Phish Fryday – URL Scanners as Part of Phishing Defense

URL Scanners are a great way to investigate potentially malicious websites in a low-risk way. Attackers, however, are adapting to these tools to escape detection and keep the pressure on defenders. In this episode, we speak with Cofense Security Consultant Chris Hall to discuss the usefulness of these scanners, how attackers are adapting, and what these scanner services may need to do to stay useful.

For more information on topics mentioned in this episode, please visit:

Are URL Scanning Services Accurate for Phishing Analysis?

VirusTotal

URLScan.io

REMnux

Questions or comments? Reach us at phishfryday@cofense.com

Hot Off the Press: Cofense Q4 2019 Malware Trends Report

By Alan Rainer

The fourth quarter of 2019 showed a strong start but a dull finish, as the world eased into the holiday season. The end of Q3 2019 had already seen a resurgence in Emotet, and Q4 witnessed an even higher degree of phishing from the Trojan and its botnet. Read all about it, alongside other malware trends and campaigns, in the Cofense Intelligence Q4 2019 Malware Trends Report.

Continuing from Q3, Emotet picked up momentum in distributing malicious emails. From email reply chain compromises to crafty phishing templates with macro-laden documents, user inboxes found no solace. Emotet delivered financial invoices, “invites” to a Christmas party, and other phish baits to trick recipients into infecting their systems. Other malware families were not as prolific, decreasing in volume as the quarter went on.

The new year, however, is likely to hold greater wickedness. On the malware front, Windows 7’s End of Life will probably lead to the creation of new malware, and targeted ransomware can be expected to keep growing. 2020’s election season may bring about more phishing, while geopolitical events can result in more cyber threats. And to round it off, Emotet will keep on churning.

Figure 1: Varenyky Spambot Phishing Email Sample

Our Q4 report outlines key trends, statistics, breakdowns of specific campaigns, and insights on what to expect in Q1 2020 and beyond, all of which you can use to defend your organization. Cofense Intelligence provides phishing campaign updates throughout the year, which includes comprehensive threat reports and bi-weekly trend digests.

View the Q4 2019 Malware Trends Report at: https://go.cofense.com/malware-trends-2019-q4/


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Cofense Helps 2020 Presidential Candidates Secure Their Campaigns from Pervasive Phishing Attacks

Leesburg, Va. – Jan. 23, 2020 – Cofense, the global leader in intelligent phishing defense solutions, today announced its partnership with Defending Digital Campaigns (DDC), a nonprofit and nonpartisan organization committed to bringing cybersecurity tools and resources to federal election campaigns. Under the new partnership, DDC qualified campaigns can leverage Cofense’s experience, expertise and managed phishing defense service to strengthen their resilience against email-based cyberattacks during the 2020 election cycle.

“There is not a single anti-phishing technology on the market that will stop phishing emails from hitting campaigners’ inboxes,” said Aaron Higbee, chief technology officer and co-founder, Cofense. “No candidate wants to relive the successful phishing attacks that have plagued elections across the globe these past several years. Every day, we find hundreds of malicious threats in supposedly ‘protected’ email environments. Our methods have prevented sophisticated APT29 email phishing attacks that make the Podesta phish look childish. As most attacks target specific individuals, it’s critical campaign managers prepare their teams to react quickly to what is about to come. We’re proud to partner with the DDC to provide candidates and campaign workers the support they need to better defend against malicious actors.”

“Protecting campaigns from cybersecurity threats is essential to our democratic process, and Cofense understands the critical importance this plays,” said Michael Kaiser, DDC President and CEO. “We are excited to partner with Cofense, who pioneered phishing defense, so campaigns can more quickly and easily implement better cybersecurity practices.”

Cofense’s new managed Election Phishing Defense Service is now available to eligible campaigns (under a special permission granted to DDC by the Federal Election Commission). It bolsters their phishing resilience in a single, managed service at minimal cost, allowing them to stay focused on what they do best – campaigning:

  • Phishing simulation training to prepare staff to identify and report phishing incidents
  • Cofense Reporter, a one-click embedded email button, to enable staff to quickly report suspicious messages
  • Phishing analysis provided by Cofense to quickly identify and mitigate a phishing incident

Additionally, Cofense has launched an educational site that will be updated with resources such as threat intelligence, best practices, and expert perspectives. To learn more, visit: https://cofense.com/election-security/

###

About Cofense

Cofense™, formerly PhishMe®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.


About Defending Digital Campaigns

Defending Digital Campaigns (DDC), a 501(c)(4), is a nonpartisan and non-aligned organization focused on increasing campaign cybersecurity by making available free and low-cost cybersecurity products. DDC operates under a Federal Election Commission administrative opinion allowing for the provision of in-kind cybersecurity services to eligible campaigns.

