Cofense and Eze Castle Integration Partner to Strengthen Security Awareness in the Investment Industry

LEESBURG, Va. – October 16, 2019 – Cofense™, the global leader in intelligent phishing defense solutions, today announced it has entered a strategic Managed Security Services Provider (MSSP) partnership with Eze Castle Integration, a leading provider of managed services and complete cloud solutions for the investment industry. Cofense will provide world-class security awareness and phishing simulation solutions to Eze Castle, enhancing their cybersecurity services portfolio to offer an end-to-end managed awareness and phishing simulation service for their financial customers.

Cyber-attacks and data breaches remain at the top of risks facing organizations today, and the majority of breaches begin with phishing. Effective employee education, training and conditioning is a critical element of a robust cyber defense strategy, allowing enterprises to bolster their resiliency to attacks. Eze Castle customers can take advantage of Cofense’s award-winning, human-driven training tools through Eze Castle’s managed service expertise, including more than 50 cyber-related and compliance-based training modules and insight into the latest phishing campaigns affecting the financial industry.

Eze Castle will also receive hands-on training from Cofense to help identify the right cadence of phishing simulations—from basic to more nuanced scenarios—along with tips for measuring results and communicating program success to an organization’s executives.

“We are proud to partner with Eze Castle Integration as part of our elite group of service providers that are enabling more organizations with the resources needed to thwart phishing attacks across the globe,” said Robert Iannicello, vice president of global channel sales, Cofense. “Together, we look forward to empowering employees in the investment industry to proactively report suspicious emails and generate actionable intelligence that gives their organization the upper hand in stopping phishing attacks in their tracks.”

“In today’s technology-driven world, cybersecurity threats are one of the greatest risks facing the investment industry,’ said Steve Schoener, chief technology officer, Eze Castle Integration. “We follow a security first approach to IT and deliver fully managed security solutions, such as Cofense PhishMe and Security Awareness Modules, to help our customers bolster the security of their environments – whether they reside in a public, private or hybrid cloud, or on-premises.”

New Phishing Sextortion Campaign Using Alternative Crypto Currencies to Evade Detection

By Hunter Johnson, Cofense Professional Services 

Cofense has observed threat actors employing a modified version of a sextortion scam using alternative crypto currencies to bitcoin.

Typical sextortion scams claim to have installed malware on recipients’ systems and recorded their browsing history of adult websites and webcam footage. Ransom is demanded in bitcoin, upon threat of releasing damaging information to family, friends, and co-workers. Because threat actors often get recipients’ emails from password breach lists, they sometimes include passwords to lend authenticity.

Early sextortion scams started with a plain text extortion email threating the recipient and asking for payment. As enterprises began writing detection rules to block those emails, threat actors modified the text by replacing it with an image, which prevented key words from being identified by Secure Email Gateways (SEGs). The bitcoin address was left as a plain text string in the email, so it could be easily copied. As enterprises began checking for bitcoin addresses, threat actors removed text and images and switched to attaching PDF documents containing the threats. Most recently, threat actors began encrypting PDF attachments and including the password in the email body to foil any further SEG detection rules.

This latest sextortion version is using a Litecoin wallet address instead of bitcoin to evade detection. Previous iterations showed a gradual shift away from identifiable patterns and to alternative crypto currencies, in an attempt to foil SEG bitcoin-detection rules. The current emails appear to be crafted to contain very few searchable word patterns. While we could publish the contents of those emails, let’s just say the emails contained adult language admonishing the recipient to be more careful about their browsing and webcam habits.

As this latest twist shows, threat actors can switch to the next crypto currency and attempt to iterate through all the scam’s previous versions. While there are thousands of crypto currencies, only a dozen or so are easily attainable from large exchanges. For the scam to work, the recipient needs an easy way to acquire the requested payment method.

Avoiding this scam is simple. Your users can safely ignore the emails—if threat actors actually had such access and data, they would include stronger proof. Also educate users about sites such as haveibeenpwned.com, so they can know if their email address is likely to become a target.

Cofense will also be publishing a rule to detect attacks we’ve seen so far using this new method.

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMe offers a phishing simulation template, “Fear Driven Phishing Scams Involving Embarrassing Situations,” to educate users on sextortion and similar scams.

Cofense Labs has published a database of over 300 million compromised email accounts for use in sextortion campaigns. Find out if your organization’s accounts are at risk.

