Cofense Report Reveals Weaknesses in Secure Email Gateways, Illustrates Critical Role of Human Intelligence in Phishing Defense

2019 Phishing Threats and Malware Review highlights the latest evolutions to threat actor campaigns and enhanced capacity for malware to evade perimeter controls and penetrate user inboxes.

Leesburg, Va. – June 04, 2019 – Cofense™, the global leader in intelligent phishing defense solutions, today released the findings of their report, “2019 Phishing Threats and Malware Review”, which reveals key insights about how threat actors are evolving phishing campaigns, and provides direction to everyone from network defenders to CISO’s on how to prepare for the unknown. Despite significant investments in next-gen technologies, phishing threats continue to become more sophisticated and effective. The report uncovers how dangerous threat actors, armed with an ever-growing arsenal of tactics and techniques, continue to tweak their campaigns and enhance their capacity to deliver malware, ultimately getting more messages past perimeter controls to user inboxes.

The report features real and simulated threat findings generated from the Cofense Phishing Defense Center (PDC), Threat Intelligence and Research teams, and across a sampling of their global customer base; including real data from 1,400 customers in 50 countries and 23 major industries, and half of the Fortune 100. Specifically, between October 2018 and March 2019, the Cofense PDC verified over 31,000 malicious emails, 90 percent of which were found in environments running one or more secure email gateways (SEGs).

Key findings from the 2019 report include:

  • Between October 2018 and March 2019, 31,429 total threats were reported by end users after delivery to the inbox, which included 23,195 via credential phishing; 2,681 via business email compromise (BEC); 4,835 via malware deliver; and 718 via other scams.
  • Ninety percent of the malicious emails verified by the Cofense PDC during this period were found in environments running one or more SEG.
  • Threat actors are innovating relentlessly and are constantly refining their tactics, techniques, and procedures (TTP’s) as they develop new delivery mechanisms, phishing techniques, and ways to get around network defense technologies. Cofense is seeing activity such as the use of public, open source tools to evade detection and the leveraging of genuine O365 accounts to harvest credentials to increase the odds of reaching the inbox and delivering malware. The report outlines that sextortion and bomb scare extortion pay off significantly when utilized by threat actors.
  • Technologies like email gateways can’t keep pace with the speed of threat actors’ “product development”. SEG’s play a key role in phishing defense, but they are not infallible. The report identifies SharePoint, OneDrive and ShareFile as some of the most abused cloud providers and states that threat actors use geo-location to help prevent analysis by security tools or human researchers; enabling malware to slip through a SEG’s defenses.
  • Collective human intelligence is vital to phishing defense. When the phishing and malware threats analyzed in this report land in users’ inboxes, the human factor becomes decisive. It’s imperative to educate users through a phishing awareness program, focusing on threats that utilize the latest TTP’s. Both user education and incident response thrive when fed by threat intelligence on emerging TTP’s.

“Adversaries are constantly evolving their techniques and changing their infrastructure to complicate detection, meaning that indicators of compromise (IOCs) can grow stale extremely quickly. For holistic defense, users need to be prepared to identify and report any threats that do reach their inbox,” said Aaron Higbee, Co-Founder and CTO, Cofense. “Automated technical defense controls must be blended with a human element in today’s threat landscape. While timely threat intelligence helps head-off attacks and drown out the noise so that SOC teams can prioritize and focus on the most pernicious threats, Cofense is observing an ever-increasing surge of malicious emails that reach user inboxes daily. Once a message reaches an inbox, that end user is your last line of defense.”

Cofense is the only phishing defense company that holistically confronts phishing threats, looking at both the phishing tactics and techniques used to bypass perimeter controls to reach users inboxes, as well as how the malware is executed after delivery. Cofense’s multi-dimensional intelligence enables customers to prioritize and understand threats to mitigate phishing attacks faster.

To download the full report, please visit https://cofense.com/phishing-threat-malware-review-2019

About Cofense
Cofense™, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact
press@cofense.com

New Phishing Attacks Use PDF Docs to Slither Past the Gateway

By Deron Dasilva and Milo Salvia

Last week, the CofenseTM Phishing Defense CenterTM saw a new barrage of phishing attacks hiding in legitimate PDF documents, a ruse to bypass the email gateway and reach a victim’s mailbox. The attacks masquerade as a trusted entity, duping victims into opening what appears to be a trusted link, which in turn leads to a fake Microsoft login page. Once there, victims are tricked into providing their corporate login credentials.

