Bundle Up and Build an End-to-End Phishing Defense

By David Mount, Product Marketing

Back in 2008, CofenseTM (then PhishMe®) pioneered the concept of phishing simulation as a tool to reduce organizational risk to phishing threats. Since then, the phishing threat landscape has evolved at a rapid pace, as evidenced in many of the posts on this blog. Back then, traditional approaches to Security Awareness didn’t (and still don’t) demonstrably and measurably improve security posture, especially relating to phishing threats. And, as we’ve mentioned before (and we highlight in this blog), every threat identified by the Cofense Phishing Defense CenterTM has bypassed the technical controls like Secure Email Gateways that were out in place to protect the end user.

It’s Time to Shift Your Focus

If traditional approaches to phishing defense aren’t working, then what can we do?

Like many areas of cybersecurity, we need to shift our focus. We need to stop believing that the optimal approach is to stop all the bad stuff from breaching our defenses. Rather, we have to accept that stuff is going to get through, so we need greater focus on our ability to detect and respond to the threats that are inside our networks, including the phish lurking inside our user inboxes.

Now, I’m not saying that we ignore our defensive controls – absolutely not. However, we must optimize them. We need to understand the threat landscape to be able to effectively defend and ensure that we’re blocking as much known bad as possible. Consumption of phishing-specific threat intelligence enables us to do this and so much more. By understanding the phishing threat landscape, including current campaigns and emerging trends, we can fine tune our controls and refine awareness programs so that they’re focused on the right threats, at the right time.

But no control is 100% effective, and when technology fails and a phishing threat is delivered to the inbox, the only sensor you have in the environment that can alert you to it is the users themselves – but you must enable and empower them to do this. Here, phishing simulation earns its stripes. Rather than using phishing simulation to ‘test’ your users, use it to keep the risks of phishing front and center and condition them to recognize evolving phishing threats. But don’t stop there. Don’t get hung up on click rates on your simulations. Instead focus on reporting rates – a far more valuable indicator of behavioral change and improvement in defensive posture. When you encourage your users to report in simulations, they’re rehearsing the behavior that’s needed in a real attack situation.

When that attack happens (and it is a when, not an if), security teams need to be able to turn the emails reported by users into actionable intelligence – fast. They need to cut through the noise of spam and other non-malicious emails to find the bad stuff quickly. And when bad is found, the clock is ticking. The longer it takes security teams to take decisive action like searching for all users who have received the threat, and removing it from all inboxes, the greater the chance of significant compromise or data breach.

We’ve Got a Bundled Solution for You

Intelligent phishing defense is a fusion of the human with technology, and it shouldn’t be complicated. We’ve made it easier to for organizations to obtain essential phishing defense capabilities through our solution bundles.

Depending upon your specific needs, choose a bundle from the following flavors:

Awareness, Detection, Defense, Defense with Threat Intelligence, and Managed Phishing Defense. For more information, you can check out our solutions bundles here. You can also review pricing and a breakdown of capabilities included in each bundle.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Raccoon Stealer Found Rummaging Past Symantec and Microsoft Gateways

By Max Gannon and Alan Rainer, Cofense IntelligenceTM

Threat actors continue to exploit legitimate services to trick users, as seen in the latest campaign using Raccoon Stealer malware, aimed at a financial organization and delivered by a Dropbox-hosted .IMG file. A rather unsophisticated malware, Raccoon Stealer came to light around April 2019, bypassing Symantec Email Security and Microsoft EOP gateways. The malware is sold on underground forums in both Russian and English, features an easy-to-use interface, around-the-clock customer support, and highly active development. Users of the malware can distribute it in any way they deem fit. In this campaign, the actors chose to host the malicious .IMG file on a Dropbox share, which upon execution, drops Raccoon Stealer onto the victim machine.

