Cofense Debuts Phishing Defense Podcast

 

Leesburg, Va. – Jan. 17, 2020 – Cofense, the global leader in intelligent phishing defense solutions, today announced the debut of its phishing defense podcast, Phish Fryday. Gathering leading experts and threat researchers across Cofense’s security intelligence groups including Cofense Labs, Cofense Intelligence and the Cofense Phishing Defense Center, the new podcast provides security teams and analysts with weekly insights into the latest phishing threats, trends and news so they can stay ahead of the latest attacks.

Because most data breaches begin with a successful phishing email, defenders constantly need to understand the evolving tactics phishers use to bypass popular security technologies. Cofense analyzes millions of emails and malware samples every day, both in the wild and within organizations' environments, to identify new and emerging malware and to give organizations recommendations so they can defend themselves quickly and proactively.

“The key differentiator between Cofense and our competitors is the actionable intelligence that underpins all of our solutions,” said Rohyt Belani, chief executive officer, Cofense. “Our unique view of the cyber-threat landscape allows us to provide valuable and timely insights into active phishing threats that consistently bypass email gateways. We’re thrilled to further extend and share our expertise through Phish Fryday as we strive to unite humanity against phishing.”

The debut season includes the following episodes:

  • Episode 1: Cofense Labs’ Jason Meurer discusses Emotet’s recent evolutions, including modifications to its URI structure, new templates used and new information targeted by the botnet.
  • Episode 2: As tensions escalate between the U.S. and Iran, Mollie MacDougall of Cofense Labs, an expert on cyber and international security, explains Iran’s cyber capabilities and its history of cyberattacks.
  • Episode 3: Alan Rainer from Cofense Intelligence discusses how attackers are using trusted cloud services to evade security technologies and compromise corporate networks.
  • Episode 4: Max Gannon of Cofense Intelligence shines a light on Office macro attacks, how they are leveraged by attackers and why it’s challenging for organizations to defend against them.

To listen and subscribe to the Phish Fryday podcast, visit: https://cofense.com/category/podcast/phish-fryday/

###

About Cofense

Cofense™, formerly PhishMe®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

 

Media Contact

[email protected]

Phish Fryday – Office Macros in Phishing Attacks

Automation with macros in Microsoft Office documents has been with us for decades. The abuse of these macros has been with us for almost as long, as attackers leverage the functionality, and the permissions users commonly have to run them, to cause considerable harm to organizations. In this episode, we speak with Cofense Cyber Threat Intelligence Analyst Max Gannon about the latest phishing threats and how they leverage macros to compromise organizations.

For more information on topics mentioned in this episode, please visit:

Complimentary Threat Alerts

PowerShell Scripts Delivered by Office Macros

Geodo Malware Campaigns

Questions or comments? Reach us at [email protected]

Jeopardy GOATs Buzz In, Security World Groans

By Tonia Dudley

When Jeopardy invited its top players ever to battle it out, the winner would be crowned the Greatest of All Time (GOAT). Not the Pretty Goodest or the Gosh, Nice Try-est. And certainly not the Wow, You Very Nearly Failed-est.

But when three acclaimed geniuses hit the buzzers last week, those were the titles they earned in the cybersecurity category. The contestants missed two out of five. No big deal? Normally not, but these guys were the best of the best—and their combined score of correct answers equaled 60 percent. In most grading systems, that’s one point shy of an ‘F.’

I mean, shouldn’t a Jeopardy GOAT be good at almost everything?

Really? They missed ‘BYOD’?

Yes, they did. And it was worth $600, a pretty generous sum for a pretty easy answer.

It was exciting to see cybersecurity included in this highly watched episode. To be fair, I thought the show came up with an interesting selection of topics. Ransomware. Keylogger. Whitehats. And sigh, BYOD. Again, if this were a normal episode (or a normal game show) you’d expect easier questions. But hey, this is Jeopardy, GOAT Edition.

Here’s the dagger: current GOAT tournament leader Ken Jennings is in IT. Ken, you let us down, man! Okay, “keylogger.” Not everybody knows what it means.

But, sorry to say this, a real genius would. To claim GOAT status, you need to go beyond the basics. And not wait until the other categories are nearly exhausted before summoning the courage to tackle cybersecurity. Call me biased, but it’s a pretty important subject these days.

Kudos to the players for knowing what bitcoin is.

And for nailing HTTPS and whitehats. But millions of people watched this episode. Ken, Brad, and James could have shown America that any self-respecting GOAT knows cybersecurity as well as The Oscars or American Idols.

And couldn’t there have been one measly phishing awareness question? “Who is John Podesta, Alex?” Or “What is a fraudulent email?” The FBI published two alerts last year on business email compromise alone.

All right, enough griping. At least our industry got some recognition. But if Jeopardy ever includes us again, I want the players to do better than a D+.

Discover how phishing awareness training can help your organization defend against changing phishing threats.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

In 2020, Resolve Not to Simulate Last Year’s Phish

By Tonia Dudley

As you start off the new year, it’s a good time to recalibrate your phishing simulation program. Things change—business objectives, mergers, acquisitions or divestitures. The threat landscape is constantly changing too and may require a complete shift in your security awareness efforts. This is why you should focus on one quarter at a time—we’d all be millionaires if we could predict the future 12 months from now.

Align Your Simulations to Phish Your Users See.

As you prepare to launch simulations this quarter, make sure they are aligned to the threats actually hitting your users' inboxes. By keeping your campaigns aligned, you are better preparing your users to defend your organization against a phishing incident that could lead to a data breach or ransomware attack.

How do you achieve this? Start by reaching out to your Security Operations Center (SOC), the experts on the threats facing your organization. Also, many organizations are now standing up a Cyber Threat Intelligence team to proactively hunt for threats—these analysts are another great source of anti-phishing recommendations.

Planning a Credential Phish? Attackers Probably Are.

If you don’t have access to either of these resources, check out our most recent Cofense Annual Phishing Report. For example, we continue to see phishing emails that target credentials. Whenever I visit customers or talk to security teams, I ask if they are seeing credential phishing as a major threat to their organization. Without skipping a beat, the response is typically an immediate “yes” followed up with a real phishing incident story.

Figure 1: Sample credential phish

Running a credential phishing simulation can be more complex than a simple click-test, but compared to the time spent remediating a real phishing incident, it is time well spent. Chances are a credential simulation will pay off. Consider this nugget from our Annual Phishing Report:

74% of Real Phish Are Credential Phish

But Credential Phish Are Only 17.2% of Simulations

That’s a gap in your phishing awareness program you don’t want to see.

Don’t Forget Tax Season, Plus Data Privacy and Valentine’s Days.

Beyond credential threats, the first quarter of the calendar year offers seasonal themes. I’ve seen some awareness programs use a topics calendar, and the following topics are good bets for the first few months of the year.

  • Data Privacy Day – January 28th.
  • Tax season – anything related to tax topics and W2’s pique interest.
  • Valentine’s Day
    • I know some of you are right now thinking about that Valentine's e-Card you want to send out. We recently covered holiday-themed campaigns used by the Emotet botnet in our December blog post. If Emotet comes back online, we'll most likely see it leverage a similar holiday theme again. If you want to align a Valentine's theme to a real threat, focus on an attachment that leverages a macro-enabled MS Word document. Speaking of Emotet, because it's one of the biggest botnets out there, Cofense led off our new podcast series, Phish Fryday, with an Emotet deep-dive. Check it out here.

Whatever topics or themes you choose, just be sure they reflect the email threats your users will likely see. Whether your program is mature (and needs a jolt) or you’re just getting started, good luck! The Cofense resources below can help you move from awareness to full-strength phishing defense.

HOW COFENSE CAN HELP

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

 


Phish Fryday – Cloud Services in Phishing Attacks

Cloud platforms, such as Google Docs, Microsoft OneDrive, and Dropbox provide tremendous value to organizations looking to collaborate. Unfortunately, there are plenty of attackers willing to leverage our trust in these platforms for their own gain. On this week’s episode, we speak with Cofense Senior Intelligence Specialist Alan Rainer about the various ways attackers are using these technologies to bypass defenses and distribute malware and execute phishing campaigns.

For more information on topics mentioned in the discussion, please check out the following articles:

Raccoon Stealer

The UK Ministry of Justice Campaign

Agent Tesla

Organization of Post-Soviet States Spoofed in Phishing Email

By Julie Hall and Dylan Duncan,

Cofense Intelligence™ has detected a Russian-language credential phishing campaign that delivers a malicious PDF to end users. The campaign spoofs the Commonwealth of Independent States (CIS), the legitimate portal of the post-Soviet intergovernmental organization, and claims to offer compensation in rubles. The phish is delivered as a blank email with a PDF attachment; the PDF contains a link that redirects to a Russian-language phishing site. Cofense has observed the phish passing through Microsoft Exchange Online Protection (EOP) and it may have bypassed other secure email gateways.

Notably, all domains that Cofense Intelligence has recorded in this campaign serve valid TLS certificates and were registered shortly before the campaign, between November 11 and December 1, 2019 (Table 1). Figure 1 shows the phishing email, which contains no text at all, just a PDF attachment.

Figure 1: Phishing Email

A blank email with nothing but an attachment gives the recipient no lure text to be suspicious of, so in general only the curious open it and end up at the phishing portal. In this case, once the PDF is opened, the recipient is presented with an image and a link, as shown in Figure 2.

Figure 2: PDF File

Clicking the hyperlink, which asks the recipient to review a document, redirects to the phishing site shown in Figure 3. The attack proceeds in several steps. The spoofed service claims that eligible citizens are owed monetary compensation but have only a limited time to register a claim. To claim it, visitors must submit a bank card number and a Voila (cryptocurrency token). After providing this information, they are prompted to pay a randomly generated fee before the compensation is released.

Figure 3: Landing Page of Phishing Attack

To create a false sense of authenticity, every 30 to 60 seconds the site shows one of 10 pop-ups claiming that another user has just received compensation (see Figure 4). The site also accepts any input without validation, so every visitor can proceed through all of the steps regardless of what they enter. This combination of techniques (the limited time frame, the spoofing of a legitimate organization, a large compensation offer, and freshly registered domains with valid certificates) creates a sense of legitimacy and builds excitement and urgency for recipients. These Tactics, Techniques, and Procedures (TTPs) cloud judgment and lower the victim's guard.

Figure 4: Received Compensation Pop-Up

The domains host an open directory that exposes the phishing kit, FKG.zip. The kit contains multiple HTML, JavaScript and JSON (JavaScript Object Notation) files. The .html files are the pages of the phishing attack, while the JS and JSON files control the functionality of the phish.

In the file upssels.js, the domain clickpay24[.]tv is used as a payment API to take payments directly from victims. After completing each step of the phish, recipients are redirected to a payment page generated by clickpay24. The generated URLs follow the pattern az-payout.com[.]com/buy/<16 integers>, where the 16 integers are random.

Preventing email-borne intrusions like this one starts with security awareness as the first line of defense. Alongside automated anti-phishing tools, educating personnel on new phishing trends is the best way to counter such a campaign.

Table 1: Domains associated with the campaign

Domain              Registration date
h-formpay-a[.]top   November 19, 2019
x-a[.]top           December 1, 2019
luckyclick[.]best   November 24, 2019
m-f1[.]top          December 1, 2019
c3p-cl[.]club       November 29, 2019
o-k-f.aadfk[.]top   November 28, 2019
m-go[.]top          November 11, 2019
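The delivery chain described above (blank email, PDF attachment, a link in the PDF that redirects to a freshly registered domain) is something a triage analyst can check mechanically. The Python script below is an added example for this write-up, not Cofense code or the kit's code: it pulls every /URI action target out of a PDF, including ones packed inside Flate-compressed streams, and matches the link hosts against the Table 1 domains. The PDF bytes it scans are constructed inline to stand in for the attachment in Figure 2; the link targets inside it are illustrative and not URLs observed in the campaign.

```python
import re
import zlib
from urllib.parse import urlsplit

# Defanged indicators copied from Table 1 of the write-up.
IOC_DOMAINS = [
    "h-formpay-a[.]top", "x-a[.]top", "luckyclick[.]best", "m-f1[.]top",
    "c3p-cl[.]club", "o-k-f.aadfk[.]top", "m-go[.]top",
]

# A PDF /URI action stores its target as a literal string: /URI (https://...)
# Literal strings may escape ')' and '\' with a backslash, so the pattern
# accepts escape pairs as well as plain characters.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Stream dictionary with a direct /Length, followed by the 'stream' keyword.
# Indirect /Length references and nested dictionaries are not resolved here.
_STREAM_RE = re.compile(rb"/Length\s+(\d+)\b[^>]*>>\s*stream\r?\n")


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'x-a[.]top' back into 'x-a.top'."""
    return domain.replace("[.]", ".").lower()


def _unescape(raw: bytes) -> str:
    # Drop the backslash from PDF literal-string escapes, e.g. \( \) \\ .
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every distinct /URI action target found in the PDF.

    The raw file is scanned first; then every stream that inflates with zlib
    is scanned too, because link annotations are often packed into
    FlateDecode object streams where a plain text search would miss them.
    Other filters (LZW, encrypted PDFs) are out of scope for this example.
    """
    blobs = [pdf]
    for m in _STREAM_RE.finditer(pdf):
        body = pdf[m.end(): m.end() + int(m.group(1))]
        try:
            blobs.append(zlib.decompress(body))
        except zlib.error:
            pass  # not a Flate stream (fonts, images, ...): ignore it
    found: list[str] = []
    for blob in blobs:
        for m in _URI_RE.finditer(blob):
            uri = _unescape(m.group(1))
            if uri not in found:
                found.append(uri)
    return found


def host_of(uri: str) -> str:
    """Lower-cased hostname of a URI ('' if it has none)."""
    return (urlsplit(uri).hostname or "").lower()


def matches_iocs(uris, iocs=IOC_DOMAINS):
    """Pair each URI whose host is an IOC domain, or a subdomain of one,
    with the defanged indicator it matched."""
    hits = []
    for uri in uris:
        host = host_of(uri)
        for ioc in iocs:
            d = refang(ioc)
            if host == d or host.endswith("." + d):
                hits.append((uri, ioc))
    return hits


def build_sample_pdf() -> bytes:
    """Constructed stand-in for the attachment in Figure 2: one page with a
    link annotation pointing at a Table 1 domain, plus a second link packed
    in a Flate-compressed stream.  Not a real captured file."""
    link1 = (b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
             b"/A << /S /URI /URI (https://x-a.top/review/doc) >> >>")
    link2 = (b"<< /Type /Annot /Subtype /Link /Rect [72 600 300 620] "
             b"/A << /S /URI /URI (https://example.org/legit\\(1\\)) >> >>")
    packed = zlib.compress(link2)
    return b"\n".join([
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [4 0 R 5 0 R] >> endobj",
        b"4 0 obj " + link1 + b" endobj",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>" % len(packed),
        b"stream", packed, b"endstream", b"endobj",
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ])


if __name__ == "__main__":
    for uri, ioc in matches_iocs(extract_uris(build_sample_pdf())):
        print(f"IOC hit: {uri} -> {ioc}")
```

Matching on the host rather than the full URL is deliberate: the redirect URLs in this campaign end in a random 16-digit path, so an exact-URL blocklist would never fire. Hex-string URIs, indirect /Length references and other stream filters are not handled; for production triage, hand the attachment to a real PDF parser such as pypdf and feed its link list into the same IOC check.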

 


Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 34008.


 


Phish Fryday – Tension between Iran and the US Increases Cyber Threat

As the situation between Iran and the United States escalates, there has been considerable speculation as to how Iran might respond to the recent actions of the US. In this episode, we speak with Mollie MacDougall, an expert on cyber and international security and the Product Manager for Cofense Threat Intelligence, to learn more about Iran’s cyber capabilities and their history in the use of cyberattacks.

Phish Fryday – The Latest on Emotet

The Emotet botnet has undergone quite a few changes in 2019 and Cofense Senior Research Engineer Jason Meurer joins us to discuss the latest variations. What has changed and how can organizations continue to detect and protect themselves from Emotet? Tune in to find out.

For more background on Emotet and the latest Cofense Research, help yourself to our blog posts:

Want to simulate a holiday phish? This one’s from your friends at Emotet.

Emotet Modifies Command & Control URI Structure

Emotet Malicious Phishing Campaigns Return in Force