Patch or Pass? CVE-2017-11882 Is a Security Conundrum

CISO Summary

Since the latter part of 2018, threat actors have increasingly exploited two Microsoft vulnerabilities: CVE-2017-11882 and CVE-2018-0802. The first of these is especially popular. Cofense IntelligenceTM has seen it surge ahead of Microsoft macros as a favorite malware delivery method.

CVE-2017-11882 is an older vulnerability that in fact has a patch. However, it presents a conundrum for security teams that haven’t addressed the problem. They can choose to skip the patching, live with the risks, and keep on using the legacy program. Or they can update, patch, and lose the application entirely to gain much better security.

In the meantime, threat actors will happily exploit every chance they get.

Full Details

The vulnerabilities in Microsoft’s Equation Editor that are exploited in CVE-2017-11882 and CVE-2018-0802 have been “patched” for over a year. However, these vulnerabilities remain popular with threat actors and have become increasingly common since their inception. There are several factors involved, but Cofense Intelligence assesses that CVE-2017-11882 is still commonly used simply because it works, reaffirming the challenges associated with patching and the risks of operating legacy platforms. CVE-2017-11882 still works as a delivery mechanism on unpatched or unsupported versions of Microsoft Office and is most commonly used to deliver simple information stealers.

The Progression

In September 2018, Cofense Intelligence covered the most common malware delivery methods and highlighted Microsoft Office macros as making up the majority of the most common malware delivery methods. Over the last six months, we have observed a sharp increase in the exploitation of CVE-2017-11882.

The threat actors who switched to using CVE-2017-11882 as their primary delivery method focused significantly on information stealers, such as Loki Bot and AZORult, which make up 33% and 16% of the malware delivered respectively. In contrast, the most common Remote Access Trojan (RAT) is NanoCore RAT, which is the fifth most frequently malware delivered at only 7%.

Figure 1: Frequency of malware family delivered by CVE-2017-11882

But You Said There is a Patch!

Cofense Intelligence assesses that the most common reason CVE-2017-11882 still works for threat actors is that the patches intended to remedy it simply are not in place on several endpoints. Rather than assuming that support teams are incompetent, given that over a year has passed since the first patch, it is more likely that companies are being faced with a product support conundrum.

Businesses must choose between two options. The first is accepting a level of risk and continuing to use legacy programs by not patching. The second is to update, patch, and in this case, allow the removal of an application entirely in order to have significantly higher security. This is much easier for large businesses with great resources to devote to upgrades and security. For smaller businesses—including boutique subsidiaries of major businesses—this is much more difficult. Again, given the amount of time that has passed, it is unlikely at this point that anybody who has not yet updated will do so any time soon, allowing threat actors continued access.

To stay ahead of emerging phishing and malware threats, sign up for free Cofense™ Threat Alerts.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Got a Blockchain Wallet? Be Alert for These Phishing Emails

By Tej Tulachan and Milo Salvia

The CofenseTM Phishing Defense Center™ has seen a fresh wave of attacks targeting Blockchain wallet users. The attacks aim to steal all the information needed to hijack unsuspecting victims’ wallets and syphon off their hard-earned crypto gains. In the past week, we have detected more than 180 of these malicious emails, all reported by customers’ users.

Here’s how the phishing emails work.

Red Flag #1: ‘You Have Been Chosen.’

In the message below, we can see that the victim has been “selected to receive” a $50 dollar amount of  Stellar (XLM), an up and coming crypto currency. Better yet, they will be automatically eligible to receive future giveaways. Wow! This common attack method works because, well, who doesn’t like free money?

Fig 1. Email Body

Red Flag #2: The Dreaded Embedded Link

If we take a deeper look into the message body, we can see that there is an embedded hyperlink <hxxps://mysccess[.]lpages[.]co/blockchain/> From this, we can instantly tell something is not right. We can also see that the website linked to is NOT the official Blockchain wallet login page “https://login.blockchain.com/#/login”

You have been chosen to receive $50 in Stellar XLM as a valued Blockchain Wallet user.

