PhishMe Appoints Mel Wesley as Chief Financial Officer

Industry Veteran to Position PhishMe for Continued Global Expansion and Explosive Growth

Leesburg, VA – March 30, 2017 – PhishMe® (cofense.com), the leading provider of human-phishing defense solutions, appointed technology industry veteran Mel Wesley to head up its finance department as the company’s new Chief Financial Officer (CFO). As PhishMe’s CFO, Wesley will shepherd the company as it continues to grow aggressively, capitalizing on the burgeoning demand for its solutions that thwart cyber attackers in their tracks.

Tales from the Trenches:  Loki Bot Malware

LokiOn March 15, 2017, our Phishing Defense Center observed several emails with the subject line “Request for quotation” pretending to award Shell Oil Company contracts – a very targeted subject tailored to the receiver. As with most phishing emails, there is a compelling call to action for the receiver, in this case a contract award from a well-known organization. And, an added bonus unknown to the receiver, the emails also contained a malicious attachment designed to siphon data from its targets.

Included is an example of one of these emails along with basic Triage header information.

Each email analyzed contained instructions to open an attached .ace archive file that when decompressed revealed a Windows executable containing Loki Bot Malware.

Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.

The following Loki Bot executable was identified during our analysis.

Filename MD5 Size
shellOil.ace 5d70858b154c8b0eb205e84ca7f27a04 118,473
Shell Oil.exe 6a95ae2c90a4a3c5a2c1ce3eaf399966 245,760

Upon infecting a machine, this malware performs a callback to the following command and control host reporting the new infection and submitting any private data stolen during the infection process.

Command and Control URL IP Address Location
hxxp://elmansy.net/pdf/fre.php 118.193.173.208 China

The command and control domain ‘elmansy.net’ was created almost exactly a year ago on 2016-03-18 with the email address sherif-elfmannsy@hotmail.com. The IP address reveals that the domain is being hosted out of Jiangsu, China.

Take Away

As always, PhishMe cautions our customers to be wary of emails requesting information or promising reward.  Specific to this sample, we recommend that customers be observant for emails containing the subject line “Request for quotation” or emails promising business with new or unknown businesses. PhishMe Simulator customers who feel this type of offer might be successful with its employees should consider launching simulations that follow this style of attack to further train their users.

Additionally, incident responders should consider blocking the domain and IP address mentioned above, as well as searching endpoint systems for the MD5’s if internal systems support it.

The Phishing Defense Center is the hub for our remotely managed PhishMe Triage services.  The fully staffed center manages all internal reported emails for a number of organizations.  All information shared has been cleansed of any identifiable data.

What is Actionable Intelligence?

Do you know what is actionable intelligence? Do you know the difference between threat intelligence and actionable intelligence? If not, read on.

The term actionable intelligence has joined the ranks of threat intelligence, big data and more words that are used in well-meaning ways, but are ultimately meaningless.

Don’t get us wrong, like many other vendors, we use these phrases to describe what we do. However, because there are so many companies out there using these terms with their own meanings attached to them, we feel the need to write this blog post and hopefully do right by the technology and service offerings that are transforming the way that we approach today’s cyber threats.

In fact, there was a recent LinkedIn discussion on this very topic. A LinkedIn user posted this question:

What exactly is “actionable intelligence”? I see a lot of start-ups being created by MBA persons who have no background or credentials in IT security. The product they offer for big fees is known as “actionable intelligence”. They are trying to duplicate for businesses what the NSA, CIA, FBI, and DHS are doing for, and within, the federal government. My question is: how can these companies have the manpower and the resources to provide services like the NSA, CIA, FBI, DHS. We all have heard of the failures in intel coming from the best intel services in the world, i.e. NSA, CIA, etc. Those big boys have failures. What should we expect from these start-ups and your companies that are jumping on the bandwagon.? And these companies do not know of the ordinary IT security practices like defense in depth, hardening systems. They are providing intelligence about the “bad guys”. How do they go about getting this intelligence? It is so secretive how does a CISO know if it is worth anything?

