Double Barrel Throwdown Results

The winner of our inaugural Double Barrel Throwdown is @_tdudley. Her scenario leveraged curiosity: posing as a recruiter, the email entices the recipient to click a link to find out about a lucrative job opportunity. This original idea was persuasive (who isn’t curious about an exciting job opportunity?) and realistic (recruiters send out emails like this all the time to corporate email addresses). Overall, the decision was not easy, but her entry stood above the rest when judged against our criteria: originality, persuasiveness, and realism.

PhishMe Unveils Phish Reporter at Black Hat USA 2013

CHANTILLY, Va., July 31, 2013 — PhishMe, the leading provider of security behavior management services that improve employees’ resilience towards spear phishing, malware, and drive-by attacks, today announced the availability of its patent-pending Phish Reporter™, the first technology available to enterprises that aggregates and normalizes user-provided reports of suspicious emails. Phish Reporter is an Outlook Add-in that installs a button on the user’s toolbar, allowing users to report suspected phishing emails with a single click and improving the organization’s detection of and response time to threats.

An untapped resource to improve threat detection

Speaking in front of the House Committee on Special Intelligence earlier this year, Kevin Mandia (CEO of Mandiant) remarked that, “One of the most valuable resources in detecting and responding to cyber attacks is accurate and timely threat intelligence.” Despite its value, many organizations don’t have a way to get timely threat intelligence.

How can organizations improve in this area? If you know anything about us, it probably won’t shock you that we’re encouraging enterprises to focus on their users as a source of real-time threat intelligence. Given that the vast majority of targeted attacks focus on the end user as the primary point of entry, many compromises go through employees first, making them a potential (and largely untapped) source of intelligence about threats. Up until now, however, we’ve focused solely on the end user’s ability to recognize cyber attacks. We’ve proven users can be trained to improve their behavior toward phishing attacks, and we believe they are capable of more.

Royal Baby Spam and Malware Attack Happening Now

It’s unfortunate, but when the general public is captivated by a certain news story, cybercriminals are hard at work exploiting the publicity that the story attracts. Exploitation can take many forms. In the cybersecurity space, we often see fake news stories about trending topics floating around. Fake news is becoming a serious problem, and it is becoming harder to differentiate fake news from real news. Those fake news stories often have one sole purpose: to trick Internet users into clicking on a malicious link.

Such is the case right now. The public is captivated by content about the new royal baby – His Royal Highness Prince George of Cambridge – born to the Duke and Duchess of Cambridge on Tuesday.

This was the topic of a spam email campaign that purported to have been sent by CNN Breaking News. When users click on the link contained in the email, they are infected with a malicious Trojan. That Trojan steals financial data from the user.

As Gary Warner explains in his blog post this morning, “As many sources reported earlier today, an email claiming to be from CNN’s ‘Scribbler’ provided a link to ‘Watch Live Hospital Updates’ of the Royal Baby.”

What do Harrison Ford, President Obama, and Edward Snowden have in common with The Royal Baby?

They were all subjects of fake “CNN Breaking News” stories delivered by spam email today. Those messages all contained links to malicious websites which automatically downloaded malware to users’ computers when clicked. In fact, PhishMe maintains a database of hundreds of copies of these and other similar emails; a small selection of the subject lines used in yesterday’s spam emails is listed below:

“Snowden able to leave Moscow airport” – BreakingNews CNN
“Harrison Ford on ‘Ender’s Game’ controversy: ‘Not an issue for me’”
“Obama speech to urge refocus”
“Perfect gift for royal baby … a tree?” – BreakingNews CNN

To demonstrate the relatedness of the spam, a list of the URLs used by each of the four campaigns is given at the end of this article, labeled “Snowden”, “Ender”, “Obama”, or “Tree” to correspond with each campaign. We threw all of the advertised URLs into a fetcher and found malicious files at each of the destinations. The first link (from earlier in the day) pointed to two JavaScript files that redirected the visitor to an Exploit Kit that would drop malware onto their computer. The second (later in the day, and still live at the time of writing) pointed to three JavaScript files that redirected the user to a different Exploit Kit site.
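The relatedness check described above can be reproduced from reported messages alone: lures that look unrelated by subject line turn out to share one landing page. The following is an added example (not code from the original post or from PhishMe). The four subject lines are the ones quoted in the post and the landing path is the one the post names; the hosts, the query string and the fifth, unrelated report are constructed placeholders.

```python
"""Added example: cluster reported spam lures by their landing URL.

Subjects are taken from the post; hosts (*.invalid), the query string and the
fifth "Unrelated" report are constructed so the script runs offline.
"""
from collections import defaultdict
from urllib.parse import urlparse

REPORTS = [
    {"label": "Snowden",
     "subject": "Snowden able to leave Moscow airport - BreakingNews CNN",
     "url": "http://host-a.invalid/topic/accidentally-results-stay.php"},
    {"label": "Ender",
     "subject": "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'",
     "url": "http://host-b.invalid/topic/accidentally-results-stay.php"},
    {"label": "Obama",
     "subject": "Obama speech to urge refocus",
     # Mixed case and a tracking parameter, as reported copies often arrive.
     "url": "HTTP://Host-C.invalid/Topic/Accidentally-Results-Stay.php?id=3"},
    {"label": "Tree",
     "subject": "Perfect gift for royal baby ... a tree? - BreakingNews CNN",
     "url": "http://host-d.invalid/topic/accidentally-results-stay.php"},
    {"label": "Unrelated",  # constructed control case with its own landing path
     "subject": "Your parcel could not be delivered",
     "url": "http://host-e.invalid/track/parcel.php"},
]


def landing_key(url):
    """Host-independent clustering key: the lowercased path, query string dropped."""
    return urlparse(url).path.lower() or "/"


def cluster_by_landing(reports):
    """Map each landing key to the labels of the reports that share it."""
    clusters = defaultdict(list)
    for report in reports:
        clusters[landing_key(report["url"])].append(report["label"])
    return dict(clusters)


def mentions_brand(reports, brand):
    """Labels whose subject names the spoofed brand; a weaker, lure-dependent signal."""
    return [r["label"] for r in reports if brand.lower() in r["subject"].lower()]


if __name__ == "__main__":
    for path, labels in cluster_by_landing(REPORTS).items():
        print(f"{path}: {', '.join(labels)}")
    print("subjects naming CNN:", mentions_brand(REPORTS, "CNN"))
```

Grouping on the spoofed brand in the subject line catches only two of the four lures, while the landing path ties all four together and keeps the unrelated report apart, which is why a landing-URL key is the more useful first pass when triaging a batch of user reports.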

I’ve added spaces to the URLs for your protection – DO NOT VISIT ANY OF THOSE URLS!!! – Doing so will result in infection with malware.

Early morning version (redirects to / topic / accidentally-results-stay.php):
- index.html with MD5 = 958a887fcfcad89b3fdeea4b58e55905
- which loads two JavaScript files: / kurile / teeniest.js and / prodded / televised.js

Afternoon version (redirects to / topic / accidentally-results-stay.php):
- index.html with MD5 = bc73afe28fc6b536e675cea4ac468b7d
- which loads three JavaScript files: / advantageously / autopilots.js, / mussiest / syndicating.js and / drubbing / mouthful.js

Since it was late in the day by the time I was able to review these myself, I infected myself with the afternoon version, which is still an active infector as of this timestamp.
I got a randomly named 297,472 byte file, detected as Zeus by 11 of 46 anti-virus vendors.

Adobe Flash Player Update?

After infecting an end user, the website tries to trick the user into “upgrading Adobe Flash Player”, but while the graphics made it appear that I was on the genuine Adobe site, I was not.

After “installing” my Adobe update, my sandbox went crazy and also fetched malware from a number of different locations.

After the second infection, my sandbox went to “ / forum / viewtopic.php”, which caused a string of additional infections to occur. The initial infection was Zeus. Zeus is a well-known financial information-stealing malware that also provides criminals with full remote-control capabilities over the infected computer. The additional malware served another form of malicious income generation.

Files fetched during the second infection, with VirusTotal detection counts:
- “f7Qsfao.exe” (VirusTotal: 8 of 46) – “Tepfor” or “Medfos” malware
- “dbm.exe” (VirusTotal: 8 of 46)
- “q7ojEH7.exe” (VirusTotal: 4 of 46)
- “SAQjaWu.exe” (VirusTotal: 8 of 46)

Medfos, one of the malware names given to several of the above, is an “Advertisement redirection” malware campaign. Microsoft did a great job explaining how Medfos works in their blog post, Medfos – Hijacking Your Daily Search on the Microsoft Malware Protection Center – back in September. Some of the sites that seem to be related to this Medfos installation include “” (IP: and “” (IP:

According to our friends at Domain Tools, that last IP address is associated with a whole world of “Pay Per Click” fraud domains, including:
Hopefully, tying these malware samples to that activity can help someone clean up that mess! (Attention: Leaseweb!)

What is the definition of phishing?

According to a recent infographic produced by via resource, 37.3 million users were subject to phishing attacks in 2012, but what definition of phishing is being used? What does phishing actually mean?

As consumers increase the amount of time that they spend online, cybercriminals are ramping up their productivity – launching larger, more efficient and increasingly targeted attacks against brands both in and outside the financial services industry.

PhishMe delivers email-based anti-phishing solutions. Through our interactions with prospects and customers, we’ve realized that there are several different definitions of phishing floating around and that often the term “phishing” is used interchangeably with terms like “malware” and “spam”.

What’s in a word? Well, it’s an important distinction. While phishing, malware and spam are all rampant in today’s threatscape, they are not one and the same. Pure phishing threats are analyzed and acted upon differently than spam and malware.

A general definition of phishing by Wikipedia:

“Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”

Phishing is, admittedly, a wide-reaching term. There are several ways to carry out a phishing attack, which is likely where some of the confusion comes into play. In the broad sense, you could say that phishing is any attempt by a cybercriminal to steal credentials. This can be carried out via a phishing website where the victim is prompted to enter his credentials, or via a malicious executable.

At PhishMe, we categorize a malicious threat as phishing according to the following two rules:

  1. If the page is representing a brand and asks for any login/personal information.
  2. If the URL is not the brand’s own domain and, when you do a Whois lookup on it, the domain is not registered to that company name. So, if the URL belongs to an unrelated domain but the page displays the logo of a major brand, it is trying to make itself look like that major brand.
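The two rules can be applied mechanically to a reported URL once the brand the page imitates and whether it requests credentials have been recorded by the analyst. The block below is an added example, not PhishMe’s code: it stands in for the Whois step with a constructed table of domains each (fictional) brand is known to own, and uses a deliberately short list of multi-part suffixes where a production version would consult the Public Suffix List.

```python
"""Added example: classify a reported URL with the two rules above.

Rule 1: the page represents a brand and asks for login/personal information.
Rule 2: the URL is not the brand's own domain and Whois does not show the
domain registered to that company.

The Whois lookup is replaced by BRAND_DOMAINS, a constructed offline table
(an assumption of this example, not something from the original post).
"""
from urllib.parse import urlparse

# Constructed allowlist: brand -> registrable domains Whois attributes to it.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.com", "examplebank.co.uk"},
    "examplemail": {"examplemail.com"},
}

# Simplified public-suffix handling; a real implementation would use the
# Public Suffix List rather than this constructed set.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url):
    """Return the registrable (Whois-level) domain of a URL, lowercased."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url, brand_shown, asks_for_credentials):
    """Apply the two rules to one reported page.

    Returns one of:
      'not_phishing' - rule 1 not met; the page may still be spam or malware.
      'unverified'   - rule 1 met, but the brand is not in the registrant table.
      'legitimate'   - rule 1 met, but the domain really belongs to the brand.
      'phishing'     - rules 1 and 2 both met.
    """
    if not brand_shown or not asks_for_credentials:
        return "not_phishing"
    owned = BRAND_DOMAINS.get(brand_shown.lower())
    if owned is None:
        return "unverified"
    if registrable_domain(url) in owned:
        return "legitimate"
    return "phishing"


if __name__ == "__main__":
    # Constructed sample reports: (url, brand the page shows, asks for credentials?)
    samples = [
        ("https://examplebank.com/login", "examplebank", True),
        ("https://secure.examplebank.co.uk/login", "examplebank", True),
        ("http://examplebank.com.account-verify.invalid/login", "examplebank", True),
        ("https://examplebank.com/", "examplebank", False),
        ("http://news.unrelated.invalid/story", None, False),
    ]
    for url, brand, asks in samples:
        print(f"{classify(url, brand, asks):13} {url}")
```

The third sample shows why the comparison has to be made on the registrable domain rather than on the hostname string: the brand name appears in the host, but the domain that Whois would return is the unrelated one at the end, which is exactly the situation rule 2 is written to catch.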

What’s the difference between Phishing and Malware?

The relationship between phishing and malware is a bit blurry, mostly because they often work together to achieve the goal of the cybercriminal. In fact, the term “malware” is often included in phishing discussions.

Now that being said, here is Wikipedia’s malware definition:

“Malware, short for malicious software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.”

“…Malware includes computer viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs; the majority of active malware threats are usually worms or Trojans rather than viruses…”

One key distinction is that not all malware is delivered via email. Malware converges with phishing when it is being used as an accessory to execute the phishing attempt.

When it comes to defining today’s malicious threats, where do you encounter confusion? How do you differentiate between them? Share your thoughts in the comments section below.

Allan Carey Joins PhishMe as Vice President of Marketing

CHANTILLY, Va., July 18, 2013 — PhishMe®, Inc., the leading provider of security behavior management services that improve employees’ resilience towards spear phishing, malware, and drive-by attacks, today announced that Allan Carey has joined as Vice President of Marketing. Carey brings more than 13 years of information security industry experience to PhishMe, including progressive marketing, sales and partner development expertise. In his new role, Carey will be responsible for the global strategy and execution of PhishMe’s marketing initiatives, expanding its market share and supporting the growing success of PhishMe’s sales team and partner alliances.

The Double Barrel Throwdown 2013

One of the great things about the IT Security industry is the intelligent, creative, and interesting people who work in this field. PhishMe challenges you to show just how witty you really are by submitting your best idea for a Double Barrel phishing scenario. Read below for contest details: