Unscrupulous Locky Threat Actors Impersonate US Office of Personnel Management to Deliver Ransomware

Update 2016-11-11:

It is important to PhishMe to avoid hyperbolic conclusions whenever possible. In the interest of clarifying some conclusions that have been drawn from this blog post, it is important to keep in mind the nature of Locky distribution and how this malware is delivered to victims. We consider it a serious responsibility to report on very real threats in a way that lends itself to our credibility as well that the credibility of all information security professionals.

PhishMe has no reason to believe that this set of emails was delivered only to victims of the OPM incident nor to government employees as part of a spear phishing attack.

The email addresses associated with the OPM breach have not been actively circulated.  As such, it is incredibly unlikely that the threat actors have any detailed knowledge of who will be receiving these emails. Furthermore, PhishMe has not received any confirmation that anyone impacted by the OPM incident has received a copy of these emails. Many people who were not affected by the OPM incident and are not affiliated with the U.S. government also received copies of these messages and are also put at a very real risk by this ransomware.


A continuing truth about the Locky encryption ransomware is that its users will take advantage of any avenue that they believe will secure them a higher infection rate but still utilize predictable themes. This time, the threat actors have chosen to impersonate the US Office of Personnel Management in one of their latest attempts to infect people with this ransomware. As we have noted in previous reporting, Locky has set the tone for 2016 with its outstanding success as an encryption ransomware utility. As we approach the end of the year, this ransomware continues to be a fixture on the phishing threat landscape.

One key example of this malware’s phishing narratives is a set of emails analyzed by PhishMe Intelligence this morning that cite the purported detection of “suspicious movements” in the victim’s bank account that were detected by the US Office of Personnel Management.


Screenshot of phishing message impersonating OPM

The ZIP archives attached to these messages contains a hostile JavaScript application used to download and run a sample of the Locky encryption ransomware.

This phishing narrative comes with a few notable implications. First, emails that are designed to appear as if they were sent by the OPM and the threat actors hope that these are more likely to appeal to government workers and employees of government contractors. Secondly, the threat actors may also how that these messages are also more likely to appeal to individuals who have been subject to a loss of personal information as a result of the high-profile OPM breach.

If either of these implications bear any truth, the Locky threat actors once again demonstrate their unscrupulous nature and willingness to exploit the misfortune of others at any step in their delivery and infection process. However, absent the reference to the Office of Personnel management, this set of emails would be just another set of phishing emails delivering Locky featuring strange word choice such as “suspicious movements” and “out account”.

These emails reinforce the fact that overcoming the phishing threat and the ransomware it delivers is not some insurmountable task. Instead, user education and the bolstering of incident response practices can give organizations the edge over threat actors.

Indicators of compromise related to this set of Locky emails are verbose—323 unique JavaScript application attachments were identified with the capability to download obfuscated Locky payloads from 78 distinct payload locations. These locations are listed below.















































































However, only four hardcoded command and control hosts were found to be supporting this Locky instance. They are listed below.





Furthermore, a single payment site where the ransomware victim can pay the Bitcoin ransom in exchange for a purported decryption application was identified.



The full PhishMe Intelligence report on this Locky analysis is available to PhishMe Intelligence clients here.

Never miss another phishing threat! Sign up for our complimentary Threat Alerts subscription service today.

Learn more about Locky and other ransomware threats at PhishMe’s Global Ransomware Resource Center.

Rohyt Belani Named a Technology Finalist in DC Inno’s 50 on Fire Awards

We are thrilled to announce that our Co-Founder and CEO Rohyt Belani has been named a finalist in the technology category for DC Inno’s 50 on Fire Awards. These are awards recognize the top 50 movers and shakers in Washington, D.C. across a variety of business verticals and practice, honored for their innovation, energy and contributions to their respective fields while making a big impact on the Washington, D.C. area.

Finalists have been carefully selected by DC Inno staff based on their 2016 editorial coverage of news and announcements, followed by an expert judging panel who will whittle down the top 50 honorees honored this year.

DC Inno recognizes professionals across a wide range of industry verticals, including: Community, Design, Education, Government & Advocacy, Healthcare & Medicine, Investment, Lifestyle, Marketing & Advertising, and Technology.

