Phish Fryday – 2019 Q4 Malware Trends – Part 2

Cofense Intelligence recently released their strategic analysis of malware trends of the last quarter of 2019, along with some predictions for the coming year. In our previous episode, we looked at some of the trends seen at the end of last year. In this second part, we speak with two key contributors to the report, Cofense Cyber Threat Intelligence Analyst Max Gannon and Senior Intelligence Specialist Alan Rainer, as they look ahead to what organizations should anticipate in the threat landscape and how to prepare for it.

For more information on topics mentioned in this episode, please visit:

Q4 2019 Malware Trends Report

Questions or comments? Reach us at [email protected]

Learn more about how phishing awareness training can help your organization defend against changing phishing threats.

Cofense to Host Fifth Annual Phishing Defense and User Conference

LEESBURG, Va. – Feb. 12, 2020 – Cofense®, the global leader in intelligent phishing defense solutions, today announced registration is open for the fifth annual Submerge phishing defense and user summit. Taking place at the JW Marriott Orlando, Grande Lakes on November 16-17, Submerge 2020 is the premier showcase for phishing defense and incident response professionals, providing two full days of training, technical deep dives and educational sessions led by industry leaders and cyber security experts.

This year’s conference promises more engaging hands-on content including dozens of sessions covering the latest phishing defense strategies and tactics, case studies presented by the industry’s leading experts and ample networking opportunities with peers from across the world. As with previous years, there will also be a wealth of speaker tracks, truly plunging attendees into the latest anti-phishing best practices and how they can unlock the power of collective human intelligence to defend against advanced cyber threats.

Those interested in sharing their knowledge and expertise at the event can submit a presentation abstract for consideration through the Call for Speakers submission form, focusing on one of four topics: Innovation in Phishing Awareness; Aligning Phishing Defense to the Business; Phishing Incident Response; or the Phishing Threat Landscape.

“The threat landscape continues to shift rapidly, with attackers innovating their way past Secure Email Gateways every day,” said Rohyt Belani, chief executive officer and co-founder, Cofense. “Cyber security professionals need to stay ahead of the latest attack vectors and be prepared for threats heading their way. With overwhelmingly positive feedback from previous attendees, we’re thrilled to bring organizations, partners and industry leaders the tools and knowledge they need to ramp up their phishing defense programs once again this year.”

Ideally suited for cyber security professionals, operators, and decision makers who focus on email security and phishing defense, Submerge 2020 is open to existing Cofense customers and non-customers alike. Attendees can also make Submerge 2020 an extraordinary business trip by relaxing in the Florida sunshine at the impressive outdoor pool complex or by playing a challenging 18-hole golf course designed by PGA great Greg Norman.

Early bird pricing of $249 for Submerge 2020 is available until August 1, 2020. Those interested in attending can register here and find further information on the event and venue.

###

About Cofense

Cofense®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact

[email protected]

Phishers Are Using Google Forms to Bypass Popular Email Gateways

By Kian Mahdavi

Over the past couple of weeks, the Cofense Phishing Defense Center (PDC) has witnessed an increase in phishing campaigns that aim to harvest credentials from innocent email recipients by tricking them into ‘Updating their Office 365’ using a Google Docs Form.

Google Docs is a free web-based application, allowing people to create text documents and input and collect data. It is an enticing way for threat actors to harvest credentials and compromise accounts. Here’s how it works:

Figure 1 – Email Header

The phishing email originates from a compromised financial email account with privileged access to CIM Finance, a legitimate financial services provider. The threat actor used the CIM Finance website to host an array of phishing emails. Since the emails come from a legitimate source, they pass basic email authentication checks such as DKIM and SPF; as seen in the headers above in figure 1, this email passed both the DKIM and the SPF check. Authentication only proves the message really came from the CIM Finance domain, not that its content is trustworthy.

This threat actor set up a staged Microsoft-themed form hosted on Google. Because Google serves the form over HTTPS with a valid SSL certificate, recipients are led to believe they are being linked to a Microsoft page associated with their company. Instead, they are linked to an external website hosted by Google, such as

hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSfzgrwZB23BXv6vumZljSGg0mUuYP4UcafmShTpUzWJoYzBPA/viewform.

Figure 2 – Email Body

The email masquerades as a notification from the “IT corporate team,” informing the business user to “update your Office 365,” which has supposedly expired. The “administrator” claims immediate action must be taken or the account will be placed on hold. Because losing email access is so disruptive, this urgency is the key to the credential phish: users panic, click the phishing link and provide their credentials.

Figure 3 – Phishing Page

Upon clicking the link, the end user is presented with a substandard imitation of the Microsoft Office 365 login page, as seen in figure 3, that does not follow Microsoft’s visual style. Half the words are capitalized, and letters are replaced with asterisks; examples include the word ‘email’ and the word ‘password.’ In addition, when end users type their credentials, they appear in plain text rather than being masked with asterisks, another red flag that the login page is not real. Once the user enters credentials, the data is forwarded to the threat actors via Google Drive.
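The two signals this analysis turns on, an email that passes SPF and DKIM yet links an “Office 365” lure to a form on docs.google.com, can be checked mechanically during triage. The following Python is an added example, not code from Cofense or the original post; the brand-to-host table, the sample message and the form ID in it are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Brand keywords and the link hosts a genuine notice for that brand would use.
# Hypothetical table for illustration; extend it for the brands your users see.
BRAND_HOSTS = {
    "office 365": ("microsoft.com", "microsoftonline.com", "office.com"),
    "microsoft": ("microsoft.com", "microsoftonline.com", "office.com"),
}
# Hosts that serve anyone's form behind a valid Google TLS certificate.
FORM_HOSTS = ("docs.google.com", "forms.gle")
URGENCY = ("expired", "on hold", "immediate", "suspend", "within 24")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample modelled on the lure described above (not a real capture).
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=finance.example; dkim=pass header.d=finance.example
From: IT corporate team <accounts@finance.example>
To: user@corp.example
Subject: Update your Office 365
Content-Type: text/plain; charset="utf-8"

Your Office 365 has expired. Immediate action is required or your
account will be placed on hold. Update here:
https://docs.google.com/forms/d/e/EXAMPLE-FORM-ID/viewform
"""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def host_in(host, suffixes):
    """True if host equals or is a subdomain of any listed suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(raw_email):
    """Score one single-part RFC 822 message; 'suspicious' is the verdict."""
    msg = message_from_string(raw_email)
    auth = auth_results(msg)
    text = msg.get_payload(decode=True).decode("utf-8", "replace")
    low = text.lower()
    brands = [b for b in BRAND_HOSTS if b in low]
    urgent = [w for w in URGENCY if w in low]
    expected = {h for b in brands for h in BRAND_HOSTS[b]}
    mismatched = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        # A third-party form host only matters when the text names a brand
        # whose real login portal lives somewhere else.
        if brands and host_in(host, FORM_HOSTS) and not host_in(host, expected):
            mismatched.append(url)
    return {
        "spf": auth.get("spf"),
        "dkim": auth.get("dkim"),
        "brands": brands,
        "urgency": urgent,
        "mismatched_links": mismatched,
        # Passing SPF/DKIM does not clear the message; the brand/host mismatch flags it.
        "suspicious": bool(mismatched),
    }
```

Run `triage(SAMPLE)` to see the message flagged despite `spf` and `dkim` both reading `pass`; swapping the link for a microsoftonline.com host clears the verdict.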


Network IOC: hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSfzgrwZB23BXv6vumZljSGg0mUuYP4UcafmShTpUzWJoYzBPA/viewform
IP: 172[.]217[.]7[.]238


HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe through the “Account Security Alert” or “Cloud Login” templates and get visibility of attacks with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 36388.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Phish Fryday – 2019 Q4 Malware Trends – Part 1

Cofense Intelligence recently released their strategic analysis of malware trends of the last quarter of 2019, along with some predictions for the coming year. In this 2-part episode, we speak with two key contributors to the report, Cofense Cyber Threat Intelligence Analyst Max Gannon and Senior Intelligence Specialist Alan Rainer. In part 1, we’ll discuss the evolutionary nature of attacks at the end of 2019, including 4 key pieces of malware of note. In part 2, we’ll look ahead to what organizations should anticipate in the threat landscape and how to prepare for it.

For more information on topics mentioned in this episode, please visit:

Q4 2019 Malware Trends Report

Questions or comments? Reach us at [email protected]

Phish Fryday – Agent Tesla

Agent Tesla appeared on the malware scene in 2014 as a simple keylogger. We’ve seen this malware expand capabilities over the years, making it still one of the more popular types of malware distributed in phishing attacks. In this episode, we speak with Cofense Cyber Threat Intelligence Analyst Aaron Riley about the history of Agent Tesla, how it evolved, and how to defend against it.

For more information on topics mentioned in this episode, please visit:

Agent Tesla is a Top Phishing Threat

Krebs on Security – Who Is Agent Tesla?

CVE-2017-11882 – Microsoft Equation Editor Vulnerability

Questions or comments? Reach us at [email protected]

Learn more about how phishing awareness training can help your organization defend against changing phishing threats.

Phish Fryday – Phishing with the Microsoft Equation Editor Vulnerability

Back in 2017, Microsoft announced a vulnerability in their Equation Editor, dubbed CVE-2017-11882. This memory corruption vulnerability allowed attackers to execute malicious code in the context of the exploited user. Here we are in 2020 and the vulnerability is still being exploited in phishing attacks. In this episode we speak with Cofense Cyber Threat Intelligence Analyst Max Gannon about what the vulnerability is, why it’s still being exploited, and what organizations can do to better defend against these attacks.

For more information on topics mentioned in this episode, please visit:

NIST CVE Details

Cofense “Patch or Pass” blog post

Questions or comments? Reach us at [email protected]

Discover how phishing awareness training can help your organization defend against changing phishing threats.

Cofense Uniting Humanity Against Phishing at 2020 RSA Conference

LEESBURG, Va. – February 6, 2020 – Cofense, the global leader in intelligent phishing defense solutions, today announced the company’s presence at RSA Conference 2020, taking place February 24-28 in San Francisco. This year’s RSAC theme will focus on the most powerful asset in protecting against cyberattacks – the “Human Element”, the beating heart of Cofense’s mission. As threat actors continuously innovate to slip past technologies put into place to protect both organizations and consumers alike, the security community is increasingly aware that artificial intelligence and machine learning alone are not silver bullets to protect against today’s emerging and sophisticated attacks; empowering humans to act as the last line of defense is critical for a truly multi-layered and integrated cyber defense posture.

“Phishing is a uniquely human and global problem, and our long-standing stated purpose is to unite humanity against phishing,” said Rohyt Belani, chief executive officer and co-founder, Cofense. “Our 21 million plus end users act as human sensors, reporting thousands of suspicious emails to security operations teams daily. The collective human intelligence of the Cofense customer base provides SOC teams with visibility into threats that evade security controls every single day.”

To shed light on how humans are integral to organizational defense, Cofense Security Solutions Advisor, Tonia Dudley, will present an interactive workshop as part of RSA’s Learning Labs. Dudley’s session, “Hearts and Minds: Shaping a Successful Awareness Program”, will take place on Wednesday, Feb. 26 at 9:20 a.m. PT, addressing why changing humans is more art than science. The workshop will explore psychological challenges we all face – apathy, fatigue and denial – as well as the inherent benefits in human physiology, such as how our brain chemistry responds to stories. In addition to focusing on phishing defense advocacy and demonstrating how Cofense solutions help organizations across the globe minimize the impact of attacks and reduce costs, Dudley also holds a seat on the National Cybersecurity Society board to provide support and resources for the small business community to improve online safety and security.

RSA Conference attendees can learn more about Cofense by visiting the company’s two booths, located in the South Expo hall at booth #1235, and the North Expo hall at booth #4436. During expo hall hours, Cofense will have six live demo stations where visitors can interact with technology experts and see Cofense’s market-leading intelligent phishing defense solutions, including:

Cofense Vision®

  • Equips SOC teams with the tools they need to find and remove the phishing threats sitting unreported in recipients’ mailboxes, providing remediation in minutes rather than hours or days
  • Provides a privacy-first phish threat hunting platform that supports an organization’s compliance needs without sacrificing search performance
  • *NEW* Auto-quarantine: When combined with Cofense Triage®, enables organizations to auto-quarantine any new email threats received that match a previous Cofense Vision search, reducing analyst overhead and risk exposure

Cofense Triage

  • Leverages a large library of powerful rules, driven by human intelligence, to cut through the noise of suspicious email reports and focus analyst attention on the threats that matter
  • Accelerates phishing qualification, investigation and response by automating standard responses to suspicious emails to make analysts more efficient, driving actionable intelligence faster
  • Provides a full-featured API to integrate with SIEM, SOAR, and other enterprise systems to maximize an organization’s security investment and reduce response time and analyst effort in finding and remediating phishing threats

Cofense Intelligence®

  • Using a global, proprietary network of sensors and sources, provides unrivalled insights into the rapidly evolving threat landscape, including tools, techniques and procedures that are not only observed in the wild, but verified to bypass existing enterprise security controls such as Secure Email Gateways (SEGs)
  • Delivers actionable intelligence that supports organizational defense initiatives

Cofense PhishMe®

  • Educates enterprise end users on the real attacks facing organizations – including those that evade SEGs – transforming them into the last line of active defense against cyber attacks
  • Responsive Delivery: Improves user engagement and optimizes simulation program effectiveness for enterprises of all sizes by delivering email simulations only when the recipient is active in their inbox, eliminating whitelisting and global scheduling issues and reducing false positives caused by changes in email security tools
  • *NEW* Recipient Sync
    • Automates provisioning, updates and deprovisioning of Cofense PhishMe recipients from Azure AD using standards based SCIM 2.0 without the need for an additional tool
    • Allows operators to fully control which information gets shared and synced

In addition, booth visitors can enjoy giveaways and daily activities at the South Expo Hall Booth #1235, allowing them to:

  • Unwind after a long day at happy hour on Tuesday from 4 – 6 p.m.
  • Cool down with ice cream and meet Cofense experts on Wednesday from 2 – 4 p.m.
  • Fuel up on the final day with espressos and cappuccinos on Thursday from 10 a.m. – 3 p.m.

###

About Cofense

Cofense, formerly PhishMe, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines phishing awareness training and timely attack intelligence sourced from employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. For more information, please visit www.cofense.com.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos included in this press release are registered trademarks or trademarks of Cofense Inc. All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Media Contact

[email protected]

Emotet Gears Up to File (Your) Taxes

By Tonia Dudley, Cofense Security Solutions

What’s the first form you need to file in order to collect US taxes? Why a W-9 of course! So, what have we been seeing from Emotet as it gears up for filing taxes on your behalf? A W-9 phish of course!

As with any other trend we’ve seen from this threat actor, the email messages are not sophisticated; in fact, these are quite basic. We are seeing both an attachment (figure 1) and a simple link (figure 2) to download this document. And look, the attachment (figure 3) isn’t anything fancy either. While this tax season is just getting started, with many tax filing forms due to taxpayers last week, by Jan 31st, we anticipate these campaigns will likely evolve and get better as we move towards the annual filing date of April 15th.

Figure 1 – Emotet using W9 attachment

Figure 2 – Emotet with URL link to attachment

Figure 3 – Emotet W9 Attachment

FYI, this week has been declared Tax Identity Theft Awareness Week by the Federal Trade Commission (FTC). It’s a great time of the year to remind your organization, friends, and family to be vigilant in protecting their tax forms. Below are some tips from the FTC to better protect your identity during this tax season:

  • Protect your SSN throughout the year. Don’t give it out unless there’s a good reason and you’re sure who you’re giving it to.
  • File your tax return as early in the tax season as you can.
  • Use a secure internet connection if you file electronically, or mail your tax return directly from the post office.
  • Research a tax preparer thoroughly before you hand over personal information.
  • Check your credit report at least once a year for free at annualcreditreport.com. Make sure no one has opened a new account in your name.


HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.
