You Can Respond to Phishing Threats in Seconds with Cofense and Cyware: Here’s How

Targeted and relentless. Threat actors pinpoint organizations to steal credentials, infect endpoints, encrypt data for ransom, or exfiltrate intellectual property or non-public information.

All organizations will be phished, but they don’t have to experience a reputation-damaging breach. The best defense is a combination of aware employees, purpose-built phishing solutions, automated incident analysis and response playbooks, and a repeatable process that scales as fast as attackers innovate.

Cofense and Cyware have partnered to provide organizations with the resources to collect phish that evade secure email gateways (SEGs), automate the analysis, and determine threat severity in seconds.

The security workflow is preceded by conditioning employees to recognize suspicious email and report to their security team. What happens next is a blend of technology and intelligent analysts who have the right information to make an informed decision without negatively impacting the business.

The use case is simple, and the process is effective:

  • Phish evade the SEG
  • Employees report the suspicious email
  • Cofense TriageTM ingests and analyzes one or more email clusters with similar tactics
  • Cyware CSOL (security orchestration platform) ingests indicators from Cofense Triage
  • Cyware CTIX (threat intelligence platform) enriches indicators from Cofense Triage with Cofense IntelligenceTM and other premium intelligence sources
  • Cyware CSOL runs a complete response playbook which may include blocking a URL at the network gateway to protect employees from reaching the external phishing site

Let’s look at the sequence of events and how the response is carried out.

  1. Phisher crafts their email (figure 1) and in this case is attempting to direct the employee to a malicious site where a payload could infect the endpoint.

Figure 1. Malicious link within a company-wide email portraying to be from HR

2. A conditioned employee reports the email that evaded the SEG to a predetermined abuse mailbox monitored by the SOC. Purpose-built Cofense Triage ingests all emails from the abuse mailbox and automatically analyzes to quickly remove benign reports while at the same time highlight real threats.

Figure 2. Reported email ingested into Cofense Triage for automated analysis

3. Upon ingestion into Cofense Triage, out-of-box phishing rules are applied, and automated analysis categorizes the email as ‘advanced threats’, matching Emotet indicators and tactics. Benign emails are not impairing the view and the SOC can focus on credible phishing threats from a highly reputable reporter (in this case, a VP within the company).

Figure 3. Processed email matching advanced threats Emotet rules

4. Knowing this email is dangerous, the URL is designated malicious by an analyst

Figure 4. SOC analyst verifying malicious threat indicator

5. Additional validation within Cofense Intelligence further confirms the URL is malicious and delivers analysts related phishing indicators that, in this example, are part of the Emotet malware family. Other domains, files, and URLs are returned from knowing just one threat indicator.

Figure 5. Cofense Intelligence JSON output snippet with additional threat indicators

6. Once Cofense has confirmed that the URL is malicious, the analyst can leverage the orchestration capabilities of the Cyware Security Orchestration Layer (CSOL) to take action and begin remediation and triage efforts. CSOL gives users the ability to create automated, customizable workflows that easily integrate with the other tools in their security stack.

In this example, the analyst initiated the Cofense Triage Playbook to ingest the data it received from the Cofense Triage API. The playbook parsed the available data from Cofense to find the associated indicators, and then leveraged integrations with their other enrichment tools to fully enrich all associated indicators.

Figure 6. CSOL ingests Cofense Triage phishing data

7. Once enriched, the CSOL Playbook automated the mitigative action. The sender of the malicious email was automatically blocked at the email gateway and a confirmation notification was sent to the analyst.

Figure 7. CSOL runs through remediation to block sender at the email gateway

8. In addition, the malicious IOCs were sent to the SIEM to perform a historical lookup. If any of the malicious IOCs were previously seen in the organization’s environment, a SIEM alert was created and sent to the SOC team.