Read more about the 50 on Fire Awards on the DC Inno Blog.

Did you know that PhishMe was recently named one of the 50 Fastest Growing Private Companies of 2016 by the Washington Business Journal? Check out our recent press release to learn more.

PhishMe Adds International Training Modules to Complimentary Computer Based Training Program

Leesburg, VA – October 31, 2016 – PhishMe, a global provider of phishing defense and intelligence solutions for the enterprise, today announced the availability of new international modules for its complimentary CBT program, CBFree. The release, which follows PhishMe’s recognition as a leader by Gartner in the research firm’s 2016 Security Awareness Computer-Based Training Magic Quadrant, provides six fully translated and localized editions of CBFree. Available to any organization regardless of whether they are a PhishMe customer, CBFree provides employees with security awareness training on today’s greatest cybersecurity threats including spear-phishing, ransomware, and business email compromise (BEC).

Released during National Cyber Security Month in the U.S., the new modules have been delivered as a response to the huge number of localization requests PhishMe receives every month from organizations wanting to meet compliance obligations. Recognizing that cybercrime is a global problem and that many organizations have an internal requirement to provide a broader program for security awareness training to their employees, the localized modules for CBFree enable access to world class non-English CBT lessons.

“CBFree has proved extremely popular among companies looking to provide awareness CBTs to expand their security awareness programs and satisfy compliance requirements,” explained Jeff Orloff, Director of Content at PhishMe. “With our new international modules, we’ve made this valuable educational content available to a much wider audience. That said, PhishMe acknowledges that awareness is not the problem. CBTs alone won’t address the full extent of the cybersecurity problem. By offering CBTs at no cost, PhishMe is enabling organizations to focus their resources on instituting impactful programs to effect real changes in behavior.”

Now available in English, French, German, Japanese, Chinese, Spanish and Portuguese, PhishMe’s current library of complimentary CBTs includes 15 security awareness modules and three compliance training modules. The second phase of the International launch will accommodate for languages in the Middle East, Russia and Italy.

“Cyber Security Month has been illuminating this year for the security industry,” concluded Rohyt Belani, CEO, PhishMe. “The level of discussion around threats faced by the business community is higher and more complex than ever before. This, coupled with the growing popularity of our CBFree program and demand for international modules, emphasizes the growing need for company-wide engagement around cybersecurity. However, if we want to make a dent in the enormous scale of this problem and protect global enterprise now and in the future, we must continually expose employees to safe, managed experiences that condition them to adjust core behaviors. Only then will our line of defense be strong enough to make a difference.”

To learn more and to download these modules, please visit PhishMe CBFree.

To receive a complimentary copy of the Gartner 2016 Security Awareness Computer-Based Training Magic Quadrant, click here.

About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision-making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.

PhishMe, Inc. Recognized by Washington Business Journal as One of Washington D.C.’s Fastest Growing Companies

LEESBURG, VA – October 28, 2016 PhishMe, Inc. a global provider of phishing defense and intelligence solutions for the enterprise, announced today that the Washington Business Journal has ranked the company as #21 of Washington’s 50 fastest growing private companies of 2016. PhishMe’s team was honored at a public award ceremony on Thursday, October 27, where their ranking on the list was announced. Additionally, the list has been published on the Washington Business Journal’s site.

This highly competitive list is comprised of companies that have recorded consecutive year-over-year growth of more than $2 million in revenue in 2013 and more than $10 million in revenue in 2015. The firms are privately held during the reporting period and must be headquartered in the Washington D.C. area. They cannot be subsidiaries of other companies. The Washington Business Journal then calculates the revenue growth percentages by which the companies are ranked. Only the top 50 make the list.

“Making the Washington Business Journal’s list of the fastest growing companies is a great honor and an indication of all the hard work our team has been doing,” said Rohyt Belani, Co-Founder and CEO of PhishMe. “As cybersecurity continues to be at the forefront of businesses in this digital age, our strong business fundamentals and ability to adapt to the market has afforded us the platform for strong growth.”