As the following definition from businessdictionary.com provides, actionable intelligence is not relegated to security; maybe that’s why ‘MBA person with no security credentials’ feel they can use it or may actually know something about it from usage in a different field:

“Any intelligence can be used to boost a company’s strategic position against industry peers. The acquired intelligence must be transferred into real actions which can be used to either launch a preemptive strike or prepare a counter strategy. Examples include the competitors’ price range, marketing budget, target demographic, advertising campaign and strengths over a company’s own product. Overly aggressive attempts to gather intelligence from competitors may be illegal and constitute corporate espionage.”

Now onto some of the other questions posited: Let’s get into the context of security. Here is one definition that’s pretty good:

“Actionable Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.”

Not perfect, but not bad.

As for the vendors’ size, not everyone in the market of ‘threat intelligence’ is small – by the way, the industry analyst group The 451 estimates there will be $1.2B in spending this year and IDC thinks spending will be $1.8B. Symantec, Cisco, Intel/McAfee, IBM and many other large traditional security vendors have acquired threat intelligence offerings.

As for the startups and whether or not they can compete, the question isn’t one about manpower as you refer to with major security agencies; instead it’s about their technology and its ability to provide value. If they can provide that value with one person their ‘actionable intelligence’ will be purchased. And yes, just like traditional defense in depth systems, threat intelligence is not a panacea for the woes of security. However, the reality of failures of current defense in depth, hardening and other current security techniques has to be acknowledged. Many organizations realize that ‘defending’ and ‘responding’ is no longer as effective as it used to be, and that being intelligence led is required. Why? The hackers, the bad guys, are winning more and more.

As for traditional security (defense in depth, hardening, Etc.), I don’t think anyone would ever suggest that you not use these and other network defenses. And these threat intelligence vendors don’t either. The traditional security systems and methods play a vital role in securing your network, even if they have their individual shortcomings. Their efficacy can be raised, however, when given the right kind of intelligence that has an immediate impact on network security. Threat intelligence can make these devices smarter and the security professionals who are too few and overworked, ‘smarter’ about how to stop and prevent attacks.

As for how they get their intelligence, its different by vendor and it’s a great question to ask them if you evaluate their offerings.  And try before you buy—just like anything else—and that way you will know if it has value—and so will your CISO!

Ransomware Leads in Growth and Impact While Hackers Remain Committed to Data Theft

PhishMe’s 2016 Malware Year in Review analysis shows fast growth of Ransomware while hackers continue to quietly attempt to steal data

LEESBURG, VA – March 14, 2017: PhishMe Inc., the leading provider of human phishing defense solutions, today released findings showing that while Ransomware delivered the greatest impact and growth in 2016, threat actors continue to attempt data breaches and theft.

Tax-time Phishing: A Global Problem

I don’t think anyone likes to do taxes… unless you’re an accountant. Maybe.

Collecting all the documents, knowing which ones are needed, completing them in time, and handing over payments is a headache for individuals and companies alike. Phishing threat actors know this and will try to take advantage.

The United States Internal Revenue Service provides lots of resources about recent and relevant phishing attacks and scams targeting American taxpayers. Their international counterparts in the United Kingdom and Australia also provide extensive resources on recent attacks impacting their taxpayers. One important aspect of the material provided by these organizations is the delineation between what communication can be expected from each taxation authority and what forms of communication should be considered suspicious. For example, the Internal Revenue Service states that, “The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.”

The most common social engineering tactics utilized by threat actors appeal to fear, uncertainty, and doubt—three things that, for some, go together with the tax filing season. Often, threat actors will use phishing narratives that threaten the recipient with legal action because they supposedly failed to properly file their taxes. Other techniques use reminders or “helpful hints” appealing to recipients’ uncertainty and desire to take the best route for doing their taxes. These messages are often used to deliver malware tools designed to steal personal and corporate information. However, other threat actors take a still-more direct route inspired by the CEO fraud and BEC attacks that have become very popular and very, very profitable. In these scenarios, the threat actors impersonate a VIP within a company or organization and simply request that someone in the company’s human resources department simply send a copy of all the income reporting forms for every employee in the company.

