could fall for the fraudulent messages, especially as they often look fairly professional and can even contain the logo of the DVLA. Motorist Jason Price, however, was not fooled by the latest attempt by fraudsters trying to get him to hand over his details. Mr Price tweeted a link to the email that he received from the criminal pretending to be the DVLA. The subject of the email is "You are not up-to-date with your vehicle tax", followed by a bogus item reference number, which presumably is meant, in some way, to make the email seem more legitimate. The contents of the email claim that the driver is not up to date with their vehicle tax and state that this is their 'last chance' to pay the remainder of the fee. It reads: "Our records show that you are not up-to-date with your vehicle tax. This is a reminder (V11) and a 'last chance' warning letter from us. Tax your car, motorcycle or other vehicle today to avoid unpleasant consequences. You must tax your vehicle even if you don't have to pay anything, for example if you're exempt because you're disabled. You'll need to meet all the legal obligations for drivers before you can drive." It also states that "You can be fined up to £1,000 if you do not renew your car tax". The DVLA has issued numerous warnings to customers in the past about how it will never contact motorists in this way: "#SCAM WARNING: We're reminding customers that the only official place to find our services and information is on http://GOV.UK. Cyber scams are common so we want to help our customers to spot fraudulent activity." If you receive an email or message like this you should either report it or instantly delete it, and not click the link in the message. If you're unsure about the validity of a message, you can ring the licensing agency.
Noticed more emails and texts lately claiming to be from your bank, and not just yours? You're not the only one. Action Fraud, the UK police's dedicated fraud tracking team, has revealed a significant increase in reports about phishing attacks connected to TSB's massive IT outage. A total of 176 complaints have been received, or around ten a day since April 30. "There has been an uptick in phishing attempts across the piece," says an Action Fraud spokesperson. TSB's banking meltdown, caused by a botched IT upgrade, still has not been remedied nearly four weeks on. And the crisis has become paydirt for scammers and hackers, who have waded into a confusing, chaotic situation and are making off with thousands of pounds' worth of savings from people's accounts. And it's not just TSB: the number of phishing texts claiming to be from other banks such as Barclays and NatWest also seems to be on the rise. "When a 'change' goes wrong and so publicly like TSB's, it's like cyber blood in the water," explains Ian Thornton-Trump, chief technical officer of Octopi Managed Services, an IT company. "Cyber criminals pay attention to companies rocked by internal scandals or public 'ball drops' and react accordingly." With the bank's staff overloaded trying to fix the problems that caused the outage in the first place, fraudulent transactions aren't being tracked or checked as quickly as they should be. "It is a sad fact that fraudsters might try to take advantage of situations like these," says a TSB spokesperson. The scammers are using one of the most common tools in their arsenal: phishing attacks. They send out mass texts and emails to customers, many of whom identify themselves as TSB's customers in increasingly irate social media posts, with links to legitimate-sounding but fraudulent websites. Customers are encouraged to click a link and input their username and password to process their complaints against the company, and lose control of their bank account. Lucy Evans, 23, is one customer who has had her cash stolen. Her TSB current account was looted, and she's received a number of texts purporting to be from TSB. She was defrauded by a combination of phone calls and texts. "I think I was targeted whilst we couldn't actually view our money," says Evans. "Criminals are happy to exploit people's misery, whatever form that might take," says Professor Alan Woodward, a cybersecurity specialist from the University of Surrey. "Criminals can pretend to be the bank and ask customers to undertake strange actions that under normal operations would seem suspicious. Customers might be so delighted to actually be able to access their web banking that they might just let their guard down that little bit more than usual." TSB has to act more proactively to shut down fraudulent domains and to make the public more aware of the scams circulating, Woodward argues. "TSB need to up their game in responding to customers, as that very lack of response can be used to lure customers in." For those who have fallen victim, the loss of money is adding insult to injury. "I'm certain I'll move banks," says Evans, who lost the contents of her current account. "Most of the staff have been helpful and apologetic, but this should have been resolved by now. It seems they are not fit for purpose."
A massive phishing campaign targeting Google accounts ripped through the internet on Wednesday afternoon. Several people online across a range of industries said they received emails containing what looked like a link to a Google Doc that appeared to come from someone they know. These, however, were malicious emails designed to hijack their accounts. It's unclear exactly how the attack works at the moment, but it does appear to be highly sophisticated. A Reddit user has a good breakdown of what happens exactly when you click on the Google Doc button. In a few words, when you click on the link, the login screen takes you to a genuine Google domain, but that domain asks you to grant access to an app called Google Docs that is not the real Google Docs. And the "Google Docs" app reads all your email and contacts, and then self-propagates by sending more emails. We've also heard reports that Google Drive was down, and experienced the outage ourselves, but cannot yet confirm whether that is related to the attack. (It'd be a hell of a coincidence, although Drive appears to be working again.) "We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts," Google said in a statement sent to Motherboard. "We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail." In a subsequent statement, Google said that the phishing campaign was halted "within approximately an hour" and that it "affected fewer than 0.1% of Gmail users." While that sounds low, considering that Gmail has around 1 billion users, that's still around one million victims.
Google users today were hit with an extremely convincing phishing spree launched by attackers who manipulated Google Docs' legitimate third-party sharing mechanism. Targets received messages with a subject like "[Sender] has shared a document on Google Docs with you", often from senders they knew. The messages contained links which led to a page that clearly requested access to the user's Gmail account. If the target user grants access, the attack begins sending spam to all the user's contacts. Theoretically, the attacker could also access the victim's messages and steal sensitive data, but thus far there have been no reports of such activity. Because it takes advantage of Google's legitimate third-party sharing mechanism, the phishing message is much more difficult to identify as malicious. The icons and messaging are familiar to Google users. Gmail itself did not filter the messages as phishing or flag them as spam, but rather delivered them to Gmail users' "Primary" inbox folders. The senders were familiar enough to have the target in their contact lists. One way to spot the attack: some targets report that the message includes a recipient with an address that begins "hhhhhhhhhhhhhh" and ends with the domain "mailinator.com". Google responded with a fix and issued a statement: "We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail. If you think you were affected, visit http://g.co/SecurityCheckup". Those who have already fallen victim to this attack should also go to their Google account permissions settings and revoke access to the false "Google Docs" application. They're also advised to set up two-factor authentication.
A massive phishing campaign took place today, but Google's security staff was on hand and shut down the attacker's efforts within an hour after users first reported the problem on Reddit. According to multiple reports on Twitter, the attacks first hit journalists, businesses, and universities, but later spread to many other users as well. The attack itself was quite clever, if we can say so ourselves. Victims received a legitimate (non-spoofed) email from one of their friends that asked them to click on a button to receive access to a Google Docs document. If users clicked the button, they were redirected to the real Google account selection screen, where a fake app titled "Google Docs" (not the real one) asked the user's permission to authorize it to access the shared document. In reality, the app only wanted access to the user's Gmail inbox and contact list. After gaining access to these details, the fake app copied the user's contact list and sent a copy of itself to the new set of targets, spreading itself to more and more targets. The email was actually sent to "hhhhhhhhhhhhhhhh@mailinator.com", with the user's email address added as BCC. Following the incident, Mailinator intervened and blocked any new emails from arriving in that inbox. Because of this self-replicating feature, the phishing attack spread like wildfire in a few minutes, just like the old Samy worm that devastated MySpace over a decade ago. Fortunately, one Google staff member was visiting the /r/Google Reddit thread and was able to spot a trending topic detailing the phishing campaign. The Google engineer forwarded the Reddit thread to the right person, and within an hour after users first complained about the issue, Google had already disabled the fake app's ability to access the Google OAuth screen. Later on, as engineers had more time to investigate the issue, Google issued the following statement: "We have taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail." There are no reports that malware was deployed in the phishing attack. Cloudflare was also quick to take down all the domains associated with the phishing attack. Users that clicked on the button inside the phishing email can go to the https://myaccount.google.com/permissions page and see whether they granted the app permission to access their account. The real Google Docs isn't listed in this section, as it does not need permissions, being an official Google property.
A Twitter user by the name @EugenePupov is trying to take credit for the massive phishing attack that hit Gmail users last night, which attempted to trick users into granting permission for a fake Google Docs app to access their Gmail inbox details. While Google intervened and stopped the self-spreading attack about an hour after it started, which is a pretty good response time, questions still linger about who was behind it. If there's one thing we know for sure, it is that the fake Google Docs app was registered using the email eugene.pupov@gmail.com. The owner of the aforementioned @EugenePupov Twitter account, who took credit for the attacks, claimed in a series of tweets [assembled below] that it was only a test. While some might think this is an open-and-shut case, it is not quite so. For starters, the Twitter account was registered yesterday, on the same day as the attack, which isn't necessarily suspicious, but it's odd. Second, if you try to reset that Twitter account's password, you'll see that the Twitter account isn't registered with the same address used in the phishing attacks. Registering a Twitter account with the eugene.pupov@gmail.com email wouldn't have been possible either way, as this Gmail address isn't registered at all. Furthermore, a Coventry University spokesperson told Bleeping Computer today that no person with the name Eugene Pupov is currently enrolled at their institution. Later they confirmed it on Twitter. If things weren't shady enough, the Twitter account used a profile image portraying a molecular biologist named Danil Vladimirovich Pupov, from the Institute of Molecular Genetics at the Russian Academy of Sciences. When other users called out [1, 2] the Twitter account for using another person's image, the man behind the @EugenePupov account simply changed it to a blank white image. To clarify what exactly is going on with the Twitter account images, we've reached out to the real Danil Pupov hoping for some answers, as we weren't able to find any good reason why a molecular biologist would fiddle around with Gmail spam campaigns and fake Google Docs apps. As things are looking right now, it appears that someone is either in the mood for a prank, or the real person behind the attack is trying to plant a false flag and divert the attention of cyber-security firms investigating the incident [1, 2]. As for Google, after a more thorough investigation, the company says that only 0.1% of all Gmail users received the phishing email that contained the link to Pupov's fake Google Docs app, which requested permission to access users' inboxes. That's around one million users of Gmail's one-billion-plus userbase.
Google has stopped Wednesday's clever email phishing scheme, but the attack may very well make a comeback. One security researcher has already managed to replicate it, even as Google is trying to protect users from such attacks. "It looks exactly like the original spoof," said Matt Austin, director of security research at Contrast Security. The phishing scheme, which may have circulated to 1 million Gmail users, is particularly effective because it fooled users with a dummy app that looked like Google Docs. Recipients of the email were invited to click a blue box that said "Open in Docs." Those who did were brought to an actual Google account page that asks them to hand over Gmail access to the dummy app. While fooling users with spoofed emails is nothing new, Wednesday's attack involved an actual third-party app made with real Google processes. The company's developer platform lets anyone create web-based apps. In this case, the culprit chose to name the app "Google Docs" in an effort to trick users. The search company has shut down the attack by removing the app. It's also barred other developers from using "Google" in naming their third-party apps. More traditional phishing email schemes strike by tricking users into giving up their login credentials. Wednesday's attack, however, takes a different approach and abuses what's known as the OAuth protocol, a convenient way for internet accounts to link with third-party applications. Through OAuth, users don't have to hand over any password information. They instead grant permission so that a third-party app can connect to their internet account at, say, Google, Facebook or Twitter. But like any technology, OAuth can be exploited. Back in 2011, one developer even warned that the protocol could be used in a phishing attack with apps that impersonate Google services. Nevertheless, OAuth has become a popular standard used across IT. CloudLock has found that over 276,000 apps use the protocol through services like Google, Facebook and Microsoft Office 365. For instance, the dummy Google Docs app was registered to a developer at eugene.pupov@gmail.com, a red flag that the product wasn't real. However, the dummy app still managed to fool users because Google's own account permission page never plainly listed the developer's information unless the user clicked through the page to find out, Parecki said. "I was surprised Google didn't show much identifying information with these apps," he said. "It's a great example of what can go wrong." Rather than hiding those details, all of them should be shown to users, Parecki said. Austin agreed, and said apps that ask for permission to Gmail should include a more blatant warning about what the user is handing over. "I'm not on the OAuth hate bandwagon yet. I do see it as valuable," Austin said. "But there are some risks with it." Fortunately, Google was able to quickly foil Wednesday's attack, and is introducing "anti-abuse systems" to prevent it from happening again. Users who might have been affected can do a Google security checkup to review what apps are connected to their accounts. The company's Gmail Android app is also introducing a new security feature to warn users about possible phishing attempts. It's tempting to install apps and assume they're safe. But users and businesses need to be careful when linking accounts to third-party apps, which might be asking for more access than they need, Cloudlock's Kaya said. "Hackers have a head start exploiting this attack," she said. "All companies need to be thinking about this."
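As an added, defender-side illustration of the two checks the Google Docs reports above describe (not code from any of the articles or from Google): a triage function that scores a raw share-notification message against the reported indicators (the all-h mailinator recipient, the share subject, and a link that is an OAuth consent request for mailbox scopes), and a review of third-party grants as a user would see them on the account permissions page. The sample messages, client id, redirect address and grant list are constructed; the scope strings are illustrative.

```python
"""Triage for the May 2017 "Google Docs" OAuth phishing worm, built from the
indicators the reports above give. All sample data in this file is constructed."""
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# The worm addressed each mail to an all-h mailinator sink and put the victim in BCC.
WORM_TO_ADDRESS = re.compile(r"^h{8,}@mailinator\.com$", re.IGNORECASE)
# Subject template that victims reported.
SHARE_SUBJECT = re.compile(r"has shared a document on Google Docs with you", re.IGNORECASE)
HREF = re.compile(r"""href=["']([^"']+)["']""", re.IGNORECASE)
# A document share never needs mailbox or contact access; these markers flag scopes that grant it.
SENSITIVE_SCOPE_MARKERS = ("mail.google.com", "gmail", "contacts")


def oauth_request_scopes(url):
    """Return the scopes requested by an OAuth 2.0 authorization URL (RFC 6749
    section 4.1.1 carries them in the ``scope`` query parameter); [] otherwise."""
    params = parse_qs(urlparse(url).query)
    if "client_id" in params and "scope" in params:
        return params["scope"][0].split()
    return []


def triage_share_mail(raw_message):
    """Score one raw RFC 822 message. Returns the indicator names that matched,
    in a fixed order, so a caller can decide how many hits justify quarantine."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    to_header = msg["To"]
    to_addrs = [a.addr_spec for a in to_header.addresses] if to_header else []
    if any(WORM_TO_ADDRESS.match(a) for a in to_addrs):
        hits.append("to-is-mailinator-sink")
    looks_like_share = bool(SHARE_SUBJECT.search(str(msg["Subject"] or "")))
    if looks_like_share:
        hits.append("docs-share-subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in HREF.findall(text):
        scopes = oauth_request_scopes(url)
        if looks_like_share and any(m in s for s in scopes for m in SENSITIVE_SCOPE_MARKERS):
            # The button led to a genuine Google consent screen, so the link's
            # domain is clean: the tell is the mailbox scope being requested.
            hits.append("share-link-requests-mailbox-access")
            break
    return hits


def review_grants(grants):
    """grants: dicts with "app", "developer" and "scopes" as shown on the account
    permissions page. Returns (app, reason) pairs worth revoking: a name claiming
    to be a Google product while the developer is not a google.com address (the
    fake app was registered to a gmail.com developer), or a non-Google app that
    holds mailbox or contacts scope."""
    findings = []
    for g in grants:
        dev_domain = g["developer"].rsplit("@", 1)[-1].lower()
        if "google" in g["app"].lower() and dev_domain != "google.com":
            findings.append((g["app"], "name-claims-google-product"))
        elif dev_domain != "google.com" and any(
            m in s for s in g["scopes"] for m in SENSITIVE_SCOPE_MARKERS
        ):
            findings.append((g["app"], "third-party-holds-mailbox-scope"))
    return findings


# Constructed worm-style message: placeholder client id and redirect, illustrative scopes.
SAMPLE_WORM_MAIL = """\
From: Alice Example <alice@example.com>
To: hhhhhhhhhhhhhhhh@mailinator.com
Bcc: bob@example.org
Subject: Alice Example has shared a document on Google Docs with you
Content-Type: text/html; charset=utf-8

<p>Alice Example has invited you to view the following document:</p>
<a href="https://accounts.google.com/o/oauth2/auth?client_id=PLACEHOLDER-CLIENT-ID\
&scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts\
&redirect_uri=https://docs-share.example/">Open in Docs</a>
"""

# Constructed genuine-looking share: same subject, but the link is a plain document URL.
SAMPLE_BENIGN_MAIL = """\
From: Carol Example <carol@example.com>
To: bob@example.org
Subject: Carol Example has shared a document on Google Docs with you
Content-Type: text/html; charset=utf-8

<a href="https://docs.google.com/document/d/PLACEHOLDER-DOC-ID/edit">Open in Docs</a>
"""

# Constructed grant list as a victim might see it after clicking through the worm.
SAMPLE_GRANTS = [
    {"app": "Google Docs", "developer": "eugene.pupov@gmail.com",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"app": "Calendar Helper", "developer": "dev@calendar-helper.example",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
```

The benign sample shows why the subject alone is a weak signal: it matches, but without the mailbox-scope consent link it yields a single low-value hit.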
Late last April a friend of mine had his iPhone stolen in the streets—an unfortunately familiar occurrence in big, metropolitan areas in countries like Brazil. He managed to buy a new one, but kept the same number for convenience. Nothing appeared to be out of the ordinary at first—until he realized the thief had changed his Facebook password. Fortunately, he was able to recover and update it, as his phone number was tied to his Facebook account. But a pickpocket accessing his victim’s Facebook account is quite unusual. After all, why would a crook be interested in his victim’s Facebook account when the goal is usually to use or sell the stolen device? It didn’t stop there; a day after, my friend curiously received a phishing SMS message on his new phone. What’s interesting here is the blurred line between traditional felony and cybercrime—in particular, the apparent teamwork between crooks and cybercriminals that results in further—possibly more sophisticated—attacks.
Figure 1: SMS message with a link to a phishing page
The SMS message, written in Portuguese, translates to: “Dear user: Your device in lost mode was turned on and found; access here and view its last location:”. The message was accompanied by a link pointing to hxxp://busca-devices[.]pe[.]hu, which we found to be a phishing page with a log-in form asking for Apple ID credentials. We then checked the last location of his stolen iPhone; the official iCloud website indeed confirmed that it was where he had the phone snatched.
Figure 2: Phishing page asking for Apple ID credentials
Connecting the dots, it appears the modus operandi is to physically steal the victim’s phone (while in use, so they can still access the apps), uncover the device’s number, then try changing the password of installed social networking (and possibly email) apps—probably to extort the victim in the future—before turning the stolen device off as soon as possible. Attackers then try to grab the victim’s Apple ID credentials using a phishing page and a socially engineered SMS message pretending to be from Apple. Apart from perpetrating identity theft, getting their hands on Apple credentials allows them to disable the Activation Lock feature in iOS devices, which would enable them to wipe the phone (as part of an attack, or for them to reuse the device).
Figure 3: iCloud phishing page advertised in the Brazilian underground
Interestingly, we came across an iCloud phishing page peddled for R$135 (roughly equivalent to US$43 as of May 4, 2017) during one of our recent forays into the Brazilian underground. The phishing page offered for rent came with a video tutorial explaining how the service works. Coincidence? While there may be no direct correlation, it wouldn’t be surprising if it somehow intersects with my friend’s iPhone scam situation—given how Apple credentials are one of the commodities sold in Brazil’s online underworld. In fact, this kind of attack has been reported in Brazil as early as 2015. The moral of my friend’s story? Traditional crime and cybercrime are not mutually exclusive and can, in fact, work together in seemingly bigger attacks or malicious schemes. Another lesson learned? Physical security strengthens cybersecurity. This rings true—even intuitive—not only for individual end users.
Organizations understand that the risks of attacks are just as significant if their workplace’s perimeters aren’t as properly secured as their virtual/online walls. Indeed, today’s increasingly intricate—and in a lot of cases, brazen—attacks, whether physical or in cyberspace, call for being more proactive. Being aware of red flags in phishing scams, securing the privacy of mobile apps, and adopting best practices for BYOD devices are just some of the measures. These are complemented by physically securing mobile devices—from password-protecting important documents to employing biometrics or strong PINs to prevent unauthorized access to the device’s apps. Users can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Apple devices (available on the App Store), which can monitor and block phishing attacks and other malicious URLs. For organizations, especially those that use BYOD devices, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protecting devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, and detecting and blocking malware and fraudulent websites. With help from our colleagues at PhishLabs, we were able to take down the phishing pages that were still online. We also disclosed our findings related to this threat to Apple. The domains we uncovered related to this scam are in this appendix.