Re: The Zombie Phish

By: Lucas Ashbaugh, Nick Guarino, Max Gannon

Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message.

This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish.

Not Your Average Phish
The Cofense™ Phishing Defense Center (PDC) has recently been defending against an extensive Zombie Phishing campaign against multiple clients. Fraudsters hijack a compromised email account, and using that account’s inbox, reply to long dead conversations with a phishing link or malicious attachment. Due to the subject of the email being directly relevant to the victim, a curious click is highly likely to occur.

These Zombie Phish appear to use automatically generated infection URLs to evade detection. No two links are the same. These links are hidden behind unassuming “error” messages in the body of the email, providing an appealing scheme for users to fall victim to. Thus far, the PDC has observed two common Zombie Phishing templates that lead to malicious links. These email campaigns can be seen in Figures 1 and 2.

Figure 1

Figure 2

Another common hallmark of this campaign is the use of the .icu top-level domain (TLD), however this could change in the future. Example domains identified during this campaign, which abuse the .icu TLD, can be seen in Figure 3.

Figure 3 shows .icu domains associated with these campaigns.

Already, many of these domains have been shut down by their domain registrar after receiving reports of domain abuse. Figure 4 shows a domain associated with this campaign and the data that is collected and displayed by the registrar.

Figure 4, Courtesy of http://whois.domaintools.com

Additionally, the PDC has observed these phish using official organizational logos to add legitimacy to fake login pages – an example of such can be seen in figure 5. The pages are designed to impersonate an online portal of the target, including the company’s logo, and even its favicon. The end goal is credential theft of the victim.

Figure 5

Finally, any victim that visits the malicious website is “fingerprinted” using the host’s IP address as an identifier and upon entering credentials is immediately redirected to the same spam website seen by other victims. This is often via links obfuscated using URL shorteners (such as hxxps://href[.]li/). If the same host attempts to visit the phishing link again the spoofed login page is skipped and instead you are forwarded directly to the spam page. This finger-printing and the URL shortener obfuscation helps the attackers keep a low profile and continue their campaign unabated.

Conversation Hijacking
The tactic of “conversation hijacking” itself is by no means new, fraudsters have been hijacking compromised email accounts to dish out malware and phish as replies to prior conversations for years now. This technique is still popular because it makes victims much more likely to click on links and download or open files because their guard is down when these are within conversations already in their inbox. An ongoing and currently in the wild example of this is the Geodo botnet which has a history of inserting itself into existing email threads to deliver malicious documents that in turn download a sample of Geodo or other malware like Ursnif. However, the effectiveness of this tactic can depend greatly on the content of the conversations, a response to an automated advertising email is less likely to result in an infection than a response to a help desk support thread such as the one seen in Figure 6. Cofense IntelligenceTM has seen several Geodo campaigns consisting of responses to automated advertising emails indicating that, in some cases, the campaigns consist of indiscriminate responses to all emails in an inbox. Given that the volume of these “conversation hijacking” campaigns is still comparatively low, the smaller scope of these emails is likely limited by the number of ongoing conversations. Certain types of accounts therefore are more likely to draw threat actors direct attention and to induce them to invest additional effort and time into developing unique phishing campaigns for those accounts.

Preventing Your Personal Zombie Apocalypse
The PDC has compiled these quick tips to avoid losing your credentials (or your brains) to a Zombie Phish:

  • Be alert for email subjects that may appear relevant but are from old conversations.
  • Watch out for the hallmark green “error” button (pictured above in figure 1).
  • Don’t trust attached documents simply because they are replying to a conversation.
  • Mouse over buttons or links in suspicious messages to check them for the “.icu” top-level domain.

Cofense’s Phishing Defense CenterTM has observed that these campaigns have become increasingly clever, to combat this, training employees to be able to spot these types of emails is key. You can put down your nail-bats and pitchforks – a properly trained workforce is what is needed to defend your organization against the Zombie Phish hordes.