DDC was founded and is led by former presidential campaign managers for Hillary Clinton and Mitt Romney, tech and cybersecurity industry leaders, and former senior officials at the NSA and DHS.


Media Contact

press@cofense.com

Cofense to Host Third Annual Phishing Defence and User Conference in London

LONDON, United Kingdom – 22 January, 2020 – Cofense, the global leader in intelligent phishing defence solutions, today announced registration is open for Submerge London, its international user conference and phishing defence summit. Taking place at the Hilton Canary Wharf from 5-6 May 2020, Submerge London is Europe’s premier event for phishing defence and incident response, providing two full days of technical and educational sessions led by industry leaders and security experts.

The third annual conference promises even deeper hands-on content than ever before, including more than 20 sessions covering the latest phishing defense strategies and tactics, case studies presented by leading industry professionals and ample networking opportunities with peers from across the world. As with previous years, there will also be a wealth of speaker tracks over the two days, truly submerging attendees into the latest anti-phishing best practices and how they can unlock the power of collective human intelligence to defend against advanced cyber threats.

Those interested in sharing their knowledge and expertise at the event can submit a presentation abstract for consideration through the Call for Speakers submission form, focusing on one of four topics: Innovation in Phishing Awareness; Aligning Phishing Defence to the Business; Phishing Incident Response; or the Phishing Threat Landscape.

“The email security threat landscape is constantly evolving with attackers innovating their way past security controls on a daily basis,” said Rohyt Belani, chief executive officer and co-founder, Cofense. “That’s why it’s important cybersecurity professionals stay ahead of the latest attack vectors and be prepared for threats heading their way. With a 95% recommendation rate from previous attendees, we’re thrilled to bring organizations, partners and industry leaders the tools and knowledge they need to ramp up their phishing defence programs.”

Submerge London 2020 is open to existing Cofense customers and non-customers. The event is ideally suited for cybersecurity professionals, operators, and decision makers who focus on email security and phishing defence. Early bird registration discounts for Submerge London 2020 are available until 1 March; until then, tickets are available for £49, half the regular rate. Those interested in attending can register here and find further information on the event and venue.


Ransomware in 2020: Not Just More, But Different

By Aaron Riley, Cofense Intelligence

Cofense Intelligence™ assesses that enterprise-targeted ransomware campaigns will most likely increase in 2020, based on attack and ransom payment trends over the last six months. In the latter half of 2019, ransomware campaigns escalated in targeting public organizations. These attacks were frequently debilitating to an impacted organization’s ability to operate and provide services and, in some cases, resulted in a data breach.

Interestingly, victims are opting to pay the ransom more often. The cost of data recovery, reputation salvaging, and business impact often outweigh the payment itself. Further, those victims with insurance are paying at their insurer’s recommendation, often with the insurance companies covering a good deal of the cost. With enterprise ransomware campaigns becoming more lucrative for the operators, Cofense Intelligence predicts a surge this year.

In the second half of 2019, ransomware campaigns targeted different types of organizations, including schools, governments, and hospitals. Most of the victims offer public services that were disrupted or severely damaged. The Flagstaff, Arizona, school district suffered a ransomware attack that reportedly closed the entire school district for two days before services were recovered. Johannesburg, South Africa, was attacked in October 2019 and held hostage for $30,000—the third ransomware attack the city government suffered last year. Ransomware attacks in December 2019 targeted the Oahu Cancer Center in Hawaii and disrupted patient care, including the ability to administer radiation treatment. The victims of these attacks are finding it preferable to pay the ransom rather than deal with the aftermath of data and system loss. Unfortunately, this emboldens future attacks and creates more targets.

We are now seeing ransomware campaigns that include data breaches and exfiltration. Last year, a number of victims of Maze ransomware, a few companies and one Florida city, did not immediately pay up and learned the hard way that a data breach had also ensued. Maze operators exfiltrated data in the course of their attack and released stolen documents, further extorting their victims to pay up and threatening that failure to do so would mean the release of more sensitive information. These ransomware campaigns demanded up to six million dollars in exchange for the decrypted files and used the exfiltrated data as leverage to collect payment. The Maze ransomware operators allegedly exfiltrated around 120GB of data from Southwire during another ransomware attack.

The United States federal government advises organizations not to pay a ransom, as it only encourages further attacks and there is no guarantee the captured resources will be returned in their original form. However, victims are increasingly paying the ransom, as can be seen in the latter half of 2019. These payments are typically made with a type of cryptocurrency chosen by the ransomware operators. Jackson County, Georgia paid $400,000 after a Ryuk ransomware attack severely disrupted workflow for all county agencies, including the 911 dispatch center. Jackson County did not have cybersecurity insurance and had to pay the ransom outright, which means the citizens of the county had to subsidize the payment.