Reports of sextortion and other ransom scams to the Cofense Phishing Defense Center are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains – do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Emotet Malicious Phishing Campaigns Return in Force

By Alan Rainer and Max Gannon

The infamous malware family Emotet—also known as Geodo—has fully resurfaced and resumed sending phishing campaigns that trick users into clicking on links and downloading attachments that contain malicious macros. Many of the emails feature common financial themes that capitalize on an existing reply chain or contact list impersonation.

In most cases, subjects for these phishing emails are rather mundane, such as “RE: Re: Contract/Invoice Count” and “Customer Statement 09/16/2019”, with attachments that use Microsoft Office macros to install malware. Upon installation of the Emotet executable, the banking Trojan TrickBot may be placed onto the victim machine, mainly depending on geography and organization. TrickBot is known to siphon information from a host and has shown to result in Ryuk ransomware making its way to the victim after some time. Current statistics show that Emotet is targeting over 66,000 unique emails on more than 30,000 domains. The origin emails—of which credentials had likely been stolen—span over 1,900 unique domains from 3,400 different senders. This extensive reach makes it tricky to combat the Emotet threat.

User awareness and technical safeguards such as email defense capabilities and endpoint protection solutions are vital in thwarting Emotet. Users should be increasingly wary of reply chain emails that contain unexpected documents, especially ones that ask to ‘Enable Content’ for editing or to ‘Accept the license agreement.’

Security teams should maintain a heightened awareness of Emotet trends and leverage the analysis to deny or hunt down malicious activity. Through active monitoring of the Emotet botnet and malware, Cofense IntelligenceTM continues to identify phishing threats that may impact customers and to provide security operations with the latest campaign data.  In the Technical Findings section below, Cofense Intelligence has chosen a random example of the most common email and macro as seen today for analysis.

Figure 1: Original Email

Technical Findings

Emotet delivers malicious documents as either part of a reply chain or as a finance-themed (such as invoice, new document, bank transfer, and quotation) phishing email. The languages used for each email body differ widely and have been seen to include English, Italian, Polish, or German, among others. These phishing emails contain a Microsoft Word document with a .doc extension and an Office macro that downloads Emotet executables.

Historically, Emotet utilized malicious links as well, but current indications show this is not the preferred method of malware delivery. The attached Office documents with macros store payload information in embedded object data, rather than in the macro itself, which makes analysis more difficult.

While similar to a delivery mechanism discussed in a previous blog, this version of the dropper is more advanced than before. When the document is opened, it displays a lure stating that to continue to use Microsoft Word after September 20, 2019, the user must accept the license agreement and enable editing. The lure shown in Figure 2 does not appear to be significantly different from the typical Office message that asks to enable macros; however, a requirement to accept a new license agreement makes the lure seem so routine that this new trap may be more effective.

Figure 2: Macro Request

After Office macros are enabled, Emotet executables are downloaded from one of five different payload locations. When run, these executables launch a service, shown in Figure 3, that looks for other computers on the network. Emotet then downloads an updated binary and proceeds to fetch TrickBot if (currently undetermined) criteria of geographical location and organization are met.

Figure 3: Service Launched by Emotet

The macros used in this case are relatively small even with the garbage code included, totaling approximately 150 to 300 lines. Removing the garbage code reveals only 10 lines of actual code. This code extracts metadata from embedded objects in the Word document; specifically, the “caption” data of these objects as seen in Figure 4.

Figure 4: Object content

While the attached documents all have a .doc extension, they are in fact .dotm, .docx, and other document file types, which enables them to successfully hide the embedded objects as ActiveX objects rather than typical “Form” objects whose metadata can be easily accessed in an opened document.

In each case, the result is the attempted download of an Emotet binary from a set of five payload locations using both HTTP and HTTPS. Emotet has been seen downloading TrickBot and other malware historically, with no noteworthy modifications to the present-day TrickBot sample.

 

How Cofense Can Help

Cofense Resources

Cofense PhishMeTM  offers a phishing simulation, “Service Report – Emotet,” to educate users on the phishing attack described in today’s blog.

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Healthcare’s Getting Smacked by Phishing. These Resources Can Help.

This summer, phishing attacks continued to hammer healthcare.

Florida: Compromised email accounts, at last count 73, were used to send a phish which led to a breach at NCH Healthcare.1

Ohio: Eye Care Associates was hit with ransomware. The regional eye care provider’s systems were locked for several weeks. 2

New York: In the biggest healthcare breach so far in 2019, American Medical Collection Agency was breached to the tune of 25 million patient records. While phishing hasn’t been positively identified as the culprit, it’s high on the suspect list.3

Need Phishing Defense Resources? Start Here.

