New Credential Phish Targets Employees with Salary Increase Scam

By Milo Salvia, Cofense Phishing Defense CenterTM

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by preying on employees who are expecting salary increases.

The threat actors use a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spread sheet. Here’s how it works:

Email Body

Figure 1: Email Body

The threat actor attempts to make the email appear to come from the target company by manipulating the “from” field in the headers. In particular, the threat actor changes the part of the from field that dictates the “nickname” displayed in the mail client to make it appear as if it originated within the company.

The email body is simple: recipients see the company name in bold at the top of the page. Greeted by only their first names, they are informed that “As already announced, The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November.” Recipients are then presented with what appears to be a hosted Excel document called “salary-increase-sheet-November-2019.xls.”

It is not uncommon, of course, for companies to increase salaries throughout the year. As a result, it wouldn’t be uncommon for an email like this to appear in an employee’s mailbox. Human curiosity compels users to click the embedded link.

The idea is to make recipients believe they are being linked to a document hosted on SharePoint. However, they are being linked to an external website hosted on hxxps://salary365[.]web[.]app/#/auth-pass-form/. One can assume from the context of this malicious URL that it was specifically chosen and hosted for this phishing attempt.

Figure 2: Phishing Pages

Once users click on the link, they are presented with a common imitation of the Microsoft Office365 login page. The recipient email address is appended to the end of the URL that automatically populates the email box within the form, leaving just the password field blank to be submitted by the recipient. This adds a sense of legitimacy to the campaign, allowing the recipient to believe this comes from their own company.

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a simulation template, “Salary Increase,” to educate users on the phishing tactic described in today’s blog.

Cofense IntelligenceTM: ATR ID 31510

Cofense TriageTM: YARA rule PM_Intel_CredPhish_31510

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM. Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Cofense Releases Annual Phishing Report; Flips Myth that Employees Are the Weakest Link in Cyber Defense

Record-breaking 20 million active phishing Reporters and 100+ million phishing simulations inform extensive study

Simulation frequency, relevance and employee reporting form resiliency trifecta

Leesburg, Va. – Oct. 30, 2019 – Armed with data generated by millions of real people, along with intelligence collected from more than 10 million phishing simulations delivered every month, the 2019 CofenseTM Annual Phishing Report, released today, sheds a light on employees’ susceptibility to fall for attacks and organizations’ phishing resiliency – a measure that tracks behavioral change from clicking phishing emails to active defense through reporting. Contrary to popular belief, employees are a powerful force that play a pivotal role in an enterprise’s phishing defense strategy. In fact, when properly conditioned to recognize and report attacks through regular and relevant phishing simulations, organizations are more likely to successfully defend against attacks designed to compromise customer information, steal intellectual property or destroy company data and IT infrastructure.

Cofense, the global leader in intelligent phishing defense solutions, has equipped more than twenty million people in organizations across the globe to report suspicious emails through Cofense ReporterTM, an easy to use, one-click email toolbar button.

“Security practitioners need to repudiate the common misconception that end users are the weakest link in organizational defense,” said Aaron Higbee, cofounder and chief technology officer, Cofense. “In fact, employees are the last and ultimate line of defense. With more than twenty million people across the globe empowered to flag potential attacks through Reporter, Cofense is helping thousands of organizations turn their workforce into highly tuned human sensors adept at reporting suspicious emails that frequently bypass security technologies.”

The research reveals three distinct best practices help organizations strengthen their resiliency and empower their users to become active defenders against attacks:

  1. Reporting: Organizations that arm their workforce with a straightforward and easy way to report suspicious emails exhibit strong phishing resiliency rates; in simulation exercises, their end users report phishing emails more than twice as often as they fall for the bait.
  2. Frequency: Regular phishing simulations significantly improve reporting rates and drive down users’ susceptibility to fall for phishing attacks. Organizations that run 12 or more simulations per year have twice as higher resiliency rates compared to those running fewer than 12.
  3. Relevance: Simulations that imitate real phish seen in the wild lead to markedly higher reporting rates and lower susceptibility rates amongst end users compared to organizations that randomly select phishing scenarios.

The ultimate pay-off of high organizational resiliency materializes when SOCs transform reported emails they receive into actionable intelligence. When well-positioned to prioritize and analyze employee-reported emails, SOCs can quickly and efficiently cut through the noise and neutralize a threat in minutes.

