Just a friendly reminder that phishing scams Attack.Phishing which spoof Attack.Phishing the boss and request W-2 tax data on employees are intensifying as tax time nears . The latest victim shows that even cybersecurity experts can fall prey to these increasingly sophisticated attacks . On Thursday , March 16 , the CEO of Defense Point Security , LLC — a Virginia company that bills itself as “ the choice provider of cyber security services to the federal government ” — told all employees that their W-2 tax data was handed Attack.Databreach directly to fraudsters after someone inside the company got caught Attack.Phishing in a phisher ’ s net . Alexandria , Va.-based Defense Point Security ( recently acquired by management consulting giant Accenture ) informed current and former employees this week via email that all of the data from their annual W-2 tax forms — including name , Social Security Number , address , compensation , tax withholding amounts — were snared Attack.Databreach by a targeted spear phishing email . “ I want to alert you that a Defense Point Security ( DPS ) team member was the victim of a targeted spear phishing email that resulted in the external release Attack.Databreach of IRS W-2 Forms for individuals who DPS employed in 2016 , ” Defense Point CEO George McKenzie wrote in the email alert to employees . “ Unfortunately , your W-2 was among those released outside of DPS . ” W-2 scams Attack.Phishing start with spear phishing emails usually directed at finance and HR personnel . The scam emails will spoof Attack.Phishing a request from the organization ’ s CEO ( or someone similarly high up in the organization ) and request all employee W-2 forms . Defense Point did not return calls or emails seeking comment . An Accenture spokesperson issued the following brief statement : “ Data protection and our employees are top priorities . Our leadership and security team are providing support to all impacted employees. ” Fraudsters who perpetrate tax refund fraud prize W-2 information because it contains virtually all of the data one would need to fraudulently file someone ’ s taxes and request a large refund in their name . Scammers in tax years past also have massively phished Attack.Phishing online payroll management account credentials used by corporate HR professionals . This year , they are going after people who run tax preparation firms , and W-2 ’ s are now being openly sold in underground cybercrime stores . Tax refund fraud affects hundreds of thousands , if not millions , of U.S. citizens annually . Victims usually first learn of the crime after having their returns rejected because scammers beat them to it . Even those who are not required to file a return can be victims of refund fraud , as can those who are not actually due a refund from the IRS .

A flaw in Safari – that allows an attacker to spoof Attack.Phishing websites and trick Attack.Phishing victims into handing over their credentials – has yet to be patched Vulnerability-related.PatchVulnerability . A browser address bar spoofing flaw was found Vulnerability-related.DiscoverVulnerability by researchers this week in Safari – and Apple has yet issue Vulnerability-related.PatchVulnerability a patch for the flaw . Researcher Rafay Baloch on Monday disclosed Vulnerability-related.DiscoverVulnerability two proof-of-concepts revealing Vulnerability-related.DiscoverVulnerability how vulnerabilities in Edge browser 42.17134.1.0 and Safari iOS 11.3.1 could be abused to manipulate the browsers ’ address bars , tricking victims into thinking they are visiting a legitimate website . Baloch told Threatpost Wednesday that Apple has promised to fix Vulnerability-related.PatchVulnerability the flaw in its next security update for Safari . “ Apple has told [ me ] that the latest beta of iOS 12 also addresses Vulnerability-related.PatchVulnerability the issue , however they haven ’ t provided any dates , ” he said . Apple did not respond to multiple requests for comment from Threatpost . Microsoft for its part has fixed Vulnerability-related.PatchVulnerability the vulnerability Baloch found Vulnerability-related.DiscoverVulnerability in the Edge browser , ( CVE-2018-8383 ) in its August Patch Tuesday release . According to Microsoft ’ s vulnerability advisory released Vulnerability-related.PatchVulnerability August 14 , the spoofing flaw exists because Edge does not properly parse HTTP content . Both flaws stem from the Edge and Safari browsers allowing JavaScript to update the address bar while the page is still loading . This means that an attacker could request data from a non-existent port and , due to the