To help healthcare companies better defend against phishing, CofenseTM maintains a healthcare hub with information and solutions including:

Case Study: Getting Creative to Stop Attacks

After getting targeted by a credential phishing attack, one healthcare company got serious about phishing awareness and response. They turned to Cofense to help educate users to report suspicious emails.

Now the reporting rate is 3-7 times higher than the susceptibility rate. Even better: employees are reporting real phish that security teams are stopping faster, including credential harvesting phish, malicious URLs, and malware campaigns.

Read the full case study.

Infographic: 5 Ways Healthcare Can Beat Phishing

At the heart of these 5 tips: educate users to report phishing and benchmark your success.

Our infographic shows that healthcare companies have made progress in email reporting, but still lag behind other industries. View exclusive Cofense data that shows where healthcare stands, plus best practices and some newer phishing tactics to watch for.

See the infographic.

More Healthcare Content + Cofense Solutions

Watch a short video of a healthcare executive discussing how he trains users to spot phishing. Read blogs on healthcare security awareness, incident response, and how another healthcare company stopped a phishing attack in 19 minutes.

Plus, learn how Cofense solutions can protect your healthcare company from the inbox to the SOC.

Check out our healthcare hub now.

 

Sources

  1. HIPAA Journal, September 2, 2019
  2. Healthcare IT Security, August 15, 2019
  3. Ibid, July 23, 2019

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

New Phishing Campaign Uses Captcha to Bypass Email Gateway

By Fabio Rodrigues

Phishing threat actors are using Captcha methods to bypass automated URL analysis. By using Captcha techniques to prove human presence, the phish prevents the secure email gateway (SEG), in this case Mimecast’s gateway, from scanning the URL thereby enabling the threat to get through. Here’s how it works.

Email Body
The phishing email is sent from a compromised account at @avis.ne.jp as if it originated from a voip2mail service. The email alerts the recipient to a new voicemail message. The message is crafted in a simple format, with a preview of the voicemail to entice the recipient to click on the button to listen to the full message.

Figure 1: Email Body

This button is in fact an embedded hyperlink that will redirect the recipient to a page that contains a Captcha code to prove the victim is a human and not an automated analysis tool or, as Google puts it, “a robot.” It’s at this point that the SEG validation would fail. The SEG cannot proceed to and scan the malicious page, only the Captcha code site. This webpage doesn’t contain any malicious items, thus leading the SEG to mark it as safe and allow the user through.

Figure 2: Captcha Page

Once the human verification process is complete, the recipient is redirected to the real phishing page. In this example, it imitates the Microsoft account selector and login page. When unwitting victims login, their credentials are captured.

Figure 3: Phishing Page

As we can see, both the Captcha application page and the main phishing page are hosted on MSFT infrastructure. Both pages are legitimate Microsoft top level domains, so when checking these against domain reputation databases we receive a false negative and the pages come back as safe. SEGs frequently check URLS against reputation databases as part of a layered defense.

Table 1: Network IOCs

hxxp://t[.]mid[.]accor-mail[.]com/r/?id=
hxxps://osnm[.]azurewebsites[.]net/?b=
hxxps://phospate02[.]blob[.]core[.]windows[.]net/vric/112-vml[.]html?sp=r&st=2019-09-03T19:01:36Z&se=2019-09-28T03:01:36Z&spr=hxxps&sv=2018-03-28&sig=q4OWNkGXIlBtE99JknDZ047J94uFFCc%2BoNaZmtHOt2k%3D&sr=
52[.]239[.]224[.]36
66[.]117[.]16[.]17
52[.]173[.]84[.]157

 

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a phishing simulation template, “New Voice Message,” to educate users on the attack described in this blog.

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Trickbot Is Using Google Docs to Trick Proofpoint’s Gateway

By Tej Tulachan

The Cofense Phishing Defense Center (PDC) has detected a phishing campaign that delivers Trickbot embedded in a Google Docs link. Trickbot has been making the rounds for a long time now and is still considered one of the biggest malware threats targeting business today. Threat actors frequently utilize legitimate applications or trusted file sharing sites like Google Docs to bypass the email gateway and lure users to click on the link to deliver malware. In this case, the email made it through Proofpoint’s gateway utilized by our PDC customer.

Email Body

The email attempts to lure curious users to click on the link: “Have you already received documentation I’ve directed you recently? I am sending them over again.” This is a legitimately generated email by Google Docs when a file is shared by one of its subscribers. Unknowingly, the recipient is directed to a document hosted on Google that contains a malicious URL.

