Business Email Compromise Phishing Attacks Soaring

Business email compromise phishing attacks are soaring. The profits that can be made from these types of attacks have made them highly popular with cybercriminals. That should be of major concern for all business leaders.

When people ask me “What’s going on with Phishing?” these days I tell them that 2015 will be remembered as the Year of the Email Phish.  Not Email Phish as in “someone sent me a link to a malicious website by email”, but rather Email Phish as in “the goal of this phishing attack is to steal my email password.”  During the calendar month of September 2015, we’ve received nearly 23,000 phishing reports for nearly 7,000 distinct domains that hosted a phishing attack intended primarily to lure the victim into revealing their userid and password.

Here is just a sampling from the 2,150 domains seen this week.  While Dropbox phish were very popular at the beginning of the month, we continue to see multi-brand targeting attacks also for Google Docs, Google Drive, and most recently Adobe ID.



We also continue to see stand-alone AOL, Gmail, Hotmail, Outlook, Outlook Web Access, and Yahoo phish as well.

Targeting email accounts with phishing is certainly not new.  The very first Phishing Trends report from the Anti-Phishing Working Group, in January of 2004, only contained evidence of 176 phishing attacks, but of the 24 brands represented, four were Email service providers — 34 AOL phish, 9 Earthlink phish, 3 Microsoft phish, and 2 Yahoo phish.

The dramatic shift this year might be best demonstrated though by comparing the top 20 phishing brands targeted in September 2014 to the top 20 phishing brands targeted in September 2015.

In September 2014, only 21% of the phishing reports we received at PhishMe were primarily targeting an Email Service Provider. Of 22,000 confirmed phishing reports on 7,160 different domains, 257 different brands were being imitated.  But only two of the top ten brands were Email Service Providers, and those trailed dramatically behind the leading phishing targets.


In September 2015, 62.5% of the phishing reports we received at PhishMe were primarily targeting an Email Service Provider!  Of 47,800 confirmed phishing reports on 12,127 different domains, 333 different brands were being imitated.  While the vast majority of these were financial services industry brands, the Top ten brands were led by five Email Service Providers!  52% of all the domains we saw abused for phishing this month contained attacks designed to steal your email address and password!

What the criminals have realized, but our employees seem to have forgotten, is that your email account is the Keys to the Kingdom!   Criminals are definitely focusing on compromised email accounts as a favorite attack vehicle.  The FBI’s Internet Crime Complaint Center (IC3) shared an Advisory at the end of August warning that more than 7,000 US-based businesses had lost as much as $700 MILLION due to what is being called “Business Email Compromise” scams.  The key to many of these scams begins when a criminal phishes one of your employees in order to study the nature and structure of your company.

  • How do you reset a forgotten password for your bank, credit card, or online store?  They send you an email!
  • How do the criminals learn the types of email that you are accustomed to exchanging in your workplace?  They READ YOUR EMAIL!
  • How do criminals know when you are traveling?   They READ YOUR EMAIL!
  • How do criminals send an email to your friends and co-workers that they are CERTAIN TO OPEN?   They USE YOUR EMAIL TO SEND IT!

So, phishing is on the rise in all of its forms — more financial institutions are targeted than ever before, more phishing websites are created than ever before, and more malware is being delivered than ever before.   But the newest trick that we must all be wary of is that the email we just received from our co-worker?   It may be from your co-worker, or it may be that your co-worker has already fallen for an Email Phishing attack!

So now what?

  1. Be certain if you use a File-sharing site, such as Dropbox, Microsoft OneDrive, Google Drive, or Google Docs, that the email you are following is really from your co-worker!  Warn your co-workers of this type of attack by sharing a link to this blog post!
  2. SET ACCOUNT ALERTING or Two-Step Verification for your email accounts.  If a strange device logs in to your Gmail account, Google can let you know!  Microsoft and Yahoo have similar features as well.  If possible, require Two-Step Verification for access to Email accounts.  Follow the correct link below to learn how to set this feature up for your email!
  3. NEVER RE-USE PASSWORDS!  REMIND YOUR EMPLOYEES that they should never use a password from their business accounts on a non-business account.  Your personal email address and your business email address should have different passwords, as should your bank account, your credit card account, your cell phone provider account, etc.



Vistaprint Abuse – Free Phish for All

Over the last few months, we’ve been seeing a huge influx of attackers using VistaPrint for business email compromise (BEC) scams. Losses due to account takeovers total over a billion dollars, and given the nature of these wire fraud attempts, it’s pretty easy to get the money, unless you’re the VP of finance for PhishMe. Why are attackers using VistaPrint, and what makes them such a middle-man for these attacks?

VIDEO UPDATE: Wire Fraud Phisher attempts to phish PhishMe, instead gets phished by PhishMe

(VIDEO UPDATE LINK: Defending Against Phishing Attacks: Case Studies and Human Defenses by Jim Hansen
• A human centric method of defense
• Attack case studies & attacker technique analysis
• Proactive simulation methods: educating workforces & detecting / thwarting attacks) 

(^ say that title ten times fast)

Every year PhishMe Simulator sends millions of phishing emails to its 500+ enterprise customers’ employees worldwide. PhishMe is hands down the most robust and sophisticated phishing platform in existence. To say that we are a little obsessive about Phishing is a bit of an understatement. In fact, we are sitting on innovations in phishing that the bad guys have yet to figure out.

The difference in PhishMe emails versus the bad guys, is that ours are carefully crafted to deliver a memorable experience. Our experiences are masterfully designed to change human behavior to avoid phishing. So what happens when one of our own employees is on the receiving end of a wire fraud phish? Read on…

Upatre Malware Anti-Sandboxing Mechanism Uncovered

Researchers have been studying the Upatre malware anti-sandboxing mechanism over the course of the past few days, after capturing a number of samples of the malware.

The Upatre malware anti-sandboxing mechanism involves a delay in activity. A 12-minute delay to be precise. That is how long it takes before the malware downloads its malicious payload. The delay is an anti-sandboxing tactic to ensure that the malware is not being executed in a sandbox environment where its actions can be analyzed and studied by security researchers. An early example of this technique can be found in any of the binaries delivered by the spam messages profiled in PhishMe Intelligence database (Threat 4301) using spam email content like that shown in the image below:

Sandbox and analysis evasion is not a new technique for malware. Many of the mechanisms utilized by malware to detect that they are under analysis are exceedingly complex. Those anti-sandboxing mechanisms look for evidence of a sandbox hidden deep in the environment.

This often takes two forms—searching for traces that would indicate that the malware is being run on a virtual machine or searching for tools used by malware researchers to analyze the sample. These tasks require comparison of registry entries, device names, and running processes against known values that would reflect that the environment in which the malware is being run is not a real computer. However, as a result of the ongoing arms race between researchers and threat actors, analysis techniques have been developed that allow for researchers to avoid giving away their presence to the malware’s runtime. In fact, many of these analysis techniques have been implemented in automated and inline sandboxing tools, where advanced and sophisticated virtual machines are used to screen content for malware.

However, the Upatre malware anti-sandboxing mechanism is somewhat different from highly technical anti-sandboxing and analysis techniques. Instead, Upatre malware exploits characteristics of researcher behavior in creating and utilizing analysis environments. A similar tactic is employed by the Dyre Trojan, in that the malware interrogates the number of cores in the computer’s processor, refusing to execute in cases where there is only one. The Dyre Trojan makes the assumption that many analysis sandboxes will utilize a virtualized processor with only one core, while nearly all real, consumer-grade computers will have at least two cores in their processors.

A similar line of thinking is employed in the Upatre malware anti-sandboxing mechanism. The assumption made by the threat actor is that no real computer in use by a human being will be booted immediately before executing the malware binary. Instead, this behavior would be characteristic of a sandbox being started immediately before the introduction and execution of a malware binary.

Upatre malware utilizes the Windows GetTickCount function, which returns the number of milliseconds that have passed since the Windows system was started. This is an effective means of tracking the system’s uptime, giving the malware binary insight into how long the system has been running. This anti-sandboxing mechanism is a simple branch in the malware’s execution logic. If the GetTickCount function returns a value that is too small—less than approximately 720 seconds, or twelve minutes—the malware takes a branch that leads directly to a process exit. However, if GetTickCount returns a value greater than the twelve-minute uptime, the malware will proceed to download and deobfuscate its Dyre malware payload.

Figure 2 shows the assembly code passed to the processor by an Upatre sample utilizing this uptime constraint. The red-highlighted breakpoint is the beginning of the code section where the value returned by GetTickCount is handled, while the black-highlighted line shows this value stored in the processor’s eax register as the hexadecimal value 0x001EA5E. That corresponds to a decimal value of 125,534 representing the approximately 125,000 milliseconds of uptime for the analysis system. After the return, immediately below the black-highlighted entry, the malware branches to either terminate the process or continue with the download and execution of a Dyre sample.
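The uptime gate described above, written out as plain functions so a sandbox operator can check whether a detonation environment would trip it before running a sample. This is an added example and is not code from the PhishMe post or from the Upatre binary; the twelve-minute threshold and the 0x001EA5E register value come from the post, while the exact constant the malware compares against, the Dyre core-count threshold of two, and the use of /proc/uptime as a Linux stand-in for GetTickCount are assumptions made here.

```c
/* Added example (not the post's or Upatre's code): the GetTickCount uptime
 * gate from the post, plus the Dyre-style core-count gate, modelled as pure
 * functions a sandbox pre-flight script can call. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Twelve minutes, from the post. The precise constant inside the binary is
 * not on the page, so 720,000 ms is an assumption. */
#define UPTIME_GATE_MS (12u * 60u * 1000u)
/* Dyre refuses to run with a single core; "at least two" is from the post. */
#define MIN_CORES_GATE 2u

/* True if a sample using the twelve-minute gate would take the exit branch
 * for this GetTickCount value, i.e. treat the host as a sandbox. */
bool upatre_gate_exits(uint32_t tick_count_ms) {
    return tick_count_ms < UPTIME_GATE_MS;
}

/* True if a Dyre-style core-count check would refuse to execute. */
bool dyre_gate_exits(unsigned int core_count) {
    return core_count < MIN_CORES_GATE;
}

/* Sandbox pre-flight helper: milliseconds the VM must still idle before a
 * sample with this gate would proceed past it. Zero means ready to detonate. */
uint32_t ms_until_gate_passes(uint32_t tick_count_ms) {
    return tick_count_ms >= UPTIME_GATE_MS ? 0u : UPTIME_GATE_MS - tick_count_ms;
}

/* Current host uptime in milliseconds. On Windows this is the GetTickCount
 * call the post names; on Linux /proc/uptime is used as a stand-in (assumed
 * here for a Linux-hosted sandbox controller, not something the post covers). */
uint32_t host_uptime_ms(void) {
#ifdef _WIN32
    return GetTickCount();
#else
    double secs = 0.0;
    FILE *f = fopen("/proc/uptime", "r");
    if (f != NULL) {
        if (fscanf(f, "%lf", &secs) != 1) secs = 0.0;
        fclose(f);
    }
    return (uint32_t)(secs * 1000.0);
#endif
}

int main(void) {
    /* Figure 2 in the post: eax = 0x001EA5E after GetTickCount returned on
     * the analysis box, i.e. 125,534 ms of uptime, well under the gate. */
    uint32_t observed = 0x1EA5E;
    printf("analysis box uptime %u ms -> sample %s\n", observed,
           upatre_gate_exits(observed) ? "exits" : "continues");
    printf("idle another %u ms before detonating\n",
           ms_until_gate_passes(observed));

    uint32_t now = host_uptime_ms();
    printf("this host: %u ms uptime, gate %s\n", now,
           upatre_gate_exits(now) ? "would exit" : "passes");
    return 0;
}
```

A sandbox that snapshots a freshly booted VM and detonates immediately will always report a small tick count; letting the image idle past the gate (or restoring from a snapshot taken after a long uptime) is what gives the runtime a chance to reach the download stage. GetTickCount is a 32-bit counter that wraps after roughly 49.7 days, so a host with very long uptime can also read as "just booted" to a check like this.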

By denying researchers or sandboxing tools the ability to observe the malware’s runtime behavior, except under certain specific circumstances, the threat actor preserves an element of secrecy for his or her operations. The indicators by which an Upatre sample can be identified are not revealed, thereby preventing those resources from being shared widely among researchers. Furthermore, since the malware’s hostile behavior lies beyond the crucial uptime-dependent branch, many sandbox tools would not provide visibility into the malware’s fully completed runtime, thereby missing crucial intelligence on this rapidly evolving threat.

PhishMe customers have access to the special report on this topic in their documents folder on PhishMe Intelligence. If you are not currently a PhishMe Intelligence customer and would like further information, please contact the PhishMe team today.

A Peek Inside an Affiliate’s Malspam Operation: Kovter and Miuref/Boaxxe Infections

In March of this year, we saw reports of malspam campaigns using email-attached “.doc.js” files, which tied back to the Kovter and Boaxxe clickfraud trojans. The analysis of these malware families has already been well documented here and here. Therefore, this post will concentrate on the botnet behind the malspam delivery and subsequent download for these recent malspam campaigns. It is believed that the miscreants behind the development of these trojans use an affiliate model to have their malicious wares infect victims via botnet or exploit kit operators.

Yara CTF – The Answers

Hello everyone, and thank you for coming to check out the Yara CTF answers! We had a TON of folks who were interested in the challenge, many submitted answers, and many folks enjoyed the challenges. Some of the best feedback we received was “This was the shortest plane ride over to Vegas. Thanks, PhishMe!”