Figure 8. CSOL runs through additional steps from data received from Cofense

9. Finally, proactive defensive action was taken. The malicious URL was automatically blocked at the firewall, and all associated indicators were added to CTIX, Cyware’s Threat Intelligence Platform. Adding these indicators to CTIX ensures that this intelligence is memorialized and can be used at a later time for analytics, enrichment, and further correlation by the threat intel team.

Figure 9. CSOL blocks URL at the firewall and ingests other indicators into CTIX

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

End of Support for Windows 7 Means Beginning of Upgrade-Themed Phishing Campaigns

By Kaleb Kirk, Cofense Phishing Defense Center  

Over the last few years, businesses have been getting serious about updating their corporate desktop images. For quite some time, Windows 7 has been the predominant operating system (OS) for many workplaces and environmentsWindows 10 was released in 2015yet many companies are just now making the transition. With that comes the pains of upgrading end users machines. Standardizing a corporate desktop image is arduous with complicated edge cases that must be considered for all the hardware variants. The job is further complicated when thirdparty software has yet to officially support a new OS. This explains why enterprises wait, sometimes for years, before taking the plunge. Unfortunately, these delays give the bad guys time to refine exploitation techniques on older operating systems lacking the latest architecture.  

The phishing lure below preys on the victim’s anxiety about losing productivity while their computer is upgraded. Comically, the attacker uses a colorful list of benefits the end user receives to get them to take the baitWill we see an uptick in this phishing lure? It will depend on the success rate of this theme. Time will tell.   

Figure 1-2: Email Body

The subject references a Windows upgrade, but there is also something else manipulative: the inclusion of the “RE:” before the rest of the subject. Internal email about company meetings, news and IT upgrades are common. Prefixing the “RE:” may instill a sense of urgency by leading the user to believe they have missed a prior communication about the upgrade.

We look at phishing emails that bypass commercial gateways all day, every day. Most of them are hastily slapped together. This lure needs improvement, but it’s not completely awful. We give this threat actor two gold stars for the table with made-up laptops, fake serial numbers, building, etc. It applies a good sense-of-urgency ploy using the highlighted “Today,” and the body doesn’t have obvious grammar or spelling errors. Again, not completely awful.

How can this attacker upgrade this lure from a C- to a B+? This email would be more believable if the sender were more generic. “Helpdesk,” for example. We obfuscated the From: line of the compromised account  “Genadiy” which was not from the intended victim’s company domain, and certainly not from their IT department. The intended victim unfortunately doesn’t have a clean way to easily know the true underlying URL because it’s annoyingly masked by Proofpoint’s URL Defense (which, ironically, would not have defended the user because, once clicked, the phishing page loaded instantly).

Figure 3: Credential Phishing Page

Figure 3, above, shows the loaded credential phishing page. This page gets a D- for lack of effort. They wasted a valid SSL certificate on a terrible version of an OWA login page.

This phish closes out cleanly by redirecting the intended victim to a Microsoft page about the discontinued support of Windows 7 (but still leaves the target worried about their OS upgrade).

Figure 4: Final Redirect

Attackers have been using the “time to upgrade your out-of-date software” ploy for years. With Windows 7 ending official support, it won’t be surprising if we see a flurry of better versions of this phish in the future. Hopefully your vigilant users know that “Genadiy” (from a company that isn’t yours) doesn’t upgrade an operating system “Today,” and via email. Cheers.

Network IOC IP
hXXps://app[.]getresponse[.]com/site2/ken23456789765?u=w3DxF&webforms_id=hlvzr 104[.]160[.]64[.]9
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Virtual Submerge – excitement and a consensus:

We‘ve closed the curtain on Virtual Submerge 2020, but our collective work is nowhere near done. The engagement in our breakout sessions and solutions center demos, as well as the feedback we receivedclearly conveyed that enterprises are continuing to struggle identifying and removing phish from their environments. 

During the event we received questions from, and chatted with, security experts from around the globe, including representatives of governments, security firms, nonprofits and enterprises. Take a look at a sampling of the comments, below, and in the social images in the sidebar.