delay induced by the setInterval function , trigger the address bar spoofing . The browser would then preserve the address bar and load the content from the spoofed page , Baloch said in his blog breaking down both vulnerabilities . From there , the attacker could spoof Attack.Phishing the website , using it to lure Attack.Phishing in victims and potentially gather credentials or spread malware . For instance , the attacker could send Attack.Phishing an email message containing the specially crafted URL to the user , convince the user to click it , and take them to the link which could gather their credentials or sensitive information . “ As per Google , Address bar is the only reliable indicator for ensuring the identity of the website , if the Address bar points to Facebook.com and the content is hosted on attacker ’ s website , there is no reason why someone would not fall for this , ” Baloch told Threatpost . In a video demonstration , Baloch showed how he could visit a link for the vulnerable browser on Edge ( http : //sh3ifu [ . ] com/bt/Edge-Spoof.html ) , which would take him to a site purporting to be Attack.Phishing Gmail login . However , while the URL points to a Gmail address , the content is hosted on sh3ifu.com , said Baloch . The Safari proof-of-concept is similar , except for one constraint where it does not allow users to type their information into the input boxes while the page is in a loading state . However , Bolach said he was able to circumvent this restriction by injecting a fake keyboard using Javascript – a common practice in banking sites . No other browsers – including Chrome or Firefox – were discovered Vulnerability-related.DiscoverVulnerability to have the flaw , said Baloch . Baloch is known for discovering Vulnerability-related.DiscoverVulnerability similar vulnerabilities in Chrome , Firefox and other major browsers in 2016 , which also allowed attackers to spoof URLs in the address bar . The vulnerabilities were disclosed Vulnerability-related.DiscoverVulnerability to both Microsoft and Apple and Baloch gave both a 90-day deadline before he went public Vulnerability-related.DiscoverVulnerability with the flaws . Due to the Safari browser bug being unpatched Vulnerability-related.PatchVulnerability , Baloch said he has not yet released a Proof of Concept : “ However considering there is a slight difference between the Edge browser POC and Safari , anyone with decent knowledge of Javascript can make it work on Safari , ” he told us .

A flaw in Safari – that allows an attacker to spoof Attack.Phishing websites and trick Attack.Phishing victims into handing over their credentials – has yet to be patched Vulnerability-related.PatchVulnerability . A browser address bar spoofing flaw was found Vulnerability-related.DiscoverVulnerability by researchers this week in Safari – and Apple has yet issue Vulnerability-related.PatchVulnerability a patch for the flaw . Researcher Rafay Baloch on Monday disclosed Vulnerability-related.DiscoverVulnerability two proof-of-concepts revealing Vulnerability-related.DiscoverVulnerability how vulnerabilities in Edge browser 42.17134.1.0 and Safari iOS 11.3.1 could be abused to manipulate the browsers ’ address bars , tricking victims into thinking they are visiting a legitimate website . Baloch told Threatpost Wednesday that Apple has promised to fix Vulnerability-related.PatchVulnerability the flaw in its next security update for Safari . “ Apple has told [ me ] that the latest beta of iOS 12 also addresses Vulnerability-related.PatchVulnerability the issue , however they haven ’ t provided any dates , ” he said . Apple did not respond to multiple requests for comment from Threatpost . Microsoft for its part has fixed Vulnerability-related.PatchVulnerability the vulnerability Baloch found Vulnerability-related.DiscoverVulnerability in the Edge browser , ( CVE-2018-8383 ) in its August Patch Tuesday release . According to Microsoft ’ s vulnerability advisory released Vulnerability-related.PatchVulnerability August 14 , the spoofing flaw exists because Edge does not properly parse HTTP content . Both flaws stem from the Edge and Safari browsers allowing JavaScript to update the address bar while the page is still loading . This means that an attacker could request data from a non-existent port and , due to the delay induced by the setInterval function , trigger the address bar spoofing . The browser would then preserve the address bar and load the content from the spoofed page , Baloch said in his blog breaking down both vulnerabilities . From there , the attacker could spoof Attack.Phishing the website , using it to