October may be ending, but phishing attacks never stop. Here’s how to make security awareness successful all year round.

Part 4 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 3 here.

As October comes to a close, so too does National Cybersecurity Awareness Month. But not so fast – security awareness isn’t just about October. It runs all year long, it never stops, and it is ever evolving.

I developed this four-part blog series during Cybersecurity Awareness Month to provide key industry insights and proven methodologies for building and enhancing your security awareness program. We started in week 1 with building a program strategy, followed up by discussing program content in week 2. Last week focused on the alignment of the security awareness function within the organization. This week we’ll wrap up the series with some key findings published in the (ISC)² Workforce Study. According to the report, lack of focus on security awareness is the top challenge for ensuring long-term security awareness program success.[1]

Figures 1 (left) and 2 (right) – Image source: https://www.isc2.org/Research/Workforce-Study

5 Ways to Bring Focus to Security Awareness Programs

As noted in the charts above, there are several reasons, all with fairly equal representation, as to why security awareness programs lack focus. I’m going to break down each of these reasons and explain how you can overcome that hurdle to bring more focus to your awareness programs.

  • Low security awareness among end users. This is a no-brainer. It’s important that security awareness programs are rolled out to everyone in the organization, not just select groups. While some programs start by training a few key groups to benchmark results, it’s important to get buy-in to enroll the entire organization, so that ongoing training builds resilience to attacks across all teams.
  • Not enough skilled cybersecurity professionals available. The report cites end users – people – as a source of additional security vulnerabilities,[2] so it’s no surprise to see the security awareness function at the top of the chart as a much-needed area of expertise. Many organizations still assign this as a part-time job function alongside the other security hats someone already wears, which prevents focus. Instead, have a dedicated security awareness lead run the programs while working alongside other internal security professionals to ensure the programs remain well-rounded and effective.
  • Inadequate funding. Security awareness is a necessary and essential component of a larger threat defense strategy and needs to be a budget priority in order to begin reducing your organization’s cybersecurity risk and building resiliency to today’s top threats. At some point, perimeter technologies will fail to stop a phishing attempt, and it’s up to resilient, trained humans to recognize and report suspicious emails – this last line of defense is an area worth investing in.
  • Too much data to analyze. As more and more humans are enrolled and participating in a security awareness program, there are more data points to digest and analyze on the state of threat susceptibility, resilience, program participation and success. Identify and prioritize the key data sets needed to demonstrate the security posture of the organization, and collaborate with security teams to report and analyze program trends that reflect changes in that posture. For example, this may mean tracking your organization’s phishing resilience and reporting rates rather than inflated metrics such as click rates or susceptibility rates.
  • Lack of management support/awareness. This is often one of the biggest hurdles in preventing a security awareness program from reaching its full potential and scope. Having management understand the necessity of security awareness as a foundational component of a strong threat defense strategy is key. An idea is to run a phishing simulation trial with key management members to understand how susceptible the organization is from the top down. Once management realizes how easy it is for a phishing email to replicate a real one, there might be more awareness and inclination to engage in security awareness practices than before.

You’ve Launched a Successful Security Awareness Program – How Do You Keep It Successful?

Every day is a new beginning when it comes to cybersecurity. Threats and vulnerabilities are always changing – so your security awareness program needs to be nimble and fluid to mitigate those evolving threat vectors. Behavior improvement is ongoing, and so should your security awareness program be.

Organizations are constantly under attack as the threat actors continue to find ways to get past technical defenses of an organization, such as perimeter technologies and email gateways.

How do you keep your program aligned with the current threats? Reach out to your cyber threat intelligence or incident response teams. These teams are constantly researching the current threat landscape and identifying whether, and how, it affects the organization. Download the latest white paper on cybersecurity or the threat landscape. Read technical blogs from trusted cybersecurity solution providers to stay abreast of current news and threat trends. Another great resource is setting up Google Alerts for key words: phish email, data breach, malware, cyberattack, cybersecurity, Cofense, awareness training, threat intelligence.

Jumpstart Your Efforts Today with Free Security Awareness Resources

Remember that building a program takes time to evolve and mature. Recognize small wins for the organization and continue to move forward to mature the program. Just as the threats are never ending, so too is the security awareness function.

As you set your priorities for the program, don’t forget that Cofense provides a wealth of training modules for free, including specific topics and compliance modules to meet your regulatory requirements. If you’re just getting started on building your security awareness program on a shoestring budget, there are plenty of free security awareness resources available to you, including a turn-key security awareness program kit, posters, presentations and other resources to get you started. Another great place to get access to free resources is the National Cybersecurity Alliance at https://staysafeonline.org/resources/. There are also plenty of resources that your employees can share with their friends and family, especially in this remote work environment.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

References:

[1] Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018
[2] Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018

Security Awareness: Choosing Methods and Content that Work

Part 2 in our 4-part series in support of National Cybersecurity Awareness Month. You can read part 1 here.

Last week we examined the importance of setting a strategy and goals for your security awareness program.

Now that you’ve selected the user behaviors you want to address, the next step is to think about methods and content to nudge users to the correct behaviors.

We live in a fast-paced world of information overload. You have seconds to get your message across and engage your users. You need to choose proven learning methods and focus your educational content on the behaviors that matter most. More than anything, your training must be simple and to the point.

Simulations Are the Best Way to Teach the Right Behaviors

Everyone has a different style of learning and consuming information – video, newsletters, blogs, computer-based training (CBT) modules, etc. According to the National Training Laboratories (see charts below), people retain more information from simulations than from any other method.

After years of enabling companies to run simulated phishing campaigns, we have a vast amount of data to support this method of learning. The experience of clicking and having that “Oh no, what just happened?” moment is how the recipient learns.

Running a simulated phishing attack IS the learning moment. It is not the education presented during the campaign on the website or attachment. This is also supported by the data we see over the years of capturing how long the user stays on the page to read the education. They don’t – the largest segment of users falls in the 0-9 seconds range for “time spent on education.” Yet the data indicates a reduction in susceptibility rate and increase in reporting rate.

The data also supports the reduction in susceptibility as we look at the number of campaigns it takes to reduce that click rate. When you’re trying to address perpetual clickers, increase the number of campaigns while shortening the time between campaigns. When increasing the number of campaigns, focus on the active threats in order to reduce the risk faster. We first published the chart in our 2015 annual report. In 2019, we ran the numbers again to see if this trend was still the same. Sure enough, the graph still has the same curve.


Source: Phishing Report 2019

Focus Your Training on Real Threats

As you start to condition users to report real phishing emails, not just simulated phishes, you’ll want to focus on malicious emails that are getting through the spam filters. In other words, base your simulations on the real attacks your company sees. This will help your users quickly spot the real thing. The goal is to build a resilient workforce that can identify and report potential malicious emails quickly. This drives down the risk to the organization, allowing the security team to mitigate the risk and avoid an incident.

You will never get to a zero click rate. Phishers are too smart. They craft their emails to look like they’re part of your normal business processes, especially financial transactions. They also constantly change techniques to avoid controls that block their messages.

So, what does this all mean when we talk about educational content? If you’re focusing on the behaviors you’re looking to improve, you don’t want to hit users with content overload. Instead, create a plan that covers one theme each quarter. Use this theme in your newsletters, videos, or learning modules. However, allow for the flexibility to shift if a threat is now affecting your organization (Heartbleed, Meltdown, etc.).

Let’s take one more example of using content to nudge the user onto the right path. It’s the example used in last week’s blog on program design: how to change users’ browsing behaviors. By presenting the user with a simple banner at the moment they’re exhibiting the wrong behavior, we can direct them to take the right action. You can adjust this banner as the behavior changes. Once you curb their habit of clicking through to unknown sites, your metrics may reveal another category that needs to be addressed – such as software downloads.

Cofense recognizes that you have regulatory and compliance requirements to provide annual security awareness training to your organization. To help you focus your resources on the elements of your program that actually make an impact, we provide a series of modules for FREE to any organization (even if you’re not a customer).

https://cofense.com/awareness-resources

In summary, keep your security awareness content simple with clear direction—and even better, fun and engaging—and you’ll soon be able to experience a shift in behavior!

Recommended reading: If you’re looking to expand your knowledge on how to create content and simple messaging for your program, I suggest getting a copy of Made to Stick, Why Some Ideas Survive and Others Die, by Chip and Dan Heath.


Emotet is Back for the Holidays with Updated Tactics

By Brad Haas

After a lull of nearly two months, the Emotet botnet has returned with updated payloads. The changes are likely meant to help Emotet avoid detection both by victims and network defenders. Apart from these updates, the campaigns’ targeting, tactics and secondary payloads remain consistent with previous active periods. Cofense Intelligence™ released a flash alert on the newest Emotet activity to customers with details about its new features. 

Emotet Background and 2020 Activity 

The Emotet botnet is one of the most prolific senders of malicious emails when it is active, but it regularly goes dormant for weeks or months at a time. This year, one such hiatus lasted from February through mid-July, the longest break we’ve seen in the last few years. Since then, we observed regular Emotet activity through the end of October, but nothing from that point until today. 

Figure 1: This is an invoice-themed Emotet email with a malicious document attached. 

Emotet has a few primary functions. It acts as an information stealer, harvesting credentials, contact lists and email content from an infected machine. It adds the contacts to its target list, and builds and sends authentic-looking emails using the stolen email content. Finally, it can deliver other malware as a secondary payload, often leading to separate attacks such as ransomware. In October the most common secondary payloads were TrickBot, Qakbot and ZLoader; today we observed TrickBot. 

Emotet targets a wide variety of users spanning dozens of countries and many languages. Email themes are also varied – some are created from victims’ stolen data, while others use generic templates, which can be adapted to current topics. For example, today’s campaigns include some emails using a holiday theme. Each email uses one of a few different delivery mechanisms: embedded links, attached documents, or attached password-protected zip files. All techniques attempt to deliver a malicious Microsoft Office document (maldoc).

Updates Make Infection Less Obvious 

The new Emotet maldoc includes a noticeable change, likely meant to keep victims from noticing they’ve just been infected. The document still contains malicious macro code to install Emotet, and still claims to be a “protected” document that requires users to enable macros in order to open it. The old version would not give any visible response after macros were enabled, which may make the victim suspicious. The new version creates a dialog box saying that “Word experienced an error trying to open the file.” This gives the user an explanation why they don’t see the expected content, and makes it more likely that they will ignore the entire incident while Emotet runs in the background. 

Figure 2: A fake error message is created when macros are run in a new Emotet maldoc. 

The Emotet malware itself, which is installed if a user does run the malicious macros, also had a few updates. The malware was previously a standalone executable file with a “.exe” filename, but is now a DLL file initialized using the built-in Windows program rundll32.exe. This makes the presence of the malware a little more difficult to detect. Emotet’s command-and-control (C2) communication has also been changed to use binary data rather than plain text, which will likely make it more difficult to detect at the network level. Finally, the authors changed the binary to thwart extraction of C2 details and other indicators of compromise (IOCs). 
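A defender’s check for the change described above (a DLL launched through rundll32.exe rather than a standalone .exe): the rule flags rundll32 spawned by an Office process, or rundll32 loading a DLL from a user-writable directory. This is an added example, not Cofense code; the process-creation events, their field names and the DLL paths are constructed for the example and are not indicators from the alert.

```python
"""Process-telemetry rule for Office-macro-launched DLL payloads run via rundll32.exe.
All events below are constructed samples; the field names (parent/image/cmdline)
are an assumption, not any vendor's schema."""
import re

# Constructed sample process-creation events (not real telemetry, not real IOCs).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\abcd.dll,RunDLL"},
    {"parent": r"C:\Windows\explorer.exe",  # benign: OS DLL from System32
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\bob\Downloads\Invoice\x.dll",#1'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",  # not rundll32: out of scope here
     "cmdline": r"cmd.exe /c echo hi"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Directories a normal user can write to; a signed OS DLL is not expected there.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
REASON_OFFICE = "rundll32 spawned by an Office process"
REASON_PATH = "DLL loaded from a user-writable directory"


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def dll_from_cmdline(cmdline):
    """Return the DLL path given as rundll32's first argument (quoted or not), or None."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?(?:,|\s|$)', cmdline, re.I)
    return m.group(1) if m else None


def score_event(ev):
    """Return the list of reasons this event matches the rule (empty if it does not)."""
    reasons = []
    if _basename(ev["image"]) != "rundll32.exe":
        return reasons
    if _basename(ev["parent"]) in OFFICE_PARENTS:
        reasons.append(REASON_OFFICE)
    dll = dll_from_cmdline(ev["cmdline"])
    if dll and USER_WRITABLE.search(dll):
        reasons.append(REASON_PATH)
    return reasons


def detect(events):
    """Return (event index, reasons) for every event that matches the rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(why)}")
```

Both reasons together are a strong signal; the path reason alone also fires on some legitimate installers, so treat single-reason hits as triage candidates rather than automatic blocks.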

Conclusion 

Emotet’s active periods have been unpredictable, and its authors have made an effort to adapt both the email campaigns and the malware to spread more effectively. Cofense Intelligence customers have received relevant IOCs and Active Threat Reports (ATRs) as these campaigns are identified and analyzed. Customers can access the most up to date list of all relevant Cofense Intelligence IOCs and ATRs tied to Emotet via our API and on ThreatHQ. 


Phish Found in Proofpoint-Protected Environments – Week ending December 18, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Credential Phish 

DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint, Microsoft ATP and Symantec deliver credential phishing via an embedded link. 

TYPE: Trojan 

DESCRIPTION: FedEx-spoofed emails found in environments protected by Proofpoint and Microsoft ATP deliver Async RAT via a OneDrive embedded link. 

TYPE: Ransomware 

DESCRIPTION: Copyright violation-themed emails found in environments protected by Proofpoint and Microsoft ATP deliver Makop ransomware via an ALZ attachment. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Cofense Now has Automated Phishing Detection and Response Capability

Auto Quarantine can identify and automatically remove malicious emails from recipients’ inboxes – often before users see or have a chance to open them. Auto Quarantine is powered by the Cofense Intelligence network of Cofense researchers, the Phishing Defense Center (PDC) team of analysts, and millions of people around the world identifying and reporting suspected phish. This high degree of automation significantly reduces the time to identify and resolve attacks, provides protection from the threats that bypass secure email gateways (SEGs) every day, and lessens a security analyst’s time spent hunting malicious email.

How it Works 

The Cofense team closely monitors the threat landscape and is able to leverage a global network of over 25 million human sensors identifying and reporting on suspicious emails, and a team of advanced researchers and intelligence analysts to create an unparalleled view of threats happening in real time around the world. The moment a threat is identified, Cofense analysts generate an Indicator of Compromise (IOC) tuned to stopping that threat. With Vision’s Auto Quarantine feature, these IOCs are used to identify malicious emails that have bypassed the SEG seconds after they are received. When a match is found, the email is auto quarantined where it can then be examined and, if appropriate, removed permanently. Current Cofense Vision users are observing several such threats being automatically addressed every day, thus significantly reducing the window of vulnerability to active email-borne threats like ransomware, business email compromise (BEC), malware attacks and credential theft.  

Here are some real customer stories: 

Fortune 500 Retail Organization: 

A large retail customer was an early adopter of Cofense Vision with Auto Quarantine. The account team provided an email to the customer with a recently identified public malicious phishing link. The email completely bypassed all the existing email security controls. But within seconds, and before the recipient could open the email, Vision identified the email as a threat and auto quarantined it. This happened without any human intervention.

Large, Full-service Mortgage Provider: 

This enterprise organization deployed Vision with the new Auto Quarantine feature across its organization. During the first week, Vision identified six separate phishing campaigns. Each of these campaigns contained approximately 500 phishing emails that had bypassed existing email security technology and made it to recipient inboxes. The Vision Auto Quarantine functionality immediately quarantined the thousands of emails without analyst interaction and, before a recipient could open the email, quickly and effectively reduced risk to the organization. Prior to Vision, the team did not have visibility into the extent of phishing campaigns, nor any systematic way to identify and remove them.

Global Construction Company: 

When this global construction company enabled Auto Quarantine, they saw an immediate impact. A phishing campaign disguised as a Microsoft Teams invitation to a holiday party appeared shortly after Auto Quarantine was configured. The email was immediately identified as a phishing campaign and more than 200 emails were auto quarantined. After the initial detection, the company continued to be targeted with the same phishing campaign and the auto quarantine functionality in Vision has continued to detect and remove several dozen more attacks.

In addition to the Auto Quarantine feature, Vision, a key component of the Cofense PDR platform, has additional enhancements that include:

  • Reduced remediation time: Cofense Vision actively scans new and existing emails and automatically quarantines malicious emails in near real time. Updates to the user interface enable Approve and Reject actions in more places in the UI, saving valuable time spent on threat remediation and IOC management and reducing risk to the organization.
  • Flexibility: Cofense Vision can be set to quarantine emails containing IOC matches automatically or, for more control, operator approval can be required. Cofense Vision also lets teams define an allowed IOCs list – a list of indicators that an organization knows to be safe.   
  • Visibility: Complete visibility into all events associated with Auto Quarantine. The Cofense Vision Audit page contains entries for configuration changes, creation of quarantine jobs, operator approvals, changes to the allowed IOCs list, and any updates to IOCs.   
  • Network effect: The power of Cofense Intelligence services provides IOCs in real time – the moment they are vetted and released by Cofense.  

And for customers of the Managed Phishing Detection and Response (PDR) service, if a threat is found in one customer’s environment, that intelligence is used to detect and quarantine attacks in other customer environments.

Phishing threats are human-developed, which is why Cofense is helping organizations out-human the phishing threat. By continuously updating our solutions with capabilities to remove real-world threats before anyone in the organization even sees them, Cofense is greatly reducing the risk of a phishing attack. 

Learn more about Cofense Vision and Auto Quarantine, here. 


Cofense Unveils Automated Phishing Detection and Response Capability

Leesburg, Va. – Dec. 21, 2020 – Cofense, the leading provider of phishing detection and response (PDR) solutions, today announced new product innovations to Cofense Vision. Most notably, the addition of an Auto Quarantine feature that identifies and automatically removes malicious emails from recipients’ inboxes – often before users see or have a chance to open them, based on our knowledge of similar threats in other customer environments. This high degree of automation significantly reduces the time to identify and resolve attacks, provides protection from threats that bypass Secure Email Gateways (SEGs) every day, and lessens a security analyst’s time spent hunting malicious email. Auto Quarantine is powered by the Cofense Intelligence™ network of Cofense researchers, the Phishing Defense Center® (PDC) team of analysts, and millions of people around the world identifying and reporting suspected phish.

How it Works

The Cofense team closely monitors the threat landscape and is able to leverage a global network of over 25 million human sensors identifying and reporting on suspicious emails, and a team of advanced researchers and intelligence analysts to create an unparalleled view of threats happening in real time around the world. The moment a threat is identified, Cofense analysts generate an Indicator of Compromise (IOC) tuned to stopping that threat. With Vision’s Auto Quarantine feature, these IOCs are used to identify malicious emails that have bypassed the SEG seconds after they are received. When a match is found, the email is auto quarantined where it can then be examined and if appropriate, removed permanently. Current Cofense Vision users are observing several such threats as being automatically addressed every day, thus significantly reducing the window of vulnerability to active email-borne threats like ransomware, business email compromise (BEC), malware attacks, and credential theft. 

Cofense Vision with Auto Quarantine Proven Effective in Enterprise Organizations  

Fortune 500 Retail Organization:

A large retail customer was an early adopter of Cofense Vision with Auto Quarantine. The account team provided an email to the customer with a recently identified public malicious phishing link. The email completely bypassed all of the existing email security controls. But within seconds, and before the recipient could open the email, Vision identified the email as a threat and auto quarantined it. This happened without any human intervention.

Large, Full-service Mortgage Provider:

This enterprise organization deployed Vision with the new Auto Quarantine feature across its organization. During the first week, Vision identified six separate phishing campaigns. Each of these campaigns contained approximately 500 phishing emails that had bypassed existing email security technology and made it to recipient inboxes. The Vision Auto Quarantine functionality immediately quarantined the thousands of emails without analyst interaction and before a recipient could open the email, quickly and effectively reducing risk to the organization. Prior to Vision, the team did not have visibility into the extent of phishing campaigns nor any systematic way to identify and remove them.  

Global Construction Company:

When this global construction company enabled Auto Quarantine, they saw an immediate impact. A phishing campaign disguised as a Microsoft Teams invite to a holiday party appeared shortly after Auto Quarantine was configured. The email was immediately identified as a phishing campaign and over 200 emails were auto quarantined. After the initial detection, the company continued to be targeted with the same phishing campaign and the auto quarantine functionality in Vision has continued to detect and remove several dozen more attacks.  

“Phishing threats are human-developed, which is why Cofense is helping organizations ‘out-human’ the phishing threat. By continuously updating our solutions with capabilities to remove real-world threats before anyone in the organization even sees them, Cofense is greatly reducing the risk of a phishing attack,” says Aaron Higbee, Co-Founder and CTO of Cofense. “With the newest version of Cofense Vision, organizations can immediately operationalize Cofense’s indicators of compromise and automatically remove malicious email from an environment even before a team member tags them as suspicious. Customers are quickly adopting Auto Quarantine for its effectiveness in stopping threats that bypass SEGs, and for delivering immense productivity gains for SOC and IR teams.”

To learn more about Cofense’s PDR platform, designed to deploy as an integrated suite of products or delivered as a comprehensive managed PDR service through the Cofense Phishing Defense Center (PDC), please visit www.cofense.com/.

About Cofense
Cofense® is the leading provider of phishing detection and response solutions. Designed for enterprise organizations, the Cofense Phishing Detection and Response (PDR) platform leverages a global network of over 25 million people actively reporting suspected phish, combined with advanced automation to stop phishing attacks faster and stay ahead of breaches. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. With seamless integration into most major TIPs, SIEMs, and SOARs, Cofense solutions easily align with existing security ecosystems. Across a broad set of Global 1000 enterprise customers, including defense, energy, financial services, healthcare and manufacturing sectors, Cofense understands how to improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Media Contact

[email protected]

Strategic Analysis: Agent Tesla Expands Targeting and Networking Capabilities

A new iteration of the Agent Tesla keylogger has expanded on its data harvesting capabilities and exfiltration efforts in phishing campaigns primarily targeting India and ISPs. Cofense Intelligence recently alerted customers to Agent Tesla’s high volume compared to other keylogger families from January to August this year. The newest iteration of the keylogger added to that volume, likely as threat actors moved to adopt the updated version.

Threat actors who transition to this version of Agent Tesla gain the capability to target a wider range of stored credentials, including those for web browser, email, VPN and other services. This may indicate an increased interest in stolen credentials for a more specialized segment of the market or a particular kind of product or service. The update also includes networking capabilities that create a more robust set of exfiltration methods, including the use of the Telegram messaging service—adding to an overall trend of abusing trusted platforms to evade network-based detection. For Cofense Intelligence customers, technical details of these and other updates are available in the full report in ThreatHQ.
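The Telegram exfiltration noted above is detectable at the network edge because the Telegram Bot API, unlike the chat clients people actually use, is reached through a single well-known host and carries the bot token in the URL path (`/bot<bot_id>:<secret>/<method>`, Telegram's documented convention). The script below is an added example written for this page, not Cofense code and not derived from the Agent Tesla sample; the proxy log format, host names and bot token are constructed. It flags any request to the Bot API host, rates it "high" when TLS inspection exposes the token and method, and "medium" when only a CONNECT tunnel to the host is visible, then totals bytes out per workstation so the responder can see which host actually shipped data.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample proxy log (not real traffic). Assumed field order:
#   timestamp src_host method url_or_connect_target status bytes_out "user_agent"
SAMPLE_PROXY_LOG = """\
2020-12-01T09:14:02Z WS-0417 GET https://www.microsoft.com/en-us/ 200 512 "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"
2020-12-01T09:14:09Z WS-0417 POST https://api.telegram.org/bot123456789:AAHdq3Kz9QmWxP0fE1L2sT7vYb8NcR4uJ6o/sendDocument 200 184320 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2020-12-01T09:15:41Z WS-0203 GET https://web.telegram.org/ 200 2048 "Mozilla/5.0 (Windows NT 10.0) Firefox/83.0"
2020-12-01T09:16:03Z WS-0588 CONNECT api.telegram.org:443 200 96256 "-"
2020-12-01T09:17:55Z WS-0911 GET https://intranet.corp.example/ 200 1024 "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+) "(?P<ua>[^"]*)"$'
)
# Bot API calls carry the credential in the path: /bot<bot_id>:<secret>/<method>
BOT_PATH_RE = re.compile(r'/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<api_method>\w+)')
BOT_API_HOST = "api.telegram.org"   # web.telegram.org / desktop clients are normal user chat


@dataclass
class Alert:
    ts: str
    src_host: str
    severity: str               # "high": token visible; "medium": only the host (CONNECT tunnel)
    bytes_out: int
    bot_id: Optional[str]
    api_method: Optional[str]   # sendDocument = file upload, sendMessage = text
    token: Optional[str]        # keep for IR: identifies the bot and is a blockable indicator


def _host_of(target: str) -> str:
    """Hostname from a full URL or from a CONNECT-style host:port target."""
    no_scheme = re.sub(r'^[a-z]+://', '', target, flags=re.I)
    return no_scheme.split('/', 1)[0].rsplit(':', 1)[0].lower()


def find_telegram_exfil(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production pipeline should count these
        if _host_of(m["target"]) != BOT_API_HOST:
            continue
        bot = BOT_PATH_RE.search(m["target"])
        if bot:
            alerts.append(Alert(m["ts"], m["src"], "high", int(m["bytes_out"]),
                                bot["bot_id"], bot["api_method"],
                                f'{bot["bot_id"]}:{bot["secret"]}'))
        else:
            # Tunnel only: without TLS inspection the path (and token) is never seen,
            # so the alert is weaker but the host is still the Bot API endpoint.
            alerts.append(Alert(m["ts"], m["src"], "medium", int(m["bytes_out"]),
                                None, None, None))
    return alerts


def bytes_out_by_host(alerts: List[Alert]) -> Dict[str, int]:
    """Outbound volume per workstation, to rank which hosts to isolate first."""
    totals: Dict[str, int] = {}
    for a in alerts:
        totals[a.src_host] = totals.get(a.src_host, 0) + a.bytes_out
    return totals


if __name__ == "__main__":
    found = find_telegram_exfil(SAMPLE_PROXY_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.src_host} {a.severity:6} bytes_out={a.bytes_out} "
              f"bot={a.bot_id} method={a.api_method}")
    print(bytes_out_by_host(found))
```

Two caveats for anyone turning this into a production rule: the "high" path depends on the proxy decrypting TLS, so on an uninspected network every hit degrades to the "medium" host-only match, and in an organization with no business use of Telegram bots the simplest control is to block the Bot API host outright and treat any attempt as an incident.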

Figure 1: Top regions targeted by the different versions of Agent Tesla.

Figure 2: Top industries targeted by the different versions of Agent Tesla.

From August to December of this year, the newest iteration of Agent Tesla largely followed the same pattern as the older version in terms of targeted industries and regions. Figure 1 shows that both versions preferred to target email accounts in India more than any other region. The United States and Brazil were also among the top three most targeted regions. Figure 2 shows that Agent Tesla overwhelmingly targeted internet service providers (ISPs) over other industries. Utilities and financial services rounded out the top three targeted industries.

ISPs could be considered a major target for threat actors because of the other industry verticals that rely on them for essential functions. A compromised ISP could give threat actors access to organizations that have integrations and downstream permissions with the ISP. Subscribers would also be at risk, as ISPs often hold emails or other critical personal data that could be used to gain access to other accounts and services. In at least one incident, attackers reportedly targeted subscriber data of a compromised ISP in Austria.

Agent Tesla has been a major force within the phishing-threat landscape for years and has steadily evolved, likely in response to threat actors’ demands and improvements in network defenses. The infection chains that use this keylogger family as their final payload are too numerous to list, which shows the versatility of this particular family. The fact that older versions of the Agent Tesla keylogger are still successful today likely indicates that threat actors will be slow to adopt the newest version. However, once threat actors realize the benefits gained from updating, they may transition more quickly, as the new features may become necessary against improved defenses. Despite the dangerous capabilities of both versions of Agent Tesla, organizations can protect themselves by educating their employees and keeping proper mitigations in place.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishing Emails Found in Proofpoint-Protected Environments

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by secure email gateways (SEGs), were reported by humans, and were analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint secure email gateway? The following are examples of phishing emails recently seen by the PDC in environments protected by Proofpoint.

TYPE: Trojan

DESCRIPTION: Finance-themed emails found in environments protected by Ironport, O365-ATP, Mimecast, Proofpoint and Symantec deliver the Dridex banking trojan via Microsoft Office macro-laden documents downloaded from embedded links.

TYPE: Agent Tesla Keylogger 

DESCRIPTION: Bank-spoofing emails found in environments protected by Proofpoint deliver an Agent Tesla Keylogger binary in an attached .iso archive.
Note: these emails are written in German.

TYPE: Credential Phish 

DESCRIPTION: Finance-themed emails found in environments protected by Proofpoint and Ironport deliver credential phishing via an attached HTM file. 

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.
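The three entries above share a small set of delivery mechanisms: a disk-image (.iso) attachment wrapping a binary, an .htm attachment that is itself the credential-harvesting page, and a body link leading straight to a macro-laden Office document. The script below is an added example written for this page, not Cofense Triage logic and not Cofense code; it uses only Python's standard `email` package. It builds four constructed messages modelled on those entries plus one benign control (all senders, recipients, hostnames and file names are made up) and applies the corresponding checks to each, the kind of first-pass triage an analyst or mail-flow rule would run on user-reported mail.

```python
import os
import re
from dataclasses import dataclass
from email.message import EmailMessage
from typing import List
from urllib.parse import urlparse

# Attachment classes matching the delivery mechanisms listed in the report entries above.
CONTAINER_EXT = {".iso", ".img"}          # disk images Windows mounts natively; used to wrap keylogger binaries
HTML_EXT = {".htm", ".html"}              # local credential-phish pages
OFFICE_EXT = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}  # macro-capable Office formats
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


@dataclass
class Finding:
    rule: str
    detail: str


def _ext(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def triage(msg: EmailMessage) -> List[Finding]:
    """Return the delivery-mechanism indicators present in one message."""
    findings: List[Finding] = []
    # 1. Attachments: disk images, HTML pages and macro-capable Office documents.
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed:%s>" % part.get_content_type()
        ext = _ext(name)
        if ext in CONTAINER_EXT:
            findings.append(Finding("container-attachment", name))
        elif ext in HTML_EXT:
            findings.append(Finding("html-attachment", name))
        elif ext in OFFICE_EXT:
            findings.append(Finding("office-attachment", name))
    # 2. Body links that point directly at an Office document (the Dridex entry above).
    #    get_body() skips attachment parts, so an attached .htm is not scanned as the body.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        for url in URL_RE.findall(body.get_content()):
            if _ext(urlparse(url).path) in OFFICE_EXT:
                findings.append(Finding("office-link", url))
    return findings


def build_sample_messages() -> List[EmailMessage]:
    """Constructed samples (made-up addresses, hosts and files): one per report entry plus a benign control."""
    iso_phish = EmailMessage()                      # bank-spoof, German, .iso attachment
    iso_phish["From"] = "service@bank.example"
    iso_phish["To"] = "buchhaltung@corp.example"
    iso_phish["Subject"] = "Wichtige Mitteilung zu Ihrem Konto"
    iso_phish.set_content("Bitte öffnen Sie den angehängten Kontoauszug.")
    iso_phish.add_attachment(b"\x00" * 64, maintype="application",
                             subtype="x-iso9660-image", filename="Kontoauszug_2020-12.iso")

    office_link = EmailMessage()                    # finance theme, link to a .doc download
    office_link["From"] = "billing@invoices.example"
    office_link["To"] = "ap@corp.example"
    office_link["Subject"] = "Overdue invoice 88213"
    office_link.set_content(
        '<html><body>Please review <a href="https://invoices.example/docs/Invoice_88213.doc">'
        'the attached invoice</a> before Friday.</body></html>', subtype="html")

    cred_phish = EmailMessage()                     # finance theme, .htm attachment is the phish page
    cred_phish["From"] = "treasury@payments.example"
    cred_phish["To"] = "finance@corp.example"
    cred_phish["Subject"] = "Payment advice"
    cred_phish.set_content("Your remittance details are attached.")
    cred_phish.add_attachment(b'<html><form action="https://login.example/"></form></html>',
                              maintype="text", subtype="html", filename="Payment_Advice.htm")

    benign = EmailMessage()                         # control: PDF attachment, no links
    benign["From"] = "reports@corp.example"
    benign["To"] = "finance@corp.example"
    benign["Subject"] = "Q4 report"
    benign.set_content("Quarterly report attached.")
    benign.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf", filename="Q4_report.pdf")

    return [iso_phish, office_link, cred_phish, benign]


if __name__ == "__main__":
    for m in build_sample_messages():
        print(m["Subject"], "->", triage(m) or "clean")
```

These rules are deliberately narrow: they catch exactly the mechanisms listed in this week's entries, and an attacker who switches to a .zip wrapper or a redirector in front of the document download would need a new rule. That is the point of the "same patterns week after week" observation: the value is in keeping the rule set current from what users report, not in any single check.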

Recommendations

Cofense recommends that organizations train their personnel to identify and report suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


2020 Phishing Email Attacks: 5 Predictions. 1 Pandemic. What Really Happened?

Last year, right about this time, we thought about the upcoming year and what we could expect to see from threat actors. We also had great hopes for leveraging the 20/20 Vision theme as we looked forward. (I mean, how could we not tap into this theme with the launch of our own product, appropriately named Cofense Vision™?)

And yet, here we are, looking back to determine how well we did with our predictions.

#1 Surgical Ransomware Attacks. Attackers will continue to choose their targets carefully to reap big payouts. Last year, we saw ransomware targeting state and local governments, with ransom payments escalating. This year, we saw a shift in tactics: threat actors exfiltrated data before encrypting, using the threat of a leak to ensure payment. In late October, U.S. authorities warned the healthcare industry that threat actors were targeting the sector. Cofense quickly dug into the threat only to find the tactics were being used across multiple industry sectors. Read the Flash Alert post here.

😐 #2 Healthcare and Genetic Testing Companies Will be Rich Targets for Monetizing Data. Genetic testing companies will be the healthcare industry’s bullseye. While we missed the mark with this prediction, we did see some healthcare entities targeted in data breaches, along with genetic testing facilities. Perhaps this would’ve been different if the focus hadn’t shifted to another world health concern.

#3 Elite Attacks on Cryptocurrency. Protecting cryptocurrency will require humans and technology. With greater focus on the cryptocurrency market and increasing value, we anticipated this would be a rich target for threat actors looking to rob the virtual bank – either targeting the exchanges or the individuals. As recently as November, we heard about Liquid confirming their exchange had suffered an attack.

❌ #4 Info-Warfare that Tests Human Intuition. Whether fraud-for-profit or fake news, expect info to be more weaponized than ever. Heading into the U.S. presidential election, there was much anticipation of a repeat of the 2016 chain of events, which began with a phishing email. With a greater focus from many entities within the public sector, as well as social media sites being more diligent and enacting tighter controls, we didn’t see an impact this year – which is a positive!

#5 SIM-Jacking Aimed at Cryptocurrency and More. These inside jobs are another way to jack consumers, including you. Near the end of last year, we started to learn of incidents where telecom employees were making a quick buck by performing the simple task of swapping out a SIM card so that an attacker could take over the victim’s phone number and, with it, their cryptocurrency account. Without fail, with the value of cryptocurrency continuing to climb, we did indeed see more of this threat.

But we can’t talk about 2020 without a mention of this year’s black swan: the coronavirus pandemic. While nobody could’ve predicted the pandemic, it was certainly a theme that threat actors didn’t shy away from in their lures and tactics. When it came to phish related to COVID, threat actors elevated their credibility by spoofing many of the legitimate authorities the world trusted for news, from the WHO to the CDC, while also targeting economic relief programs such as the U.S. Paycheck Protection Program (PPP) or UK HMRC.