  •  “I just wanted to pass along my compliments to Rohyt Belani and Aaron for the Keynotes…the Keynotes were both awesome! Great information and great styles from both.”
  • “I really liked the presentation on ‘How to Reach a 0% click rate.’…top notch job.”
  • “I am interested in catching phish that get by our secure email gateway, especially those leveraging O365 framework…tell me what we need…”

Virtual Submerge 2020 on Social

The Virtual Submerge sessions will be available for the next 30 days. If you’d like to view sessions again, or know others that might be interested, you can register here.

Thanks to everyone who joined. We look forward to the next time!

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.
sample phish spoofs sharepoint with a fax notification that will lead to a credential harvesting site

Phish Found in Proofpoint-Protected Environments – Week Ending September 20, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week we see examples that are part of complex polymorphic campaigns. They use varying tactics to confuse perimeter defenses and increase the workload on security teams. Without a powerful phishing analysis platform, chances are high that at least one of these attacks will succeed.

sample phish uses a document theme with either link or xls attachment to deliver trickbot

TYPE: Malware – TrickBot

DESCRIPTION: This first example comes in a couple of flavors – links and attachments. Both use a project theme to lure the recipient into accessing a macro-laden Microsoft Office spreadsheet to deliver TrickBot first and then BazarBackdoor.

sample phish uses invoice theme to deliver a link to hentai onichan ransomware

TYPE: Malware – Hentai OniChan

DESCRIPTION: Another example highlights the variations an attacker will use within the same campaign. This finance-themed phish delivers links to either directly, or via a .html file, download the Hentai OniChan ransomware.

sample phish uses a link to install a reconnaissance tool

TYPE: Malware – Reconnaissance Tool

DESCRIPTION: This campaign uses a mix of themes to deliver a reconnaissance tool. The example shown uses an illness theme, while others use a report theme. Either way, the result leaves us feeling a bit sickened.

sample phish uses a proposal theme to deliver links to a credential harvesting site

TYPE: Credential Theft

DESCRIPTION: Finally someone cares about security! This email promises a secure invitation and a business proposal. How can you resist? We recommend you keep from clicking the embedded links, since they lead to a credential harvesting site.

sample phish spoofs sharepoint with a fax notification that will lead to a credential harvesting site

TYPE: Credential Theft

DESCRIPTION: That’s an awfully legit-looking SharePoint logo you got there. That must mean the linked fax document is also legit. It’s not, of course, as the link will take the recipient to a site designed to steal credentials.

sample phish uses an invoice theme to deliver an encrypted doc attachment that will install trickbot

TYPE: Malware – TrickBot

DESCRIPTION: Shipping an invoice with a password is a sure sign it can be trusted, right? Must be really important. In this case, the most important thing is not to fall for the phish, as the attached Microsoft Office document uses macros to deliver a set of VBS scripts to install TrickBot.

sample phish with a purchase order theme uses a linked image to install nanocore remote access trojan

TYPE: Malware – NanoCore RAT

DESCRIPTION: This phish comes with all the charm of a truck stop breakfast diner. A friendly greeting and a nasty ending thanks to a link that leads to a NanoCore Remote Access Trojan installer. Better get the biscuit to go.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Virtual Submerge is off to a roaring start.

We just wrapped up the first day of our annual phishing event, Submerge, and to say it was a huge success is an understatement. Our shift to a virtual event enabled thousands of attendees to join from around the world, engaging in the sessions and demos with Cofense experts who were standing by to help answer questions, provide direction and assist through interactive chat.

Judging from attendee feedback, it was a very good day one. And it’s not too late to join us for day two.

Here are a few quick highlights from day one.