PhishMe has recently achieved record cumulative growth of more than 560 percent over the last three years. In addition, the company has helped more than half of the Fortune 100 organizations defend themselves against thousands of phishing attacks perpetrated by cybercriminals across the globe, helping PhishMe attain a 93 percent gross retention and negative net churn. This has resulted in PhishMe also being recognized as a leader in the 2016 Gartner Magic Quadrant for Security Awareness Computer-Based Training.

The company’s growth has landed PhishMe on multiple lists of the nation’s fastest growing companies, including Deloitte’s Technology Fast 500 and the Inc. 500/5000 Awards.

Connect with PhishMe Online

About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.

PhishMe Recognized by Gartner as a Leader in Magic Quadrant for Security Awareness CBT 2016

 PhishMe positioned as a leader for ability to execute and its completeness of vision

Leesburg, VA – October 28 2016 – PhishMe, a global provider of phishing defense and intelligence solutions for the enterprise, announced today it was positioned as a leader by Gartner, Inc. in the global research firm’s 2016 Security Awareness Computer-Based Training Magic Quadrant for its ability to execute and its completeness of vision.

To receive a complimentary copy of the report, go to the PhishMe website.

“We are especially pleased to be included as a leader in the Gartner Security Awareness CBT Magic Quadrant this year,” stated Rohyt Belani, CEO and Co-Founder, PhishMe. “We take a more interactive approach to security awareness than the traditional vendors. PhishMe creates awareness and training materials as part of its Human Phishing Defense platform, which is designed to modify behavior through experiential learning and engagement. It’s an approach which has been proven to reduce the threat of employees falling victim to sophisticated cyberattacks by up to 95 percent.”

PhishMe provides a complete anti-phishing product portfolio that engages both everyday user and the IT Security response teams.  “PhishMe aggressively invests in new product capabilities and services, which is a critical requirement for any cybersecurity company,” commented Aaron Higbee, CTO and Co-Founder, PhishMe.  “Hackers are always coming up with new ways to circumnavigate our defenses and the onus is on security vendors to develop new ways to respond. We believe that Gartner has recognized PhishMe’s technical innovations and growth in this area.”

To protect against advanced phishing attacks coming from motivated attackers, many modern enterprises rely on PhishMe – including more than 50 percent of the Fortune 100 – as the foundation of their security programs. This is one more indication of PhishMe’s leadership in the security industry, along with many other awards and honors that the company has received, including the most recent accolades from: the 2016 SC Award, 2016 Inc 500/5,000 award, 2016 EY Entrepreneur of the Year finalist, 2016 Information Security Products Guide Global Excellence Award, 2016 CDM Infosec Awards and 2016 Washington Business Journal Best Place to Work Award.

To learn more about PhishMe’s solutions, please visit cofense.staging.wpengine.com.  The PhishMe human defense solution suite includes PhishMe Simulator, PhishMe Reporter, PhishMe Triage, PhishMe Intelligence and PhishMe CBFree.


Connect with PhishMe Online



Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including all warranties of merchantability or fitness for a particular purpose.

About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.

Viotto Keylogger: Freemium Keylogger for the Skids

The PhishMe Research team recently received a campaign escalated by one or our analysts. We’ll explore the campaign delivery, malicious attachments, and analysis of the malicious attachments, and we’ll provide a simple method for extracting the credentials being used for this keylogger family’s data exfiltration.


The PhishMe Triage platform allows SOC analysts to identify, analyze, and respond to email threats that have targeted their organization. For this particular campaign, the suspicious email had an ARJ archive attachment, which contained a Windows PE32 executable.

lureAlthough Windows OS does not natively open archive files with the ARJ extension, a number of third-party applications, such as 7zip, will be able to extract these rarely-used archives. The content of the archive is a single PE32 executable name “DOCUMENT-71956256377.pdf.exe” which is a packed Viotto Keylogger sample, intentionally named with a double extension to entice victims to click and execute the malware.


Malicious attachment contains executable.

Since this malware was written in VB6, we can decompile the unpacked, malicious binaries to verify our classification. By viewing the VB6 forms, we can see that the hidden Form1 contains the name of Viotto Keylogger:


Decompiled VB6 forms.

Now that we have seen an example of how this malware propagates in the wild, let’s examine the family itself. When an analyst has access to a malware’s builder (an application that enables the easy customization of malware samples), we can save precious reverse engineering time by analyzing its capabilities and features to better understand how this malware behaves.