The email used in this campaign was delivered to the inbox of an employee of a financial institution. Figure 1 shows the email signature and originator address which probably belong to a compromised user. Using the familiar theme of a wire transfer—closely akin to those often seen in Business Email Compromise (BEC) scams—the threat actors look to trick users into opening the Dropbox URL and downloading the malicious file.

Educating users on spotting these types of scams and carefully scrutinizing emails that originate outside the organization are great ways to thwart this threat. Cofense IntelligenceTM Indicators of Compromise (IOCs) provided via our feed and noted in the appendix below can be used to fortify network defense and endpoint protection solutions.

Technical Findings

In the past, CofenseTM has seen Raccoon Stealer delivered by direct attachments and via RTF documents leveraging CVE-2017-8570 that targeted sectors such as utilities. In this most recent campaign, a potentially compromised email account was used to send the email shown in Figure 1, which managed to make its way past Symantec Email Security and Microsoft EOP gateways without the URL being removed or tampered with to the extent that it would prevent victims from clicking on it and downloading the payload.

Figure 1: Email delivering Dropbox URL

Raccoon Stealer is a relatively new malware that first appeared on the market around April 2019. Due to Raccoon Stealer’s ease of use and range of capabilities that allow for quick monetization of infected users, it is becoming increasingly popular. Although not particularly advanced or subtle with its network activity and processes, the malware can quickly gather and exfiltrate data as well as download additional payloads.

Initial contact with the command and control center (C2) is made when the malware does an HTTP POST that includes the “bot ID” and “configuration ID”. The C2 location responds with a JSON object explicitly including C2 data and payload locations for libraries and additional files, as shown in Figure 2.

Figure 2: Configuration Data From C2

The payload URLs currently deliver a set of DLLs, as specified by the “attachment url” and “libraries” parameters, but future development could easily allow threat actors to use Racoon Stealer as a loader for other malware to generate additional income.

The use of several distinct delivery methods in a relatively short time, including via the Fallout Exploit Kit, may indicate increased usage by numerous threat actors as predicted in prior Cofense research. Given the variety of delivery options, Racoon Stealer could be a problem for organizations that focus too much on one infection vector.

Table 1: Indicators of Compromise

Description

Indicator

Dropbox URL

hXXp://www[.]dropbox[.]com/s/g6pz8dm4051rs0o/SCAN%20DOC[.]IMG?dl=1

Raccoon Stealer C2 Locations

34[.]89[.]185[.]248

hXXp://34[.]89[.]185[.]248/file_handler/file[.]php hXXp://34[.]89[.]185[.]248/gate/libs[.]zip hXXp://34[.]89[.]185[.]248/gate/log[.]php hXXp://34[.]89[.]185[.]248/gate/sqlite3[.]dll

Raccoon Stealer Hashes

SCAN DOC.exe             f7bcb18e5814db9fd51d0ab05f2d7ee9

SCAN DOC.IMG            0c8158e2a4267eea51e12b6890e68da8

HOW COFENSE CAN HELP

Cofense PhishMeTM Offers a simulation template, “Dropbox Wire Transfer – Raccoon Stealer,” to educate users on the phishing tactic described in today’s blog.

Cofense IntelligenceTM: ATR IDs 32407, 31881, 31977

Cofense TriageTM: PM_Intel_Raccoon_31881, PM_Intel_Raccoon_31977

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense CenterTM were reported by end users. 0% were stopped by technology. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence TM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Threat Actors Use Bogus Payment HTML File to Scoot Past Proofpoint Gateway

By Tej Tulachan

The Cofense Phishing Defense CenterTM (PDC) has prevented a phishing attack that attempts to steal users’ Office365 credentials by luring them with a fake payment order attachment. Hiding a malicious re-direct within a html file, threat actors bypassed the Proofpoint secure email gateway to try and steal users’ credentials.