To claim your free Stellar XLM, log in to your wallet and verify your identity. It only takes a few minutes. Once your identity is verified your XLM will be on its way to your wallet.

Better yet, you will also be automatically eligible to receive future giveaways.

     GET STARTED.<hxxps://mysccess[.]lpages[.]co/blockchain/>

Fig 2. Email Body in Plain Text

Red Flag #3: Indicator of Compromised Mailbox

From the email headers we can see that the threat source originates from the domain ame.gob.ec. This domain belongs to an Ecuadorian municipal government body. We also note that the email headers do not appear to be spoofed in any way apart from the “Nickname field” has been change to “Blockchain.” This would indicate that the mailbox used to send the phishing campaign has itself been compromised.

From: Blockchain <__________@ame.gob.ec>

Subject: Your airdrop of $50 is ready

Thread-Topic: Your airdrop of $50 is ready

Thread-Index: ozUHxyzm9QIDwDzmfizGH/nj/m+1AA==

Importance: high

X-Priority: 1

Date: Tue, 7 May 2019 12:03:45 +0000

Message-ID: <1224264524.394597.1557230625931.JavaMail.zimbra@ame.gob.ec>

Content-Language: fr-FR

 

Fig 3. Email Headers

Phishing Page: The main phishing page is a simple imitation of the https://login.blockchain.com/#/login page, but it contains the ability to steal all the information needed for an attacker to fully compromise your bitcoin wallet: wallet ID, passcode, and email address. Once the details are filled in, it will redirect to the legitimate blockchain site.

 

Fig 4. Phishing Page

Fig 5. Legitimate page

Right through the Gateway!

During our analysis, we noticed that the phishing email passed right through two different email security solutions: Forcepoint and Microsoft Anti-Spam and Anti-Malware solution in Office 365.

Conclusion: Again, we’ve detected 180+ of these emails in the past week alone. In recent headlines, hackers stole bitcoin worth $41 million from Binance, one of the world’s largest cryptocurrency exchanges, using a number of techniques including phishing emails. The attack was the latest in a string of thefts from cryptocurrency exchanges around the world. Be sure to educate users about phishing threats in general and Bitcoin wallet phishing in particular!

Learn more about the Cofense Phishing Defense Center. See how we analyze user-reported emails to provide actionable threat intelligence.

IOC’s

hxxps://mysccess[.]lpages[.]co/blockchain/

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Achieves SOC 2 Type II Compliance for PhishMe and Hosted Triage

Phishing Defense Leader Continues to Pursue Compliance Certifications for Data Security

LEESBURG, Va.May 16, 2019 — Today Cofense™, the global leader in intelligent phishing defense solutions, announced it has successfully completed a Service Organization Controls (SOC) 2 Type II examination for Cofense PhishMe™ and Hosted Cofense Triage™. These product lines provide technology to help organizations train their employees to identify potential phishing risks and properly handle phishing attacks by individuals attempting to manipulate or deceive email recipients. Coalfire Controls, LLC, an independent CPA firm, conducted the audit.

SOC 2 compliance is a key industry standard in data security. Designed for entities operating in the technology and cloud computing sector, SOC 2 evaluates a service provider’s ability to securely manage customer data. In pursuit of this certification organizations undergo a rigorous analysis that includes the following trust services criteria: security, availability, processing integrity, confidentiality and privacy. Cofense achieved SOC 2 Type I compliance in February 2018, which is based on having the suitable controls in operation. For Type II, Cofense successfully showed the effectiveness of these controls over a period of time.

“Pursuing industry-leading certifications is just one way Cofense continues to demonstrate our commitment to larger compliance efforts that exceed enterprise standards,” said Keith Ibarguen, Chief Product Officer, Cofense. “SOC 2 Type II compliance is a proven standard to ensure the processing integrity, availability, security, confidentiality and privacy of customer data. Cofense aims to not only help our customers maintain strong security through our innovative technology offerings, but to also maintain strong relationships and trust through our own security and privacy practices.”