  • Keynote presentations. We were impressed – but not surprised – by the quantity and caliber of questions and comments we fielded as a result of the thought-provoking keynote sessions from our co-founders, Rohyt Belani, CEO, and Aaron Higbee, CTO. Thank you to our audience for your engagement throughout the day; we’re already looking forward to what day two has in store.
  • Breakout sessions. We sought to offer a well-rounded program, and many people enjoyed the added benefit of earning CPE credits as a result of our partnership with ICS2. Across all attendees, there were thousands of views for the breakout sessions. Our sincere thanks go out to all of our talented industry experts who put so much effort into the Virtual Submerge lineup. The quality was above and beyond.
  • Solutions Center demos. Cofense Triage and Cofense Vision, two of our innovative solutions for detecting and removing phish when they bypass your secure email gateway (SEG), were the Solutions Center darlings. SEGs, we see once again, are nowhere near as reliable, or promptly patched, as they should be. The demand remains intense for fast and effective incident response, with near-immediate quarantine capability.
  • Registrations. We were blown away by the number and range of registrants. They came from around the world and across industries from healthcare, government and financial to hospitality, transportation, manufacturing and more. It seems everyone – from the cybersecurity leaders to the threat intelligence analysts, awareness experts and incident responders – has experienced the pain of dealing with a phish that makes it into their environment.

Be sure to join us tomorrow to hear the keynote fireside chat with Dmitri Alperovitch, co-founder and former CTO of Crowdstrike, and Aaron Higbee. The session will be followed by a product keynote from Keith Ibarguen, Cofense chief product officer.

If you weren’t able to join us today, or haven’t registered, it’s not too late. Register now to view the exclusive Cofense Submerge content while it’s still available.

We are excited to have you with us for this first-ever virtual Submerge event.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

sample phish uses a quote theme to deliver a pdf attachment with a link to azorult stealer

Phish Found in Proofpoint-Protected Environments – Week Ending September 13, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Attackers continue to find ways to hide their intentions from technical controls using encrypted attachments and malware hosted on trusted platforms.

sample phish uses a quote theme to deliver a pdf attachment with a link to azorult stealer

TYPE: Malware – AZORult Stealer

DESCRIPTION: This quotation-themed phish has all the pressure of a high stakes auction. It’s a lot of words – many of them impactful – in a short amount of space. Rather than raising their hand for an unintended bid, the recipient of this email clicked the Cofense Reporter button so our PDC could identify a malicious link in the attached PDF that led to the AZORult Stealer malware. Going once. Going twice. Gone!

sample phish uses a document theme to deliver a password-protected zip to install iced-id

TYPE: Malware – Iced-ID

DESCRIPTION: This phishing threat isn’t just cryptic, it’s encrypted! This response-themed attack delivers a password-protected .zip archive containing a macro-laden Microsoft Office document with a .hta downloader for Iced-ID. Opening this chilly attachment would have been a grave mistake.

sample phish uses an invoice-theme to deliver a malicious link leading to the wsh remote access trojan

TYPE: Malware – WSH Remote Access Trojan

DESCRIPTION: Many of us long for the days of unfettered travel and this email spoofs an aviation company with an invoice for a booked flight. It actually delivers a link to Google Drive that will download a VBS Loader to install the WSH Remote Access Trojan. Be careful what you wish for!

sample phish uses a response theme to deliver ursnif via embedded link on google docs

TYPE: Malware – Ursnif

DESCRIPTION: Skipping the friendly skies, there’s always the open road. And any decent road trip requires a sound insurance policy. This response-themed phish goes into considerable detail to convince the recipient to click the embedded links that will lead to a password-protected .zip archive containing VBS Droppers to run Ursnif. Our recipient appraised the offer and reported it to the security team.

sample phish uses a document theme to deliver a link to a credential harvesting site

TYPE: Credential Theft

DESCRIPTION: Un autre phish! Using a document theme, this simple attack uses Microsoft OneDrive links to host credential stealing web pages. Incroyable!

example phish with a bonus theme uses a .html attachment to install a reconnaissance tool

TYPE: Malware – Reconnaissance

DESCRIPTION: Just like the attackers, we’re throwing in this last phish as a bonus. A promise of money is often enough to lure a recipient into clicking. Had they opened the attached .html file, they would have been led to a macro-laden Microsoft Office document delivering a reconnaissance tool.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Spoofed Training Email from Phishing Simulator Company

By Max Gannon and Brad Haas, Cofense Intelligence

Cofense Intelligence has analyzed a security awareness training-themed campaign that spoofs a training reminder email from KnowBe4. Embedded links in the email direct victims to a credential phishing page targeting both Microsoft Outlook credentials and personal information. The phishing kit is hosted on compromised sites and has been used on at least 30 domains since mid-April 2020, as detailed below.