Here’s how it works:

At first glance, the email appears to be a genuine communication originating from the accounts team of a relatively well-known company. The message body informs the recipient there is a payment order that requires processing. The message simply says, “Please find attached copies of our P.O#9000, dated 05/11/2019,” with the attachment to the email as a html file labelled “P.O#9000.” The email doesn’t specifically ask the user to open the attachment, however it does instruct the user to acknowledge receipt of the email. Any vigilant accountant would be inclined to check the contents of the bill as part of their workflow or processing procedures.

Malicious Attachment

If we take a deeper look into the source code of the html file, we can see that it only contains three lines of html code. The code takes advantage of the http-equiv attribute, used to trigger a page refresh of the user’s web browser and then load new content, which in this case is a URL to a phishing page. This happens almost instantly when the user opens the attachment.

Fig 2: Malicious URL

Phishing Page

Once the attachment is opened the user is redirected to the phishing page as seen below in fig.3. The malicious page attempts to disguise itself as a genuine Microsoft Online Excel document, which most users would expect to see if they are editing documents on SharePoint. In the background we can see a blurred-out Excel spreadsheet with an authentication box obscuring the file contents. The user’s email address is auto populated in the dialog box, which asks the user to authenticate with his or her password.

Fig 3: Phishing Page

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Quit Faking It—Train Your Users to Stop Real Phish

By Tonia Dudley

CofenseTM was the pioneer of phishing simulation as a training method to defend against phishing incidents. We’ve evolved our products and methodology as we understand that real phish are the real problem. What has also evolved over time is the depth of our scenario templates—when threat actors shift to use a new tactic to make their way past the secure email gateway (SEG), Cofense is able to quickly offer a scenario based on that tactic.

When we say, “Real phish are the real problem” we mean organizations should set their phishing defense strategy from end to end. This starts with how we provide simulation training, teaching users how to identify phish and react, and then how Security Operations teams mitigate the potential incident. Training against real phish, the ones your organization actually faces, is essential.

Let’s look at data to tell the story. It comes from our recently published Annual Phishing Report 2019. Looking at the data in Figure 1, which specifically related to “real phish,” we can see organizations that use templates based on real phishing emails (active threats) have far better results. Not only is the report rate higher, but we see the susceptibility rate also lower, ultimately affecting the overall resiliency rate.

Figure 1

When an organization has been running their program for a few years, they begin to wonder how much is enough and whether they should keep sending scenarios. We point to the phishing emails reported by our customers in our Cofense Phishing Defense CenterTM (PDC). More than 90% of emails reported came from environments that use a SEG. While the SEG is absolutely necessary to protect an organization, like any other defense it’s not infallible against threat actors who continually adjust their tactics to make their way into the inbox. This is why it’s vital to align your training scenarios to what gets past your SEG.

Taking another view, we see what happens with two common templates available for simulation campaigns. The first one is made to look similar to a social media message users might receive if they associate their work email with this site. You can see the click rate is fairly low. Are the threat actors really spending that much time making a phishing email look this fancy?

The second template looks very simplistic and our security awareness operator is less likely to select this template. It appears too basic, nobody would actually click the message, right? Yet, there is a much higher click rate on this template that mimics a real phishing message.

So are you preparing your organization to detect and report real phishing emails? Are you preparing them to defend against the actual messages that make it past your SEG? Our data shows that keeping it real makes a real difference.

View our report to learn other ways to double your resiliency to phishing.

 

HOW ELSE COFENSE CAN HELP

Most phishing threats observed by the Cofense Phishing Defense Center  bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Cofense Labs Has Identified a Sextortion Botnet in the Wild – and it’s Growing

By Tonia Dudley, Cofense Security Solutions

Every day, CofenseTM threat analysts and researchers monitor phishing and cyber security threats in the wild. In June of 2019, our researchers uncovered a sextortion botnet that contained a list of 200 million email addresses. Read the original announcement here.

That database has since grown to over 330 million email addresses.