Report Available Now

To download the Cofense Annual Phishing Report, visit: http://phish.me/4zMY30pNtFt. Additionally, Cofense will also host a free webinar on November 12, 2019 at 2:00 p.m. EST.

About Cofense

CofenseTM, formerly PhishMe®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact

[email protected]

Are URL Scanning Services Accurate for Phishing Analysis?

By Chris Hall, Professional Services

There are plenty of websites offering URL scanning for malicious links. Their tools are a quick and easy way to analyze a URL without visiting the site in a sandboxed environment. Widely used, these tools are accurate to a point.

But in today’s phishing landscape, where attacks are increasingly sophisticated, such tools are becoming less and less reliable. We in the Cofense Phishing Defense CenterTM (PDC) believe they are ineffective against more advanced phishing websites.

Phishing Sites Are Using Redirect Methods to Avoid Detection

Let start with this example:

An attacker can easily set up a new domain and host a phishing site with a legit SSL certificate from most established certificate authorities for free. The attacker then can configure the server or webpage to redirect all connections that are not from the organization’s IP to an external safe site such as google.com.

If a security analyst then submits the URL to a third-party lookup tool, for example VirusTotal, the tool will only detect the site google.com and not the actual phishing site. At this point, the analyst can submit the URL to another URL scanning tool, but the results will all come back the same.

In the Cofense PDC, we are seeing an increase of phishing sites that are using redirect methods to avoid detection from URL scanners and unaware security analysts.

Here is another example with browser detection phishing websites:

This phishing link below redirected users depending on which browser they used.  If users use Firefox as their default browser, they will get the actual payload, while a Chrome default browser will get a redirect to MSN.

Figure 1: Original Phishing Email

When recipients click the ‘Open Notification’ link in the email message above, they are directed to the website below.

URL: hxxp://web-mobile-mail.inboxinboxqjua[.]host/midspaces/pseudo-canadian.html?minor=nailer-[recipient’s Email Address]

When someone clicks the URL, the experience can vary depending on the default browser, Firefox vs. Chrome.

The real phish site using Firefox:

Figure 2: Actual Phishing Site

Using Chrome:

Figure 3: Redirected Site

Regardless of the user’s geolocation, the URL redirect will go to the UK page. URL: https://www.msn.com/en-gb/news/uknews

Now let’s put the same URL in a popular URL scanner and see the results:

Figure 4: Virus Total Results of the Reported URL

The search results show that one of the vendors has detected the phishing site as malware. However, this is not the case.  Let’s look at the Details tab.

Figure 5: VirusTotal Details of the Reported URL

In the results it states that the final URL is to msn.com. We still do not know what the actual phishing site looks like, what the site is doing, or even if the phishing site is active at all.

There’s a Better Way to Check for Malicious Links

Organizations must ask if these URL scanners are providing enough information to analysts so they can complete their investigations.  Is the scanner testing the suspicious link with multiple user agents or querying the site with different source IP addresses?  While the URL scanning services are useful, they lack the basic dynamic analysis that most analysts will perform on a malicious website.

What if I told you that it is quick, easy, and more accurate by far to analyze URL based phishing attacks manually, using various tools such as User-agent switcher or with a VPN and proxy servers while in a dedicated virtual machine? Remember that if a phishing email bypassed those same scanners to reach your users’ inboxes, it’s an undiscovered phishing attack and will require human analysis.

To better equip your analysts, we came up with a list that your security team can use to detect these types of attacks.

  1. Create an isolated proxy server that can reach out to the phishing site without restrictions.

– If your company has locations in different countries, use additional proxy servers in those countries or use proxy services like Tor or a third-party VPN service.

– Acquiring a VPN service with multiple locations is another option.

– Create a “dirty” network to browse malicious sites that can also be used to analyze malware samples.

 

  1. Create a VM for URL analysis.

– This VM should be isolated from the organization’s network.

– VMs such as Remnux will have tools built-in to assist in URL and file analysis.

 

  1. Use Firefox for visiting the site

– Based on the vast amounts of customization, Firefox may be the best browser suited to URL analysis

– Add-ons such as User-agent switcher, FoxyProxy, and HTTP Header Live are essential.

– You can also use the browser’s developer tools to track requests, detect redirects, and alter elements on the page.