“Many organizations outsource information security operations to third-party vendors, and if their data is not handled securely, risk of exposure to data theft, extortion and malware increases dramatically. Given this threat of exposure, SOC 2 Type II is essential for organizations to clearly demonstrate the security control posture of their solutions,” states Chris Beiro, Sr. Director, SOC Practice, Coalfire. “Coalfire examined the PhishMe and Hosted Cofense Triage solutions and found that controls were suitably designed and operating effectively to provide reasonable assurance that the trust services criteria were met throughout the review period.”

The purpose of SOC standards are to help provide confidence and peace of mind for organizations and their third-party partners. Cofense maintains policies, strategies and processes that are designed to satisfactorily safeguard customer data. For more information, please visit http://www.cofense.com.

About Cofense 
Cofense™, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact 
press@cofense.com

Pretty Pictures Sometimes Disguise Ugly Executables

CISO Summary

Reaching deep into their bag of tricks to avoid detection, threat actors are using an oldie but goodie— packing image files (think tropical beach scenes) with malicious executables, usually a .jpg. The technique allows attackers to avoid detection by some anti-virus programs that merely recognize a file as an image, but don’t check its full contents.

This vintage tactic works—threat actors still use it a lot. Anti-virus systems rely on file headers to detect malware. Tuning systems to rely less on file headers is difficult and sometimes impossible. One counter-measure that does work: educate employees not to fall for phishing emails and encourage them to report any they find suspicious.

Full Details

Cofense Intelligence™ has been tracking the ongoing usage of image files to disguise malicious executables, a technique that can easily bypass network security measures. Threat actors will use a first stage malware downloader to retrieve an image file, most often a .jpg. The malware downloader then extracts a malicious executable that is embedded within the image. Finally, the malware runs the extracted binary in memory to avoid dropping an additional executable to disk. By using this technique to download the second binary, threat actors are able to avoid detection by some anti-virus (AV) programs that can determine the downloaded file to be an image but do not check the rest of the file contents.

Delivery

The malware downloader often used to deliver these types of files is an executable using the .NET framework. From May 2018 to April 2019, Cofense Intelligence saw images with embedded executables comprising more than 70% of the binaries downloaded by .NET executables. The images can be anything from famous actors to server rooms, but one of the more common ones can be seen in Figure 1.

Figure 1: Commonly seen image

The images used not only display correctly but often have additional “metadata,” an example of which can be seen in Figure 2. This metadata is not present in all cases and may be an artifact from the original image before it was modified.

Figure 2: Additional meta data included in the image

Contents

The downloaded files are treated as images because of their file header and to a lesser degree, their file extension. File headers help the operating system determine how to interpret the contents of the file and can indicate several factors, such as whether a file is an image or an executable. Figure 3 illustrates that images with the .jpg extension, also known as JPEG images, will have the characters “JFIF” near the start of the file.

Figure 3: JPEG image file header

This header is also used by most AVs to determine the file type, as it is much more reliable than a file extension. When a “JFIF” header is read by most AVs the rest of the file will be ignored as long as the image is not broken or incomplete. The subterfuge of using an image file header also enables threat actors to bypass most network security measures which, like local AV, will treat the file as an image and ignore its content. By including an image that will properly display, threat actors are able to satisfy all of the conditions required for their malicious content to be ignored by security measures and “safely” delivered to the endpoint. This also ensures that if a file is manually downloaded and opened it will appear legitimate to the end user.

Extracting

Creating an image file that meets these requirements also ensures that the operating system does not recognize the file as an executable and will not execute the file, regardless of the program used to open it. This fact requires a downloader, such as a .NET executable, to “extract” the malicious executable from the image file. This can be easily done by searching the file contents for the file header representing an executable, “MZ,” as shown in Figure 4.

Figure 4: Embedded executable header

Once this header is found, the executable content is carved out and loaded into memory rather than executing a file dropped to disk. Because the content is executed in memory rather than from an actual executable file, it is less likely to be recognized by AV as malicious. Most AV solutions do not monitor the memory of a process already running, which allows the malware to perform most of its activities without being noticed.