We have also identified an increase in the number of unique web domains being targeted by the botnet. When we released our original findings, the database had close to 6 million unique domains. That total has grown to 7.4 million unique domains.

To be clear, this threat is not a breach of any Cofense data or systems. Rather, it’s a botnet that our research team discovered out in the wild. The botnet uses email addresses and credentials which we believe were acquired via a series of breaches over the past decade. Visit our info center for additional resources.

Fig. Sample containing text as images to deceive automated analysis

Cofense LabsTM has created a sextortion lookup tool to check impacted accounts and domains as well as a resource center with helpful tips on how to protect your organization and your personal accounts from falling victim to these types of threats as well as the steps you can take should you receive a sextortion scam.

Cofense Labs will continue to monitor the botnet and share updates on our Twitter handles @Cofense and @CofenseLabs.

HOW COFENSE SOLUTIONS CAN HELP

Reports of sextortion and other ransom scams to the Cofense Phishing Defense CenterTM are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains – do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

You’ve Been Served: UK Scammers Deliver ‘Predator the Thief’ Malware Via Subpoena

By Aaron Riley

Not even the halls of justice are immune from scammers. A new phishing campaign spoofing the UK Ministry of Justice has successfully targeted users with a subpoena-themed email delivering Predator the Thief, a publicly available information-stealing malware.

Cofense IntelligenceTM has observed employees in insurance and retail companies receiving these emails. The phishing email states that the recipient has been subpoenaed and is asked to click on a link to see more details about the case. The enclosed link uses trusted sources—namely Google Docs and Microsoft OneDrive—for the infection chain. The initial Google Docs link contains a redirect chain that eventually leads to a malicious macro-laden Microsoft Word file. The macro, upon execution, downloads the malware via PowerShell, which is a sample of the Predator the Thief information stealer.

The email body, shown in Figure 1 below, contains a warning that the recipient has 14 days to comply with the subpoena notice, a scare tactic designed to panic users into clicking. The link within the email leads to a Google Docs page and is benign, unlike the embedded URL within the Docs page that features a tailored redirection link pointing to a direct Microsoft OneDrive download. The Google Docs page is themed to fool a user into thinking the service is conducting security checks.


Figure 1: Sample Phishing Campaign Delivering Predator the Thief

Organizations defending against this multi-faceted threat have four options.

  • While a basic email security stack would likely misread the Google Docs URL as legitimate and allow the email to pass inspection—in fact, this campaign has passed through FireEye’s Secure Email Gateway (SEG) solution and may be overlooked by others—scanning the ensuing links at the network security level should reveal nefarious intent, at which point the security solutions should block further traversal.
  • Disabling Microsoft macros by default and monitoring PowerShell execution alongside educating users on the dangers of enabling macros is a safeguard against this threat.
  • Employing endpoint protection solutions that conduct memory analysis can spot the payload execution, thwarting an intrusion at the last step of the infection chain.
  • Having a highly tuned network security stack that monitors for exfiltrated data and suspicious HTTP POST packets can help spot an intrusion or block its exfiltration route.

Technical Findings

The email contains a link that leads to a trusted source, in which another link leads to yet another trusted source through a tailored redirecting URL in the middle. A macro-laden document is retrieved and used as a first stage downloader to execute a sample of Predator the Thief. The malware then infects the endpoint and attempts to exfiltrate sensitive data. At each step of this infection chain (outlined in Figure 2), correctly configured technology could have prevented successful execution, and a properly educated end user could have negated the entire scenario.


Figure 2: Infection Chain

Predator the Thief has all the basic capabilities of most information stealers. One of the unique things about this malware is its range of web browsers targeted, meaning a less popular web browser may still be affected. The authors disseminate their product via a Telegram channel that is also used as a customer support channel. Although Predator the Thief claims to have Anti-VM capabilities, older versions can be easily detected by automated AV scanning. A newer version can be quickly spotted in a sandbox once the binary has unpacked itself into memory. The execution of the binary on the endpoint is an additional focal point for defense within the endpoint protection program or product.

