Cofense Announces Additional Investment by BlackRock and Appointment of Tom McDonough to Board of Directors

LEESBURG, Va. – April 28, 2020 – Cofense®, the global leader in intelligent phishing defense solutions, today announced the appointment of Tom McDonough to its Board of Directors as well as an additional investment from funds managed by BlackRock Private Equity Partners to support Cofense’s growth strategies. Initially inked in 2018 and expanded in 2019, Cofense’s continued partnership with BlackRock provides additional growth capital to advance research and development as well as further the company’s global expansion.

“We are pleased to build upon our relationship with BlackRock following one of our strongest quarters in company history,” said Rohyt Belani, Cofense co-founder and chief executive officer. “Combined with recent enhancements to Cofense’s leadership structure and the addition of Tom to our board of directors, the company is well positioned to meet growth and profitability targets in the coming year.”

Cofense’s security operations offerings, Cofense Triage and Cofense Vision, help organizations stop phishing attacks in their tracks by detecting, identifying, and rapidly quarantining malicious emails that evade secure email gateways (SEGs) every day. Cofense has close to 2,000 enterprise clients in over 150 countries, representing every major vertical from energy, financial, healthcare to manufacturing and high technology. Since January 2020, Cofense has achieved the Federal Risk and Authorization Management Program (FedRAMP) In Process designation, launched a COVID-19 phishing resource center to help protect organizations and end users during this public health emergency, and expanded its leadership team with key executive additions from organizations such as Proofpoint. Poised for its next phase of growth, Cofense will continue investing in R&D to provide their customers with peak phishing defense across the organization.

As the newest member of Cofense’s board of directors, McDonough brings a proven track record of building and optimizing the performance of highly motivated teams that generate predictable revenue and profitable growth. During his career as an experienced board member and operating executive, including roles with Cisco and Sourcefire, he has managed private, early stage and public companies through international expansion, venture financing, IPOs, acquisitions and integration. McDonough’s extensive experience leading cyber security companies through hyper growth and major market transitions has contributed to the creation of more than $5B in shareholder wealth through two IPOs and four acquisitions at four different companies.

“It is truly an honor to join Cofense’s team as a board member,” said McDonough. “By putting the customer and innovation front and center, Cofense has developed and sustained a strong portfolio of solutions and established its position as a global leader in intelligent phishing defense. Looking ahead, I am very confident that Cofense’s vision, focused execution, expert team and robust product pipeline will enable the company to add to its history of growth and development.”

###

About Cofense
Cofense®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence on phishing threats that have evaded perimeter controls and were reported by employees, with best-in-class security operations technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Media Contact
[email protected]

Phish Fryday – Phishing Defense

Phishing attacks are different than other attacks – they tend to be technology light and social manipulation heavy. Defending against these attacks requires a unique set of skills and tools. In this episode we speak with Cofense Director of Product Management Pete Smith to discuss the tools and skills needed for effective phishing defense.

Questions or comments? Reach us at [email protected]

Discover how cybersecurity awareness training can help your organization defend against changing phishing threats.

This Phish Uses Skype to Target Surging Remote Workers

By Harsh Patel

The Cofense Phishing Defense Center (PDC) recently unearthed a new phishing campaign spoofing Skype, the popular video calling platform that has seen a recent spike in use amid the need to keep employees connected as they work remotely. This phishing attack was found in email environments protected by Proofpoint and Microsoft 365 EOP, landing in end-users’ inboxes.

With so many people working from home, remote work software like Skype, Slack, Zoom, and WebEx are starting to become popular themes of phishing lures. We recently uncovered an interesting Skype phishing email that an end user reported to the PDC.

Figures 1 and 2: Email Body

For this attack, the threat actor created an email that looks eerily similar to a legitimate pending notification coming from Skype. The threat actor tries to spoof a convincing Skype phone number and email address in the form of 67519-81987[@]skype.[REDACTED EMAIL]. While the sender address may appear legitimate at first glance, the real sender can be found in the return-path displayed as “sent from,” which also happens to be an external compromised account. Although there are many ways to exploit a compromised account, for this phishing campaign the threat actor chose to use it to send out even more phishing campaigns masquerading as a trusted colleague or friend.