Staging

The fact that both a downloader and an image file are required to complete the infection is an important part of the infection strategy. If an image file is run by itself in an automated environment, it will simply display an image, with the only possibility of detection relying on the image file content having suspicious text. If only the downloader is executed and the image payload is unavailable, then it may be detected as suspicious, but on its own would not provide defenders with enough information to fully combat the threat. This requirement of having both stages together helps hide from defenders using automated analysis systems that are focused on individual files.

Why It Matters

Although not a new technique, the consistent popularity and utility of this approach to malware delivery merits attention. Threat actors abuse of operating system and AV reliance on file header recognition has been and will continue to be a problem. An example of threat actors abusing this reliance to trick AV systems as well as analysts was also recently covered by CofenseTM. Tuning AV systems to detect malware without relying on file headers is difficult and, in some cases, impossible. To properly recognize threats, it is important to have a full picture of the different components involved in an attack rather than attempting to organize individual and possibly incomplete analysis. To avoid this pitfall and better protect their network environments, organizations need to ensure that employees are trained to not fall victim to the phishing emails and that defenders are ready should an incident happen.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense™ Threat Alerts.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Babylon RAT Raises the Bar in Malware Multi-tasking

CISO SUMMARY 

Ancient Babylon defeated its enemies with chariots, horses, and archers. Now Cofense IntelligenceTM has analyzed a phishing campaign delivering the powerful Babylon Remote Administration Tool (RAT). This malware is an open-source tool that can handle many tasks: encrypt command-and-control communication, hide from network security controls, trigger denial of service (DOS) attacks, and last but not least, steal data. Used skillfully, Babylon RAT would make the armies of Hammurabi proud. 

Full Details

Cofense Intelligence has analyzed a phishing campaign delivering a multi-feature open source Remote Administration Tool (RAT) named Babylon RAT. Babylon RAT’s Command and Control (C2) communication is encrypted, allows for dynamic domains, and can turn a client into a reverse SOCKS proxy for further obfuscation. This weaponized RAT has many real-time client interaction methods and is capable of information theft. The administration panel has features that can allow for lateral propagation across end points on a network. This tool has enough features that, if used correctly, could devastate any organization.  

Babylon RAT’s client code is written in C# and is dependent on .NET 4.5. The administration panel (shown in Figure 1) is written in C++, and provides the functionality to manage multiple server configuration options. One option is the port number in which the administration panel will open and listen in when the server is started. Another option is a network key for authentication of the infection to the administration panel. Lastly the configurations allow for the setting of the IP version in which it will connect. The File drop down at the top provides access to the server, configurations, and the payload builder. 

Figure 1: The administration panel and the management tabs for Babylon RAT 

C2 Details 

The initial C2 connection the client binary makes after being executed is hardcoded into the binary when it is built. The building process suggests dynamic domains so that the IP address can be changed without interruption to the communication. This connection is encoded and contains fingerprinting information about the infected host. This information includes IP address, Country, Username, PC name, Operating System (OS) details, and which program window is active for the end user. After initial communication with the C2, the infected endpoint will update the administration panel every 5 seconds by default. The check-in notice sent to the server from the client consists of very small network packets, only about 4-8 bytes in size. Figure 2 shows the administration panel with the details listed above. 

Figure 2: The administration panel and the fingerprinted information as listed above for Babylon RAT 

Babylon RAT has the ability to turn an infected machine into a SOCKS proxy, specifying between version 4 or 5. The main difference in the versions: version 5 provides authentication from the client to the proxy, which helps negate abuse from unwanted parties. By creating a SOCKS proxy, the threat actors create an encrypted tunnel and can have all of the infected hosts use it as a gateway, which allows for network capturing. This can also allow for a threat actor to need only one exit point within a network, while maintaining the infection of multiple machines. Meaning, if a threat actor can maintain communication with one endpoint in a network, he can then propagate laterally and have all the traffic from the infected clients C2 network flow back out the one endpoint. With access to the command prompt and stolen credentials, this would be trivial to do. This technique would also bypass email and URL filtering of unwanted binaries. Figure 3 shows the SOCKS proxy endpoint details and the amount of traffic flowing through it. 

