A Peek Inside an Affiliate’s Malspam Operation: Kovter and Miuref/Boaxxe Infections

In March of this year, reports surfaced of malspam campaigns using email-attached “.doc.js” files that tied back to the Kovter and Boaxxe click-fraud trojans. The analysis of these malware families has already been well documented here and here. This post will therefore concentrate on the botnet behind the malspam delivery and the subsequent downloads in these recent campaigns. It is believed that the miscreants behind the development of these trojans use an affiliate model, having their malicious wares infect victims via botnet or exploit-kit operators.

Yara CTF – The Answers

Hello everyone, and thank you for coming to check out the Yara CTF answers! A TON of folks were interested in the challenge, many submitted answers, and many enjoyed the challenges. Some of the best feedback we received was “This was the shortest plane ride over to Vegas. Thanks, PhishMe!”

PhishMe Named to Inc. 5000 List of Fastest Growing Private Companies; Anti-Phishing Solution Provider Identified as a Top 10 Security Company

LEESBURG, Va., August 17, 2015 – PhishMe® Inc., the leading provider of phishing threat management solutions that empower employees to be a layer of human security sensors against phishing, malware, and drive-by attacks, today announced that Inc. Magazine has named it one of the 2015 Top 5000 Fastest-Growing Private Companies in the U.S. PhishMe ranked in the 89th percentile of all companies evaluated. Among security companies, it ranked in the top 10 nationwide and No. 2 in the State of Virginia.

PhishMe Enhances Real-Time Malicious File Analysis and Notification to Further Strengthen Enterprise Defenses Against Phishing Attacks

LEESBURG, Va. and LAS VEGAS – August 5, 2015 – PhishMe® Inc., the leading provider of phishing threat management solutions that empower employees to be a layer of human security sensors against phishing, malware, and drive-by attacks, today announced enhancements to its PhishMe Triage product. Triage is the industry’s only anti-phishing solution that leverages human intelligence to provide security operations center (SOC) analysts and incident response teams with real-time, automated analysis and insights into live phishing attacks against their organizations. New to Triage are:

Yara CTF, Blackhat 2015

Welcome and good luck on the CTF!

Password: “Go forth and hack!!##one1”, no quotes.

PM_Yara_CTF_2015

One of the challenges is to write an exploit, so please exercise responsible disclosure on this one! We will be working with the developers to get the code patched ASAP!

Please note: Challenge #4 contains a typo. It needs a Yara rule, not a key. Sorry for the error.

Deadline for submissions: We will close the contest at 8 AM (PDT) on Thursday, August 6.

The Danger of Sensationalizing Phishing Statistics

People are often curious about what percentage of users will fall for a phishing attack, and it’s tempting to try to create this kind of statistic. At PhishMe, we’ve found that trying to assign a blanket statistic is counterproductive; however, this hasn’t stopped others in the industry from trying to do so. The most recent company to try is Intel Security (formerly McAfee), which declared that 97% of people globally were unable to correctly identify phishing emails. While this statistic certainly makes for a nice headline, it is broad-based and flawed in a number of ways.

These Are Not The (CryptoLocker) Resumes You’re Looking For

For a long time, attackers have used .zip files to carry their bad stuff to organizations. Typically attackers include the malware as an .exe or screensaver file in the .zip, but we’ve noticed attackers trying to tell a different story in a recent wave of attacks. Here’s a screenshot of one of the emails:

Figure 1 — Phishing email

Once the attachment is opened, the user is prompted to download a .zip file. We can see this in the iframe of the HTML file inside, as well as in the .zip file that is downloaded.