Cofense Uniting Humanity Against Phishing at 2020 RSA Conference

LEESBURG, Va. – February 6, 2020 – Cofense, the global leader in intelligent phishing defense solutions, today announced the company’s presence at RSA Conference 2020, taking place February 24-28 in San Francisco. This year’s RSAC theme will focus on the most powerful asset in protecting against cyberattacks – the “Human Element”, the beating heart of Cofense’s mission. As threat actors continuously innovate to slip past technologies put into place to protect both organizations and consumers alike, the security community is increasingly aware that artificial intelligence and machine learning alone are not silver bullets to protect against today’s emerging and sophisticated attacks; empowering humans to act as the last line of defense is critical for a truly multi-layered and integrated cyber defense posture.

“Phishing is a uniquely human and global problem, and our long-standing stated purpose is to unite humanity against phishing,” said Rohyt Belani, chief executive officer and co-founder, Cofense. “Our 21 million plus end users act as human sensors, reporting thousands of suspicious emails to security operations teams daily. The collective human intelligence of the Cofense customer base provides SOC teams with visibility into threats that evade security controls every single day.”

To shed light on how humans are integral to organizational defense, Cofense Security Solutions Advisor, Tonia Dudley, will present an interactive workshop as part of RSA’s Learning Labs. Dudley’s session, “Hearts and Minds: Shaping a Successful Awareness Program”, will take place on Wednesday, Feb. 26 at 9:20 a.m. PT, addressing why changing humans is more art than science. The workshop will explore the psychological challenges we all face – apathy, fatigue and denial – as well as the inherent benefits of human physiology, such as how our brain chemistry responds to stories. Beyond advocating for phishing defense and demonstrating how Cofense solutions help organizations across the globe minimize the impact of attacks and reduce costs, Dudley also holds a seat on the National Cybersecurity Society board, which provides support and resources to help the small business community improve online safety and security.

RSA Conference attendees can learn more about Cofense by visiting the company’s two booths, located in the South Expo hall at booth #1235, and the North Expo hall at booth #4436. During expo hall hours, Cofense will have six live demo stations where visitors can interact with technology experts and see Cofense’s market-leading intelligent phishing defense solutions, including:

Cofense Vision®

  • Equips SOC teams with the tools they need to find and remove the phishing threats sitting unreported in recipients’ mailboxes, providing remediation in minutes rather than hours or days
  • Provides a privacy-first phish threat hunting platform that supports an organization’s compliance needs without sacrificing search performance
  • *NEW* Auto-quarantine: When combined with Cofense Triage®, enables organizations to auto-quarantine any new email threats received that match a previous Cofense Vision search, reducing analyst overhead and risk exposure

Cofense Triage

  • Leverages a large library of powerful rules, driven by human intelligence, to cut through the noise of suspicious email reports and focus analyst attention on the threats that matter
  • Accelerates phishing qualification, investigation and response by automating standard responses to suspicious emails to make analysts more efficient, driving actionable intelligence faster
  • Provides a full-featured API to integrate with SIEM, SOAR, and other enterprise systems to maximize an organization’s security investment and reduce response time and analyst effort in finding and remediating phishing threats

Cofense Intelligence®

  • Using a global, proprietary network of sensors and sources, provides unrivalled insights into the rapidly evolving threat landscape, including tools, techniques and procedures that are not only observed in the wild, but verified to bypass existing enterprise security controls such as Secure Email Gateways (SEGs)
  • Delivers actionable intelligence that supports organizational defense initiatives

Cofense PhishMe®

  • Educates enterprise end users on the real attacks facing organizations – including those that evade SEGs – transforming them into the last line of active defense against cyber attacks
  • Responsive Delivery: Improves user engagement and optimizes simulation program effectiveness for enterprises of all sizes by delivering email simulations only when the recipient is active in their inbox, eliminating whitelisting and global scheduling issues and reducing false positives caused by changes in email security tools
  • *NEW* Recipient Sync
    • Automates provisioning, updates and deprovisioning of Cofense PhishMe recipients from Azure AD using standards-based SCIM 2.0, without the need for an additional tool
    • Allows operators to fully control which information gets shared and synced

In addition, booth visitors can enjoy giveaways and daily activities at the South Expo Hall Booth #1235, allowing them to:

  • Unwind after a long day at happy hour on Tuesday from 4 – 6 p.m.
  • Cool down with ice cream and meet Cofense experts on Wednesday from 2 – 4 p.m.
  • Fuel up on the final day with espressos and cappuccinos on Thursday from 10 a.m. – 3 p.m.

###

About Cofense
Cofense, formerly PhishMe, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines phishing awareness training and timely attack intelligence sourced from employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. For more information, please visit www.cofense.com.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos included in this press release are registered trademarks or trademarks of Cofense Inc. All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Media Contact
press@cofense.com

Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications

By Marcel Feller

The Cofense Phishing Defense Center uncovered a phishing campaign that specifically targets users of Android devices and can result in compromise if unsigned Android applications are permitted on the device.

The campaign seeks to deliver Anubis, a particularly nasty piece of malware that was originally used for cyber espionage and retooled as a banking trojan. Anubis can completely hijack an Android mobile device, steal data, record phone calls, and even hold the device to ransom by encrypting the victim’s personal files. With mobile devices increasingly used in the corporate environment, thanks to the popularity of BYOD policies, this malware has the potential to cause serious harm, mostly to consumers, and businesses that allow the installation of unsigned applications.

Here’s how it works:

At first glance, the email shown in Figure 1 looks like any other phishing email that asks the user to download an invoice. However, this particular email downloads an Android Package Kit (APK), which is the common format used by Android to distribute and install applications. Let’s take a closer look at the suspicious file.

Figure 1 – Phishing Email

When the email link is opened from an Android device, an APK file (Fattura002873.apk) is downloaded. Upon opening the file, the user is asked to enable “Google Play Protect” as shown in Figure 2. However, this is not a genuine “Google Play Protect” screen; instead it grants the app all the permissions it needs while simultaneously disabling the actual Google Play Protect.
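The lure above delivers an APK under an invoice-style file name. An attachment or download filter that keys only on the .apk extension is easy to sidestep by renaming, so the check below, which is an added example and not code from the Cofense post, identifies an Android package by its content: a ZIP archive carrying AndroidManifest.xml and at least one classes.dex entry. All attachments it runs over are constructed in memory; the "APK" is a stand-in ZIP with those entry names and dummy bytes, not a real application.

```python
# Added example (not from the Cofense post): flag Android packages (APKs)
# among e-mail attachments by inspecting their content rather than trusting
# the file name. An APK is a ZIP archive that carries AndroidManifest.xml
# and at least one classes.dex. The attachments below are constructed.
import io
import zipfile

# ZIP local-file-header magic; every APK starts this way.
ZIP_MAGIC = b"PK\x03\x04"


def build_fake_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with the entries every real
    APK carries. The contents are dummy bytes, not real Android code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<dummy binary manifest>")
        zf.writestr("classes.dex", b"dex\n035\x00<dummy>")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def looks_like_apk(data: bytes) -> bool:
    """True when the bytes are a readable ZIP containing the entries that
    identify an Android package, whatever the advertised file name."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    has_manifest = "AndroidManifest.xml" in names
    has_dex = any(n.startswith("classes") and n.endswith(".dex") for n in names)
    return has_manifest and has_dex


def triage_attachments(attachments):
    """Return (file_name, reason) for each attachment a mail filter should
    hold: APK content under any name, and the .apk extension even when the
    content check fails (a truncated download still signals intent)."""
    flagged = []
    for name, data in attachments:
        if looks_like_apk(data):
            flagged.append((name, "APK content"))
        elif name.lower().endswith(".apk"):
            flagged.append((name, ".apk extension"))
    return flagged


def sample_attachments():
    """Constructed sample mailbox: the lure's file name, the same package
    renamed to look like a PDF, a benign ZIP, a real PDF header, and a
    corrupt file that only has the .apk name."""
    apk = build_fake_apk()
    benign_zip = io.BytesIO()
    with zipfile.ZipFile(benign_zip, "w") as zf:
        zf.writestr("report.txt", b"quarterly numbers")
    return [
        ("Fattura002873.apk", apk),
        ("Fattura002873.pdf", apk),
        ("archive.zip", benign_zip.getvalue()),
        ("invoice.pdf", b"%PDF-1.4\n..."),
        ("broken.apk", b"PK\x03\x04garbage"),
    ]


if __name__ == "__main__":
    for name, reason in triage_attachments(sample_attachments()):
        print(f"HOLD {name}: {reason}")
```

The renamed copy ("Fattura002873.pdf") is caught by the content check, the ordinary ZIP and the PDF pass, and the corrupt .apk is still held on the strength of its name. On a real gateway the same logic would apply to URL downloads as well as attachments, since the post's lure used a link rather than an attachment.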

Figure 2 – Granting Permissions

The following permissions are granted to the app:

Figure 3 – Permissions Granted to App

A closer look at the code reveals the application gathers a list of installed applications to compare the results against a list of targeted applications (Figure 4). The malware mainly targets banking and financial applications, but also looks for popular shopping apps such as eBay or Amazon. A full list of targeted applications is included in the IOC section at the end of this post. Once an application has been identified, Anubis overlays the original application with a fake login page to capture the user’s credentials.

Figure 4 – Checking for installed apps

Based on a thorough analysis of the code, the most interesting technical capabilities include:

  • Capturing screenshots
  • Enabling or changing administration settings
  • Opening and visiting any URL
  • Disabling Play Protect
  • Recording audio
  • Making phone calls
  • Stealing the contact list
  • Controlling the device via VNC
  • Sending, receiving and deleting SMS
  • Locking the device
  • Encrypting files on the device and external drives
  • Searching for files
  • Retrieving the GPS location
  • Capturing remote control commands from Twitter and Telegram
  • Pushing overlays
  • Reading the device ID

The malware includes a keylogger that works in every app installed on the Android device. However, the keylogger needs to be specifically enabled by a command sent from the C2 server. The keylogger can track three different events (Figure 5):

  • TYPE_VIEW_CLICKED – Represents the event of clicking on a View, such as a Button or CompoundButton
  • TYPE_VIEW_FOCUSED – Represents the event of setting input focus on a View
  • TYPE_VIEW_TEXT_CHANGED – Represents the event of changing the text of an EditText

Figure 5 – Keylogger component

Figure 6 shows one of the most noteworthy functions of Anubis: its ransomware module. The malware searches both internal and external storage for files and encrypts them using RC4. It appends the file extension .AnubisCrypt to each encrypted file and sends it to the C2.

Figure 6 – Ransomware component

Anubis has been known to utilize Twitter or Telegram to retrieve the C2 address and this sample is no exception (Figure 7).

Figure 7 – C2

As seen in Figure 8, this version of Anubis is built to run on several iterations of the Android operating system, dating back to version 4.0.3, which was released in 2012.

Figure 8 – Android requirements

Android malware has been around for many years and will be with us for the foreseeable future. Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the greatest risk of compromise. APK files do not natively open on anything other than an Android device. With the increased use of Android phones in business environments, it is important to defend against these threats by ensuring devices are kept current with the latest updates. Limiting app installations on corporate devices, and ensuring that applications come from trusted developers on official marketplaces, can help reduce the risk of infection as well.

Indicators of Compromise

File Name: Fattura002873.apk

MD5: c027ec0f9855529877bc0d57453c5e86

SHA256: c38c675a4342052a18e969e839cce797fef842b9d53032882966a3731ced0a70

File Size: 575,236 bytes (561K)

hXXp://g28zjbmuc[.]pathareshubhmangalkaryalay[.]com
hXXp://73mw001b0[.]pragatienterprises[.]in[.]net/
hXXp://hrlny7si9[.]pathareshubhmangalkaryalay[.]com/
hXXp://w0puz47[.]arozasehijos[.]cl/
hXXp://hovermop[.]com/Fattura002873[.]apk
hXXps://twitter[.]com/qweqweqwe
hXXp://ktosdelaetskrintotpidor[.]com
hXXp://sositehuypidarasi[.]com
hXXp://cdnjs[.]su/fafa[.]php?f=
hXXp://cdnjs[.]su/o1o/a1[.]php
hXXp://cdnjs[.]su/o1o/a10[.]php
hXXp://cdnjs[.]su/o1o/a11[.]php
hXXp://cdnjs[.]su/o1o/a12[.]php
hXXp://cdnjs[.]su/o1o/a13[.]php
hXXp://cdnjs[.]su/o1o/a14[.]php
hXXp://cdnjs[.]su/o1o/a15[.]php
hXXp://cdnjs[.]su/o1o/a16[.]php
hXXp://cdnjs[.]su/o1o/a2[.]php
hXXp://cdnjs[.]su/o1o/a3[.]php
hXXp://cdnjs[.]su/o1o/a4[.]php
hXXp://cdnjs[.]su/o1o/a5[.]php
hXXp://cdnjs[.]su/o1o/a6[.]php
hXXp://cdnjs[.]su/o1o/a7[.]php
hXXp://cdnjs[.]su/o1o/a8[.]php
hXXp://cdnjs[.]su/o1o/a9[.]php

at.spardat.bcrmobile
at.spardat.netbanking
com.bankaustria.android.olb
com.bmo.mobile
com.cibc.android.mobi
com.rbc.mobile.android
com.scotiabank.mobile
com.td
cz.airbank.android
eu.inmite.prj.kb.mobilbank
com.bankinter.launcher
com.kutxabank.android
com.rsi
com.tecnocom.cajalaboral
es.bancopopular.nbmpopular
es.evobanco.bancamovil
es.lacaixa.mobile.android.newwapicon
com.dbs.hk.dbsmbanking
com.FubonMobileClient
com.hangseng.rbmobile
com.MobileTreeApp
com.mtel.androidbea
com.scb.breezebanking.hk
hk.com.hsbc.hsbchkmobilebanking
com.aff.otpdirekt
com.ideomobile.hapoalim
com.infrasofttech.indianBank
com.mobikwik_new
com.oxigen.oxigenwallet
jp.co.aeonbank.android.passbook
jp.co.netbk
jp.co.rakuten_bank.rakutenbank
jp.co.sevenbank.AppPassbook
jp.co.smbc.direct
jp.mufg.bk.applisp.app
com.barclays.ke.mobile.android.ui
nz.co.anz.android.mobilebanking
nz.co.asb.asbmobile
nz.co.bnz.droidbanking
nz.co.kiwibank.mobile
com.getingroup.mobilebanking
eu.eleader.mobilebanking.pekao.firm
eu.eleader.mobilebanking.raiffeisen
pl.bzwbk.bzwbk24
pl.ipko.mobile
pl.mbank
alior.bankingapp.android
com.comarch.mobile.banking.bgzbnpparibas.biznes
com.comarch.security.mobilebanking
com.empik.empikapp
com.finanteq.finance.ca
com.orangefinansek
eu.eleader.mobilebanking.invest
pl.aliorbank.aib
pl.allegro
pl.bosbank.mobile
pl.bph
pl.bps.bankowoscmobilna
pl.bzwbk.ibiznes24
pl.bzwbk.mobile.tab.bzwbk24
pl.ceneo
pl.com.rossmann.centauros
pl.fmbank.smart
pl.ideabank.mobilebanking
pl.ing.mojeing
pl.millennium.corpApp
pl.orange.mojeorange
pl.pkobp.iko
pl.pkobp.ipkobiznes
com.kuveytturk.mobil
com.magiclick.odeabank
com.mobillium.papara
com.pozitron.albarakaturk
com.teb
com.tmob.denizbank
com.vakifbank.mobilel
tr.com.sekerbilisim.mbank
wit.android.bcpBankingApp.millenniumPL
com.advantage.RaiffeisenBank
hr.asseco.android.jimba.mUCI.ro
may.maybank.android
ro.btrl.mobile
com.amazon.mShop.android.shopping
ru.sberbankmobile
ru.alfabank.mobile.android
ru.mw
com.idamob.tinkoff.android
com.ebay.mobile
ru.vtb24.mobilebanking.android
com.akbank.android.apps.akbank_direkt
com.ykb.android
com.softtech.iscek
com.finansbank.mobile.cepsube
com.garanti.cepsubesi
com.tmobtech.halkbank
com.ziraat.ziraatmobil
de.comdirect.android
de.commerzbanking.mobil
de.consorsbank
com.db.mm.deutschebank
de.dkb.portalapp
com.ing.diba.mbbr2
de.postbank.finanzassistent
mobile.santander.de
de.fiducia.smartphone.android.banking.vr
fr.creditagricole.androidapp
fr.axa.monaxa
fr.banquepopulaire.cyberplus
net.bnpparibas.mescomptes
com.boursorama.android.clients
com.caisseepargne.android.mobilebanking
fr.lcl.android.customerarea
com.paypal.android.p2pmobile
com.konylabs.capitalone
com.chase.sig.android
com.infonow.bofa
com.wf.wellsfargomobile
uk.co.bankofscotland.businessbank
com.rbs.mobile.android.natwestoffshore
uk.co.santander.santanderUK
com.usbank.mobilebanking
com.usaa.mobile.android.usaa
com.suntrust.mobilebanking
com.moneybookers.skrillpayments.neteller
com.clairmail.fth
com.ifs.banking.fiid4202
com.rbs.mobile.android.ubr
com.htsu.hsbcpersonalbanking
com.grppl.android.shell.halifax
com.grppl.android.shell.CMBlloydsTSB73
com.barclays.android.barclaysmobilebanking
sk.sporoapps.accounts
com.cleverlance.csas.servis24
com.unionbank.ecommerce.mobile.android
com.ing.mobile
com.snapwork.hdfc
com.sbi.SBIFreedomPlus
hdfcbank.hdfcquickbank
com.csam.icici.bank.imobile
in.co.bankofbaroda.mpassbook
com.axis.mobile
cz.csob.smartbanking
cz.sberbankcz
org.westpac.bank
nz.co.westpac
au.com.suncorp.SuncorpBank
org.stgeorge.bank
org.banksa.bank
au.com.newcastlepermanent
au.com.nab.mobile
au.com.mebank.banking
au.com.ingdirect.android
com.imb.banking2
com.commbank.netbank
com.citibank.mobile.au
com.fusion.ATMLocator
org.bom.bank
au.com.cua.mb
com.anz.android.gomoney
com.bendigobank.mobile
com.bbva.bbvacontigo
com.bbva.netcash
au.com.bankwest.mobile
com.cm_prod.bad
mobi.societegenerale.mobile.lappli
at.bawag.mbanking
com.pozitron.iscep
com.bankofqueensland.boq
com.starfinanz.smob.android.sfinanzstatus
fr.laposte.lapostemobile
com.starfinanz.smob.android.sbanking
at.easybank.mbanking
com.palatine.android.mobilebanking.prod
at.volksbank.volksbankmobile
com.isis_papyrus.raiffeisen_pay_eyewdg
es.cm.android
com.jiffyondemand.user
com.latuabancaperandroid
com.latuabanca_tabperandroid
com.lynxspa.bancopopolare
com.unicredit
it.bnl.apps.banking
it.bnl.apps.enterprise.bnlpay
it.bpc.proconl.mbplus
it.copergmps.rt.pf.android.sp.bmps
it.gruppocariparma.nowbanking
it.ingdirect.app
it.nogood.container
it.popso.SCRIGNOapp
posteitaliane.posteapp.apppostepay
com.abnamro.nl.mobile.payments
com.triodos.bankingnl
nl.asnbank.asnbankieren
nl.snsbank.mobielbetalen
com.btcturk
com.ingbanktr.ingmobil
finansbank.enpara
tr.com.hsbc.hsbcturkey
com.att.myWireless
com.vzw.hss.myverizon
aib.ibank.android
com.bbnt
com.csg.cs.dnmbs
com.discoverfinancial.mobile
com.eastwest.mobile
com.fi6256.godough
com.fi6543.godough
com.fi6665.godough
com.fi9228.godough
com.fi9908.godough
com.ifs.banking.fiid1369
com.ifs.mobilebanking.fiid3919
com.jackhenry.rockvillebankct
com.jackhenry.washingtontrustbankwa
com.jpm.sig.android
com.sterling.onepay
com.svb.mobilebanking
org.usemployees.mobile
pinacleMobileiPhoneApp.android
com.fuib.android.spot.online
com.ukrsibbank.client.android
ru.alfabank.mobile.ua.android
ua.aval.dbo.client.android
ua.com.cs.ifobs.mobile.android.otp
ua.com.cs.ifobs.mobile.android.pivd
ua.oschadbank.online
ua.privatbank.ap24
com.Plus500
eu.unicreditgroup.hvbapptan
com.targo_prod.bad
com.db.pwcc.dbmobile
com.db.mm.norisbank
com.bitmarket.trader
com.plunien.poloniex
com.mycelium.wallet
com.bitfinex.bfxapp
com.binance.dev
com.binance.odapplications
com.blockfolio.blockfolio
com.crypter.cryptocyrrency
io.getdelta.android
com.edsoftapps.mycoinsvalue
com.coin.profit
com.mal.saul.coinmarketcap
com.tnx.apps.coinportfolio
com.coinbase.android
de.schildbach.wallet
piuk.blockchain.android
info.blockchain.merchant
com.jackpf.blockchainsearch
com.unocoin.unocoinwallet
com.unocoin.unocoinmerchantPoS
com.thunkable.android.santoshmehta364.UNOCOIN_LIVE
wos.com.zebpay
com.localbitcoinsmbapp
com.thunkable.android.manirana54.LocalBitCoins
com.localbitcoins.exchange
com.coins.bit.local
com.coins.ful.bit
com.jamalabbasii1998.localbitcoin
zebpay.Application
com.bitcoin.ss.zebpayindia
com.kryptokit.jaxx
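The indicators above are defanged (hXXp, [.]) so they cannot be clicked by accident, which means they have to be normalised before they can be matched against logs. The script below is an added example, not Cofense's code: it refangs an excerpt of the listed URLs, matches their hosts against constructed proxy log lines, matches the listed MD5/SHA256 values against a constructed hash export, and applies the same installed-apps comparison the post describes in the "checking for installed apps" step from the defender's side, to see which devices carry an application Anubis is known to overlay. Indicator values are copied from the post; the log lines, hash export and device inventory are constructed samples.

```python
# Added example (not Cofense's code): turn the defanged indicators in the
# IoC section into a small matcher and run it over constructed log data.
import re
from urllib.parse import urlsplit

# Excerpt of the defanged network indicators listed in the post.
DEFANGED_URLS = [
    "hXXp://hovermop[.]com/Fattura002873[.]apk",
    "hXXp://cdnjs[.]su/o1o/a1[.]php",
    "hXXps://twitter[.]com/qweqweqwe",
    "hXXp://w0puz47[.]arozasehijos[.]cl/",
]

# File hashes from the post's IoC section (lower-cased for comparison).
IOC_HASHES = {
    "c027ec0f9855529877bc0d57453c5e86",                                   # MD5
    "c38c675a4342052a18e969e839cce797fef842b9d53032882966a3731ced0a70",   # SHA256
}

# Excerpt of the package names Anubis compares against the installed apps.
TARGET_PACKAGES = {
    "com.paypal.android.p2pmobile",
    "com.ebay.mobile",
    "com.amazon.mShop.android.shopping",
    "com.chase.sig.android",
    "de.schildbach.wallet",
}


def refang(indicator: str) -> str:
    """Reverse the hXXp / [.] defanging used in the IoC list."""
    s = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return s.replace("[.]", ".")


def ioc_hosts(defanged_urls) -> set:
    """Lower-cased host names extracted from the refanged indicator URLs."""
    return {urlsplit(refang(u)).hostname for u in defanged_urls}


HOSTS = ioc_hosts(DEFANGED_URLS)

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
PROXY_LOG = """\
2020-02-03T09:12:41Z 10.0.0.21 GET http://hovermop.com/Fattura002873.apk 200
2020-02-03T09:15:02Z 10.0.0.21 POST http://cdnjs.su/o1o/a1.php 200
2020-02-03T09:15:10Z 10.0.0.33 GET https://www.example.org/index.html 200
2020-02-03T09:20:55Z 10.0.0.21 GET https://twitter.com/qweqweqwe 200
"""


def match_proxy_log(log_text: str, hosts=HOSTS):
    """Return (client, host) pairs whose requested host is an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        host = urlsplit(parts[3]).hostname
        if host and host.lower() in hosts:
            hits.append((parts[1], host.lower()))
    return hits


def match_hashes(observed, iocs=IOC_HASHES):
    """Hash values (any letter case) that appear in the indicator set."""
    return sorted(h.lower() for h in observed if h.lower() in iocs)


def exposed_packages(installed, targets=TARGET_PACKAGES):
    """Installed packages that Anubis is known to overlay, for prioritising
    which devices to examine after a hit on the network or file indicators."""
    return sorted(set(installed) & targets)


# Constructed hash export and device package inventory.
OBSERVED_HASHES = [
    "C38C675A4342052A18E969E839CCE797FEF842B9D53032882966A3731CED0A70",
    "d41d8cd98f00b204e9800998ecf8427e",
]
DEVICE_PACKAGES = [
    "com.android.chrome",
    "com.paypal.android.p2pmobile",
    "com.ebay.mobile",
    "com.example.notes",
]

if __name__ == "__main__":
    print("proxy hits:", match_proxy_log(PROXY_LOG))
    print("hash hits:", match_hashes(OBSERVED_HASHES))
    print("targeted apps on device:", exposed_packages(DEVICE_PACKAGES))
```

Matching on the host rather than the full URL is deliberate: the cdnjs[.]su indicators differ only in the PHP file name, so a host match catches any of them, and the twitter[.]com entry is a specific account the malware uses for C2 lookup, so a hit on that host should be combined with the path before it is treated as a confirmed indicator.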

HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads found in protected email environments. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter. Cofense PhishMe offers a simulation template, “Electricity Bill Invoice – Anubis – Italian,” to educate users on the phishing tactic described in this blog.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 33675 and the YARA Rule PM_Intel_Anubis_33675.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Emotet Gears Up to File (Your) Taxes

By Tonia Dudley, Cofense Security Solutions

What’s the first form you need to file in order to collect US taxes? Why a W-9 of course! So, what have we been seeing from Emotet as it gears up for filing taxes on your behalf? A W-9 phish of course!

As with any other trend we’ve seen from this threat actor, the email messages are not sophisticated – in fact, these are quite basic. We are seeing both an attachment (figure 1) and a simple link (figure 2) to download this document. And look, the attachment (figure 3) isn’t anything fancy either. While this tax season is just getting started, with many tax filing forms due to taxpayers last week, by Jan 31st, we anticipate that these campaigns will evolve and improve as we move towards the annual filing date of April 15th.

Figure 1 – Emotet using W9 attachment

Figure 2 – Emotet with URL link to attachment

Figure 3 – Emotet W9 Attachment

FYI, this week has been declared Tax Identity Theft Awareness Week by the Federal Trade Commission (FTC). It’s a great time of the year to remind your organization, friends, and family to be vigilant in protecting their tax forms. Below are some tips from the FTC to better protect your identity during this tax season:

  • Protect your SSN throughout the year. Don’t give it out unless there’s a good reason and you’re sure who you’re giving it to.
  • File your tax return as early in the tax season as you can.
  • Use a secure internet connection if you file electronically, or mail your tax return directly from the post office.
  • Research a tax preparer thoroughly before you hand over personal information.
  • Check your credit report at least once a year for free at annualcreditreport.com. Make sure no one has opened a new account in your name.


HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.


Phish Fryday – Ransomware Trends

2019 saw an increase in ransomware attacks against public organizations, as we witnessed numerous headlines reporting outages and ransom demands. With ransom payments being made, should we expect to see these attacks increase? In this episode we speak with Cofense Cyber Threat Intelligence Analyst Aaron Riley about phishing prevention, what we saw, and what we should be planning for in the coming year.

For more information on topics mentioned in this episode, please visit:

EMSISoft State of Ransomware Report

Cofense – Ransomware in 2020

Questions or comments? Reach us at phishfryday@cofense.com

Phish Fryday – URL Scanners as Part of Phishing Defense

URL Scanners are a great way to investigate potentially malicious websites in a low-risk way. Attackers, however, are adapting to these tools to escape detection and keep the pressure on defenders. In this episode, we speak with Cofense Security Consultant Chris Hall to discuss the usefulness of these scanners, how attackers are adapting, and what these scanner services may need to do to stay useful as phishing prevention tools.

For more information on topics mentioned in this episode, please visit:

Are URL Scanning Services Accurate for Phishing Analysis?

VirusTotal

URLScan.io

REMnux

Questions or comments? Reach us at phishfryday@cofense.com

Hot Off the Press: Cofense Q4 2019 Malware Trends Report

By Alan Rainer

The fourth quarter of 2019 showed a strong start but a dull finish, as the world eased into the holiday season. Following the resurgence of Emotet at the end of Q3 2019, Q4 witnessed an even higher degree of phishing from the Trojan and its botnet. Read all about it, alongside other malware trends and campaigns, in the Cofense Intelligence Q4 2019 Malware Trends Report.

Continuing from Q3, Emotet picked up momentum in distributing malicious emails. From email reply chain compromises to crafty phishing templates with macro-laden documents, user inboxes found no solace. Emotet delivered financial invoices, “invites” to a Christmas party, and other phish baits to trick recipients into infecting their systems. Other malware families were not as prolific, decreasing in volume as the quarter went on.

The new year, however, is likely to hold greater wickedness. On the malware front, Windows 7’s End of Life will probably lead to the creation of new malware, and targeted ransomware can be expected to continue growing. 2020’s election season may bring about more phishing, while geopolitical events can result in more cyber threats. And to round it off, Emotet will keep on churning.

Figure 1: Varenyky Spambot Phishing Email Sample

Our Q4 report outlines key trends, statistics, breakdowns of specific campaigns, and insights on what to expect in Q1 2020 and beyond, all of which you can use to defend your organization. Cofense Intelligence provides phishing campaign updates throughout the year, which includes comprehensive threat reports and bi-weekly trend digests.

View the Q4 2019 Malware Trends Report at: https://go.cofense.com/malware-trends-2019-q4/


Cofense Helps 2020 Presidential Candidates Secure Their Campaigns from Pervasive Phishing Attacks

Leesburg, Va. – Jan. 23, 2020 – Cofense, the global leader in intelligent phishing defense solutions, today announced its partnership with Defending Digital Campaigns (DDC), a nonprofit and nonpartisan organization committed to bringing cybersecurity tools and resources to federal election campaigns. Under the new partnership, DDC qualified campaigns can leverage Cofense’s experience, expertise and managed phishing defense service to strengthen their resilience against email-based cyberattacks during the 2020 election cycle.

“There is not a single anti-phishing technology on the market that will stop phishing emails from hitting campaigners’ inboxes,” said Aaron Higbee, chief technology officer and co-founder, Cofense. “No candidate wants to relive the successful phishing attacks that have plagued elections across the globe these past several years. Every day, we find hundreds of malicious threats in supposedly ‘protected’ email environments. Our methods have prevented sophisticated APT29 email phishing attacks that make the Podesta phish look childish. As most attacks target specific individuals, it’s critical campaign managers prepare their teams to react quickly to what is about to come. We’re proud to partner with the DDC to provide candidates and campaign workers the support they need to better defend against malicious actors.”

“Protecting campaigns from cybersecurity threats is essential to our democratic process, and Cofense understands the critical importance this plays,” said Michael Kaiser, DDC President and CEO. “We are excited to partner with Cofense, who pioneered phishing defense, so campaigns can more quickly and easily implement better cybersecurity practices.”

Cofense’s new managed Election Phishing Defense Service is now available to eligible campaigns, under a special permission granted to DDC by the Federal Election Commission. It bolsters their phishing resilience in a single, managed service at minimal cost, allowing them to stay focused on what they do best – campaigning:

  • Phishing simulation training to prepare staff to identify and report phishing incidents
  • Cofense Reporter, a one-click embedded email button, to enable staff to quickly report suspicious messages
  • Phishing analysis provided by Cofense to quickly identify and mitigate a phishing incident

Additionally, Cofense has launched an educational site that will be updated with resources such as threat intelligence, best practices, and expert perspectives. To learn more, visit: https://cofense.com/election-security/

###

About Cofense

Cofense™, formerly PhishMe®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.


About Defending Digital Campaigns

Defending Digital Campaigns (DDC), a 501(c)(4), is a nonpartisan and non-aligned organization focused on increasing campaign cybersecurity by making available free and low-cost cybersecurity products. DDC operates under a Federal Election Commission administrative opinion allowing for the provision of in-kind cybersecurity services to eligible campaigns.

DDC was founded and is led by former presidential campaign managers for Hillary Clinton and Mitt Romney, tech and cybersecurity industry leaders, and former senior officials at the NSA and DHS.


Media Contact

press@cofense.com

Cofense to Host Third Annual Phishing Defence and User Conference in London

LONDON, United Kingdom – 22 January, 2020 – Cofense, the global leader in intelligent phishing defence solutions, today announced registration is open for Submerge London, its international user conference and phishing defence summit. Taking place at the Hilton Canary Wharf from 5-6 May 2020, Submerge London is Europe’s premier event for phishing defence and incident response, providing two full days of technical and educational sessions led by industry leaders and security experts.

The third annual conference promises even deeper hands-on content than before, including more than 20 sessions covering the latest phishing defence strategies and tactics, case studies presented by leading industry professionals, and ample networking opportunities with peers from across the world. As in previous years, there will also be a wealth of speaker tracks over the two days, truly submerging attendees in the latest anti-phishing best practices and showing how they can unlock the power of collective human intelligence to defend against advanced cyber threats.

Those interested in sharing their knowledge and expertise at the event can submit a presentation abstract for consideration through the Call for Speakers submission form, focusing on one of four topics: Innovation in Phishing Awareness; Aligning Phishing Defence to the Business; Phishing Incident Response; or the Phishing Threat Landscape.

“The email security threat landscape is constantly evolving with attackers innovating their way past security controls on a daily basis,” said Rohyt Belani, chief executive officer and co-founder, Cofense. “That’s why it’s important cybersecurity professionals stay ahead of the latest attack vectors and be prepared for threats heading their way. With a 95% recommendation rate from previous attendees, we’re thrilled to bring organizations, partners and industry leaders the tools and knowledge they need to ramp up their phishing defence programs.”

Submerge London 2020 is open to existing Cofense customers and non-customers alike. The event is ideally suited to cybersecurity professionals, operators and decision makers who focus on email security and phishing defence. Early bird registration discounts for Submerge London 2020 are available until 1 March, with tickets priced at £49, half the regular rate. Those interested in attending can register here and find further information on the event and venue.

About Cofense

Cofense™, formerly PhishMe®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in the defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.


Media Contact

press@cofense.com

Ransomware in 2020: Not Just More, But Different

By Aaron Riley, Cofense Intelligence

Cofense Intelligence™ assesses that enterprise-targeted ransomware campaigns will most likely increase in 2020, based on attack and ransom payment trends over the last six months. In the latter half of 2019, ransomware campaigns increasingly targeted public organizations. These attacks frequently crippled an impacted organization's ability to operate and provide services and, in some cases, also resulted in a data breach.

Notably, victims are opting to pay the ransom more often. The combined cost of data recovery, reputation repair and business disruption often outweighs the payment itself. Further, victims with cyber insurance are paying on their insurer's recommendation, often with the insurer covering a large share of the cost. With enterprise ransomware campaigns becoming more lucrative for their operators, Cofense Intelligence predicts a surge this year.

In the second half of 2019, ransomware campaigns targeted a range of organization types, including schools, governments and hospitals. Most of the victims provide public services that were disrupted or severely damaged. The Flagstaff, Arizona, school district suffered a ransomware attack that reportedly closed the entire district for two days before services were recovered. Johannesburg, South Africa, was attacked in October 2019 and held hostage for $30,000, the third ransomware attack the city government suffered last year. Ransomware attacks in December 2019 hit the Oahu Cancer Center in Hawaii and disrupted patient care, including the ability to administer radiation treatment. The victims of these attacks are finding it preferable to pay the ransom rather than deal with the aftermath of data and system loss. Unfortunately, this emboldens future attacks and creates more targets.

We are now seeing ransomware campaigns that include data theft and exfiltration alongside encryption. Last year several victims of Maze ransomware, a few companies and one Florida city, did not immediately pay up and learned the hard way that a data breach had also occurred. Maze operators exfiltrated data in the course of their attack and published stolen documents, further extorting their victims and threatening that failure to pay would mean the release of more sensitive information. These campaigns demanded up to six million dollars for decryption of the files and used the exfiltrated data as leverage to collect payment. The Maze operators allegedly exfiltrated around 120 GB of data from Southwire during another ransomware attack.

The United States federal government advises organizations not to pay a ransom, as paying only encourages further attacks and there is no guarantee that the captured resources will be returned intact. Even so, victims are increasingly paying, as the latter half of 2019 shows. These payments are typically made in a cryptocurrency chosen by the ransomware operators. Jackson County, Georgia, paid $400,000 after a Ryuk ransomware attack severely disrupted operations across all county agencies, including the 911 dispatch center. Jackson County did not have cyber insurance and had to pay the ransom outright, which means the county's taxpayers ultimately funded the payment.

Cyber insurance firms are increasingly encouraging their customers to pay the ransom rather than rebuild or outright lose the encrypted resources. Ryuk ransomware hit Lake City, Florida, in late June 2019; authorities estimated that restoring the systems would cost more than a million dollars, against a ransom demand of about $700,000. The Lake City authorities then negotiated through a third party to pay the attackers $460,000, of which the city's cyber insurer reportedly funded $450,000. In this scenario, Lake City paid $10,000 out of pocket and had its systems back up within two weeks. This illustrates, yet again, that targeted enterprise ransomware attacks are increasingly profitable.

With their profits rising, ransomware operators will likely increase their campaign volume in 2020. The success of these campaigns may also encourage the creation of additional ransomware families, requiring global organizations to evolve their cybersecurity posture. With Microsoft's Windows 7 having reached end of life in January 2020, organizations that are slow to migrate to supported operating systems will no longer receive security patches and become more susceptible to such attacks.

We expect other trends to follow from our ransomware predictions for 2020. More cybersecurity firms may be engaged as third-party negotiators for payments. Stolen data can be used in different ways, not just held hostage, to extract more money from victims, especially if embarrassing information is exfiltrated. More enterprise organizations are expected to include cyber insurance in their yearly budgets. In short, more companies appear to be making business decisions that reflect an understanding of how likely a ransomware attack is. While it is good to be prepared, feeding the beast of ransomware will only fuel cybercriminals looking to make big bucks.


HOW COFENSE CAN HELP

Every day, the Cofense Phishing Defense Center (PDC) analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by end users; 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and defending against real phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.


All third-party trademarks referenced by Cofense, whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time under a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.