It is not uncommon to receive emails about pending notifications for various services. The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the “Review” button without recognizing the obvious signs of a phishing attack.

Upon clicking ‘Review’ users will be redirected via an app.link:

hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5

Finally, to the end phishing page:

hxxps://skype-online0345[.]web[.]app

The threat actor has chosen to utilize a .app top-level domain to host their attack. This TLD is backed by Google to help app developers securely share their apps. A benefit of this top-level domain is that it requires HTTPS to connect to it, adding security on both the user’s and developer’s end, which is great…but not in this case. The inclusion of HTTPS means the addition of a lock to the address bar, which most users have been trained to trust. Because this phishing site is being hosted via Google’s .app TLD it displays this trusted icon.

Figure 3: Phishing Page

Clicking the link in the email, the user is shown an impersonation of the Skype login page. If a well-trained user inspects the URL, they will see that the URL contains the word Skype (hxxps://skype-online0345[.]web[.]app). To add even further sense of authenticity, the threat actor adds the recipient’s company logo to the login box as well as a disclaimer at the bottom warning this page is for “authorized use” of that company’s users only. The username is auto-filled due to the URL containing the base64 of the target email address, thus adding simplicity to the phishing page and leaving little room for doubt. The only thing left for the user to do is to enter his or her password, which then falls into the hands of the threat actor.

 

Network IOCs
hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5
hxxps://skype-online0345[.]web[.]app

Discover how cybersecurity awareness training can help your organization defend against changing phishing threats.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time-based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Available Today: The Cofense Intelligence Q1 2020 Phishing Review

By Mollie MacDougall, Cofense Intelligence

Today, Cofense Intelligence released its Q1 2020 Phishing Review. This report highlights key phishing trends uncovered by Cofense Intelligence analysts, who spend every day analyzing current phishing campaigns and producing actionable phishing intelligence. This intelligence keeps our customers proactively defended against emerging phishing tactics, techniques and procedures (TTPs). Our analysts focus on campaigns that reach enterprise user inboxes, and report on the TTPs designed to evade secure email gateways (SEGs) and other network defense technology.

Report Highlights

The first quarter of 2020 began with a continued seasonal lull in malware volume and ended with a drastic spike in the quarter’s last six weeks, as the COVID-19 virus evolved from emerging crisis to global pandemic. While Emotet volume overall was lower than expected, phishing campaigns leveraging COVID-19 and remote work themes surged in March 2020.

Figure 1: Credential phishing campaign that leveraged COVID-19

While the widespread use of ransomware has not returned to its peak, Cofense Intelligence analyzed targeted ransomware campaigns using themes that leveraged the global pandemic. Ransomware operators have also upped the ante on several campaigns, combining ransomware infection with a data breach and releasing sensitive data if ransom is not paid. This strategy has garnered a great deal of attention in recent headlines, as it further extorts organizations who are prepared to recover from ransomware campaigns and otherwise would not pay off their attackers.

Several campaigns discovered by Cofense Intelligence last quarter used trusted sources to evade perimeter defenses. Organizations rely on trusted platforms and services to conduct efficient business operations, and threat actors are eager to abuse these trusted services to compromise users. Cofense Intelligence has analyzed multiple campaigns that have used trusted sources as a part of the infection chain. These sources include, but are not limited to, cloud services, customer/employee engagement surveys, and third-party connections.

Read our Q1 2020 Phishing Review for more detailed trends identified by Cofense Intelligence and to see our phishing predictions for the  months ahead. Spoiler alert: phishing campaigns are likely to increasingly focus on the upcoming United States general election as well as the global pandemic and the work and lifestyle shifts it has precipitated. We also assess that ransomware campaigns will very likely continue to increase. Finally, we predict that Emotet will again resume phishing campaigns in Q2.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Masquerade as HR Departments to Steal Credentials through Fake Remote Work Enrollment Forms

By: Kian Mahdavi, Cofense Phishing Defense Center

With the escalation of COVID-19, organizations are rapidly adjusting as they move their workforce to work from home; it’s no surprise that threat actors have followed suit. Over the past few weeks, the Cofense Phishing Defense Center (PDC) has observed a notable uptick in phishing campaigns that exploit the widely used Microsoft Sway application to steal organizational credentials and to host phishing websites. Sway is a free application from Microsoft that allows employees to generate documents such as newsletters and presentations and is commonly used by professionals to conduct their regular day to day work tasks.