Cybersecurity insurance firms are increasingly encouraging their customers to pay the ransom, instead of rebuilding or outright losing resources that are encrypted. Ryuk ransomware impacted Lake City, Florida in late June 2019; authorities found that restoring the systems would cost more than a million dollars, compared to the $700,000 ransom. The Lake City authorities then negotiated through a third party to pay the attackers $460,000, of which the city’s cybersecurity insurance firm reportedly funded $450,000. In this scenario, Lake City authorities paid only $10,000 and had their systems back up within two weeks. This proves, yet again, that targeted enterprise ransomware attacks are increasingly profitable.

With their profits rising, ransomware operators will likely increase their campaign volume in 2020. The success of ransomware campaigns may encourage the creation of additional ransomware families, requiring global organizations to evolve their cybersecurity posture. With the End of Life of Microsoft’s Windows 7, organizations that are slow in their transition to supported operating systems become more susceptible to such attacks.

We expect other trends to follow in line with our ransomware predictions for 2020. More cybersecurity firms might be utilized as a third-party negotiator for payments. Stolen data can be used in different ways—not just taken hostage—to leverage more money from the victims, especially if unsavory information is exfiltrated. More and more enterprise organizations are expected to include cybersecurity insurance within their yearly budgets. In short, it appears more companies are making business decisions that demonstrate an understanding of the likelihood of ransomware attacks. While it is good to be prepared, feeding the beast of ransomware will fuel cybercriminals looking to make big bucks.


HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review


Cofense Debuts Phishing Defense Podcast


Leesburg, Va. – Jan. 17, 2020 – Cofense, the global leader in intelligent phishing defense solutions, today announced the debut of its phishing defense podcast, Phish Fryday. Gathering leading experts and threat researchers across Cofense’s security intelligence groups including Cofense Labs, Cofense Intelligence and the Cofense Phishing Defense Center, the new podcast provides security teams and analysts with weekly insights into the latest phishing threats, trends and news so they can stay ahead of the latest attacks.

With most data breaches occurring as a result of a successful phishing attack, defenders are constantly seeking to understand the latest evolving threats and tactics used by phishers to bypass popular security technologies. Cofense analyzes millions of emails and malware samples every day—both in the wild and within organizations’ environments—to identify new and emerging malware, providing organizations with recommendations so they can quickly and proactively defend themselves.

“The key differentiator between Cofense and our competitors is the actionable intelligence that underpins all of our solutions,” said Rohyt Belani, chief executive officer, Cofense. “Our unique view of the cyber-threat landscape allows us to provide valuable and timely insights into active phishing threats that consistently bypass email gateways. We’re thrilled to further extend and share our expertise through Phish Fryday as we strive to unite humanity against phishing.”

The debut season includes the following episodes:

  • Episode 1: Cofense Labs’ Jason Meurer discusses Emotet’s recent evolutions, including modifications to its URI structure, new templates used and new information targeted by the botnet.
  • Episode 2: As tensions escalate between the U.S. and Iran, Mollie MacDougall of Cofense Labs, an expert on cyber and international security, explains Iran’s cyber capabilities and its history of cyberattacks.
  • Episode 3: Alan Rainer from Cofense Intelligence discusses how attackers are using trusted cloud services to evade security technologies and compromise corporate networks.
  • Episode 4: Max Gannon of Cofense Intelligence shines a light on Office macro attacks, how they are leveraged by attackers and why it’s challenging for organizations to defend against them.

To listen and subscribe to the Phish Fryday podcast, visit: https://cofense.com/category/podcast/phish-fryday/

###


Phish Fryday – Office Macros in Phishing Attacks

Automation with macros in Microsoft Office documents has been with us for decades. The abuse of these macros has been with us for almost as long, as attackers leverage the functionality – and the common permissions needed to run them – to cause considerable harm to organizations. In this episode, we speak with Cofense Cyber Threat Intelligence Analyst Max Gannon to discuss the latest phishing threats and how they leverage macros to compromise organizations.

For more information on topics mentioned in this episode, please visit:

Complimentary Threat Alerts

PowerShell Scripts Delivered by Office Macros

Geodo Malware Campaigns

Questions or comments? Reach us at phishfryday@cofense.com

Jeopardy GOATs Buzz In, Security World Groans

By Tonia Dudley

When Jeopardy invited its top players ever to battle it out, the winner would be crowned the Greatest of All Time (GOAT). Not the Pretty Goodest or the Gosh, Nice Try-est. And certainly not the Wow, You Very Nearly Failed-est.

But when three acclaimed geniuses hit the buzzers last week, those were the titles they earned in the cybersecurity category. The contestants missed two out of five. No big deal? Normally not, but these guys were the best of the best—and their combined score of correct answers equaled 60 percent. In most grading systems, that’s one point shy of an ‘F.’

I mean, shouldn’t a Jeopardy GOAT be good at almost everything?