lure Attack.Phishing in victims and potentially gather credentials or spread malware . For instance , the attacker could send Attack.Phishing an email message containing the specially crafted URL to the user , convince the user to click it , and take them to the link which could gather their credentials or sensitive information . “ As per Google , Address bar is the only reliable indicator for ensuring the identity of the website , if the Address bar points to Facebook.com and the content is hosted on attacker ’ s website , there is no reason why someone would not fall for this , ” Baloch told Threatpost . In a video demonstration , Baloch showed how he could visit a link for the vulnerable browser on Edge ( http : //sh3ifu [ . ] com/bt/Edge-Spoof.html ) , which would take him to a site purporting to be Attack.Phishing Gmail login . However , while the URL points to a Gmail address , the content is hosted on sh3ifu.com , said Baloch . The Safari proof-of-concept is similar , except for one constraint where it does not allow users to type their information into the input boxes while the page is in a loading state . However , Bolach said he was able to circumvent this restriction by injecting a fake keyboard using Javascript – a common practice in banking sites . No other browsers – including Chrome or Firefox – were discovered Vulnerability-related.DiscoverVulnerability to have the flaw , said Baloch . Baloch is known for discovering Vulnerability-related.DiscoverVulnerability similar vulnerabilities in Chrome , Firefox and other major browsers in 2016 , which also allowed attackers to spoof URLs in the address bar . The vulnerabilities were disclosed Vulnerability-related.DiscoverVulnerability to both Microsoft and Apple and Baloch gave both a 90-day deadline before he went public Vulnerability-related.DiscoverVulnerability with the flaws . Due to the Safari browser bug being unpatched Vulnerability-related.PatchVulnerability , Baloch said he has not yet released a Proof of Concept : “ However considering there is a slight difference between the Edge browser POC and Safari , anyone with decent knowledge of Javascript can make it work on Safari , ” he told us .

“ Over the past several weeks , we have seen a combination of attack techniques . One , where an attacker impersonates a travel agency or someone inside a company . Recipients are told an email contains an airline ticket or e-ticket , ” said Asaf Cidon , vice president , content security services at Barracuda Networks . Attachments , he said , are documents rigged with malware or are designed to download it from a command and control server . Cidon said other aviation-themed phishing attacks Attack.Phishing contain links to spoofed Attack.Phishing airline sites . In these types of attacks , adversaries go to great lengths to spoof Attack.Phishing the airline ’ s site . “ It ’ s clear there is some degree of advanced reconnaissance that takes place before targeting individuals within these companies , ” Cidon said . Recent phishing campaigns Attack.Phishing , he said , are targeting logistic , shipping and manufacturing industries . Barracuda ’ s warning comes a week after the U.S. Computer Emergency Readiness Team issued an alert of similar attacks targeting airline consumers . It warned email-based phishing campaigns Attack.Phishing were attempting to obtain credentials as well . “ Systems infected through phishing campaigns act as an entry point for attackers to gain access Attack.Databreach to sensitive business or personal information , ” according to the US-CERT warning . Delta said some victims were sent Attack.Phishing emails that claimed to contain invoices or receipts inside attached documents . When asked about the warning , Delta declined to comment . More troubling to Barracuda researchers was the success rate adversaries are having with phishing campaigns Attack.Phishing it is tracking Attack.Phishing . “ Our analysis shows that for the airline phishing attack Attack.Phishing , attackers are successful over 90 percent of the time in getting employees to open airline impersonation emails , ” Cidon wrote in a research note posted Thursday . “ This is one of the highest success rates for phishing attacks Attack.Phishing ” . In June , Microsoft Malware Protection Center reported a resurgence in the use of Office document macro attacks . Researchers say crooks attempting to install malware and perpetrate credential-harvesting attacks Attack.Databreach are more likely to use social engineering to trick Attack.Phishing people into installing malware than to exploit vulnerabilities with tools such as exploit kits .

