Quit Faking It—Train Your Users to Stop Real Phish

By Tonia Dudley

Cofense™ pioneered phishing simulation as a training method to defend against phishing incidents. We have evolved our products and methodology as we have come to understand that real phish are the real problem. What has also evolved over time is the depth of our scenario templates: when threat actors shift to a new tactic to make their way past the secure email gateway (SEG), Cofense is able to quickly offer a scenario based on that tactic.

When we say, “Real phish are the real problem” we mean organizations should set their phishing defense strategy from end to end. This starts with how we provide simulation training, teaching users how to identify phish and react, and then how Security Operations teams mitigate the potential incident. Training against real phish, the ones your organization actually faces, is essential.

Let’s look at the data to tell the story. It comes from our recently published Annual Phishing Report 2019. Looking at the data in Figure 1, which relates specifically to “real phish,” we can see that organizations using templates based on real phishing emails (active threats) get far better results. Not only is the report rate higher, but the susceptibility rate is also lower, which in turn improves the overall resiliency rate.

Figure 1

When an organization has been running its program for a few years, it begins to wonder how much is enough and whether it should keep sending scenarios. We point to the phishing emails reported by our customers to our Cofense Phishing Defense Center™ (PDC): more than 90% of emails reported came from environments that use a SEG. While the SEG is absolutely necessary to protect an organization, like any other defense it is not infallible against threat actors who continually adjust their tactics to make their way into the inbox. This is why it’s vital to align your training scenarios to what gets past your SEG.

Taking another view, we see what happens with two common templates available for simulation campaigns. The first one is made to look similar to a social media message users might receive if they associate their work email with this site. You can see the click rate is fairly low. Are the threat actors really spending that much time making a phishing email look this fancy?

The second template looks very simplistic, and a security awareness operator is less likely to select it. It appears too basic; nobody would actually click the message, right? Yet this template, which mimics a real phishing message, has a much higher click rate.

So are you preparing your organization to detect and report real phishing emails? Are you preparing them to defend against the actual messages that make it past your SEG? Our data shows that keeping it real makes a real difference.

View our report to learn other ways to double your resiliency to phishing.

 

HOW ELSE COFENSE CAN HELP

Most phishing threats observed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.

Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence™.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

 

Cofense Labs Has Identified a Sextortion Botnet in the Wild – and it’s Growing

By Tonia Dudley, Cofense Security Solutions

Every day, Cofense™ threat analysts and researchers monitor phishing and cyber security threats in the wild. In June of 2019, our researchers uncovered a sextortion botnet that contained a list of 200 million email addresses. Read the original announcement here.

That database has since grown to over 330 million email addresses.

We have also identified an increase in the number of unique web domains being targeted by the botnet. When we released our original findings, the database had close to 6 million unique domains. That total has grown to 7.4 million unique domains.

To be clear, this threat is not a breach of any Cofense data or systems. Rather, it’s a botnet that our research team discovered out in the wild. The botnet uses email addresses and credentials which we believe were acquired via a series of breaches over the past decade. Visit our info center for additional resources.

Fig. Sample containing text as images to deceive automated analysis

Cofense Labs™ has created a sextortion lookup tool to check impacted accounts and domains. It has also published a resource center with helpful tips on how to protect your organization and your personal accounts from falling victim to these types of threats, and on the steps you can take should you receive a sextortion scam.

Cofense Labs will continue to monitor the botnet and share updates on our Twitter handles @Cofense and @CofenseLabs.

HOW COFENSE SOLUTIONS CAN HELP

Reports of sextortion and other ransom scams to the Cofense Phishing Defense Center™ are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™.


Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit. Understand what SaaS applications are configured for your domains – do YOUR research with Cofense CloudSeeker™.


You’ve Been Served: UK Scammers Deliver ‘Predator the Thief’ Malware Via Subpoena

By Aaron Riley

Not even the halls of justice are immune from scammers. A new phishing campaign spoofing the UK Ministry of Justice has successfully targeted users with a subpoena-themed email delivering Predator the Thief, a publicly available information-stealing malware.

Cofense Intelligence™ has observed employees in insurance and retail companies receiving these emails. The phishing email states that the recipient has been subpoenaed and asks them to click a link to see more details about the case. The enclosed link uses trusted sources, namely Google Docs and Microsoft OneDrive, for the infection chain. The initial Google Docs link contains a redirect chain that eventually leads to a malicious macro-laden Microsoft Word file. Upon execution, the macro uses PowerShell to download the malware, a sample of the Predator the Thief information stealer.

The email body, shown in Figure 1 below, contains a warning that the recipient has 14 days to comply with the subpoena notice, a scare tactic designed to panic users into clicking. The link within the email leads to a Google Docs page and is benign, unlike the embedded URL within the Docs page that features a tailored redirection link pointing to a direct Microsoft OneDrive download. The Google Docs page is themed to fool a user into thinking the service is conducting security checks.


Figure 1: Sample Phishing Campaign Delivering Predator the Thief

Organizations defending against this multi-faceted threat have four options.

  • A basic email security stack would likely misread the Google Docs URL as legitimate and allow the email to pass inspection; in fact, this campaign has passed through FireEye’s Secure Email Gateway (SEG) solution and may be overlooked by others. Scanning the ensuing links at the network security level should reveal nefarious intent, at which point the security solutions should block further traversal.
  • Disabling Microsoft Office macros by default, monitoring PowerShell execution, and educating users on the dangers of enabling macros together safeguard against this threat.
  • Employing endpoint protection solutions that conduct memory analysis can spot the payload execution, thwarting an intrusion at the last step of the infection chain.
  • A highly tuned network security stack that monitors for exfiltrated data and suspicious HTTP POST packets can help spot an intrusion or block its exfiltration route.

Technical Findings

The email contains a link that leads to a trusted source, in which another link leads to yet another trusted source through a tailored redirecting URL in the middle. A macro-laden document is retrieved and used as a first stage downloader to execute a sample of Predator the Thief. The malware then infects the endpoint and attempts to exfiltrate sensitive data. At each step of this infection chain (outlined in Figure 2), correctly configured technology could have prevented successful execution, and a properly educated end user could have negated the entire scenario.


Figure 2: Infection Chain

Predator the Thief has all the basic capabilities of most information stealers. One of the unique things about this malware is its range of web browsers targeted, meaning a less popular web browser may still be affected. The authors disseminate their product via a Telegram channel that is also used as a customer support channel. Although Predator the Thief claims to have Anti-VM capabilities, older versions can be easily detected by automated AV scanning. A newer version can be quickly spotted in a sandbox once the binary has unpacked itself into memory. The execution of the binary on the endpoint is an additional focal point for defense within the endpoint protection program or product.

Predator the Thief targets cryptocurrency wallets, browser information, FTP, and email credentials. It can also take a screenshot of the infected machine. The information is stored in a file named “information.log” and sent to the Command and Control (C2) server via an HTTP POST to a network endpoint “gate.get” by default. The data in this file contains machine and user fingerprint data, stolen credentials, and network configurations. Once the information is gathered and the sample has successfully exfiltrated the data to the C2, the binary then cleans up parts of the infection and self-terminates. This infection clean-up process makes it much harder for endpoint forensic investigations that do not leverage verbose event logs and an endpoint detection system.
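To make the endpoint and network safeguards listed above concrete (flagging PowerShell spawned by an Office application, and watching for the stealer’s HTTP POST to its default “gate.get” endpoint), here is an added Python example. It is not Cofense’s code; the proxy-log layout, the process-event fields, the hostnames and the allowlist in it are constructed assumptions.

```python
"""Added example (not Cofense's code): detection logic for two points in the
Predator the Thief infection chain, run over constructed sample data.
Assumptions: the proxy log layout and the process-event fields are invented
for this example; "gate.get" is the default C2 path named in the post."""
import re
from dataclasses import dataclass

# Constructed proxy log: timestamp, client, method, host, path, status, request bytes.
PROXY_LOG = """\
2019-10-25T10:01:02Z 10.0.0.15 GET docs.google.com /document/d/e/EXAMPLE/pub 200 0
2019-10-25T10:01:40Z 10.0.0.15 GET onedrive-host.example /details.doc 200 0
2019-10-25T10:02:10Z 10.0.0.15 POST c2-host.example /api/gate.get 200 10532
2019-10-25T10:05:00Z 10.0.0.22 POST www.example.com /api/login 200 512
2019-10-25T10:06:00Z 10.0.0.22 POST unknown-host.example /upload 200 300000
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d+) (?P<req_bytes>\d+)$"
)
# The stealer POSTs information.log to "gate.get" by default; the name is
# configurable, so the size check below is a second, behaviour-based signal.
C2_PATH_RE = re.compile(r"/gate\.get$")
KNOWN_POST_HOSTS = {"www.example.com"}   # assumption: allowlist maintained by the SOC
LARGE_POST_BYTES = 100_000


def suspicious_posts(log_text):
    """Return (reason, ts, src, host, path) for POSTs matching the stealer's exfil pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        reason = None
        if C2_PATH_RE.search(m["path"]):
            reason = "default C2 path"
        elif m["host"] not in KNOWN_POST_HOSTS and int(m["req_bytes"]) >= LARGE_POST_BYTES:
            reason = "large POST to unknown host"
        if reason:
            hits.append((reason, m["ts"], m["src"], m["host"], m["path"]))
    return hits


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events (Sysmon-style fields, simplified).
PROC_EVENTS = [
    ProcEvent(400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(512, 400, "WINWORD.EXE", '"WINWORD.EXE" details.doc'),
    ProcEvent(640, 512, "powershell.exe", 'powershell.exe -Command "<constructed downloader>"'),
    ProcEvent(700, 400, "powershell.exe", "powershell.exe -File backup.ps1"),
]
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}


def office_spawned_powershell(events):
    """Flag PowerShell whose parent is an Office application: the macro-to-downloader step."""
    by_pid = {e.pid: e for e in events}
    flagged = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if e.image.lower() == "powershell.exe" and parent and parent.image.lower() in OFFICE_IMAGES:
            flagged.append((parent.image, e.pid, e.cmdline))
    return flagged


if __name__ == "__main__":
    for hit in suspicious_posts(PROXY_LOG):
        print("network:", hit)
    for hit in office_spawned_powershell(PROC_EVENTS):
        print("endpoint:", hit)
```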

Indicators of Compromise


HOW COFENSE CAN HELP

The Cofense Phishing Defense Center™ finds that 89% of phishing threats that deliver malware have bypassed email gateways. Condition users to be resilient to phishing with Cofense PhishMe™ and remove the blind spot with Cofense Reporter™. Cofense PhishMe offers a simulation template, “UK Ministry of Justice Subpoena – Office Macro,” to educate users on the campaign described in today’s blog.


Cofense Teams Up with AwareGO to Expand Security Awareness Training

LEESBURG, Va. – Nov. 5, 2019 – Cofense™, the global leader in intelligent phishing defense solutions, and AwareGO (awarego.com), creators of succinct, high-quality security awareness training videos, today announced their partnership to empower organizations across the globe to tackle today’s top security issues head-on. Cofense’s security awareness training library now includes AwareGO’s security awareness videos covering critical topics facing today’s employees such as business email compromise, privacy, and insider threats.

Fifteen modules are currently available to customers of Cofense’s PhishMe solution. Since releasing Cofense CBFree as part of National Cybersecurity Awareness Month (#BeCyberSmart) in October 2015, Cofense has recognized that creative, accurate content and training materials are important to security awareness professionals to keep their programs engaging and interesting to maximize success with employees.

“Our goal has always been to create high-quality security awareness training videos that users can relate to,” says Ragnar Sigurdsson, CEO and founder, AwareGO. “We are truly excited to work with Cofense and provide them with our content. Not only are we collaborating to make cyber security training better and more engaging, it’s also an effort to make businesses more cyber secure in the long run. It’s an honor to work with Cofense and we see it as an affirmation of the quality of our videos that they chose to work with us.”

“All organizations must educate their employees about cyber security risks,” said Allan Carey, vice president of business development, Cofense. “That’s why we’re proud to partner with AwareGO to bolster the fresh, engaging and relevant training content available to customers and their employees. Effective employee education, training and behavioral conditioning is a critical element of a robust cyber defense strategy, allowing organizations to enhance their resiliency to attacks.”

###

About AwareGO
Made in Iceland by cyber security experts, AwareGO offers the world’s simplest security awareness training (SAT) platform and a unique and innovative way to reach a diverse audience with super-short videos. AwareGO has mastered the formula to get end users to buy into cyber security education.

 

About Cofense
Cofense™, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions worldwide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

 

AwareGO Media Contact
Neil Butchart
neil.butchart@awarego.com

 

Cofense Media Contact
press@cofense.com

New Credential Phish Targets Employees with Salary Increase Scam

By Milo Salvia, Cofense Phishing Defense Center™

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by preying on employees who are expecting salary increases.

The threat actors use a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spreadsheet. Here’s how it works:

Email Body

Figure 1: Email Body

The threat actor attempts to make the email appear to come from the target company by manipulating the “From” field in the headers. In particular, the threat actor changes the part of the From field that sets the display name (the “nickname”) shown in the mail client, so that the message appears to originate within the company.

The email body is simple: recipients see the company name in bold at the top of the page. Greeted by only their first names, they are informed that “As already announced, The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November.” Recipients are then presented with what appears to be a hosted Excel document called “salary-increase-sheet-November-2019.xls.”

It is not uncommon, of course, for companies to increase salaries throughout the year. As a result, it wouldn’t be uncommon for an email like this to appear in an employee’s mailbox. Human curiosity compels users to click the embedded link.

The idea is to make recipients believe they are being linked to a document hosted on SharePoint. However, they are being linked to an external website hosted on hxxps://salary365[.]web[.]app/#/auth-pass-form/. One can assume from the context of this malicious URL that it was specifically chosen and hosted for this phishing attempt.

Figure 2: Phishing Pages

Once users click the link, they are presented with a common imitation of the Microsoft Office365 login page. The recipient’s email address is appended to the end of the URL, which automatically populates the email box within the form, leaving only the password field for the recipient to fill in and submit. This adds a sense of legitimacy to the campaign, allowing the recipient to believe it comes from their own company.

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMe™ offers a simulation template, “Salary Increase,” to educate users on the phishing tactic described in today’s blog.

Cofense Intelligence™: ATR ID 31510

Cofense Triage™: YARA rule PM_Intel_CredPhish_31510

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe™.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense Reporter™. Quickly turn user-reported emails into actionable intelligence with Cofense Triage™. Reduce exposure time by rapidly quarantining threats with Cofense Vision™.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker™.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense™. To understand them better, read the 2019 Phishing Threat & Malware Review.

 


Cofense Releases Annual Phishing Report; Flips Myth that Employees Are the Weakest Link in Cyber Defense

Record-breaking 20 million active phishing Reporters and 100+ million phishing simulations inform extensive study

Simulation frequency, relevance and employee reporting form resiliency trifecta

Leesburg, Va. – Oct. 30, 2019 – Armed with data generated by millions of real people, along with intelligence collected from more than 10 million phishing simulations delivered every month, the 2019 Cofense™ Annual Phishing Report, released today, sheds light on employees’ susceptibility to fall for attacks and organizations’ phishing resiliency – a measure that tracks behavioral change from clicking phishing emails to active defense through reporting. Contrary to popular belief, employees are a powerful force that play a pivotal role in an enterprise’s phishing defense strategy. In fact, when employees are properly conditioned to recognize and report attacks through regular and relevant phishing simulations, organizations are more likely to successfully defend against attacks designed to compromise customer information, steal intellectual property or destroy company data and IT infrastructure.

Cofense, the global leader in intelligent phishing defense solutions, has equipped more than twenty million people in organizations across the globe to report suspicious emails through Cofense Reporter™, an easy to use, one-click email toolbar button.

“Security practitioners need to repudiate the common misconception that end users are the weakest link in organizational defense,” said Aaron Higbee, cofounder and chief technology officer, Cofense. “In fact, employees are the last and ultimate line of defense. With more than twenty million people across the globe empowered to flag potential attacks through Reporter, Cofense is helping thousands of organizations turn their workforce into highly tuned human sensors adept at reporting suspicious emails that frequently bypass security technologies.”

The research reveals three distinct best practices help organizations strengthen their resiliency and empower their users to become active defenders against attacks:

  1. Reporting: Organizations that arm their workforce with a straightforward and easy way to report suspicious emails exhibit strong phishing resiliency rates; in simulation exercises, their end users report phishing emails more than twice as often as they fall for the bait.
  2. Frequency: Regular phishing simulations significantly improve reporting rates and drive down users’ susceptibility to phishing attacks. Organizations that run 12 or more simulations per year have resiliency rates twice as high as those running fewer than 12.
  3. Relevance: Simulations that imitate real phish seen in the wild lead to markedly higher reporting rates and lower susceptibility rates amongst end users compared to organizations that randomly select phishing scenarios.

The ultimate pay-off of high organizational resiliency materializes when SOCs transform reported emails they receive into actionable intelligence. When well-positioned to prioritize and analyze employee-reported emails, SOCs can quickly and efficiently cut through the noise and neutralize a threat in minutes.

Report Available Now

To download the Cofense Annual Phishing Report, visit: http://phish.me/4zMY30pNtFt. Additionally, Cofense will also host a free webinar on November 12, 2019 at 2:00 p.m. EST.

About Cofense

Cofense™, formerly PhishMe®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact

press@cofense.com

Are URL Scanning Services Accurate for Phishing Analysis?

By Chris Hall, Professional Services

There are plenty of websites offering URL scanning for malicious links. Their tools are a quick and easy way to analyze a URL without visiting the site in a sandboxed environment. Widely used, these tools are accurate to a point.

But in today’s phishing landscape, where attacks are increasingly sophisticated, such tools are becoming less and less reliable. We in the Cofense Phishing Defense Center™ (PDC) believe they are ineffective against more advanced phishing websites.

Phishing Sites Are Using Redirect Methods to Avoid Detection

Let’s start with this example:

An attacker can easily set up a new domain and host a phishing site with a legitimate SSL certificate, obtained for free from most established certificate authorities. The attacker can then configure the server or web page to redirect all connections that do not come from the targeted organization’s IP addresses to an external, safe site such as google.com.

If a security analyst then submits the URL to a third-party lookup tool, for example VirusTotal, the tool will only detect the site google.com and not the actual phishing site. At this point, the analyst can submit the URL to another URL scanning tool, but the results will all come back the same.

In the Cofense PDC, we are seeing an increase in phishing sites that use redirect methods to avoid detection by URL scanners and by unwary security analysts.

Here is another example, this time a phishing website that detects the visitor’s browser:

The phishing link below redirected users depending on which browser they used. Users whose default browser is Firefox get the actual payload, while those whose default browser is Chrome are redirected to MSN.

Figure 1: Original Phishing Email

When recipients click the ‘Open Notification’ link in the email message above, they are directed to the website below.

URL: hxxp://web-mobile-mail.inboxinboxqjua[.]host/midspaces/pseudo-canadian.html?minor=nailer-[recipient’s Email Address]

When someone clicks the URL, the experience can vary depending on the default browser, Firefox vs. Chrome.

The real phish site using Firefox:

Figure 2: Actual Phishing Site

Using Chrome:

Figure 3: Redirected Site

Regardless of the user’s geolocation, the URL redirect will go to the UK page. URL: https://www.msn.com/en-gb/news/uknews

Now let’s put the same URL in a popular URL scanner and see the results:

Figure 4: VirusTotal Results of the Reported URL

The search results show that one of the vendors has detected the phishing site as malware. However, this is not the case. Let’s look at the Details tab.

Figure 5: VirusTotal Details of the Reported URL

In the results it states that the final URL is to msn.com. We still do not know what the actual phishing site looks like, what the site is doing, or even if the phishing site is active at all.

There’s a Better Way to Check for Malicious Links

Organizations must ask if these URL scanners are providing enough information to analysts so they can complete their investigations. Is the scanner testing the suspicious link with multiple user agents or querying the site with different source IP addresses? While the URL scanning services are useful, they lack the basic dynamic analysis that most analysts will perform on a malicious website.

What if I told you that it is quick, easy, and more accurate by far to analyze URL based phishing attacks manually, using various tools such as User-agent switcher or with a VPN and proxy servers while in a dedicated virtual machine? Remember that if a phishing email bypassed those same scanners to reach your users’ inboxes, it’s an undiscovered phishing attack and will require human analysis.

To better equip your analysts, we came up with a list that your security team can use to detect these types of attacks.

  1. Create an isolated proxy server that can reach out to the phishing site without restrictions.
     – If your company has locations in different countries, use additional proxy servers in those countries, or use proxy services like Tor or a third-party VPN service.
     – Acquiring a VPN service with multiple locations is another option.
     – Create a “dirty” network for browsing malicious sites that can also be used to analyze malware samples.
  2. Create a VM for URL analysis.
     – This VM should be isolated from the organization’s network.
     – VMs such as REMnux have tools built in to assist in URL and file analysis.
  3. Use Firefox for visiting the site.
     – Given the vast amount of customization available, Firefox may be the browser best suited to URL analysis.
     – Add-ons such as User-Agent Switcher, FoxyProxy, and HTTP Header Live are essential.
     – You can also use the browser’s developer tools to track requests, detect redirects, and alter elements on the page.
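Putting the checklist and the browser-detection example to work: the added Python below (not Cofense tooling) follows a URL’s redirect chain hop by hop under a Firefox and a Chrome User-Agent and reports whether the two land on different pages, the cloaking behaviour shown in Figures 2 and 3. The hostname lure.example and the fake server used for the offline demonstration are constructed; the live fetcher is the one to point at an isolated proxy from the analysis VM.

```python
"""Added example (not from the Cofense post): trace a suspicious URL's redirect
chain under different User-Agent strings so that browser-based cloaking shows up
as diverging chains. The fetcher is pluggable; `fake_fetch` is a constructed
stand-in for the cloaked server described in the post, so the demo runs offline."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop can be recorded."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, user_agent, proxy=None, timeout=15):
    """One request, no automatic redirects. Returns (status, Location header or None).
    `proxy` is an optional "http://host:port" URL for the isolated analysis proxy."""
    handlers = [_NoRedirect()]
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:   # 3xx surfaces here once redirects are disabled
        return e.code, e.headers.get("Location")


def trace(url, user_agent, fetch=live_fetch, max_hops=10):
    """Follow Location headers manually; returns the list of (url, status) hops."""
    chain = []
    current = url
    for _ in range(max_hops):
        status, location = fetch(current, user_agent)
        chain.append((current, status))
        if location is None or not 300 <= status < 400:
            break
        current = urljoin(current, location)
    return chain


def diverges(url, fetch=live_fetch):
    """Compare where Firefox and Chrome end up; True means the site cloaks by User-Agent.
    For a live run through a proxy use functools.partial(live_fetch, proxy=...) as `fetch`."""
    ff = trace(url, FIREFOX_UA, fetch)
    ch = trace(url, CHROME_UA, fetch)
    return ff[-1][0] != ch[-1][0], ff, ch


def fake_fetch(url, user_agent):
    """Constructed stand-in for the cloaked server in the post: Firefox gets the
    phishing page, any other browser is bounced to the decoy MSN page."""
    if url.startswith("http://lure.example/notification"):
        if "Firefox" in user_agent:
            return 200, None
        return 302, "https://www.msn.com/en-gb/news/uknews"
    return 200, None


if __name__ == "__main__":
    cloaked, ff, ch = diverges("http://lure.example/notification?minor=nailer-user@example.com",
                               fake_fetch)
    print("cloaking by User-Agent:", cloaked)
    for label, chain in (("firefox", ff), ("chrome", ch)):
        print(label, " -> ".join(f"{u} [{s}]" for u, s in chain))
```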

URL scanning services are useful to a point. These tools will alert you to some suspicious URLs, but they often lack the details needed for escalation and for blocking the threat. More often than not, relying on them will be a point of failure for your organization’s security because of the high degree of risk that reliance introduces. So take a couple of minutes to look at that suspicious URL in a safe environment and see what it really does. It may save you lots of money and time cleaning up an incident.

 

HOW COFENSE SOLUTIONS CAN HELP

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM

90% of phishing threats observed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

What’s Up With Malware? Find Out In Our Q3 Report

By Alan Rainer and Max Gannon

On the malware front, the summer of 2019 was quiet and steady-state. But the end of Q3 saw the infamous Emotet resurface, presaging a malware uptick in Q4. Read all about it in the Cofense Q3 2019 Malware Trends Report.

Maintaining a relative lull when Emotet suspended activity, threat actors in Q3 stuck to tried-and-true practices of intrusion. Phishing emails containing keyloggers (namely ‘Agent Tesla’) slightly rose in popularity, while information stealers like Loki Bot fell. Threat actors continue to seek the easiest, most efficient way of infiltrating users. Agent Tesla, for example, offers customer support and a web interface to develop and manage the keylogger. Similarly, cybercriminals continue to capitalize on known and patched vulnerabilities to deliver malware through phishing campaigns.

When Emotet resurfaced towards the end of Q3, this significant malware player wasted no time in compromising email chains or tricking users with convincing templates. As such, CofenseTM expects Q4 to show more malware activity.

Figure 1: Emotet Phishing Email Sample

Our Q3 report outlines these trends, alongside statistics, breakdowns of specific campaigns, and insights on what to expect in Q4, all of which you can use to defend your organization. Cofense IntelligenceTM provides phishing campaign updates throughout the year, which include the Strategic Analysis (a comprehensive threat report) and Executive Phishing Summary (a bi-weekly trend synopsis) communiqués.

View the Q3 Report now.

New Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

By Milo Salvia, CofenseTM Phishing Defense CenterTM

This blog has been updated since its first appearance on October 17, 2019 to include information related to the threat origin and bypassed email gateways.

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator that handles billions of dollars annually. That volume makes Stripe an attractive target for threat actors who want to use compromised accounts to reach payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they hover over it; instead, they see a bogus account message. Here’s how the campaign works.

Figure 1: Email Headers

The phishing email originates from a compromised press email account with privileged access to MailChimp. The threat actor used the MailChimp app to launch a “marketing campaign” comprised of phishing emails. Because the emails came from a legitimate marketing platform, they passed basic email security checks like DKIM and SPF. As we can see from the headers in figure 1, the email passed both the DKIM authentication check and SPF.

Figure 2: URL

The threat actor was able to obfuscate the URLs contained in the email by using MailChimp’s redirect services. This method hides the true destination and replaces it with a list manage URL. The threat actor also gains the ability to track whether a link has been clicked by a recipient.

Email Body

The email pretends to be a notification from “Stripe Support,” informing the account administrator that “Details associated with account are invalid.” The administrator needs to take immediate action, otherwise the account will be placed on hold. This is cause for panic among businesses that rely solely on online transactions and payments. Fear and urgency are the most common emotions threat actors play on, spurring otherwise rational people to make irrational decisions.

The email body contains a button with an embedded hyperlink: “Review your details.” When clicked, the recipient is redirected to a phishing page. Usually one can check the destination of a hyperlink by hovering over it with the mouse cursor. Here the true destination is obscured by adding a simple title attribute to HTML’s <a> tag, so when the recipient hovers over the button the tooltip shows the title “Review your details” instead of the URL. This is likely a tactic to mask the true destination from a vigilant recipient.

Figure 3: Email Body

Figure 4: Malicious Button
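The two tricks just described, a title attribute that replaces the hover tooltip and a marketing platform’s click-tracking redirect that hides the real destination, are both visible in the raw HTML and can be checked mechanically before anyone clicks. The following is an added example, not Cofense tooling: audit_links() parses the anchors in an email body and flags a title that differs from the href, visible link text that shows one URL while the href goes elsewhere, and hrefs that point at a configured list of tracking-redirect hosts. SAMPLE_EMAIL and the tracker.example host are constructed to mirror the lure, not taken from the real campaign.

```python
"""Audit the anchors in an HTML email body for link-masking tricks: a title
attribute that replaces the hover-text URL, link text that shows one URL
while the href points elsewhere, and hrefs that bounce through a marketing
platform's click-tracking redirector.

Added example, not Cofense tooling. SAMPLE_EMAIL and tracker.example are
constructed to resemble the lure described in the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, title, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href") or "",
                             "title": a.get("title") or "", "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.anchors.append(self._current)
            self._current = None


def _host(url):
    """Hostname of a URL, tolerating text like 'www.example.com/path'."""
    if url.lower().startswith("www."):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def audit_links(html, redirect_hosts=()):
    """Return one record per anchor with a list of flags explaining concerns."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for a in parser.anchors:
        flags = []
        href_host = _host(a["href"])
        # Hovering shows the title rather than the href, so a title that differs
        # from the destination hides where the link really goes.
        if a["title"] and a["title"].strip() != a["href"].strip():
            flags.append("title_masks_href")
        # Visible text that looks like a URL must agree with the real target.
        text = a["text"].lower()
        if text.startswith(("http://", "https://", "www.")) and _host(a["text"]) != href_host:
            flags.append("text_url_mismatch")
        # Click-tracking redirectors hide the final destination entirely.
        if any(href_host == h or href_host.endswith("." + h) for h in redirect_hosts):
            flags.append("tracking_redirect")
        findings.append({"href": a["href"], "text": a["text"], "flags": flags})
    return findings


# Constructed lure modelled on the email described above (not the real one).
SAMPLE_EMAIL = """
<p>Details associated with account are invalid.</p>
<a href="https://tracker.example/track/click?c=abc123" title="Review your details">
  Review your details</a>
<a href="https://dashboard.stripe.com/">https://dashboard.stripe.com/</a>
<a href="https://login.example.net/">https://dashboard.stripe.com/login</a>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL, redirect_hosts=("tracker.example",)):
        print(f["flags"] or ["ok"], f["href"])
```

A title attribute on its own is not malicious; legitimate newsletters use them too, and most bulk mailers wrap links in their tracking domain. Treat the flags as triage signals that tell the analyst which links to detonate in the isolated environment first, and keep redirect_hosts populated with the tracking domains of platforms your organization actually receives mail from.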

The phishing page is an imitation of the Stripe customer login page. In fact, it consists of three separate pages. The first one aims to harvest the admin’s email address and password, while the second page asks for the bank account number and phone number associated with the account. Lastly, the recipient is sent back to the account login page, which displays the error message “Wrong Password, Enter Again.” This leads the recipient to believe an incorrect password has been entered, and the redirect back to the legitimate site keeps the recipient from suspecting foul play.

Figure 5: Phishing Pages

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a simulation template, “Stripe Account Notification,” to educate users on the campaign described in today’s blog.

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.


Agent Tesla Keylogger Is Now a Top Phishing Threat

By Aaron Riley, Cofense IntelligenceTM

The Agent Tesla keylogger is an increasingly widespread piece of malware in the phishing threat landscape, targeting multiple industries and using multiple stages within its infection chain. Currently, threat actors prefer archived files or weaponized Microsoft Office productivity documents to deliver this malicious software to the endpoint. Agent Tesla is sold as a commercial subscription license and offers a 24/7 support team. With an easy to use and abundant feature set—like a document exploit builder embedded into the malware management web panel—this keylogger lends itself to all levels of threat actors.

A typical theme for these campaigns revolves around finances, orders, and shipments. The most common way for this keylogger to make it to the endpoint is by archiving the executable and attaching it to a phishing email. This delivery vector can be successful if the email security stack does not have a standard in place for allowed archival types, does not conduct archive file analysis, or determines the file to be an unknown archive type.

For the infection chain, there are numerous methods a threat actor can choose. Most notably, Agent Tesla leverages a document exploiting an equation editor vulnerability documented in CVE-2017-11882 as the first stage loader. Exploiting this vulnerability allows for the attached document to download and execute a binary on the victim’s endpoint once opened. Although a patch has been out for this vulnerability, threat actors continue to utilize it for exploits.

An Office macro-laden document is the second most popular ‘stage one’ loader for this keylogger. This is somewhat surprising, given that the macro builder is embedded into the Agent Tesla web panel as a feature, which makes it easier to capitalize on than the CVE-2017-11882 exploit. The keylogger also demonstrates features that fit closer in line with a Remote Access Trojan (RAT), including the capability to take screenshots or control the webcam. Agent Tesla adds to its robustness with the ‘File Binder’ option, which links a selected file on the endpoint to the Agent Tesla executable and runs the keylogger at the same time as the selected file. This is done to keep the keylogger up and running without any interaction needed from the victim.

Unlike most RAT suites, Agent Tesla’s preferred exfiltration method for the stolen data is the use of email. The web panel allows for a threat actor to set an email address as the recipient or the sender and has the ability for the email traffic to be SSL encrypted. This exfiltration technique can be avoided by blocking all traffic using SMTP that does not match organizational or enterprise standards. Agent Tesla, however, can also exfiltrate the stolen information via FTP or an HTTP POST. Each of these exfiltration methods can be defended against with proper firewall, content filtering, and alerting rules in place.
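The exfiltration paths above (SMTP or SMTPS from an infected workstation, FTP, and HTTP POSTs to outside hosts) are all visible in ordinary connection logs, and the defence the paragraph describes, blocking SMTP that does not match the enterprise standard, can be checked against those logs. The following is an added example, not Cofense tooling: find_exfil_candidates() applies a hypothetical egress standard (only the mail relay may speak SMTP outbound, only the managed transfer host may use FTP, plain-HTTP POSTs to external addresses are reviewed) to constructed connection records, and hosts_by_channel_count() ranks sources that tripped more than one channel. The POLICY values and SAMPLE_CONNECTIONS are constructed for the example, not captured telemetry.

```python
"""Egress policy check for Agent Tesla's exfiltration channels: SMTP/SMTPS
from anything other than the mail relay, FTP from anything other than the
managed transfer host, and HTTP POSTs to external hosts over plain HTTP.

Added example, not Cofense tooling. The policy values are hypothetical
organizational standards and the connection records are constructed, not
captured telemetry; feed the same shape from firewall or proxy logs.
"""
import ipaddress

# Hypothetical enterprise standard for outbound traffic.
POLICY = {
    "smtp_ports": {25, 465, 587},
    "ftp_ports": {21},
    "approved_smtp_sources": {"10.0.0.25"},  # corporate mail relay (hypothetical)
    "approved_ftp_sources": {"10.0.0.40"},   # managed transfer host (hypothetical)
    "internal_nets": ["10.0.0.0/8", "192.168.0.0/16"],
}

# Constructed records: (src_ip, dst_ip, dst_port, http_method or None).
SAMPLE_CONNECTIONS = [
    ("10.0.0.25", "203.0.113.10", 25, None),      # relay delivering mail: expected
    ("10.0.5.77", "203.0.113.44", 587, None),     # workstation submitting mail: suspect
    ("10.0.5.77", "203.0.113.44", 465, None),     # same workstation over SMTPS
    ("10.0.0.40", "198.51.100.9", 21, None),      # approved transfer host
    ("10.0.7.12", "198.51.100.9", 21, None),      # workstation FTP: suspect
    ("10.0.7.12", "198.51.100.200", 80, "POST"),  # plain-HTTP POST outbound: suspect
    ("10.0.7.12", "10.0.0.3", 80, "POST"),        # internal POST: out of scope
]


def _is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def find_exfil_candidates(records, policy=POLICY):
    """Return an alert for every outbound record that violates the egress standard."""
    alerts = []
    for src, dst, port, method in records:
        if _is_internal(dst, policy["internal_nets"]):
            continue  # only traffic leaving the enterprise is in scope
        reason = None
        if port in policy["smtp_ports"] and src not in policy["approved_smtp_sources"]:
            reason = "smtp-from-unapproved-host"
        elif port in policy["ftp_ports"] and src not in policy["approved_ftp_sources"]:
            reason = "ftp-from-unapproved-host"
        elif method == "POST" and port == 80:
            reason = "http-post-external"
        if reason:
            alerts.append({"src": src, "dst": dst, "port": port, "reason": reason})
    return alerts


def hosts_by_channel_count(alerts):
    """Rank sources by how many distinct channels they tripped; a host using
    several (say SMTP and FTP) deserves the first look."""
    channels = {}
    for a in alerts:
        channels.setdefault(a["src"], set()).add(a["reason"])
    return sorted(((src, len(r)) for src, r in channels.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = find_exfil_candidates(SAMPLE_CONNECTIONS)
    for alert in found:
        print(alert)
    print(hosts_by_channel_count(found))
```

The SMTP and FTP rules translate directly into firewall deny rules once the approved sources are known; the plain-HTTP POST rule is noisier and is better used as an enrichment for hosts that already tripped another channel, which is what the ranking function surfaces. The records here carry only IP addresses, so HTTPS-wrapped exfiltration to a named host is not covered and needs proxy or TLS inspection logs.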

Figure 1: An example phishing email with Agent Tesla keylogger attached.

Agent Tesla’s recent rise to the top of the phishing threat landscape shouldn’t be a surprise, given the ease of use, options, and technical support from the creators. Network safeguards can help stop the exfiltration of data from a successful infection. Patching and updating user endpoints can combat at least one of the delivery mechanisms used within these phishing campaigns. Educating users on company standards for file extensions and Office macro use can combat the other two delivery mechanisms.

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review.