Really? They missed ‘BYOD’?

Yes, they did. And it was worth $600, a pretty generous sum for a pretty easy answer.

It was exciting to see cybersecurity included in this highly watched episode. To be fair, I thought the show came up with an interesting selection of topics. Ransomware. Keylogger. Whitehats. And sigh, BYOD. Again, if this were a normal episode (or a normal game show) you’d expect easier questions. But hey, this is Jeopardy, GOAT Edition.

Here’s the dagger: current GOAT tournament leader Ken Jennings is in IT. Ken, you let us down, man! Okay, “keylogger.” Not everybody knows what it means.

But, sorry to say this, a real genius would. To claim GOAT status, you need to go beyond the basics. And not wait until the other categories are nearly exhausted before summoning the courage to tackle cybersecurity. Call me biased, but it’s a pretty important subject these days.

Kudos to the players for knowing what bitcoin is.

And for nailing HTTPS and whitehats. But millions of people watched this episode. Ken, Brad, and James could have shown America that any self-respecting GOAT knows cybersecurity as well as The Oscars or American Idols.

And couldn’t there have been one measly phishing question? “Who is John Podesta, Alex?” Or “What is a fraudulent email?” The FBI published two alerts last year on business email compromise alone.

All right, enough griping. At least our industry got some recognition. But if Jeopardy ever includes us again, I want the players to do better than a D+.


In 2020, Resolve Not to Simulate Last Year’s Phish

By Tonia Dudley

As you start off the new year, it’s a good time to recalibrate your phishing simulation program. Things change—business objectives, mergers, acquisitions or divestitures. The threat landscape is constantly changing too and may require a complete shift in your security awareness efforts. This is why you should focus on one quarter at a time—we’d all be millionaires if we could predict the future 12 months from now.

Align Your Simulations to Phish Your Users See.

As you prepare to launch simulations this quarter, ensure you align these to the threats actually hitting your users’ inbox. By keeping your campaigns aligned, you are better preparing your users to defend your organization against a phishing incident that could lead to a data breach or ransomware attack.

How do you achieve this? Start by reaching out to your Security Operations Center (SOC), the experts on the threats facing your organization. Also, many organizations are now standing up a Cyber Threat Intelligence team to proactively hunt for threats—these analysts are another great source of anti-phishing recommendations.

Planning a Credential Phish? Attackers Probably Are.

If you don’t have access to either of these resources, check out our most recent Cofense Annual Phishing Report. For example, we continue to see phishing emails that target credentials. Whenever I visit customers or talk to security teams, I ask if they are seeing credential phishing as a major threat to their organization. Without skipping a beat, the response is typically an immediate “yes” followed up with a real phishing incident story.

Figure 1: Sample credential phish

Running a credential phishing campaign can sometimes be complex, but compared to the time spent remediating a phishing incident, it is time well spent. Chances are a credential simulation will pay off. Consider this nugget from our Annual Phishing Report:

74% of Real Phish Are Credential Phish

But Credential Phish Are Only 17.2% of Simulations

That’s a gap in your phishing awareness program you don’t want to see.

Don’t Forget Tax Season, Plus Data Privacy and Valentine’s Days.

Beyond credential threats, the first quarter of the calendar year offers seasonal themes. I’ve seen some awareness programs use a topics calendar, and the following topics are good bets for the first few months of the year.

  • Data Privacy Day – January 28th.
  • Tax season – anything related to tax topics and W-2s piques interest.
  • Valentine’s Day
    • I know some of you are right now thinking about that Valentine’s e-Card you want to send out. We recently covered holiday-themed campaigns used by the Emotet botnet in our December blog post. If Emotet comes back online, we’ll most likely see them leverage a similar holiday theme again. If you want to align a Valentine’s theme to a real threat, focus on an attachment that leverages a macro-enabled MS Word document. Speaking of Emotet, because it’s one of the biggest botnets out there, Cofense led off our new podcast series, Phish Fryday, with an Emotet deep-dive. Check it out here.

Whatever topics or themes you choose, just be sure they reflect the email threats your users will likely see. Whether your program is mature (and needs a jolt) or you’re just getting started, good luck! Cofense resources can help you move from awareness to full-strength phishing defense.


Phish Fryday – Cloud Services in Phishing Attacks

Cloud platforms such as Google Docs, Microsoft OneDrive, and Dropbox provide tremendous value to organizations looking to collaborate. Unfortunately, there are plenty of attackers willing to leverage our trust in these platforms for their own gain. On this week’s episode, we speak with Cofense Senior Intelligence Specialist Alan Rainer about the various ways attackers are using these technologies to bypass defenses, distribute malware and execute phishing campaigns.

For more information on topics mentioned in the discussion, please check out the following articles:

Raccoon Stealer

The UK Ministry of Justice Campaign

Agent Tesla