In a new campaign, threat actors send emails with subject lines such as ‘Employee Enrollment Required’ and ‘Remote Work Access.’

Figure 1: Email body

The sender in Figure 1 claims to come from ‘Human Resources.’ Closer inspection, however, reveals the actual sender’s address – a purchased domain address ‘chuckanderson.com’ with no association to the HR team or the organization’s official mailing address.  The attack includes carefully thought out trigger words, such as ‘expected’ and ‘selection/approval,’ language that often trips up employees who are accustomed to receiving occasional emails from their local HR team, especially during this pandemic. Should users hover over the link within the email, however, they would see ‘mimecast.com’ along with ‘office.com,’ potentially and mistakenly deeming these URL(s) as non-suspicious.

By using trusted sources such as Sway to deliver malware or steal corporate credentials, such campaigns often evade Secure Email Gateways (SEGs) thanks to the trusted domains, SSL certificates and URL(s) used within the email headers.

Figure 2: Cofense PDC Triage flagging the known malicious URL

Numerous employees across a variety of departments within the same company received and reported this email to the Cofense PDC, with each email consistently redirecting users to similar Sway URLs.  These URLs were already known by our Cofense Triage solution and were identified as malicious, providing valuable context for our PDC analysts when they commenced their investigation.

As previously discussed, as legitimate domains and URLs were used, these campaigns remained undetected for longer periods of time, likely leading to a higher number of compromised account credentials. On the other hand, malicious content hosted on purpose-built phishing sites usually gets flagged much quicker, taken down earlier, and therefore leading to a much shorter ‘time to live’ period. In short, this attack was easy to execute, required minimal skill, and remained undetected by security technologies.

Figure 3: Virus Total URL Analysis  

Upon conducting a web search using reliable threat intelligence feeds, as shown above in Figure 3, the authenticity of URLs can be verified against trusted security vendors that have recently detected the attack, flagging them as ‘malicious/phishing’. Displayed in the top right-hand side of Figure 3 is the timestamp revealing the latest known update from a security vendor.

Figure 4: First phase of phishing page

Awaiting the user is the bait on a generic looking page, a ‘BEGIN ENROLLMENT’ button and once clicked, redirects to a document hosted on SharePoint as seen below in Figure 5.

Figure 5: Second phase of phishing page

Once employees enter their credentials and hit the ‘Submit’ button, their log-in information is sent to the threat actor – the end user is none the wiser that they have been successfully phished.

As employees have rapidly shifted to remote working, threat actors have started to look at ways they capitalize on the COVID-19 pandemic to spoof new corporate policies and legitimate collaboration tools to harvest valuable corporate credentials, a trend we anticipate will only continue to gain steam in the foreseeable future.

Indicators of Compromise:

First Hosted URL IP Address
hXXps://sway[.]office[.]com/5CgSZtOqeHrKSKYS?ref=Link 52[.]109[.]12[.]51

 

Second Hosted URL IP Address
hXXps://netorgft6234871my[.]sharepoint[.]com/:x:/r/personal/enable_payservicecenter_com/_layouts/15/WopiFrame[.]aspx 13[.]107[.]136[.]9

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Fryday – Remote Work Security

The current COVID-19 pandemic has organizations scrambling to setup remote work options for their employees. As technology is hastily rolled out and policies are updated, anxious users are looking for guidance and support. Threat actors, taking advantage of the situation, are using this gap in information to execute successful phishing campaigns. In this episode, we speak with Cofense Co-founder and CTO Aaron Higbee and Cofense Security Solutions Advisor Tonia Dudley to discuss attacks we’re seeing as well as some tips to protect your workforce.

Mentioned in this episode:

WebEx Phishing Campaign

Remote Work Infocenter

Questions or comments? Reach us at [email protected]

Discover how phishing awareness training can help your organization defend against changing phishing threats.

Phish Fryday – Phishing Trends from the Front Lines

Phishing threat actors constantly tweak and tune their attacks to evade secure email gateways to reach user inboxes. When that happens, your best users will report those attacks to security, giving you a jump on neutralizing the threat. In this episode, we speak with Ashley Tran, Threat Analyst in Cofense’s Phishing Defense Center, about the threats she and her team have been seeing lately as customers report the latest attacks.