Cofense offers comprehensive phishing training to arm your employees with the weapons they need to protect your organization. And if you need reinforcements to help against the hordes, the Cofense Phishing Defense Center is happy to do battle with you.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Indicators of Compromise:

Observed Domains
message-akbq[.]cdnmsgload[.]icu

id-Wdtd[.]cdnmsgload[.]icu

message-XPsO[.]cdnmsgload[.]icu

www-jaus[.]check256ssl[.]icu

www-gcgc[.]emailmobile[.]icu

www-wNZq[.]emailmobile[.]icu

message-ncvm[.]emailmobile[.]icu

message-fbfa[.]extmailread[.]icu

www-gwXs[.]fetchemailgo[.]icu

message-jkgj[.]fetchemailgo[.]icu

www-udzi[.]fetchemailgo[.]icu

www-DQcE[.]inboxloaderror[.]icu

message-rpaK[.]inboxloaderror[.]icu

id-jPXC[.]iosemail[.]icu

id-oexq[.]iosemail[.]icu

www-BEOb[.]iosemail[.]icu

id-hKHR[.]iosemail[.]icu

message-EQdH[.]loadcdnmsg[.]icu

www-IqMJ[.]loadcdnmsg[.]icu

message-kqif[.]loading8[.]icu

message-pzvv[.]loading8[.]icu

www-qtnt[.]loading8[.]icu

id-pjgx[.]loading8[.]icu

www-ZMZs[.]loading8[.]icu

www-YIjn[.]loading8[.]icu

message-spuj[.]mail-load[.]icu

www-stxs[.]msgmailweb[.]icu

message-cmmh[.]portalmail[.]icu

message-pcsf[.]secure2[.]icu

id-amjs[.]securemail1[.]icu

www-tesj[.]userclientmsg[.]icu

 

Observed IPs

198[.]46[.]131[.]54

192[.]3[.]202[.]53

“Brazilian Election” Themed Phish Target Users with South American-Targeted Malware, Astaroth Trojan

Threat actors attempted to leverage the current Brazilian presidential election to distribute the Astaroth WMIC Trojan to Brazilian victims. The emails had a subject line related to an alleged scandal involving Brazilian then-presidential candidate Jair Bolsonaro. Some campaigns impersonated a well-known Brazilian research and statistics company. Multiple delivery methods and geolocation techniques were used to target Brazilian users, who were encouraged to interact with the attached and downloaded archives containing .lnk files. These files downloaded the first stage of the Astaroth WMIC Trojan, previously spotted this year by the Cofense Phishing Defense Center and known to target South American users.

Threat Actors Seek Your Credentials Before You Even Reach the URL

Cofense Intelligence™ has observed a phishing technique that takes a unique approach to illicitly obtain a target’s sensitive information. In a recent campaign, threat actors harvested victims’ credentials through a PDF window prompt rather than via a webpage—the more traditional credential phishing technique.

Cofense Intelligence obtained a phishing email that allegedly informs the recipient of an Amazon.de bill of sale. The German language email lure claims to deliver a tax invoice and requests the recipient to view the attached PDF. The PDF, also presented in German, specifies that the document cannot be opened in a browser and must be opened in Adobe Reader or Adobe Acrobat. When the PDF is opened in either Adobe Reader or Acrobat, the victim will be prompted through the PDF to enter their Amazon.de email address and password (Figure 1).

Figure 1:  The German-language PDF prompts the victim to enter their Amazon credentials (Note: The credentials entered in the screenshot are false and are used as an example.)

Once the credentials are accepted, the victim receives another pop-up window warning the victim that the PDF is attempting to open a webpage to panelessolaresparaguay[.]com (Figure 2).

Figure 2: The victim is required to click “Allow” in order to proceed to the next step

After clicking “Allow,” the PDF opens a browser window and directs the victim to a German Amazon phishing page, whose URL contains the email address entered in the PDF prompt in the path of the URL:

hxxp://sellercentral.amazon.de[.]347ty49h89ehg8ui7yt348[.]panelessolaresparaguay[.]com/step1[.][email protected](.)com

Figure 3 displays the first step in the German Amazon phishing page which has a loading image and a countdown informing the victim that a verification code has been sent to the recipient, yet Figure 3 does not specify the method by which the recipient will receive the code.