URL scanning services are useful to a point. These tools will alert you to some suspicious URLs, but often lack the details need for escalations and blocking the threat. More often than not, the tools will be a point of failure for your organization’s security due to the high amount of risk they introduce. So take a couple of minutes to look at that suspicious URL in a safe environment and see what it really does. It may save you lots of money and time cleaning up an incident.

 

HOW COFENSE SOLUTIONS CAN HELP

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM

90% of phishing threats observed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

What’s Up With Malware? Find Out In Our Q3 Report

By Alan Rainer and Max Gannon

On the malware front, the summer of 2019 was quiet and steady-state. But the end of Q3 saw the infamous Emotet resurface, presaging a malware uptick in Q4. Read all about it in the Cofense Q3 2019 Malware Trends Report.

Maintaining a relative lull when Emotet suspended activity, threat actors in Q3 stuck to tried-and-true practices of intrusion. Phishing emails containing keyloggers (namely ‘Agent Tesla’) slightly rose in popularity, while information stealers like Loki Bot fell. Threat actors continue to seek the easiest, most efficient way of infiltrating users. Agent Tesla, for example, offers customer support and a web interface to develop and manage the keylogger. Similarly, cybercriminals continue to capitalize on known and patched vulnerabilities to deliver malware through phishing campaigns.

When Emotet resurfaced towards the end of Q3, this significant malware player wasted no time in compromising email chains or tricking users with convincing templates. As such, CofenseTM expects Q4 to show more malware activity.

Figure 1: Emotet Phishing Email Sample

Our Q3 report outlines these trends, alongside statistics, breakdowns of specific campaigns, and insights on what to expect in Q4, all of which you can use to defend your organization. Cofense IntelligenceTM provides phishing campaign updates throughout the year, which include the Strategic Analysis (a comprehensive threat report) and Executive Phishing Summary (a bi-weekly trend synopsis) communiqués.

View the Q3 Report now.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

New Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

By Milo Salvia, CofenseTM Phishing Defense CenterTM

This blog has been updated since its first appearance on October 17, 2019 to include information related to the threat origin and bypassed email gateways.

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they try to hover over the URL. Instead, what they see is a bogus account message. Here’s how the campaign works.

Figure 1: Email Headers

The phishing email originates from a compromised press email account with privileged access to MailChimp. The threat actor used the MailChimp app to launch a “marketing campaign” comprised of phishing emails. Because the emails came from a legitimate marketing platform, they passed basic email security checks like DKIM and SPF. As we can see from the headers in figure 1, the email passed both the DKIM authentication check and SPF.

Figure 2: URL

The threat actor was able to obfuscate the URLs contained in the email by using MailChimp’s redirect services. This method hides the true destination and replaces it with a list manage URL. The threat actor also gains the ability to track whether a link has been clicked by a recipient.

Email Body

The email pretends to be a notification from “Stripe Support,” informing the account administrator that “Details associated with account are invalid.” The administrator needs to take immediate action, otherwise the account will be placed on hold. This is cause for panic among businesses that rely solely on online transactions and payments. Fear and urgency are the most common emotions threat actors play on, spurring otherwise rational people to make irrational decisions.

The email body contains a button with an embedded hyperlink: “Review your details.” When clicked, the recipient is redirected to a phishing page. Usually one can check the destination of the hyperlink by hovering over it with the mouse curser. The true destination of this hyperlink is obscured by adding a simple title to HTML’s <a> tag, which shows the recipient the title “Review your details” when the recipient hovers over the button instead of the URL. Potentially this is a tactic to mask the true destination from a vigilant recipient.

 Figure 3: Email Body

Figure 4: Malicious Button

The phishing page is an imitation of the Stripe customer login page. In fact, it consists of three separate pages. The first one aims to harvest the admin’s email address and password, while the second page asks for the bank account number and phone number associated with the account. Lastly, the recipient is redirected back to the account login page which displays an error massager, “Wrong Password, Enter Again.” This leads the recipient to believe an incorrect password has been entered and redirects back to the legitimate site, so the recipient doesn’t suspect foul play.

Figure 5: Phishing Pages

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a simulation template, “Stripe Account Notification,” to educate users on the campaign described in today’s blog.

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Agent Tesla Keylogger Is Now a Top Phishing Threat

By Aaron Riley, Cofense IntelligenceTM

The Agent Tesla keylogger is an increasingly widespread piece of malware in the phishing threat landscape, targeting multiple industries and using multiple stages within its infection chain. Currently, threat actors prefer archived files or weaponized Microsoft Office productivity documents to deliver this malicious software to the endpoint. Agent Tesla is sold as a commercial subscription license and offers a 24/7 support team. With an easy to use and abundant feature set—like a document exploit builder embedded into the malware management web panel—this keylogger lends itself to all levels of threat actors.