Both techniques embody an interesting intersection that belies how threat actors operate. Threat actors often seek to infect the largest number of users possible with their malware tools. This allows them to maximize their opportunities for monetizing their malware deployments whether the malware in use is designed to provide access to private information or to simply encrypt it and demand a ransom payment. One example identified by PhishMe Intelligence in December 2016 targets individuals by offering up unsolicited tax advice regarding retirement savings. Attacks like these, if directed to victims outside of a firm or organization, can be used to impact those victims as individuals only.

Figure 1 – Unsolicited tax advice has been observed as an avenue for delivering malware

Threat actors have recognized this and some have adjusted their strategy. As a result, they have introduced attacks that take advantage of the intersection of two contemporary techniques.

First, they employ elements of soft targeting, a strategy in which phishers cast a wide net using a narrative intended to appeal to a class of individual. A prolific example of soft targeting is the ever-present “resume” phishing theme intended to disproportionately impact human resources personnel. Similarly, many tax-themed phishing campaigns are designed to disproportionately impact financial and accounting professionals within companies so the threat actor can gain access to the greatest amount of sensitive information at once. Whether the attack is designed to deliver a tool to steal financial information or hold it for ransom, threat actors appeal to accounting professionals’ careful handling of tax matters.

Second, phishers blend their techniques with the CEO fraud or BEC strategies by imposing a fake demand that an accounting professional turn over a company’s W-2 information for “review” by an imposter company VIP. These fraudulent requests are directed to someone within the organization responsible for fulfilling the requirement that tax information be completed promptly and accurately. The threat actor is therefore linking together the pressure of responding to senior management with the pressure of completing taxation paperwork promptly. The result if a compelling narrative that the threat actor hopes will result in the turnover of sensitive information about a company’s employees—simply by asking for it.

An example of the former was used to deliver the Spora Ransomware in January 2017 using a lure informing the victim that a “loyalty” tax refund may be available to them. With the listed sender “IndustrialandCommercial[.]com”, this was intended to resemble an opportunity for the recipient to learn more about a tax break to which their company may be entitled.

Figure 2 – Other campaigns have attempted to pitch a tax break to recipients

 

These appeals are not unique to the United States. Threat actors have frequently abused the names and impersonated representatives of taxation authorities around the world. Examples collected by PhishMe Intelligence in just past two months include emails delivering malware through impersonation of Australian, Brazilian, Indian, and Italian tax authorities. Each example delivered some form of malware utility used to carry out the theft of sensitive information.

Figure 3 – Australian Tax Office impersonated to deliver malware

Figure 4 – Increased diversity in impersonated tax authorities over the past year

Figure 5 – Examples include full internationalization in language selection

 

While these threat actors all sought to deliver some malware tools to their victims, threat actors requesting sensitive information have been active this year as well. The rash of BEC and CEO fraud scams that netted criminals around the world more than 3 billion dollars and lost US victims just shy of a billion dollars as of June 2016 per FBI reporting. Emulating this technique, other threat actors target the private, personal information of companies’ employees by sending emails to custodians of W-2 information while impersonating a member of a company’s top-level management. These emails simply ask individuals to turn over to the criminal all the W-2 information for the company.

Like taxes, it’s clear these types of attacks are not going away anytime soon. However, through consistent training organizations can battle these types of threats and potentially lower their impact. It’s important to remember that the IRS will never ask you for any sensitive information in an email, and when in doubt, go directly to the IRS website instead of following links in emails.

Now, there are 3 things about which you can be sure: Death, Taxes and Phishing!

PhishMe Wins Four 2017 Info Security Products Guide Global Excellence Awards®

PhishMe Wins for Best Security Service, Best Deployment in the U.S. and Top CEO and CTO Categories

LEESBURG, VA – March 3rd, 2017PhishMe, the leading provider of human-phishing defense solutions, was recently honored with four 2017 Info Security Products Guide Global Excellence Awards®, winning in every category in which it was a finalist. These prestigious global awards, put on by the industry’s leading information security research and advisory guide, recognize security and IT vendors with advanced, ground-breaking products and solutions that help set the bar higher for others in all areas of security and technologies. More than 40 judges from a broad spectrum of industry voices from around the world weighed the nominations, and their average scores determined the 2017 Global Excellence Awards finalists and winners.