Figure 3: The PDF directs the victim to a German Amazon phishing page

When the page finishes loading, the victim is required to enter a code that was supposedly sent to the victim’s phone number, possibly in an attempt overcome Two Factor Authentication (2FA) (Figure 4). However, the phish never once prompts the victim to enter a phone number in this scam. The victim also has the option of clicking on what appears to be a link that would supposedly provide information on retrieving the code labeled “Haben Sie den Code nicht erhalten?” (English translation: “Did not you receive the code?”). Instead, the link does not direct the victim to another page and the victim is forced to enter any string of characters to proceed to the next step. Thus, it is more likely this is done not to overcome 2FA but to distract intended victims and leave them none-the-wiser that they exposed their credentials.

The following URL directs the victim to step 2:

hxxp://sellercentral.amazon.de[.]347ty49h89ehg8ui7yt348[.]panelessolaresparaguay[.]com/step2[.]php

Figure 4: The field will accept any information entered to proceed to the next page

After the victim enters a “code” and clicks the button to proceed to the next step, the page redirects the victim to the genuine Amazon Seller Central’s European website on Amazon.de, indicating the phishing scam is completed.

This credential phishing scam underscores a unique method of stealing login credentials before the victim is required to interact with a browser window. This is unusual given that most scams harvest credentials via a phishing webpage. In analyzing this campaign, Cofense Intelligence found that opening the PDF in non-Adobe applications will not display the login prompt and, because the PDF states the document cannot be opened in a browser, victims cannot interact with the PDF in Adobe PDF Online, an application used to edit PDFs in a browser.

The tactics, techniques, and procedures observed in this credential phishing scam highlight a unique method in which threat actors now steal their victims’ credentials. Credential phishing scams like the one above pose a serious risk to individuals and organizations and emphasize the importance of phishing awareness and education. Learn how Cofense PhishMeTM empowers users to recognize and report suspicious messages and avoid falling victim to costly phishing scams.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Hunts Phishing Threats Round the Clock with Enhanced 24-hour Global Phishing Defense Services

Expanded 24/7 Phishing Defense Service helps multi-national organizations across the world quickly hunt cyberthreats no matter the time or day

LEESBURG, VA – October 25, 2018: Cofense™, the leading provider of human-driven phishing defense solutions worldwide, announced today expanded 24/7 Phishing Defense Services to identify and mitigate active phishing attacks in progress. With this expanded support, the Cofense Phishing Defense Center (PDC), powered by Cofense Triage™, will immediately begin their human-vetted analysis, investigation and mitigation of reported phishing threats, regardless of what day or time the attack was reported. This provides organizations a significant advantage in the fight against targeted phishing attacks across multiple regions and time zones.

H-Worm and jRAT Malware: Two RATs are Better than One

When threat actors bundle two or more malware families in one campaign, they gain broader capabilities. Cofense Intelligence™ recently analyzed a phishing campaign delivering both jRAT and H-Worm remote access trojans. jRAT, aka the Java Remote Access Trojan, has the primary role of remotely controlling a victim’s machine. H-Worm, also known as Houdini Worm, operates as a remote access trojan but has worm-like capabilities, such as propagating itself on removable devices like a USB.

Using a generic phishing lure pertaining to an invoice, the email below contains two attached .zip archives: one with a VBScript application and the other a .jar Java application.

Figure 1: Phishing lure delivering jRAT and H-Worm

While the .jar file is a sample of jRAT, it also drops a copy of H-Worm on the infected machine. The VBScript file is tasked with downloading a Java Runtime Environment (JRE), if it is not already on the machine, which allows the .jar file to run. This VBScript file is a sample of H-Worm. The delivery is unusual compared to older analyses of H-Worm with jRAT, which typically consists of a single payload used to facilitate the infection of both H-Worm and jRAT (and sometimes H-Worm with other malware families).

Two RATs, One Infection

Disseminating two similarly functioning malware families in a single infection is not a new tactic. Threat actors do this to exfiltrate more valuable information and to carry out additional tasks that support further infection or monetization. Some of the functions and capabilities of H-Worm and jRAT are shown below.