Most of the indicators that comprise a Viotto Keylogger infection can be set at build time when the actor creates the stub (the malware sample that infects a victim’s computer). In the public version 3.0.2 of the builder, the malicious actor can specify where the keylogger’s logs will be stored, the installation method for persistence, and the delivery method of the logs via SMTP and/or FTP. In the paid, private version of the builder, the actor is able to control even more settings, such as encrypting the Keylogger logs with RC4 with a hardcoded key and enabling a Screen Capture feature that periodically sends screenshots of the victim’s desktop back to the actor. Another feature included in both versions that is not highlighted in the builder’s options is the ability to capture all text copied to the victim’s clipboard.


VKL Builder’s main screen.

The storage location option for the keylogger log files can be set by the malicious actor at build time. They also have the ability to specify a custom log filename and to set hidden file attributes. The log files can be saved in the following locations on the infected machine’s disk:

  • Root (C:\)
  • Windows (C:\Windows)
  • System32 (C:\Windows\System32)
  • Program Files (C:\Program Files)
  • Application Path (copied where originally executed)
  • Temp (C:\Users\{username}\AppData\Local\Temp)
  • AppData (C:\Users\{username}\AppData\Roaming)

Options where keylogger logs will be stored.


As described above, depending on the settings enabled during built time of the stub, the actor has the ability to enable infection persistence through reboots of the infected machine. The actor can also select the option to save a copy of the executable which has the same file system options as the log file storage locations. The copy of this executable can then be executed during Windows’ start up events for persistence through computer restarts. Although multiple instances of the stub can be launched by selecting any combination of startup entries, the stub ensures it’s the only process currently running by checking the mutex (a program object lock used to avoid multiple instances of the same malware from running). The default mutex is “ViottoLogger”; however, this setting can also be changed in the builder. The following startup registry keys are viable options:

  • Current User\Run (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
  • Local Machine\Run (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
  • Winlogon\Shell (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell)
  • Winlogon\Userinit (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit)
  • Explorer\Run (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run)

Windows startup persistence options.

Keylogger Data Exfil

Viotto Keylogger is capable of sending the recorded keystrokes, clipboard contents, and screenshots to the perpetrator in an email (via SMTP) or to a file server (via FTP). The email option can be delivered to open relays that do not require authentication or to accounts that require authentication over SMTP using Transport Layer Security (TLS). By utilizing TLS, the account credentials and email contents will be encrypted in transit. Most of the VB6 code in this keylogger was copied from sources freely available on the internet, as indicated in the builder’s About screen:


Extracting Exfil Credentials

Skids wishing to use this malware creator be forewarned: your email and FTP credentials can be easily obtained! Although most of these samples in the wild will be packed, a quick and easy way to extract the malware actor’s credentials being used for victim data exfiltration is by analyzing the application’s process memory. Analysts are not only able to extract this information on the same machine utilizing a program such as Process Hacker, but personally, I prefer keeping my memory analysis tools outside of the infected machine by analyzing full VM RAM dumps with either the Rekall or Volatility memory analysis frameworks. We can also extract the malware sample’s configuration, including any SMTP/ FTP exfil credentials, statically. The malware sample’s configuration is stored plaintext in the Resources section of the stub:


The decompiled FindResource section loads the stub configuration.

The PhishMe Research team also wrote a Python script to extract the Viotto Keylogger configuration from an unpacked sample:



The recent sighting of the freely-available Viotto Keylogger in the wild reminds us that cybercrime has a low barrier to entry and that tools built years ago continue to be used to exploit unsuspecting users. PhishMe Simulator trains and encourages users to recognize and report the type of email messages that are delivering this threat. The next step is to act on those reports, and PhishMe Triage enables your team to sift through all reports and quickly and efficiently act on the ones that pose a threat to your organization. Click here to learn more.


Related SHA256 Hashes




Download the Viotto Keylogger yara rule or the configuration extractor.