Mentioned in this episode:

YouTube Phishing Redirects

Coronavirus Infocenter

Questions or comments? Reach us at [email protected]

Discover how cybersecurity awareness training can help your organization defend against changing phishing threats.

Cofense Announces Key Additions to Leadership Team Including Former Proofpoint Executive

Brandi Moore Appointed as Chief Operating Officer
Mark Small Joins as Senior Vice President of Worldwide Sales
Carolyn Merritt Joins as Vice President of Customer Experience

LEESBURG, Va. – April 9, 2020 – On the heels of one of the strongest quarters in company history, Cofense® , the global leader in intelligent phishing defense solutions, today announced enhancements to its leadership structure to further position the business for its next phase of growth. Brandi Moore, previously Chief of Staff at Cofense, has been appointed Chief Operating Officer (COO), reporting directly to Chief Executive Officer, Rohyt Belani. Former Proofpoint executive Mark Small joins the company as SVP of Worldwide Sales, and Carolyn Merritt joins as VP of Customer Experience, both reporting to Moore.

“During the first quarter of 2020, strong demand for Cofense’s phishing defense solutions drove the highest gross margins and EBITDA[1] since reaching scale in 2015,” said Belani. “With more than 22 million people across the globe actively flagging potential attacks, and record-breaking adoption of our security operations offerings – Cofense Triage and Cofense Vision – we empower thousands of organizations to stop phishing attacks in their tracks by detecting, identifying, and rapidly quarantining the malicious emails that continue to slip past email gateways. As we position Cofense for its next phase in market leadership, our streamlined organizational structure will help further advance our strong go-to-market strategy and global adoption of our portfolio of products and services.”

Moore brings more than 20 years of industry experience managing technical, strategic and sales teams in cybersecurity. As COO, Moore is responsible for driving further operational excellence across the company’s sales, marketing, customer experience and professional services functions, as well as the Cofense Phishing Defense Center. She began her career in cybersecurity at America Online (AOL) in the 1990’s as it brought the internet into the fabric of everyday life, working in a variety of technical and privacy roles to secure networks and customer financial information. After leaving AOL, she took her cyber background to the revenue generating side of the business, driving sales at Mandiant (acquired by FireEye), Ounce Labs (acquired by IBM) and Trustwave (acquired by Singtel).

As SVP of Worldwide Sales, Small leads the company’s global sales, sales engineering, sales operations and enablement, and channel teams to equip organizations across the globe with Cofense’s innovative phishing defense solutions. Bringing a strong pedigree of sales management and business acumen with more than two decades of cybersecurity leadership experience, Small most recently led Proofpoint’s Digital Risk Worldwide Sales and Technical teams where he played a pivotal role in steering the company’s sales teams to continued growth. Small’s background also includes senior sales and management roles at Websense, McAfee, and Oracle.

Merritt oversees the company’s technical support, client success and PhishMe professional service teams as VP of Customer Experience. With the amalgamation of these teams, Merritt’s leadership serves customers with a proactive and unified experience post-purchase. Merritt brings decades of experience in similar executive leadership roles at various technology companies including Dataprise, Metalogix Software and Cision.

“Brandi, Mark and Carolyn’s respective track records of success and combined entrepreneurial mindsets make them critical assets to Cofense’s executive leadership team,” added Belani. “We are thrilled to foster their insights and demonstrated strategic approach to continue to build high-performance teams to support our strong growth and near-term profitability targets.”

###

About Cofense
Cofense®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence on phishing threats that have evaded perimeter controls and were reported by employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Media Contact
[email protected]

 

[1] Earnings before interest, tax, depreciation and amortization

New Phishing Campaign Spoofs WebEx to Target Remote Workers

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center  (PDC) has observed a new phishing campaign that aims to harvest Cisco WebEx credentials via a security warning for the application, which Cisco’s own Secure Email Gateway fails to catch. In the midst of the COVID-19 pandemic, millions of people are working from home using a multitude of online platforms and software. Attackers, of course, know this and are exploiting trusted brands like WebEx to deliver malicious emails to users.