Figure 2: Distinct functions and similarities of H-Worm and jRAT

Each remote access trojan serves a specific purpose, such as keylogging, monitoring audio or video, or modifying the registry. At the end of the day, the specific malware or number of malware families used in a single infection cycle does not matter to the threat actor as long as there is a better chance for a successful infection. In the end, all that matters to the threat actors is if they were able to exfiltrate the information they seek.

However, for many attackers, the outcome of a successful infection also relies upon the successful delivery of a phishing email. Threat actors will continue to develop new tactics, techniques, and procedures (TTPs) to lure their intended targets. The first step to avoid an infection like the one above is to recognize and report suspicious messages. Educating computer users to identify suspicious emails can help your organization stop an attack on your infrastructure.

Learn how Cofense PhishMeTM conditions users to recognize active phishing threats.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

 

America’s First: US Leads in Global Malware C2 Distribution

By Mollie MacDougall and Darrel Rendell

Cofense Intelligence™ has found that 27% of network Indicators of Compromise (IoC) from phishing-borne malware analysed during 2018 used C2 infrastructure located in, or proxied through, the United States—making the US the leader in global malware C2 distribution.

Map 1 details these observations. This does not indicate that US-based users are getting hit disproportionately, as threat actors are incentivised to host C2 infrastructure outside of their own country or countries with extradition agreements with their host nations to avoid arrest and/or extradition. However, C2 infrastructure is enormously biased toward compromised hosts, indicating a high prevalence of host compromises within the United States.

Map 1: All IPs, both resolved from domain and names and direct-connects, observed during 2018

Chart 1 reflects the top 5 data points observed in Map 1, calculated relative to one another.

Chart 1: Top 5 C2 location points across the globe, year-to-date 2018.

Maps 2 and 3 detail the juxtaposition in C2 locations between TrickBot and Geodo Tier 1 proxy nodes.

Map 2: TrickBot C2 distribution year-to-date 2018

Map 3: Geodo C2 distribution year-to-date 2018

At first glance, the contrast between Geodo and TrickBot may seem odd; Geodo overwhelmingly favors US hosts whereas TrickBot has a propensity toward Russian devices. However, Geodo uses networks of compromised web servers, running Nginx to serve as Tier 1 proxy nodes. More specifically, Geodo uses legitimate web servers as a reverse proxy, tunnelling traffic through these legitimate web servers to hosts on the true hidden C2 infrastructure. TrickBot, on the other hand, almost exclusively uses for-purpose Virtual Private Servers (VPSs) to host its nefarious infrastructure.

TrickBot’s C2 distribution trends significantly more eastward—with a greater number of C2 locations in Eastern Europe and Russia. TrickBot campaigns almost always target Western victims. In June, Cofense Intelligence released a report detailing sustained, pernicious attacks against UK targets. TrickBot’s targeting of Western victims from Eastern-hosted C2 could be due to the lack of extradition agreements amongst those countries (Figure 1). Still, TrickBot does rely on some C2 locations in North America and Western Europe. This could alternatively be a strategic move wherein TrickBot uses regionally diverse C2 locations to make it more difficult to profile its infrastructure, to introduce uncertainty and help keep the hosts viable for the longest possible time. Chart 2 is a companion of Map 2, detailing TrickBot’s favored demographics.

Figure 1: Countries with which the US has extradition agreements.1

Chart 2: A breakdown of TrickBot’s C2 locations. Note: In the ‘Other’ category, 64% are Eastern (including Eastern European).

Looking Ahead

The scattering of C2 locations for Geodo and TrickBot demonstrates the vast infrastructure of two of the most pernicious malware currently distributed via phishing. This suggests that these malware families will almost certainly remain on the scene in the months to come. An avid network defender should take note that using geolocation to help differentiate legitimate traffic from potentially malicious traffic may not be as effective as it seems. In light of the case study above, it would be prudent to actively monitor the threat landscape from a reliable source and stay vigilant.