A typical theme for these campaigns revolves around finances, orders, and shipments. The most common way for this keylogger to make it to the endpoint is by archiving the executable and attaching it to a phishing email. This delivery vector can be successful if the email security stack does not have a standard in place for allowed archival types, does not conduct archive file analysis, or determines the file to be an unknown archive type.

For the infection chain, there are numerous methods a threat actor can choose. Most notably, Agent Tesla leverages a document exploiting an equation editor vulnerability documented in CVE-2017-11882 as the first stage loader. Exploiting this vulnerability allows for the attached document to download and execute a binary on the victim’s endpoint once opened. Although a patch has been out for this vulnerability, threat actors continue to utilize it for exploits.

An Office macro-laden document is the second most popular ‘stage one’ loader for this keylogger. This is somewhat surprising, given the fact that the macro builder is embedded into the Agent Tesla web panel as a feature, thus making it easier than the CVE-2017-11882 exploit to capitalize on. As such, this keylogger demonstrates features that fit closer in line with a Remote Access Trojan (RAT), including the capability to take screenshots or control the webcam. Agent Tesla adds to its robustness with the ‘File Binder’ option which links a selected file on the endpoint to the Agent Tesla executable and executes the keylogger at the same time as the selected file. This is done to keep the keylogger up and running without interaction needed from the victim.

Unlike most RAT suites, Agent Tesla’s preferred exfiltration method for the stolen data is the use of email. The web panel allows for a threat actor to set an email address as the recipient or the sender and has the ability for the email traffic to be SSL encrypted. This exfiltration technique can be avoided by blocking all traffic using SMTP that does not match organizational or enterprise standards. Agent Tesla, however, can also exfiltrate the stolen information via FTP or an HTTP POST. Each of these exfiltration methods can be defended against with proper firewall, content filtering, and alerting rules in place.

Figure 1: An example phishing email with Agent Tesla keylogger attached.

Agent Tesla’s recent rise to the top of the phishing threat landscape shouldn’t be a surprise, given the ease of use, options, and technical support from the creators. Network safeguards can help stop the exfiltration of data from a successful infection. Patching and updating user endpoints can combat at least one of the delivery mechanisms used within these phishing campaigns. Educating users on company standards for file extensions and Office macro use can combat the other two delivery mechanisms.

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

This Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

By Milo Salvia, Cofense Phishing Defense CenterTM

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they try to hover over the URL. Instead, what they see is a bogus account message. Here’s how the campaign works.

Email Body

The email pretends to be a notification from “Stripe Support,” informing the account administrator that “Details associated with account are invalid.” The administrator needs to take immediate action, otherwise the account will be placed on hold. This is cause for panic among businesses that rely solely on online transactions and payments. Fear and urgency are the most common emotions threat actors play on, spurring otherwise rational people to make irrational decisions.

Figure 1: Email Body

The email body contains a button with an embedded hyperlink, as seen above: “Review your details.” When clicked, the recipient is redirected to a phishing page. Usually one can check the destination of the hyperlink by hovering over it with the mouse curser. The true destination of this hyperlink is obscured by adding a simple title to HTML’s <a> tag, which shows the recipient the title “Review your details” when the recipient hovers over the button instead of the URL. Potentially this is a tactic to mask the true destination from a vigilant recipient.

Figure 2: Malicious Button

The phishing page is an imitation of the Stripe customer login page. In fact, it consists of three separate pages. The first one aims to harvest the admin’s email address and password, while the second page asks for the bank account number and phone number associated with the account. Lastly, the recipient is redirected back to the account login page which displays an error massager, “Wrong Password, Enter Again.” This leads the recipient to believe an incorrect password has been entered and redirects back to the legitimate site, so the recipient doesn’t suspect foul play.

Figure 3: Phishing Pages

IOCs:


Cofense Resources
HOW COFENSE CAN HELP

Cofense PhishMeTM offers a simulation template, “Stripe Account Notification,” to educate users on the campaign described in today’s blog.