Fig 1. Email body

When the recipient clicks on the link it directs to a genuine Google Docs page as shown below, which contains a fake 404 error message and another embedded link. The threat actor baits the recipient into downloading the document: “Downloading the document manually via the link”. This link hxxps://docs[.]google[.]com/uc?id=112QLCdDtd4y-mAzr8hobCs0TP5mQmKfL downloads the malicious payload.

Fig 2. Google doc page

Once the URL links to a file hosted on Google drive, it downloads a Review_Rep.19.PDF.exe which has been disguised as PDF file. Many recipients will not see the .exe file extension. It’s something that you need to specifically enable in Windows. So, to them it looks like a legitimate PDF file since the attacker uses the icon for a PDF.

Fig 3. Pdf Icon

If we look at the file in a hex editor, we see that in fact it’s an executable file and not a PDF.

Take a look below in the editor, indicated by the magic bytes MZ which denotes a windows executable.

Fig 4. Magic Number

Once the payload is executed it creates a copy of itself (egолаСывЯыФЙ) in C:\ProgramData, where it  undertakes control over execution of the malware.

Fig 5. egолаСывЯыФЙ.exe

Furthermore, it creates another copy in “C:\Users\REM\AppData\Roaming\speedLan” that also includes the config file for Trickbot (settings.ini) (The directory depends on the Trickbot version.)

Fig 6. speedlan

If we look inside the settings.ini we see a lot of the “obfuscated” text.

Fig 7. Obfuscated text

Additionally, if we open up the Task Scheduler, we can see it also sets a task that starts the malicious file from the “Speedlan” folder.

Fig 8. Start Task Scheduler

Looking at the Triggers tab, we can see it has been set to repeat itself every 11 minutes for 596843 minutes (414 days) for this particular version of Trickbot. The scheduled task checks to see if the binary is running in memory every 11 minutes over a 1-year period. This means that the binary will stay persistent on the system if the process is terminated. The 414 day counter just insures that the scheduled task stays running for as long as the system is online (generally, people will reboot their computer at least once a year).

 

 

 

 

 

 

 

 

 

Fig 9. Trigger

This then hollows out Svchost, injects its malicious code, and launches it. It keeps launching more and more Svchost’s if you let it run. Each of these are typically responsible for a module of Trickbot.

Fig 10. Hollows Svchost

Indicators of Compromise (IOCs):

Malicious File(s):

 

Filename: Review_ Rep.19.PDF.exe

MD5: ab2a8fc10e8c1a39ae816734db9480de

SHA-256: 20328b1f169b1edeef38853dafbbacfdac53c66f7f1dd62f387091bedebfd497

File Size: 404,320 Bytes

Extension: exe

 

Malicious URL(s):

 

hxxps://docs[.]google[.]com/document/d/1fgSfd4DwReVKbcLI3ISO2jhX1Yn8WOqbXnmU_bg00_A/edit?usp=sharing_eip&ts=5d5accb1
hxxps://docs[.]google[.]com/uc?id=112QLCdDtd4y-mAzr8hobCs0TP5mQmKfL
hxxps://jaquetas01[.]cordenadorltda[.]org
hxxps://services[.]halapar[.]org

 

Associated IP(s):

200[.]119[.]45[.]140

107[.]181[.]175[.]122

79[.]143[.]31[.]94

198[.]27[.]74[.]146

186[.]47[.]40[.]234

181[.]129[.]93[.]226

190[.]152[.]4[.]210

 

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM. Cofense PhishMe offers a phishing scenario, “Shared Google Doc – TrickBot,” to help users identify the attack described in today’s blog.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense™. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Cofense Secures Additional Investment from Funds Managed by BlackRock

Company Reaffirms Commitment to Deliver Reliable Phishing Technology and Awareness Training to the Global Market

Leesburg, VA Cofense™, the global leader in intelligent phishing defense solutions, today announced that funds managed by BlackRock Private Equity Partners have taken an additional ownership position in Cofense, having acquired the equity of former investor Pamplona. Cofense is pleased to expand the partnership, initially inked in 2018, which will continue to support the company’s mission to help organizations stop phishing attacks in their tracks.  Private Equity Partners is BlackRock’s fund of private equity funds platform that sources and evaluates the full spectrum of private markets investing, including partnerships, direct co-investments, and secondary transactions.