The emails used in this campaign attempt to pressure recipients into clicking the link by warning that the user only has one day left to complete a required training. They also discourage recipients from browsing directly to legitimate company training pages with the following statement: “Please note this training is not available on the employee training Portal. You need to use the link below to complete the training[.]”

Figure 1: Phishing email spoofing a KnowBe4 notification

The phishing kit used in this attack first collects Outlook credentials, then loads another page soliciting several pieces of personal information.

Figure 2: First page of the credential phishing kit

Figure 3: Second page of the credential phishing kit

As noted, the campaign’s credential phishing kit has been hosted on at least 30 other sites since mid-April 2020. The kits all used the same exfiltration methods and files as the spoofed KnowBe4 campaign, targeting Outlook credentials. Previous campaigns using this kit had a sexual harassment training theme rather than a security training theme. Those campaigns redirected to a legitimate page related to sexual harassment, shown in Figure 4, after the credentials requested in Figure 2 and Figure 3 were entered. The credential phishing kit linked in the spoofed KnowBe4 campaign has already been taken down, but it is very likely that the threat actors redirected from it to a security training-related page instead.

Figure 4: The credential phishing kit from previous campaigns redirected to this page

After additional analysis, we discovered that several of the compromised sites, many of which run WordPress, had recently been used to host a specific web shell, “CHips L MINI SHELL.” The shell has a relatively small feature set, allowing attackers to upload and edit files on a compromised site. It has already been removed from the sites in most instances. However, it was installed on some of them in a way that made it publicly visible, so cached Google search results show that it had been present, as shown in Figure 5.

Figure 5: Web shell on compromised site hosting the credential phishing kit

The indicator of compromise (IOC) table below includes the phishing kit URLs mentioned above.

Table 1: IOCs

Associated Credential Phishing URLs
hxxps://2014[.]digitree[.]co[.]kr/samhwa/lib/bid/login[.]php
hxxps://acertijos[.]com[.]ar/Blog/wp-includes/bid/login[.]php
hxxps://avellanoeuropeo[.]ufro[.]cl/wp-content/plugins/bid/login[.]php
hxxps://breckinridgecounty[.]net/[.]well-known/acme-challenge/bid/login[.]php
hxxps://docentes[.]uto[.]edu[.]bo/dmoyaa/wp-includes/bid/login[.]php
hxxps://g5lab[.]com/aspera/uploads/bid/login[.]php
hxxps://greenup[.]co[.]in/wp-includes/bid/login[.]php
hxxps://kikihalekararlari[.]com/assets/plugins/flot/bid/login[.]php
hxxps://mobiletradesman[.]co[.]uk/wp-admin/bid/login[.]php
hxxps://modoou[.]net/wp-content/bid/login[.]php
hxxps://msk[.]turbolider[.]ru/wp-includes/bid/login[.]php
hxxps://niceoldtownapartment[.]com/wp-content/plugins/fusion-core/tinymce/bid/login[.]php
hxxps://otorrinosensantafe[.]com[.]mx/[.]well-known/pki-validation/bid/login[.]php
hxxps://pandeyize[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://plazaempresarial[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://propertyask[.]com/[.]well-known/pki-validation/bid/login[.]php
hxxps://rashifal[.]com/img/bid/login[.]php
hxxps://rotularltda[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://skinnyontherunapp[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://somelit[.]org/wp-content/plugins/bid/login[.]php
hxxps://tcvsat[.]com/tcvsat-respnov19/wp-includes/IXR/bid/login[.]php
hxxps://thegsmshop[.]com/wp-includes/css/bid/login[.]php
hxxps://www[.]aajtaknews[.]in/wp-content/cache/all/bid/login[.]php
hxxps://www[.]auntynise[.]com/[.]well-known/acme-challenge/bid/login[.]php
hxxps://www[.]happychappybrands[.]com/wp-includes/bid/login[.]php
hxxps://www[.]healthfavour[.]com/wp-includes/css/bid/login[.]php
hxxps://www[.]mvoguesalon[.]com/bootstrap/cache/bid/login[.]php
hxxps://www[.]samicultura[.]com[.]br/includes/bid/login[.]php
hxxps://www[.]search4blog[.]com/wp-content/plugins/bid/login[.]php
hxxps://digitalprakhar[.]com/wp-content/uploads/2016/08/bid/login[.]php