Google has stopped Wednesday ’ s clever email phishing scheme Attack.Phishing , but the attack may very well make a comeback . One security researcher has already managed to replicate it , even as Google is trying to protect users from such attacks . “ It looks exactly like Attack.Phishing the original spoof Attack.Phishing , ” said Matt Austin , director of security research at Contrast Security . The phishing scheme Attack.Phishing -- which may have circulated Attack.Phishing to 1 million Gmail users -- is particularly effective because it fooled Attack.Phishing users with a dummy app that looked like Attack.Phishing Google Docs . Recipients who received Attack.Phishing the email were invited to click a blue box that said “ Open in Docs. ” Those who did were brought to an actual Google account page that asks them to handover Gmail access to the dummy app . While fooling Attack.Phishing users with spoofed emails is nothing new , Wednesday ’ s attack involved an actual third-party app made with real Google processes . The company ’ s developer platform can enable anyone to create web-based apps . In this case , the culprit chose to name the app “ Google Docs ” in an effort to trick Attack.Phishing users . The search company has shut down the attack by removing the app . It ’ s also barred other developers from using “ Google ” in naming their third-party apps . More traditional phishing email schemes Attack.Phishing can strike by tricking Attack.Phishing users into giving up their login credentials . However , Wednesday ’ s attack takes a different approach and abuses what ’ s known as the OAuth protocol , a convenient way for internet accounts to link with third-party applications . Through OAuth , users don ’ t have to hand over any password information . They instead grant permission so that one third-party app can connect to their internet account , at say , Google , Facebook or Twitter . But like any technology , OAuth can be exploited . Back in 2011 , one developer even warned that the protocol could be used in a phishing attack Attack.Phishing with apps that impersonate Attack.Phishing Google services . Nevertheless , OAuth has become a popular standard used across IT . CloudLock has found that over 276,000 apps use the protocol through services like Google , Facebook and Microsoft Office 365 . For instance , the dummy Google Docs app was registered to a developer at eugene.pupov @ gmail.com -- a red flag that the product wasn ’ t real . However , the dummy app still managed to fool Attack.Phishing users because Google ’ s own account permission page never plainly listed the developer ’ s information , unless the user clicks the page to find out , Parecki said . “ I was surprised Google didn ’ t show much identifying information with these apps , ” he said . “ It ’ s a great example of what can go wrong. ” Rather than hide those details , all of it should be shown to users , Parecki said . Austin agreed , and said apps that ask for permission to Gmail should include a more blatant warning over what the user is handing over . “ I ’ m not on the OAuth hate bandwagon yet . I do see it as valuable , ” Austin said . “ But there are some risks with it. ” Fortunately , Google was able to quickly foil Wednesday ’ s attack , and is introducing “ anti-abuse systems ” to prevent it from happening again . Users who might have been affected can do a Google security checkup to review what apps are connected to their accounts . The company ’ s Gmail Android app is also introducing a new security feature to warn users about possible phishing attempts Attack.Phishing . It 's tempting Attack.Phishing to install apps and assume they 're safe . But users and businesses need to be careful when linking accounts to third-party apps , which might be asking for more access than they need , Cloudlock 's Kaya said . `` Hackers have a headstart exploiting this attack , '' she said . `` All companies need to be thinking about this . ''

Social media phishing attacks Attack.Phishing jumped by a massive 500 % in Q4 , driven by a huge increase in fraudulent accounts including many posing as Attack.Phishing customer support for big name brands , according to Proofpoint . The security vendor revealed the findings in its Q4 2016 Threat Summary and Year in Review report . It claimed Attack.Phishing fraudulent accounts across sites like Twitter and Facebook increased 100 % from the third to fourth quarter . Such accounts are used for phishing Attack.Phishing , malware distribution , spam and other ends . In fact , Proofpoint observed a 20 % increase in Facebook and Twitter spam from Q3 to Q4 , with the quarter recording the second highest spam volume in the year . Yet it was a particular variety of phishing that caught the eye . So-called “ angler phishing Attack.Phishing ” is a relatively new tactic in which the black hats register fake Twitter accounts that masquerade as Attack.Phishing customer support accounts . They monitor the real support accounts for irate customer messages and then quickly jump in to send messages back to those users loaded with malicious links . The tactic was particularly common among financial services and entertainment accounts , according to the report . Elsewhere , the number of new ransomware variants grew 30-fold over Q4 , and malicious email campaigns grew significantly , with Q4 's largest campaign 6.7 times the size of Q3 's . Some of the biggest campaigns apparently involved hundreds of millions of messages dropping Locky ransomware . However , there was some good news , with scams involving the spoofing of CEO emails sent to Attack.Phishing CFOs falling 28 % in the final quarter . This is partly because CFOs are more cautious about the veracity of such messages , but can also be linked to a 33 % surge in DMARC implementation which helped to block attempts to spoof Attack.Phishing the CEO ’ s email address . In addition , exploit kits remained at low levels of activity after some high profile Angler EK arrests in Q2 , although large scale malvertising campaigns persisted , Proofpoint claimed .