“We met with dozens of world-class financial institutions who were keen to invest. We’re delighted that BlackRock was the winning bidder, as they are familiar with our business and already have a strong relationship with Cofense,” said Rohyt Belani, Co-Founder and CEO, Cofense. “BlackRock’s expanded investment is a direct reflection of their confidence in our company and the growing market opportunity. Cofense has a history of successfully uncovering and reporting threats from all corners of the globe, but we are particularly proud of our track record for taking all possible measures to protect our customers, partners and prospects from phishing attacks.”

In the previous 12 months, Cofense has accelerated its efforts to bring reliable, best-in-class phishing defense solutions to the global market, and as a result the fourth quarter (2018) and first quarter (2019) were the two most successful in company history. The company has close to 2,000 enterprise clients in over 150 countries, representing every major vertical from energy, financial, healthcare to manufacturing and high-technology. Since July 2018, Cofense has expanded its product suite to deliver turnkey solutions for employee education and awareness to phishing response. The company will continue investing in R&D to provide their customers with peak phishing protection across the organization.

In addition to technical accolades, including being positioned as a Leader in the Gartner Magic Quadrant for Security Awareness Computer-Based Training for the fourth consecutive year, Cofense has been recognized for its culture and team leadership. The company was named a 2018 Best Place to Work by the Washington Post and Washington Business Journal and included on the Inc. 5000 list of fastest growing companies. Most notably, Cofense has been honored multiple times in 2019 for raising the standards of excellent customer service, as a finalist for the 2019 SC Awards and HDI Team Awards, and as a winner of the ISPG Global Excellence Awards. The company also successfully completed a Service Organization Controls (SOC) 2 Type II examination for Cofense PhishMe™ and Hosted Cofense Triage™.

About Cofense
Cofense™, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact
press@cofense.com

Cofense and CNA Strengthen Security Awareness Within Cyber Insurance Industry

Leesburg, Va. – August 15, 2019 –Cofense™, the global leader in intelligent phishing defense solutions, announced its strategic relationship with CNA, one of the largest commercial property and casualty insurance companies in the United States. Cofense will provide security awareness training as part of CNA CyberPrep, the latest addition to CNA’s suite of cyber liability insurance products designed to help companies take a holistic approach to cyber threats.

Phishing attacks remain the top attack risk facing organizations. As a result, educating and training employees is a critical part of a robust cybersecurity platform. CNA policyholders can take advantage of Cofense’s world-class, human-driven training tools to include a fully functional-learning management system and more than 20 cyber-related computer-based training modules. Cofense’s Learning Management System (LMS) helps administrators manage content and ongoing education about cyber security risks, meanwhile the company’s Computer Based Training (CBT) educates users on today’s biggest threats with interactive modules. This two-pronged approach empowers users to input their own lessons and manage Cofense and non-Cofense learning materials all in the same place.

CNA policyholders will get access to all Cofense solutions at a preferred rate, and will be eligible for a Cofense Managed Phishing Assessment to provide a benchmark of their current phishing risk and resiliency. This assessment helps companies to improve their threat identification, mitigation and response operations.

“Our relationship with CNA brings together multiple types of risk management services. We are helping to create a comprehensive solution for businesses to remain prepared and competitive,” said Rohyt Belani, CEO and Co-Founder of Cofense. “Working together seamlessly with the other components of CNA CyberPrep, we are confident that our security awareness solutions can help CNA’s policyholders fight phishing threats.”

“In today’s technology-driven world, it is clear that cyber threats represent a critical and growing risk,” said Brian Robb, Underwriting Director and Cyber Industry Leader, CNA. “Businesses must stay ahead of emerging cyber risks and the security threats they pose, and we want to make sure CNA policyholders have access to the best services and technology available. Cofense is an industry leader in phishing defense solutions and security awareness training, which will deliver great value to our policyholders.”

About Cofense

CofenseTM, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact

press@cofense.com

 

This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials

By Tej Tulachan

The Cofense Phishing Defense CenterTM has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works.

Email Body

At first glance, the email body looks well-presented with the correct DocuSign logo and its content. However, there is something suspicious within the first line of the message—the absence of the recipient’s name, just “Good day.” If we look deeper into the message body, we can see that there is an embedded hyperlink which directs to hxxps://ori8aspzxoas[.]appspot[.]com/gfi8we/

Figure.1

Email Header

From the email header we can see that the threat source originates from the domain narndeo-tech[.]com. Further investigation reveals it belongs to Hetzner Online GmbH which is a well-known hosting company based in Germany. We noted that there is no sign of proof this came from a genuine DocuSign domain.