To learn more about 2018 Geodo and TrickBot activity, view the Cofense™ analysis.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

1 https://en.wikipedia.org/wiki/Extradition_law_in_the_United_States

 

Email Security Gateway (to Your Next Breach)

BY THE COFENSE PHISHING DEFENSE CENTER

Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware1, but by the end of 2017 the average user received 16 malicious emails per month.2 Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface.

Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks

That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous to claim these technologies prevent all threats. At Cofense™, we deal with hundreds of phish that bypass email gateways and lead to compromised user accounts.

Security solutions like Proofpoint and Mimecast routinely fail to stop phishing attacks while leaving customers with a false sense of security. We see this all the time, including attacks where Proofpoint and Mimecast failed to defang URLs as advertised. These services also routinely fail to stop basic phishing schemes, including some that use hosted services like Drive and Sharepoint; campaigns that use attachments to deliver malware or malicious links; and Business Email Compromise (BEC) attacks.

Below are a few of the many cases where we have seen Proofpoint and Mimecast let simple phishing attacks proceed without a fight.

Phishing Using Trusted Services

Cofense has often found that hyperlinks to traditionally trusted web services can easily make their way through firewalls and email gateways. Unfortunately, due to their low cost and free business models, services such as Google Drive, SharePoint, WeTransfer, and Dropbox are used by malicious actors to host files that contain embedded links to credential phishing sites. Email gateways are unable to access the embedded link and thus cannot check or block the link in question. See figure 1 below for an example of a PDF file with an embedded phishing link that was hosted on Google Drive:

Figure 1 – A common PDF containing a phishing URL

The text “Document.pdf (150.45 kb)” is a hyperlink to a shortened URL, which then redirects the victim to the “Smartsheet” branded phish seen in figure 2 below:

Figure 2 – A “Smartsheet” branded credential phish.

This phishing email made it through Proofpoint which failed to stop the attack due to the attacker’s evasion techniques. Luckily, the employee was well trained and reported the phish immediately.

Social Engineering, Business Email Compromise, & Vish

Some basic social engineering tactics can elicit a victim’s credentials without ever having to send malicious links or attachments to the user, making email gateways useless because there are no URLs to block.

Business Email Compromise is a common type of social engineering that tries to strike up a conversation with an employee in hopes of committing fraud, such as a fraudulent wire transfer or harvesting of company PII, as shown in Figure 3 below.

Figure 3 – A Business Email Compromise attack initiation

Additionally, Cofense frequently observes vishing attacks. In one attack, (Figure 4) the vish impersonate a trusted company requesting a phone call to fix a non-existent issue with the victim’s account. These attacks allow threat actors to gain a victim’s account information over the phone or over email without ever using malicious content that could be blocked by an email gateway.

Figure 4 – A social engineering Vishing attack

Malicious Attachments

Fabricated invoices and receipts, password protected PDFs, and other malicious attachment schemes are all common phishing tactics. Because most automated solutions only screen links in the body of the message, these attached phish regularly waltz their way past email gateways.

Recently, a password protected PDF phishing campaign targeted Cofense customers and completely circumvented Proofpoint protection. This phish included the password to the attached document within the body of the email, urging users to open it upon receipt, seen in Figures 5 and 6 below.

Figure 5 – Content snippet of a phishing email including a document’s password.

After opening the password protected PDF, the user is confronted with a link to a credential phishing site.

Like the previous example, basic word documents with hyperlinks consistently bypass automated security solutions like Proofpoint and Mimecast, as seen in figure 6.

Figure 6 – A .docx file with an embedded phishing link

Companies that rely purely on automated gateway solutions consistently fail to stop phish embedded within attachments.

Weakness in their Strength

These email security gateways perform better when a malicious link is in the body of an email. However, we have observed cases where many of those emails bypass such gateways and reach the targeted victim. Following are some examples where either Mimecast or Proofpoint failed to rewrite the URL completely. Additionally, we will look at a very interesting example where Proofpoint did rewrite the URL completely but failed to block it, allowing the user to engage with the malicious website.