Predator the Thief targets cryptocurrency wallets, browser information, FTP, and email credentials. It can also take a screenshot of the infected machine. The information is stored in a file named “information.log” and sent to the Command and Control (C2) server via an HTTP POST to a network endpoint “gate.get” by default. The data in this file contains machine and user fingerprint data, stolen credentials, and network configurations. Once the information is gathered and the sample has successfully exfiltrated the data to the C2, the binary then cleans up parts of the infection and self-terminates. This infection clean-up process makes it much harder for endpoint forensic investigations that do not leverage verbose event logs and an endpoint detection system.

Indicators of Compromise

IOC Appendix Description
PM_Intel_PredatorThief_31571 Cofense Intelligence YARA Rule
hxxp://comrade696[.]xyz/api/gate[.]get C2 Network Endpoint
hxxp://bit[.]do/fcMEx “Legitimate” URL Shortener Service For Payload
hxxp://193[.]0[.]178[.]46/m2Dj5W Tailored Redirector
31[.]184[.]196[.]176 Macro Payload Host
comrade696[.]xyz C2 Address
hxxp://comrade696[.]xyz/api/check[.]get C2 Network Endpoint
hxxp://31[.]184[.]196[.]176/file8[.]exe Predator the Thief Payload
193[.]0[.]178[.]46 Tailored Redirector
hxxps://de5qqw[.]sn[.]files[.]1drv[.]com/details[.]doc Microsoft OneDrive Direct Word Document Download
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vR2ShicgBwEhJsMeJF-ho3xmeGvs4h3lpp33DGuVYXa0J7nDHSayHNnUqAuy8RgE1V6DN3rgEamM_l6/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vTJwmMgl4cycKB1H3DLqE6hO7hBtIZV_R8vetvNk2hoHNvQrOQu6guqESe4ongHOe2qeuZl_hcwtpFi/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vSC7TE8Jw2rj5mFmdo7SNhhVhYI5_chETx0Um8phyExpH2ok1_BYqbFBCmvu5SNE8USRHFQxAAdSUbe/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vRHdNziiJLKswksr50gCvUFKGZPoB7aJ2X_u09dUvpXauv5zqPi6BRxmNlhpdQ3VoJnyDd-7UWe0eq4/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vTDBKHYpJMHsTmAPu8Q3q41G3Sfq0398Mwe1bUth_4gbi9Q9X1uvjJ8Qpt1jfiDjkOvlrV3EGbn4pIH/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vQYPpaggmpXxbXvzYbcuCFnVbVGFiprq8WT3U0cackWI9z6ECOKGQ75Zxi38IIAcR6U2mWRN-I91RJs/pub Google Docs Lure
hxxps://www[.]google[.]com/url?q=hxxp://193[.]0[.]178[.]46/m2Dj5W&sa=D&ust=1572032929507000 Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vSpWb2Y8awd5BhJGCiiscMOhddh3Pf53q_E76aMV-H4L1Sy50O8V7wXJG8lLILi_woj35v22P2o0GZo/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vSw-6rt5QaRo630a6nWVkraLUHH1HLP23pfkdYYxe3NS73ITrhzme_r_K0h67RQjrUjYgrVPDDNt9Yn/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vTMEq8o1xfYAGRQqTnV_YP4IpoYFLRV0x3yagV4J8TC2vPAevx5y6UobCv9Oa9d1W-KzWbintL_fj2w/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vRJh78bDJcfBuwt_yV7nhNRuboEHUyfET1yhta2B-_toyEPBl7OwADQHm9t28gfVQymkltq69smXgYw/pub Google Docs Lure
hxxp://docs[.]google[.]com/document/d/e/2PACX-1vRZG0aGBmvWRzXhT-a68tBJcy1PSPA4blZ51daX_-OqtXwj-GeuEp-0RBbhazOBKi_Z2bE1AO8ejfTP/pub Google Docs Lure