From: Lxxxx Mxxx <xxxxxx22@narndeo-tech[.]com>

To: R______ L_______ <unsuspecting.victim@example.com>

Message-ID: <20190716055127.3AEBF4689BD125B3[@]narndeo-tech[.]com>

Subject: New Docu-Sign

X-Env-Sender: lesliemason22[@]narndeo-tech[.]com

Phishing Page

When users click on the embedded link, it redirects to a phishing page as shown below in figure 2. Here the attacker gives six separate options for users to enter their credentials to access the DocuSign document, increasing the likelihood this phisher gets a bite.

Figure.2

Once the user clicks on the given option, it redirects to the main phishing page as shown below in three versions, Office 365, Gmail, and iCloud.

Figure.3

Email Gateway: This threat was found in an environment running Symantec EmailSecurity.Cloud.

Conclusion:  

IOC

hxxps://ori8aspzxoas[.]appspot[.]com/gfi8we/

108[.]177[.]111[.]153

Recommendation:

Cofense™ cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails that instruct users to provide their credentials. If your organization uses DocuSign as part of its business processes, remind users how they should expect legitimate notifications according to your internal standards. Cofense PhishMe™ customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails.  A simulation template is available as “Completed Document,” which is based on a real phishing campaign. We also have existing newsletter (Announcement) content available to send to your users.

Reference: https://www.docusign.com/sites/default/files/Combating_Phishing_WP_05082017.pdf

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM.

Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than  Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Labs Publishes Database of Over 200 Million Compromised Accounts Targeted by Sextortion Email Campaigns

Leesburg, Va. – August 5, 2019 – CofenseTM, the global leader in intelligent phishing defense solutions, today published a database of over 200 million compromised accounts being targeted by a large sextortion scam to ensure potential victims and their employers can address the threat of sextortion and prevent lost wages and productivity. Cofense Labs, the newly formalized research and development arm of Cofense, discovered a “for rent” botnet in June 2019 used primarily to send sextortion emails. The research team is monitoring the botnet’s activity on a daily basis to observe changes in the malware it is spreading as well as tracking new email addresses being targeted for sextortion phishing emails.

Sextortion is an email-based scam that relies on emotion-driven motivators such as fear and urgency to extort a ransom payment in return for the scammer’s commitment not to leak sensitive information. The method has become an increasingly pervasive threat, with Cofense Labs analysing over 7 million email addresses impacted by sextortion in the first half of 2019 alone. Cofense also assessed that more than $1.5M in payments were made to bitcoin wallets associated with sextortion campaigns this year. Poor password hygiene, including infrequent changes and reuse across multiple sites, add further credibility to sextortion threats being made.

“This botnet is not infecting computers to acquire new data sets – it is a true “spray and pray” attack reusing credentials culled from past data breaches to fuel legitimacy and panic through sextortion scams,” said Aaron Higbee, Cofense Co-Founder and CTO. “If your email address is found in a target list used by the botnet, it’s highly likely you will receive a sextortion email – if you haven’t already. We felt it was critical to get this information out. We hope that victims receiving a sextortion email will find our resource center so they can avoid the anxiety and stress of trying to figure out whether to pay a bitcoin ransom.”

Data breaches continue to headline the news, and as a result, massive sets of email addresses and passwords are making their way to the criminal corners of the internet. Cofense Labs’ research indicates that the hackers behind this sextortion campaign are recycling old email addresses and passwords – dating back at least 10 years – for new monetization purposes.

“Cofense Labs advises that owners of emails included in the database should change any passwords for accounts associated with that address. And most importantly, if a sextortion email is received, we do not recommend responding to the email or paying the ransom,” added Higbee. “The release of this sextortion database is just one example of the pioneering work Cofense Labs is conducting. Our team is committed to expanding visibility into the evolving phishing threat landscape and sharing tools, techniques, and insight with the security community.”

There are several actions consumers and organizations can take to prevent sextortion and deal with the threat, including: employing a password manager to keep passwords strong and unique; enabling two-factor authentication whenever this is an option for online accounts; and covering all computer cameras. To view the full database provided by Cofense Labs, as well as a guide for employers and employees, click here.

The mission of Cofense Labs is to provide leading edge, innovative research and subject matter expertise to address real-world cyber security challenges. The research and development team’s insights aim to provide actionable intelligence to assist with proactive defense. Where appropriate, Cofense Labs will make the output of its research freely available to encourage and enable collaborative defense. Projects will be made available at cofenselabs.com.

About Cofense

CofenseTM, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact

press@cofense.com