Proofpoint Examples

Figure 7 below shows the first example where the email gateway failed to correctly rewrite the URL:

Figure 7 – Banco do Brasil Email

The email above includes a link “INICIAR REGULARIZAÇÃO” that will redirect the user to a malicious website. A closer look at the HTML code of the email body (Figure 8) reveals that the href of the link brings the user to hxxp://50[.]63[.]162[.]13/dkng[.]html, which redirects again to hxxps://atualizacaocliente[./]info/loginseguro/Operador/.

Figure 8 – HTML Code of Banco do Brasil Email

The email gateway failed to rewrite the initial URL hxxp://50[.]63[.]162[.]13/dkng[.]html.

Figure 9 shows another example where the email gateway did not rewrite the URLs in the email:

Figure 9 – Example 2 Email

Investigating the HTML body of the email again reveals that the link in the email directs the user to hxxp://s1[.]sleove[.]com/id (Figure 10).

Figure 10 – Example 2 HTML Body

In both examples above, the email gateway failed to rewrite the URLs and replace them with a safe landing page for potential victims.

Mimecast

The following examples focus on Mimecast and demonstrate that Mimecast failed to rewrite the URL within the body of the emails (Figure 11, Figure 12, Figure 13).

Figure 11 – Mimecast Example 1

Figure 12 – Mimecast Example 2

Figure 13 – Mimecast Example 3

The Phishing Defense Center has analyzed all three emails mentioned above and identified that they are part of a Geodo campaign. Geodo, also known as Emotet, is a banking trojan which steals financial information and often enables other malware to be installed on the victim’s computer. Many of the URLs that Mimecast missed to rewrite are related to Geodo campaigns.

Proofpoint Rewrites but Does Not Block

While spot-checking the 1,095 cases where the gateway did rewrite the URLs, we have identified another issue: the gateway did rewrite the URL, but it did not block the URL, thereby allowing the user to browse to and interact with a malicious page. As clearly shown in Figure 14, the URL is appended with https://urldefense.proofpoint.com, which suggests that this customer uses Proofpoint as the email security solution.

Figure 14 – Proofpoint Email where URL was not blocked

However, a click on the rewritten Proofpoint URL directs the user to hxxps://olook[.]ml, a phishing page that is attempting to steal user credentials, as shown in Figure 15.

Figure 15- Phishing Page after clicking on rewritten Proofpoint URL

The submit button calls a JavaScript file which validates the input and if the input is accepted, sends the data to the attacker.

Conclusion

These examples show that email gateways often fail to stop phishing threats. While both Proofpoint and Mimecast were successful in rewriting and blocking URLs, there were still many cases where those products did not or would not have prevented a compromise. Simply relying on email gateways to stop malicious emails can leave you with a false sense of security and can result in breaches.

Understanding the weaknesses in Proofpoint, Mimecast, and other automated gateway solutions can be the first step in learning how to better defend yourself. Only a holistic strategy will work against the full spectrum of phishing attacks your company sees.

To learn more about active phishing threats, view the Cofense State of Phishing Defense 2018 report.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

  1. Verizon, Data Breach Investigations Report, 2018.
  2. Symantec, Internet Security Threat Report, 2018.

Cofense Report Reveals 10 Percent of User-Reported Emails Across Key Industries are Malicious, Over Half Tied to Credential Phishing

The 2018 State of Phishing Defense Report highlights top phishing email subjects and industries most susceptible and resilient to phishing attacks

Leesburg, VA – October 11, 2018 – Cofense™, the leading provider of human-driven phishing defense solutions worldwide, today released the findings of their report, “The State of Phishing Defense 2018: Susceptibility, Resiliency, and Response to Phishing Attacks” which reveals today’s top phishing attacks and how companies can effectively manage those risks.

Phishing Enables Domestic Violence. Education Can Help Stop It.

According to estimates, approximately 760 people, or more than two per day, are killed by their partners. Most of the victims are women.1  Making matters worse, abusers use “stalkerware” to track their victims online, cutting off sources of income, isolating them from friends and family, and otherwise trying to control every aspect of their lives.