 

HOW COFENSE CAN HELP

The Cofense Phishing Defense CenterTM finds that 89% of phishing threats that deliver malware have bypassed email gateways. Condition users to be resilient to phishing with Cofense PhishMeTM and remove the blind spot with Cofense Reporter TM. Cofense PhishMe offers a simulation template, “UK Ministry of Justice Subpoena – Office Macro”,” to educate users on the campaign described in today’s blog.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Cofense Teams Up with AwareGO to Expand Security Awareness Training

LEESBURG, Va. – Nov. 5, 2019 – CofenseTM, the global leader in intelligent phishing defense solutions, and AwareGO (awarego.com), creators of succinct, high-quality security awareness training videos, today announced their partnership to empower organizations across the globe to tackle today’s top security issues head-on. Cofense’s security awareness training library now includes AwareGO’s security awareness videos covering critical topics facing today’s employees such as business email compromise, privacy, and insider threats.

Fifteen modules are currently available to customers of Cofense’s PhishMe solution. Since releasing Cofense CBFree as part of National Cybersecurity Awareness Month (#BeCyberSmart) in October 2015, Cofense has recognized that creative, accurate content and training materials are important to security awareness professionals to keep their programs engaging and interesting to maximize success with employees.

“Our goal has always been to create high-quality security awareness training videos that users can relate to,” says Ragnar Sigurdsson, CEO and founder, AwareGO. “We are truly excited to work with Cofense and provide them with our content. Not only are we collaborating to make cyber security training better and more engaging, it’s also an effort to make businesses more cyber secure in the long run. It’s an honor to work with Cofense and we see it as an affirmation to the quality of our videos that they chose to work with us.”

“All organizations must educate their employees about cyber security risks,” said Allan Carey, vice president of business development, Cofense. “That’s why we’re proud to partner with AwareGO to bolster the fresh, engaging and relevant training content available to customers and their employees. Effective employee education, training and behavioral conditioning is a critical element of a robust cyber defense strategy, allowing organizations to enhance their resiliency to attacks.”

###

About AwareGO
Made in Iceland by cyber security experts, AwareGO offers world’s simplest security awareness training (SAT) platform and a unique and innovative way to reach a diverse audience with super-short videos. AwareGO has mastered the formula to get end users to buy into cyber security education.

 

About Cofense
CofenseTM, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions worldwide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

 

AwareGO Media Contact
Neil Butchart
neil.butchart@awarego.com

 

Cofense Media Contact
press@cofense.com

New Credential Phish Targets Employees with Salary Increase Scam

By Milo Salvia, Cofense Phishing Defense CenterTM

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by preying on employees who are expecting salary increases.

The threat actors use a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spread sheet. Here’s how it works:

Email Body

Figure 1: Email Body

The threat actor attempts to make the email appear to come from the target company by manipulating the “from” field in the headers. In particular, the threat actor changes the part of the from field that dictates the “nickname” displayed in the mail client to make it appear as if it originated within the company.

The email body is simple: recipients see the company name in bold at the top of the page. Greeted by only their first names, they are informed that “As already announced, The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November.” Recipients are then presented with what appears to be a hosted Excel document called “salary-increase-sheet-November-2019.xls.”

It is not uncommon, of course, for companies to increase salaries throughout the year. As a result, it wouldn’t be uncommon for an email like this to appear in an employee’s mailbox. Human curiosity compels users to click the embedded link.

The idea is to make recipients believe they are being linked to a document hosted on SharePoint. However, they are being linked to an external website hosted on hxxps://salary365[.]web[.]app/#/auth-pass-form/. One can assume from the context of this malicious URL that it was specifically chosen and hosted for this phishing attempt.