The PhishMe Advantage – ROI

Return on Investment

Measuring the return on investment (ROI) from your PhishMe solution is simple and easy. The most obvious and significant impact is the dramatic reduction you will see in the overall risk of a phishing attack both getting past your perimeter protection and your skilled users but there are other ways to measure your investment:

Monetary ROI

Customers can realize monetary ROI from PhishMe by reducing their overall risk to phishing and other security threats. Adversaries have successfully employed phishing tactics to steal intellectual property, personally identifiable information, and other sensitive information that can harm an organization’s competitive advantage and reputation.

The costs of a data breach vary and can range from hundreds of thousands to billions of dollars. The costs of incident response and mitigation will be, at a minimum, a few hundred thousand to millions of dollars. While the loss of intellectual property and sensitive information can have a severe financial and legal impact on an organization.

PhishMe’s solutions lower the likelihood of users being susceptible to various security risks while also increasing your IT Security team’s ability to quickly and accurately identify and mitigate an attack in progress. PhishMe’s experience sending simulated phishing attacks to over 20 million unique users has shown that prior to training, organizations show a reduction in repeat “clicker” susceptibility to phishing of 95%.  Download our Phishing Susceptibility Report for the full details.

Time ROI

There is also the opportunity cost view of measuring the ROI from PhishMe. Specifically, this includes the amount of time and resources your IT organization must commit when responding to user reports of falling for phishing attacks, resetting passwords, slow computer performance caused by malware, and unwinding the damage caused by such incidents. The internal cost to identify, respond, triage and recover compromised systems can place an unbearable strain on the IT service organization. Most firms find that cutting the need for this effort by 50% to 80% results in significant savings of time, labor and energy, all of which can be focused on core business operations that can help your business grow.

PhishMe’s innovative training solutions will save your entire organization time and resources while increasing employee productivity. On average, PhishMe simulated training exercises conducted periodically takes 1/30th as much time as traditional computer-based training (CBT).


PhishMe Announces Phishing Program Excellence Award Winners

Palo Alto Networks, AVANGRID, and others honored at Submerge 2016 for their innovative work in phishing prevention.

Leesburg, VA – October 14,  2016 – PhishMe, a global provider of phishing defense and intelligence solutions for the enterprise, has announced the winners of the PhishMe Excellence Awards at Submerge 2016, its inaugural phishing and defense summit and user conference. PhishMe chose the winners for their innovative, successful programs designed to combat phishing attacks and protect their enterprise from the risks of malware infiltration and fraud loss.

An anonymous panel of judges comprised of PhishMe product experts, industry leaders and security professionals reviewed the applications and designated the following companies winners across a number of different categories.

  • AVANGRID, Inc. a diversified energy and utility company, received the Phishing Defense Program of the Year, for consistently demonstrating the most effective all-around, top-performing phishing defense program with superior performance in detection, alerting, reporting, training, participation and results.
  • Palo Alto Networks, the next-generation security company, received the Most Innovative Phishing Defense Program Award, which recognized the company’s ability to think outside the box to leverage fresh approaches to achieve optimal training effectiveness and boost company-wide cyber education participation.
  • Additionally, PhishMe recognized industry leaders for achievements in the field of incident response, honoring the team that demonstrated superior overall process of responding to phishing threats in the Incident Response Team of the Year category, and the PhishMe Community Trailblazer of the Year, an award created to recognize the PhishMe user who has gone above and beyond in their phishing defense efforts.

Co-founders Rohyt Belani, PhishMe CEO, and Aaron Higbee, PhishMe CTO, presented the awards to the winners on-stage at the PhishMe Submerge Conference in Orlando, Florida. More than 100 phishing defense professionals attended this inaugural conference, which provided them with opportunities to learn from industry experts while networking with peers and other PhishMe users from all over the world.

After the award ceremony, Belani commented, “I would like to extend my huge congratulations to our winners and to all those who applied for the PhishMe Excellence Awards this year. The quality of the submissions was outstanding and a credit to the entire industry. I’m highly encouraged to see the commitment companies and individuals exhibit in protecting their businesses against increasingly sophisticated phishing attacks. PhishMe is very proud to be part of such a remarkable and growing community and we look forward to seeing everyone next year at Submerge 2017.”

For more information about the PhishMe Submerge Conference and the PhishMe Excellence Awards, please follow this link.


Connect with PhishMe Online


About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.