Recommendations

Educating your workforce to identify these threats is key. Organizations can also stay on top of today’s dynamic threat landscape using Cofense Intelligence. Phishing causes nine out of ten data breaches. With Cofense Intelligence, you’ll get access to preemptive phishing alerts you can act on before you’re attacked.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Fryday – Phishing Finance

For many organizations, financial transactions are a quick, intricate dance of payments, receivables, and reporting. It’s high stakes and high pressure. Drop a phish into the midst of this environment and bad things can happen. To discuss the role of finance in an organization and how attackers target the processes and pressures to commit cyber theft are Cofense CFO Mel Wesley, Cofense Co-founder and CTO Aaron Higbee, and Cofense Security Solution Advisor Tonia Dudley.

Learn more:

Real Phishing Threat Examples

Cofense Submerge has gone Virtual

Questions or comments? Reach us at [email protected]

sample phish uses a document theme to deliver a linked image to an installer for nanocore remote access trojan

Phish Found in Proofpoint-Protected Environments – Week Ending September 6, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Phishing attackers like saving money as much as they like making money, and they’re continuing to leverage trusted cloud providers to host their kits cheaply.

sample phish uses a proposal theme to deliver links to a credential harvesting site

TYPE: Credential Theft

DESCRIPTION: This RFP is Ripe For Phishing, with an attack chain that starts with embedded Microsoft OneDrive links leading to a Googleapis domain designed to perform credential harvesting. Request For Password, anyone?

sample phish uses quote theme to deliver a linked image that leads to an install of agent tesla keylogger

TYPE: Malware – Agent Tesla

DESCRIPTION: Another phish that uses those oh-so-trustworthy Microsoft OneDrive links. These links lead to a .iso file that Microsoft Windows will dutifully mount to deliver the Agent Tesla keylogger. Cofense has examined the use of .iso files in phishing attacks before.

sample phish uses a document theme to deliver a linked image to an installer for nanocore remote access trojan

TYPE: Malware – NanoCore RAT

DESCRIPTION: They say third time’s a charm. This phish is less than charming as it too uses Microsoft OneDrive links behind a finance-themed image to deliver a .ace archive containing the NanoCore Remote Access Trojan. If this had been a simulation, our well-trained human would have aced the test.

sample phish uses wetransfer to deliver links to a credential harvesting site

TYPE: Credential Theft

DESCRIPTION: Would you believe that a phishing attack could spoof a popular file transfer service and yet deliver Microsoft OneDrive links? Well, seeing is believing as this attack links to hosted .htm files that harvest email login credentials.

sample phish with a finance theme delivers a linked image to the pyrogenic stealer malware

TYPE: Malware – Pyrogenic Stealer

DESCRIPTION: Are you ready for a change? This phish uses an image of a PDF document to hide a link to a Pyrogenic Stealer download. I bet you thought I was going to mention Microsoft OneDrive?

sample phish uses invoice theme to deliver a linked image to a credential harvesting site

TYPE: Credential Theft

DESCRIPTION: Here’s another example of a PDF image being used to mask a link to something bad. In this case, the recipient will be taken to a credential harvesting site.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.