Figure 2: Phishing Pages

Once users click on the link, they are presented with a common imitation of the Microsoft Office365 login page. The recipient email address is appended to the end of the URL that automatically populates the email box within the form, leaving just the password field blank to be submitted by the recipient. This adds a sense of legitimacy to the campaign, allowing the recipient to believe this comes from their own company.

HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a simulation template, “Salary Increase,” to educate users on the phishing tactic described in today’s blog.

Cofense IntelligenceTM: ATR ID 31510

Cofense TriageTM: YARA rule PM_Intel_CredPhish_31510

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM. Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Cofense Releases Annual Phishing Report; Flips Myth that Employees Are the Weakest Link in Cyber Defense

Record-breaking 20 million active phishing Reporters and 100+ million phishing simulations inform extensive study

Simulation frequency, relevance and employee reporting form resiliency trifecta

Leesburg, Va. – Oct. 30, 2019 – Armed with data generated by millions of real people, along with intelligence collected from more than 10 million phishing simulations delivered every month, the 2019 CofenseTM Annual Phishing Report, released today, sheds a light on employees’ susceptibility to fall for attacks and organizations’ phishing resiliency – a measure that tracks behavioral change from clicking phishing emails to active defense through reporting. Contrary to popular belief, employees are a powerful force that play a pivotal role in an enterprise’s phishing defense strategy. In fact, when properly conditioned to recognize and report attacks through regular and relevant phishing simulations, organizations are more likely to successfully defend against attacks designed to compromise customer information, steal intellectual property or destroy company data and IT infrastructure.

Cofense, the global leader in intelligent phishing defense solutions, has equipped more than twenty million people in organizations across the globe to report suspicious emails through Cofense ReporterTM, an easy to use, one-click email toolbar button.

“Security practitioners need to repudiate the common misconception that end users are the weakest link in organizational defense,” said Aaron Higbee, cofounder and chief technology officer, Cofense. “In fact, employees are the last and ultimate line of defense. With more than twenty million people across the globe empowered to flag potential attacks through Reporter, Cofense is helping thousands of organizations turn their workforce into highly tuned human sensors adept at reporting suspicious emails that frequently bypass security technologies.”

The research reveals three distinct best practices help organizations strengthen their resiliency and empower their users to become active defenders against attacks:

  1. Reporting: Organizations that arm their workforce with a straightforward and easy way to report suspicious emails exhibit strong phishing resiliency rates; in simulation exercises, their end users report phishing emails more than twice as often as they fall for the bait.
  2. Frequency: Regular phishing simulations significantly improve reporting rates and drive down users’ susceptibility to fall for phishing attacks. Organizations that run 12 or more simulations per year have twice as higher resiliency rates compared to those running fewer than 12.
  3. Relevance: Simulations that imitate real phish seen in the wild lead to markedly higher reporting rates and lower susceptibility rates amongst end users compared to organizations that randomly select phishing scenarios.

The ultimate pay-off of high organizational resiliency materializes when SOCs transform reported emails they receive into actionable intelligence. When well-positioned to prioritize and analyze employee-reported emails, SOCs can quickly and efficiently cut through the noise and neutralize a threat in minutes.

Report Available Now

To download the Cofense Annual Phishing Report, visit: http://phish.me/4zMY30pNtFt. Additionally, Cofense will also host a free webinar on November 12, 2019 at 2:00 p.m. EST.

About Cofense

CofenseTM, formerly PhishMe®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence sourced from employees, with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, health care and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact

press@cofense.com

Are URL Scanning Services Accurate for Phishing Analysis?

By Chris Hall, Professional Services

There are plenty of websites offering URL scanning for malicious links. Their tools are a quick and easy way to analyze a URL without visiting the site in a sandboxed environment. Widely used, these tools are accurate to a point.

But in today’s phishing landscape, where attacks are increasingly sophisticated, such tools are becoming less and less reliable. We in the Cofense Phishing Defense CenterTM (PDC) believe they are ineffective against more advanced phishing websites.

