Cofense Intelligence™ recently identified a TrickBot campaign that was noteworthy not for its exceptional guile or novel technique, but rather for its lack thereof. Absent any images or convincing textual narrative, the campaign lacks all the hallmarks of this TrickBot distribution group’s modus operandi.
Part 2 of 3
Last week, we looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. This week let’s do a deep-dive into the “value” aspect of VAR. We’ll ask: do you know where your crown-jewel data is stored and how much it might be worth? Even if the answer is “Not exactly,” an educated guess can help set anti-phishing priorities.
Unfortunately, in the world we live in, scammers try to take advantage of any highly visible promotion or sale. Remember last year’s Amazon Prime Day phishing scam? Consumers around the world received an email promising a $50 bonus for writing a product review, or an email stating there was a problem with their payment method or shipping information. When they clicked on an embedded link, they went to a bogus login page designed to harvest their credentials.
Recently, an older email security detection bypass method was seen being used to successfully evade Microsoft’s spam and phishing filters. The technique combines two methods and was dubbed “ZeroFont Phishing” by Avanan. In ZeroFont Phishing, attackers insert random strings within the keywords or phrases that many artificially intelligent systems use to identify malicious or suspicious content. When these strings are placed inside HTML span tags with the font-size attribute set to zero, they are invisible to the end user, but at the same time they appear to neuter the ability of existing Natural Language Processing (NLP), Machine Learning (ML), and Artificial Intelligence (AI) systems to understand the plaintext of the email. In most implementations, NLP attempts to understand the meaning of email text to determine the context and patterns that assist in overall classification. These methods are not new, so we decided to take a deeper look at these older techniques and explore the potential variants that could have similar results.
Fortune 50 Security industry veteran positioned to drive key programs that boost customers’ cybersecurity resiliency and improve incident response efforts
Leesburg, VA — July 11, 2018 – Cofense™, the leading provider of human-driven phishing defense solutions worldwide, today announced the appointment of Tonia Dudley to serve as the company’s first Security Solutions Advisor. In this role, Tonia will focus on phishing defense advocacy while demonstrating how Cofense phishing defense solutions help organizations across the globe minimize the impact of phishing attacks while reducing the cost of operations. Tonia will evangelize Cofense’s approach to phishing defense and incident response to new and existing customers, prospects and the overall information technology market through a variety of speaking engagements, publishing platforms and media opportunities. Tonia also plans to advise Cofense product teams on specific customer and market-driven needs to help streamline product roadmaps and to create Cofense’s inaugural international customer advisory board.
Part 1 of 3:
Over the past year at Cofense, we’ve introduced and discussed the importance of elevating the visibility of anti-phishing programs to the Board of Directors level. The key measures we presented included a measure of capability we refer to as ‘resilience’ and an enumeration of the specific attacks your organization may be facing.
As a result, the questions we are now answering for board members globally are:
- “What phishing threats do you need to be the most concerned with?”
- “How likely are you to stop those specific attacks in progress?”
In the same time frame, the World Economic Forum’s Partnering for Cyber Resilience initiative proposed a model for quantifying the financial impact of cyber-threats. It’s called value at risk (VAR) and can be quite useful when applied to phishing.
While the two measures mentioned above begin to answer the questions already posed, they also enable us to better understand and measure the value at risk associated with different types and models of attacks.
In other words, we can answer even more questions for your CEO and Board:
- “If this phishing attack breaches our network, how much will it cost us?”
- “Which phishing attacks should we worry about the most?”
- “Are we improving our capability to resist those attacks?”
Here’s How It Works
Most breaches begin as phishing attacks. People quibble over the exact stat, but no one doubts that phishing is the #1 attack vector. It’s easy enough to fool employees into clicking on an email loaded with malware or a social engineering scam. One example: a crook in Lithuania fleeced Facebook and Google out of $100 million via emails spoofing a legitimate vendor asking for wire transfers.