Media Contacts:


Wes Anderson

Cohn & Wolfe US for PhishMe

Phone: 323.602.1080

Email: phishme@cohnwolfe.com


Francesco Tius

AxiCom UK for PhishMe

Phone: +44 (0)20 8392 4061

Email: phishme@Axicom.com[/vc_column_text][/vc_column][/vc_row]

The (BEC) Song Remains the Same

I had a dream, a crazy dream, that we stopped responding to ridiculous email messages demanding that a wire be sent immediately.  Also in that dream, all the bad guys were caught and had to pay restitution and go to jail.

While that second part may never happen, there has been definite progress toward the dream goal and there are definite steps to take to ensure that you – and others in your company – do not fall victim to a BEC email.

Coordinated by the National Cyber-Forensics & Training Alliance (NCFTA), contact information and incident details are being swapped quickly in the business and financial communities, allowing wires to be successfully recalled from far-flung places, facilitating the identification of fraudster activity, and preventing additional victimizations.  However, the typical scenario involves the disappearance of money into the hands of criminals much faster than the victim realizes that they have made a grave mistake in acting upon a fraudulent email message.

The FBI has now released three major advisories* regarding the Business Email Compromise scam.  The below charts illustrate how the estimated number of victims and the estimated volume of dollar losses have increased dramatically with each Public Service Announcement.


chart-2And, though the Internet Crime Complaint Center (IC3) first noticed an uptick in related complaints in October 2013, the ruse has been a common one in Europe for even longer.  A fellow security researcher in France, where they call this ‘The President’s Scam’, has been closely tracking a certain group since 2011.

The most common sequence of events is that a C-level employee email address is either compromised or spoofed in order to send a convincing message to someone in the company with the authority to send a wire.  It appears that oftentimes the fraudsters have done their homework on who’s who also, gleaning names, titles, and even travel schedules of executives from social media accounts.  We have shared examples before; just over a year ago, PhishMe CTO, Aaron Higbee, described an attempt against PhishMe.


Also around this same time last year, Centrify CEO, Tom Kemp, detailed EIGHT different attempts against his company, which itself provides multi-factor authentication services.

Unfortunately, the number of victims continues to rise.  Think about it…every business is a potential victim; so, until everyone knows how to spot this scam, we will keep hearing more horror stories.

The following are some things to keep in mind when you review an email asking you to move money on behalf of your company:

  1. Is the message really from the person that it appears to be from? Review the headers carefully. What is the reply-to address? Was the message actually sent from a lookalike domain name, such as PHlSHME.com with the letter L in place of the letter I?
  1. Does the tone and writing style of the author match what you know of the purported sender of the message?
  1. Are you being asked to reply directly to the message, instead of crafting a new email message? Are you being pressured to keep the transaction to yourself for some reason? Does the email message have a strong sense of urgency?
  1. Is there a link to click or an attachment to open, supposedly containing the wire instructions? As part of this scam, wiring instructions are typically sent to the victim in a subsequent message, after they have initially hooked you into responding.  Usually they are in the body of the follow-up message, but sometimes they are in a PDF attachment.
  1. Don’t think that the receiving bank will necessarily be overseas. Money mules in the United States are operating domestic bank accounts, helping to launder the money while sometimes thinking they are performing a legitimate work-from-home service.
  1. Be willing to stand your ground when something seems ‘off’ about a request. Demand that you personally speak to the person requesting the urgent wire transfer.  When you save the company millions, the CEO will be glad you bugged her for a moment.

And below are some Action Items that you can take today to help prevent becoming the next victim:

  1. Enable two-factor authentication on your email account. If your email provider does not offer this, change providers.
  1. Establish a DMARC record on your company domain so that messages spoofing your real domain do not get delivered.
  1. Use different passwords for each online service; use a password manager if needed.
  1. Require dual approval and out-of-band authentication for all wires. Understand that wire transfers are one of the most risky transactions and usually cannot be recalled because they are designed to provide immediate access to and an irrevocable settlement of funds.
  1. The PhishMe Simulator/Reporter combination conditions your employees to spot and submit fraudulent email messages. Contact PhishMe to sign up for Simulator and Reporter so that you can start shoring up your first line of defense.