Targeting users of teleconferencing brands is nothing new. But with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue be an increase in remote work phishing in the months to come.

Here’s how this campaign works:

Figure 1: Email Body

For this attack, the threat actor sends an email with varying subject lines such as “Critical Update” or “Alert!” from the spoofed address “meetings[@]webex[.]com”. With the subject and mail content combined, this may gauge users’ curiosity enough to entice them click in order to take the requested action.

The email then explains there is a vulnerability the user must patch or risk allowing an unauthenticated user to install a “Docker container with high privileges on the system.” In this scenario, the threat actor has spoofed a legitimate business service and explained a problem with their software, prompting even non-technical readers to read further. The threat actor even links to a legitimate write-up for the vulnerability, found at the URL embedded into the text ‘CVE-2016-9223:

hxxps://cve[.]mitre[.]org/cgi-bin/cvename.cgi?name=CVE-2016-9223

The linked article uses the same words as the email, lending further credibility.

The only thing for a responsible user to do next is follow the instructions in the email and update their Desktop App, right?

Even if more cautious users hover over the ‘Join’ button before clicking, they could still very well believe it’s legitimate. The URL embedded behind it is:

hxxps://globalpagee-prod-webex[.]com/signin

While the legitimate Cisco WebEx URL is:

hxxps://globalpage-prod[.]webex[.]com/signin

At a first glance, both URLs look eerily similar. A closer look, however, reveals an extra ‘e’ is added to ‘globalpage.’ Likewise, instead of ‘prod.webex’, the malicious link is ‘prod-webex’.

To carry out this attack, the threat actor registered a fraudulent domain through Public Domain Registry just days before sending out the credential phishing email.

The attacker has even gone as far as obtaining a SSL certificate for their fraudulent domain to gain further trust from end users. While the official Cisco certificate is verified by HydrantID, the attacker’s certificate is through Sectigo Limited. Regardless of who verified the attacker’s certificate, the result is the same – a lock to the left of its URL that renders the email legitimate the eyes of many users.

Figure 2:  Initial Phishing Page

The phishing page to which users are redirected is identical to the legitimate Cisco WebEx login page; visually there is no difference. Behavior-wise, there is a deviation between the real site and the fraudulent page. When email addresses are typed into the real Cisco page, the entries are checked to verify if there are associated accounts. With this phishing page, however, any email formatted entry takes the recipient to the next page where they then requested to enter their password.

Figure 3: Secondary Phishing Page

Once credentials are provided, users are redirected to the official Cisco website to download WebEx, which may be enough to convince most users it is a legitimate login process to update their WebEx app.

Figure 4: Legitimate Redirect Page – Official Cisco WebEx Download Page

At the time of writing, this fraudulent domain is still live and active. In fact, when navigating to the main domain, there is an open directory showing files the threat actor has utilized with this attack.

Figure 5: Open Directory

Files of interest include ‘sign-in%3fsurl=https%[…]’ and ‘out.php’.

The file ‘sign-in%3fsurl=https%[…]’ is the phishing page itself. When users click from this directory, they are redirected to the fraudulent WebEx login (Figure 3).

Figure 6: ‘out.php’ File

The ‘out.php’ file, seen in Figure 6, is the mailer the threat actor appears to have used to send this attack to users’ inboxes. The threat actor can manually input any subject they want – in this case, they chose “Critical Update!!”, adding the HTML for the email to the box below and designating an email list to which they wish to mass send this campaign.

With many organizations quickly adopting remote working policies, threat actors are poised to continue to spoof brands that facilitate virtual collaboration and communication, such as teleconferencing tools and cloud solutions. Learn more how phishing awareness training can help your organization defend against changing phishing threats.

Indicators of Compromise:

Network IOC IP
hxxps://globalpagee-prod-webex[.]com/signin 192[.]185[.]214[.]109

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolves. Our site is updated with screenshots and YARA rules as we continue to track campaigns.

Every day, the Cofense Phishing Defense Center (PDC) analyzes phishing emails that bypassed email gateways, 75% of which are credential phish.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 37308 and received YARA rule PM_Intel_CredPhish_37308. Cofense Intelligence customers who would like to keep up with the Active Threat Reports and indicators being published, all COVID-19 campaigns are tagged with the “Pandemic” search tag.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.