To understand the risks of similar scenarios, a phishing-specific VAR model pulls together multiple data points to better visualize the impacts of:
- Known Active Threats
  - Highlights the type and frequency of phishing attacks your company currently faces.
Note: The above graphic represents results of active threat phishing simulations run from March through May of 2018. Note the decline in resilience for those simulation models as the chart moves left to right. This indicates lower resilience for the threats listed on the right-hand side of the chart. Were these your company’s results, your program would best reduce current risk by focusing on repetition of those lower-resilience simulations.
- Company Resilience to Known Active Threats
  - The ratio of reporting to susceptibility.
- Associated Dollars at Risk
  - Identify and document the value of any impacts or losses from a phishing-related breach and the estimated cost of recovering from that breach.
These three factors can be tied together to provide a visual representation of phishing value at risk. In the chart below, the X-axis represents the frequency of known attacks (increasing left to right). The Y-axis represents the capability to recognize and report those specific threats (measured as the ratio of users who reported to users who were susceptible in simulations). The size of the plot point indicates the value of the data potentially exposed as part of your active threat simulations.
Plotting frequency (likelihood) of attack, your capability to recognize and report, and value of exposed data, as outlined above, shows your active-threat risk profile. The visual helps identify the specific types of attack your anti-phishing programs should focus on. To address higher-risk threats, simulate them more often.
Note: all threats identified on your chart represent a risk of exposure. Those plotted in the upper right are the ones your company faces most frequently and is least likely to recognize and report.
To recap, knowing your phishing VAR means knowing the types and frequency of phishing attacks your organization faces, your ability to resist each type of attack, and the dollars each type might expose. An understanding of value at risk keeps your anti-phishing relevant, both in awareness training and incident response.
It also helps your leadership team make more confident decisions about risk tolerance, cyber-security investments, and risk mitigation strategies. You’ll be using your anti-phishing program data to figure out optimum ways to protect… data and dollars.
Next week in part 2, we’ll look at ways to assess the value of everything you protect. For another perspective on how to maintain your anti-phishing program, view our “Left of Breach” e-book.
Cofense Intelligence™ has uncovered a recent AZORult stealer phishing campaign that delivers the malware via malicious attachments. Older versions of AZORult stealer have been delivered via intermediary loaders, typically Seamless or Rammnit malware. In this latest campaign, the attached documents use multiple techniques to download and execute an AZORult sample, indicating a shift by the threat actors behind the campaign to adopt more evasive delivery techniques.
By Brendan Griffin and Max Gannon
A classic phishing technique involves timing attacks to match major holidays and other global and regional events. One example of this scenario is a phishing attack captured by Cofense Intelligence™ on July 3, 2018, delivering the Geodo botnet malware. In this attack the threat actor appeals to the patriotic nature of the Fourth of July holiday and the recipients’ sense of patriotism. In these messages, the attacker reminds the recipient of the sacrifices of American service members as part of a narrative designed to entice victims to click on the link in the message to access an Independence Day-themed greeting card. In doing so, the victim receives a Microsoft Word document equipped with macro scripting designed to download and run the Geodo malware.
Cofense Intelligence™ recently observed a sample of Zeus Panda which, upon further research, revealed the malware has been increasingly employing a very creative tactic. This crafty malware variant distracts its victims while quietly draining the victims’ bank accounts, even those accounts that employ additional security mechanisms such as Multi-Factor Authentication. After transferring funds, the malware then masks any evidence that the illicit transactions ever occurred. This tactic ensures that victims with the deepest pockets will remain in the dark as their bank accounts are silently liquidated.
Recently, the Cofense™ Phishing Defense Center has observed a phishing campaign targeting Greek-speaking users and customers of Alpha Bank, the fourth-largest Greek bank. We observed threat actors using multiple tactics to gain login credentials, including user names, passwords, and secret questions. This information would allow threat actors to access unsuspecting victims’ accounts, draining funds and perhaps reusing those credentials on other websites.