Figure 3: The SOCKS proxy tab and the details associated 

The client builder gives the option to use two different C2 domains for redundancy. When combining the ability to use multiple dynamic domains with a proxy server, a threat actor could effectively create layers of obfuscated traffic between the endpoint and the client through multiple channels.  

Figure 4: The surveillance options that are available to the operator 

Notice in Figure 4 the option for password recovery. The password recovery module looks through applications, including web browsers, and harvests credentials but does not gather the OS user credentials. Although one could surmise that with the username above and a couple of passwords harvested, the OS user credentials could be compromised. If the OS user credentials are compromised, it would be easy for the operator to open the remote command prompt and attempt to log in to other network machines using those credentials. If successful at logging into another machine, it is then possible for the operator to have the second machine download/execute another payload. This would need to be automated, but it does reflect a propagation method for the RAT. Figure 5 shows the system options including the remote command prompt option. 

Figure 5: The system options that allow for further interaction and detail of the infected system 

Weaponized 

Adding to its already long list of functions, Babylon RAT has the ability to produce Denial of Service (DoS) attacks to targets from the infected hosts. The DoS feature can be set to a hostname or IP range and allows for multiple protocols to be initiated. The protocols all have thread and socket parameters that are adjustable. A threat actor can select to have the attack come from an individual protocol or all of the protocols available. Once this command is sent to a single host, the operator can easily replicate the command to the other infected hosts, effectively creating a larger Distributed Denial of Service (DDoS) attack. Figure 6 shows the configuration for the DoS attack and Figure 7 shows the machines status change to DoS. 

Figure 6: The parameters available for the DoS attack

Figure 7: The administration panel and the multiple infected hosts carrying out a DDoS attack 

In the End 

Babylon RAT is an open-source platform that allows for various misdeeds. The encrypted traffic and the ability to create SOCKS proxies can help negate network security measures. The client builder allows for Anti-Virus bypassing which helps the binary get to the endpoint safely. The processes allowing for network propagation means an infection is not limited to one endpoint. Combined with the ability to perform a DoS attack, Babylon RAT can be highly effective in the proper environment. Babylon RAT campaigns can be avoided with proper technology in place and by educating end users to recognize and report suspicious emails.  

To stay ahead of emerging phishing and malware threats, sign up for free Cofense Threat Alerts. 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

The Cofense Phishing Defense Center Sees Threats That Most Don’t

The CofenseTM Phishing Defense CenterTM analyzes suspicious emails reported by customers’ users and alerts their security teams when they need to take action. Because we live and breathe phishing analysis and response, and because we operate 24/7/365, we have visibility into threats most teams can’t see.

Here’s a Real Example Involving Compromised Email Accounts

A few months back, an organization exploring our services did a proof-of-concept trial, during which we analyzed emails its users found suspicious and reported for inspection. Soon enough, we saw emails sent from compromised email accounts within the organization.

In fact, they utilized a technique known as the Zombie Phish, so called because it revives a dormant email conversation the user had had to disarm the user and lure him into clicking. We provided the indicators of compromise to the customer’s point of contact, plus included a link to a Cofense blog about the Zombie Phish.

We Found Over 2000 Malicious Emails—in Just 3 Days

A couple of weeks passed uneventfully. Then, we saw a new batch of reported emails from compromised accounts, followed the next day by a spike in similar messages. In a 3-day period, we found 2053 malicious emails sent through 77 internal accounts. Subject lines varied, but every one of these emails contained a link to “Display Message,” which redirected to a login page spoofing the customer’s actual page. It asked users to enter the password for their company account.

The techniques in these emails seemed to be part of a global phishing campaign targeting UK organizations. The target’s email address was encoded in the link. When someone clicked, the login page displayed the organization’s logo. The links’ behavior varied, sometimes redirecting to a fake site instead of the spoofed login page, other times displaying a message that the URL was unavailable.