Phishing Sites Are Using Redirect Methods to Avoid Detection

Let start with this example:

An attacker can easily set up a new domain and host a phishing site with a legit SSL certificate from most established certificate authorities for free. The attacker then can configure the server or webpage to redirect all connections that are not from the organization’s IP to an external safe site such as google.com.

If a security analyst then submits the URL to a third-party lookup tool, for example VirusTotal, the tool will only detect the site google.com and not the actual phishing site. At this point, the analyst can submit the URL to another URL scanning tool, but the results will all come back the same.

In the Cofense PDC, we are seeing an increase of phishing sites that are using redirect methods to avoid detection from URL scanners and unaware security analysts.

Here is another example with browser detection phishing websites:

This phishing link below redirected users depending on which browser they used.  If users use Firefox as their default browser, they will get the actual payload, while a Chrome default browser will get a redirect to MSN.

Figure 1: Original Phishing Email

When recipients click the ‘Open Notification’ link in the email message above, they are directed to the website below.

URL: hxxp://web-mobile-mail.inboxinboxqjua[.]host/midspaces/pseudo-canadian.html?minor=nailer-[recipient’s Email Address]

When someone clicks the URL, the experience can vary depending on the default browser, Firefox vs. Chrome.

The real phish site using Firefox:

Figure 2: Actual Phishing Site

Using Chrome:

Figure 3: Redirected Site

Regardless of the user’s geolocation, the URL redirect will go to the UK page. URL: https://www.msn.com/en-gb/news/uknews

Now let’s put the same URL in a popular URL scanner and see the results:

Figure 4: Virus Total Results of the Reported URL

The search results show that one of the vendors has detected the phishing site as malware. However, this is not the case.  Let’s look at the Details tab.

Figure 5: VirusTotal Details of the Reported URL

In the results it states that the final URL is to msn.com. We still do not know what the actual phishing site looks like, what the site is doing, or even if the phishing site is active at all.

There’s a Better Way to Check for Malicious Links

Organizations must ask if these URL scanners are providing enough information to analysts so they can complete their investigations.  Is the scanner testing the suspicious link with multiple user agents or querying the site with different source IP addresses?  While the URL scanning services are useful, they lack the basic dynamic analysis that most analysts will perform on a malicious website.

What if I told you that it is quick, easy, and more accurate by far to analyze URL based phishing attacks manually, using various tools such as User-agent switcher or with a VPN and proxy servers while in a dedicated virtual machine? Remember that if a phishing email bypassed those same scanners to reach your users’ inboxes, it’s an undiscovered phishing attack and will require human analysis.

To better equip your analysts, we came up with a list that your security team can use to detect these types of attacks.

  1. Create an isolated proxy server that can reach out to the phishing site without restrictions.

– If your company has locations in different countries, use additional proxy servers in those countries or use proxy services like Tor or a third-party VPN service.

– Acquiring a VPN service with multiple locations is another option.

– Create a “dirty” network to browse malicious sites that can also be used to analyze malware samples.

 

  1. Create a VM for URL analysis.

– This VM should be isolated from the organization’s network.

– VMs such as Remnux will have tools built-in to assist in URL and file analysis.

 

  1. Use Firefox for visiting the site

– Based on the vast amounts of customization, Firefox may be the best browser suited to URL analysis

– Add-ons such as User-agent switcher, FoxyProxy, and HTTP Header Live are essential.

– You can also use the browser’s developer tools to track requests, detect redirects, and alter elements on the page.

URL scanning services are useful to a point. These tools will alert you to some suspicious URLs, but often lack the details need for escalations and blocking the threat. More often than not, the tools will be a point of failure for your organization’s security due to the high amount of risk they introduce. So take a couple of minutes to look at that suspicious URL in a safe environment and see what it really does. It may save you lots of money and time cleaning up an incident.

 

HOW COFENSE SOLUTIONS CAN HELP

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM

90% of phishing threats observed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.