If you realize that you may have fallen for this scam, call your bank immediately.  Also call your local FBI office and ask for assistance (Find contact information here.) Even if you never wired the money, report the attempt by filing a complaint form with IC3 because this helps the NCFTA track and correlate attacks, improving the likelihood of an eventual prosecution.

*Links to the full FBI PSAs:

Behavioral Conditioning, Not Awareness, Is the Answer to Phishing


You don’t stop phishing attacks by raising user awareness. A recent study conducted by a German university confirms what we at PhishMe have known all along: Focusing on awareness isn’t the point. The real solution is behavioral conditioning.

The study, conducted by Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, used 1,700 students to simulate spear phishing attacks. An August 31 Ars Technica article published preliminary results of the study showing at least 50% of students clicked simulated phishes, even though they understood the risks.

With its headline, “So Much for Counter-phishing Training: Half of People Click Anything Sent to Them,” the article appears to suggest training is pointless. But we see it differently. While the article confirms what our own research has revealed – that awareness isn’t the problem – the proper conclusion to draw isn’t that training is futile. PhishMe tends to agree with this sentiment and encourages organizations to focus on conditioning their employees to identify and report security risks.

We focus our training on conditioning human behavior, and the results speak for themselves. Our customers spend 22 seconds reviewing phishing education, and yet their susceptibility to phishing decreases significantly. Why? It’s the experience we put them through that changes behavior. Even when they are aware of the risks, as studies show, they are susceptible to opening email from unknown users and clicking suspicious links. But conditioned through the real-world examples we provide in our simulations, users are much less likely to click.

Enterprise Relevance

The FAU study focused on students, who were sent emails and Facebook messages with links purporting to be for photos from a New Year’s Eve party held a week before the study. “Links sent resolved to a webpage with the message ‘access denied,’ but the site logged the clicks by each student.”

It’s dangerous to use research results conducted on a student population to Enterprise workers. We have several problems with the approach as described. For starters, it wasn’t created by people in the trenches who understand real-world threats, but by academics in a computer science department. We already know the bait used by the study’s authors works on students, as well as consumers, but is far less effective with enterprise users. Yet, readers of the Ars Technica article are concluding the study’s results apply to enterprise environments.

We know that because we’ve started to get messages with their reactions. So we feel an obligation to point out the study didn’t use a realistic scenario, from an enterprise point of view. Real-world enterprise phishes are more likely to be emails pretending to be files from a scanner, a document with a job evaluation, or a message that someone has signed for a package addressed to the user.

There’s also a difference of perspective between students and enterprise users. Students, whose primary experience with computing revolves around mobile devices such as tablets and smartphones, don’t worry about cyber risks. Clicking a link from a smartphone isn’t going to compromise the device because such devices are nearly impervious to attacks. But click the link from a computer, and the story is quite different.

It also appears the FAU study focused only on clicking links, but phishing threats aren’t limited to one vector. Others include data entry, password credentials, clicking attachments, and email conversations that don’t involve links or attachments. Replicating some of these vectors in a real-world simulation is a bigger challenge than the method used by the study.

Focus on Reporting

A PhishMe-commissioned study found 94% of office workers know what phishing is and the risk it presents to organizations. The study also found that 94% of office workers know how to report suspicious emails in their organization. And that’s where the focus of training needs to be – reporting. When users are conditioned to report suspicious email, even if they do so after already clicking on it – maybe they had a lapse – the reporting is still valuable because it helps your security operations teams.

Learning to identify suspicious emails through conditioning is far more effective than general efforts to raise awareness. PhishMe simulator provides customers with templates that include the exact content used by threat actors.  By deriving content from our Phishing Intelligence platform we provide experiences that are relevant to enterprise users.   This method allows customers to condition users to spot potential phishes, avoid interacting with them, and report them to their security teams.

While we appreciate the FAU’s study’s confirmation of what our own research has shown about awareness, we fear it may lead enterprises to make decisions based on the erroneous conclusion that training doesn’t matter. This perspective could lead to the compromise of a network with disastrous results. To avoid such an outcome, we at PhishMe stand ready to work with any academic institution or researcher that could benefit from our experience in the trenches to produce meaningful research about phishing.