The team in the Cofense Phishing Defense Center was glad to be of assistance. Learn more about our phishing defense services.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Partners with NINJIO to Bring Hollywood-Style Storytelling to Security Awareness Offering

Leesburg, Va. – May 8, 2019 – Cofense™, the global leader in intelligent phishing defense solutions, announced a partnership with NINJIO, a leading creator of cyber security awareness training. NINJIO’S cyber security content will be accessible by customers using the Cofense PhishMe™ platform, an award-winning phishing simulation and training solution. Cofense PhishMe administrators can leverage NINJIO videos, or “episodes” as NINJIO refers to them, as part of their on-going security awareness training and phishing defense programs.

SMBs: 5 Ways to Avoid Becoming a Small Phish in a Big Pond

In the fall of 2016, I watched a good friend get her business ready for opening in her first retail space. She had previously run everything from her home and now she was entering a whole new phase. I observed her interactions during a few visits and she knew when I gave her that “look,” there was something that needed improving.

“What Wi-Fi network do you have your register assigned to in the shared retail space? You should put a password on that register device you’re using, so when you’re across the store someone can’t open your register.”

The best part of helping her set that device password was watching her millennial daughters return to the store and try to guess the password – listening to their theories on creation was most amusing.

Following are 5 ways you can protect YOUR small business from phishing and other cyber threats.

  1. Train Your Employees!

A majority of small businesses have fewer than 50 employees. Ensure your staff are trained on the basics of cybersecurity for their roles. There are a number of free (YES really free!) resources available online to provide the basics: phishing, passwords, internet browsing and data protection.

The number one threat that will impact your business is phishing. Start with the simple actions. Teach employees to diligently check links – hover to see the real destination. If they did click on that link, do they have someone to tell? What if it took them to a website asking for their username and password?  If there’s an attachment, did it come from a trusted sender – if so, were they expecting to receive that invoice or resume file?

In June this year, the FBI issued a warning about the dramatic increase in business email compromise (BEC), which results in financial loss for the business targeted. The BEC scam is a simple email from a fraudster masquerading as a legitimate business executive asking for funds to be wired. These messages are typically targeted to individuals in the organization that process invoices or payments.

With a small staff, it’s not always easy to build your processes to include segregation of duties. But having controls in place related to handing out funds will not only save you on insider theft, it will also reduce the potential wire fraud from a random email spoofing your email address to your finance team. If your business does become a victim, the FBI encourages you to report the incident.

Remember the Target breach? The malicious actors started with sending a phishing email to the HVAC maintenance technician – a small business.

  1. Get Cyber Insurance.

You have an insurance policy on your car to protect you if you’re in an accident. You purchase liability insurance to cover your risk, should you encounter an unforeseen disruption in your business. In order to protect your business from a security incident that could result in a data breach or business disruption, you should invest in a cybersecurity insurance policy.

  1. Invest in IT/Cybersecurity Services

Enlisting the help of your teenage nephew is great for setting up your new phone or laptop, but that’s not the best solution to support your growing business. There are plenty of managed service providers to contract support for your technology and cybersecurity needs. Tap into your local small business networks or professional sharing networks for recommendations.

  1. Protect your Online Business Accounts

I put it in the cloud! The cloud service offerings today are far more readily available and robust than even five years ago. Entering your credit card info to purchase a piece of the cloud is easy, but make sure you know what you’re putting where. Keeping an inventory of these services, along with the type of data your storing, is important if the service experiences a breach or an outage.

While it might be easy to use that same username and password across all your accounts, it only takes one data breach to put all these services at risk. Get a password vault to manage these accounts.

  1. Protect your Social Media Accounts

As a small business owner, your number one “go to” place for your marketing campaign is social media. Managing these accounts is critical to protecting your online identity. Who has access to post on your behalf? Limit who has access to the account. Review your profile settings to ensure you have the highest level of security enabled. If the provider allows you to enable two-factor authentication – ENABLE IT!

Learn what two-factor authentication is and how to enable it at https://www.lockdownyourlogin.org/

YOU can do this – small steps can make a BIG difference!

Whether your family business was handed down to you through generations, or you’re a new start up, or  a nonprofit, small city, county, or community organization – you have intellectual property or personal data that you need to protect. And you have employees that need to take actions to support your business.

You built your business to live your dream; don’t let a malicious actor take that away from you! As you grow your business, make sure you grow your cybersecurity capabilities right along with it.