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Cofense and Eze Castle Integration Partner to Strengthen Security Awareness in the Investment Industry

LEESBURG, Va. – October 16, 2019 – Cofense™, the global leader in intelligent phishing defense solutions, today announced it has entered a strategic Managed Security Services Provider (MSSP) partnership with Eze Castle Integration, a leading provider of managed services and complete cloud solutions for the investment industry. Cofense will provide world-class security awareness and phishing simulation solutions to Eze Castle, enhancing their cybersecurity services portfolio to offer an end-to-end managed awareness and phishing simulation service for their financial customers.

Cyber-attacks and data breaches remain at the top of risks facing organizations today, and the majority of breaches begin with phishing. Effective employee education, training and conditioning is a critical element of a robust cyber defense strategy, allowing enterprises to bolster their resiliency to attacks. Eze Castle customers can take advantage of Cofense’s award-winning, human-driven training tools through Eze Castle’s managed service expertise, including more than 50 cyber-related and compliance-based training modules and insight into the latest phishing campaigns affecting the financial industry.

Eze Castle will also receive hands-on training from Cofense to help identify the right cadence of phishing simulations—from basic to more nuanced scenarios—along with tips for measuring results and communicating program success to an organization’s executives.

“We are proud to partner with Eze Castle Integration as part of our elite group of service providers that are enabling more organizations with the resources needed to thwart phishing attacks across the globe,” said Robert Iannicello, vice president of global channel sales, Cofense. “Together, we look forward to empowering employees in the investment industry to proactively report suspicious emails and generate actionable intelligence that gives their organization the upper hand in stopping phishing attacks in their tracks.”

“In today’s technology-driven world, cybersecurity threats are one of the greatest risks facing the investment industry,’ said Steve Schoener, chief technology officer, Eze Castle Integration. “We follow a security first approach to IT and deliver fully managed security solutions, such as Cofense PhishMe and Security Awareness Modules, to help our customers bolster the security of their environments – whether they reside in a public, private or hybrid cloud, or on-premises.”

New Phishing Sextortion Campaign Using Alternative Crypto Currencies to Evade Detection

By Hunter Johnson, Cofense Professional Services 

Cofense has observed threat actors employing a modified version of a sextortion scam using alternative crypto currencies to bitcoin.

Typical sextortion scams claim to have installed malware on recipients’ systems and recorded their browsing history of adult websites and webcam footage. Ransom is demanded in bitcoin, upon threat of releasing damaging information to family, friends, and co-workers. Because threat actors often get recipients’ emails from password breach lists, they sometimes include passwords to lend authenticity.

Early sextortion scams started with a plain text extortion email threating the recipient and asking for payment. As enterprises began writing detection rules to block those emails, threat actors modified the text by replacing it with an image, which prevented key words from being identified by Secure Email Gateways (SEGs). The bitcoin address was left as a plain text string in the email, so it could be easily copied. As enterprises began checking for bitcoin addresses, threat actors removed text and images and switched to attaching PDF documents containing the threats. Most recently, threat actors began encrypting PDF attachments and including the password in the email body to foil any further SEG detection rules.

This latest sextortion version is using a Litecoin wallet address instead of bitcoin to evade detection. Previous iterations showed a gradual shift away from identifiable patterns and to alternative crypto currencies, in an attempt to foil SEG bitcoin-detection rules. The current emails appear to be crafted to contain very few searchable word patterns. While we could publish the contents of those emails, let’s just say the emails contained adult language admonishing the recipient to be more careful about their browsing and webcam habits.

As this latest twist shows, threat actors can switch to the next crypto currency and attempt to iterate through all the scam’s previous versions. While there are thousands of crypto currencies, only a dozen or so are easily attainable from large exchanges. For the scam to work, the recipient needs an easy way to acquire the requested payment method.

Avoiding this scam is simple with phishing awareness training. Your users can safely ignore the emails—if threat actors actually had such access and data, they would include stronger proof. Also educate users about sites such as haveibeenpwned.com, so they can know if their email address is likely to become a target.

Cofense will also be publishing a rule to detect attacks we’ve seen so far using this new method.

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a phishing simulation template, “Fear Driven Phishing Scams Involving Embarrassing Situations,” to educate users on sextortion and similar scams.

Cofense Labs has published a database of 300 million compromised email accounts for use in sextortion campaigns. Find out if your organization’s accounts are at risk.

Reports of sextortion and other ransom scams to the Cofense Phishing Defense CenterTM are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains – do YOUR research with Cofense CloudSeeker TM.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.