. But a source told the BBC that the most sensitive Foreign Office information is not kept on the systems targeted by the hackers . Research published on Thursday by cybersecurity firm F-Secure suggested the attackAttack.Phishingwas a "spear-phishing" campaignAttack.Phishing, in which people were sentAttack.Phishingtargeted emails in attempts to foolAttack.Phishingthem into clicking a rogue link or handing over their username and password . To do this , the attackers created a number of web addresses designed to resembleAttack.Phishinglegitimate Foreign Office websites , including those used for accessing webmail . F-Secure does not know whether the attack was successful . The company says the domains were created by hackers that it calls the Callisto Group , which it says is still active . However the UK 's National Cyber Security Centre ( NCSC ) declined to say who was behind the attack on the Foreign Office . The targeted emails that were sent outAttack.Phishingtried to foolAttack.Phishingtargets into downloading malware which was first developed for law enforcement by the Italian software company Hacking Team . Hacking Team 's surveillance tools were previously exposed in a cyberattack , first reported in 2015 . There is no suggestion that Hacking Team had any involvement in the attacks . F-Secure said that the use of the software should remind governments that they `` do n't have monopolies on these [ surveillance ] technologies '' , and that once created the software can fall into the hands of hackers . The BBC has not seen evidence conclusively identifying the origin of the attack . A cybersecurity expert at another company , who wished to remain anonymous , found a link to information uncovered in the investigation of Russian efforts to influence the US election . Two of the phishing domains used by the hackers were once linked to an IP address mentioned in a US government report into Grizzly Steppe . Grizzly Steppe is the name given by the US government to efforts by `` Russian civilian and military intelligence services to compromise and exploit networks and endpoints associated with the US election '' . However , the cybersecurity expert noted that this connection between the phishing domain and Grizzly Steppe may be a coincidence , as over 300 other domains - many of them not hacking-related - were linked to the same IP address . F-Secure told the BBC that it did notice some similarity between the Callisto Group 's hacking and previous attacks that have been linked to Russia . However , it said despite some similarities in the tactics , techniques , procedures and targets of the Callisto Group , and the Russia-linked group known as APT28 , it believed the two were `` operationally '' separate . It noted that the Callisto Group was also less `` technically capable '' than APT28 .
The Russian hacking group blamed for targeting U.S. and European elections has been breaking intoAttack.Databreachemail accounts , not only by trickingAttack.Phishingvictims into giving up passwords , but by stealingAttack.Databreachaccess tokens too . It 's sneaky hack that 's particularly worrisome , because it can circumvent Google 's 2-step verification , according to security firm Trend Micro . The group , known as Fancy Bear or Pawn Storm , has been carrying out the attackAttack.Phishingwith its favored tactic of sending outAttack.Phishingphishing emails , Trend Micro said in a report Tuesday . The attackAttack.Phishingworks by sending outAttack.Phishinga fake email , pretending to beAttack.Phishingfrom Google , with the title “ Your account is in danger. ” An example of a phishing email that Fancy Bear has usedAttack.Phishing. The email claims that Google detected several unexpected sign-in attempts into their account . It then suggests users install a security application called “ Google Defender. ” However , the application is actually a ruse . In reality , the hacking group is trying to dupeAttack.Phishingusers into giving up a special access token for their Google account , Trend Micro said . Victims that fall for the scheme will be redirected to an actual Google page , which can authorize the hacking group 's app to view and manage their email . Users that click “ allow ” will be handing over what ’ s known as an OAuth token . Although the OAuth protocol does n't transfer over any password information , it 's designed to grant third-party applications access to internet accounts through the use of special tokens . In the case of Fancy Bear , the hacking group has leveraged the protocol to buildAttack.Phishingfake applications that can foolAttack.Phishingvictims into handing over account access , Trend Micro said . “ After abusing the screening process for OAuth approvals , ( the group ’ s ) rogue application operatesAttack.Phishinglike every other app accepted by the service provider , ” the security firm said . Even Google 's 2-step verification , which is designed to prevent unwarranted account access , ca n't stop the hack , according to Trend Micro . Google 's 2-step verification works by requiring not only a password , but also a special code sent to a user 's smartphone when logging in . Security experts say it 's an effective way to protect your account . However , the phishing schemeAttack.Phishingfrom Fancy Bear manages to sidestep this security measure , by trickingAttack.Phishingusers into granting access through the fake Google security app . Google , however , said it takes many steps to protect users from such phishing attacksAttack.Phishing. `` In addition , Google detects and reviews potential OAuth abuse and takes down thousands of apps for violating our User Data Policy , such as impersonatingAttack.Phishinga Google app , '' the company said in a statement . `` Note that a real Google app should be directly accessed from a Google site or installed from the Google Play or Apple App stores , '' it added . According to Trend Micro , victims were targeted with this phishing attackAttack.Phishingin 2015 , and 2016 . In addition to Google Defender , Fancy Bear has used other apps under names such as Google Email Protection and Google Scanner . They ’ ve also gone after Yahoo users with apps called Delivery Service and McAfee Email protection . The attackAttack.Phishingattempts to trickAttack.Phishingusers into handing over access to their email through fake Google third-party applications . “ Internet users are urged to never accept OAuth token requests from an unknown party or a service they did not ask for , ” Trend Micro said . Although a password reset can sometimes revoke an OAuth token , it 's best to check what third-party applications are connected to your email account . This can be done by looking at an email account 's security settings , and revoking access where necessary . Fancy Bear is most notorious for its suspected role in hacking the Democratic National Committee last year . However , the group has also been found targeting everything from government ministries , media organizations , along with universities and think tanks , according to Trend Micro .
Google users today were hitAttack.Phishingwith an extremely convincing phishing spreeAttack.Phishinglaunched by attackers who manipulated Google Docs ' legitimate third-party sharing mechanism . Targets receivedAttack.Phishingmessages with the subject like `` [ Sender ] has shared a document on Google Docs with you '' often from senders they knew . The messages contained links , which led to a page that clearly requested access to the user 's Gmail account . If the target user provides access , the attackAttack.Phishingbegins sendingAttack.Phishingspam to all the user 's contacts . Theoretically , the attacker could also accessAttack.Databreachthe victim 's messages and stealAttack.Databreachsensitive data , but thus far there have been no reports of such activity . Because it takes advantage of Google 's legitimate third-party sharing mechanism , the phishing message is much more difficult to identify as malicious . The icons and messaging are familiar to Google users . Gmail itself did not filter the messages as phishingAttack.Phishingor flag them as spam , but rather sent them to Gmail users ' `` Primary '' inbox mail folders . The senders were familiar enough to have the target in their contact lists . One way to spot the attack : some targets report that the message includes a recipient with an address that begins `` hhhhhhhhhhhhhh '' and ends with the domain `` mailinator.com . '' Google responded with a fix and issued a statement : `` We have taken action to protect users against an email impersonatingAttack.PhishingGoogle Docs , and have disabled offending accounts . We ’ ve removed the fake pages , pushedVulnerability-related.PatchVulnerabilityupdates through Safe Browsing , and our abuse team is working to prevent this kind of spoofingAttack.Phishingfrom happening again . We encourage users to report phishing emails in Gmail . If you think you were affected , visit http : //g.co/SecurityCheckup '' Those who have already fallen victim to this attack should also go to their Google account permissions settings and revoke access to the false `` Google Docs '' application . They 're also advised to set up two-factor authentication .