Cofense Secures Additional Investment from Funds Managed by BlackRock

Company Reaffirms Commitment to Deliver Reliable Phishing Technology and Awareness Training to the Global Market

Leesburg, VA Cofense™, the global leader in intelligent phishing defense solutions, today announced that funds managed by BlackRock Private Equity Partners have taken an additional ownership position in Cofense, having acquired the equity of former investor Pamplona. Cofense is pleased to expand the partnership, initially inked in 2018, which will continue to support the company’s mission to help organizations stop phishing attacks in their tracks.  Private Equity Partners is BlackRock’s fund of private equity funds platform that sources and evaluates the full spectrum of private markets investing, including partnerships, direct co-investments, and secondary transactions.

“We met with dozens of world-class financial institutions who were keen to invest. We’re delighted that BlackRock was the winning bidder, as they are familiar with our business and already have a strong relationship with Cofense,” said Rohyt Belani, Co-Founder and CEO, Cofense. “BlackRock’s expanded investment is a direct reflection of their confidence in our company and the growing market opportunity. Cofense has a history of successfully uncovering and reporting threats from all corners of the globe, but we are particularly proud of our track record for taking all possible measures to protect our customers, partners and prospects from phishing attacks.”

In the previous 12 months, Cofense has accelerated its efforts to bring reliable, best-in-class phishing defense solutions to the global market, and as a result the fourth quarter (2018) and first quarter (2019) were the two most successful in company history. The company has close to 2,000 enterprise clients in over 150 countries, representing every major vertical from energy, financial, healthcare to manufacturing and high-technology. Since July 2018, Cofense has expanded its product suite to deliver turnkey solutions for employee education and awareness to phishing response. The company will continue investing in R&D to provide their customers with peak phishing protection across the organization.

In addition to technical accolades, including being positioned as a Leader in the Gartner Magic Quadrant for Security Awareness Computer-Based Training for the fourth consecutive year, Cofense has been recognized for its culture and team leadership. The company was named a 2018 Best Place to Work by the Washington Post and Washington Business Journal and included on the Inc. 5000 list of fastest growing companies. Most notably, Cofense has been honored multiple times in 2019 for raising the standards of excellent customer service, as a finalist for the 2019 SC Awards and HDI Team Awards, and as a winner of the ISPG Global Excellence Awards. The company also successfully completed a Service Organization Controls (SOC) 2 Type II examination for Cofense PhishMe™ and Hosted Cofense Triage™.

About Cofense
Cofense™, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact
press@cofense.com

Cofense and CNA Strengthen Security Awareness Within Cyber Insurance Industry

Leesburg, Va. – August 15, 2019 –Cofense™, the global leader in intelligent phishing defense solutions, announced its strategic relationship with CNA, one of the largest commercial property and casualty insurance companies in the United States. Cofense will provide security awareness training as part of CNA CyberPrep, the latest addition to CNA’s suite of cyber liability insurance products designed to help companies take a holistic approach to cyber threats.

Phishing attacks remain the top attack risk facing organizations. As a result, educating and training employees is a critical part of a robust cybersecurity platform. CNA policyholders can take advantage of Cofense’s world-class, human-driven training tools to include a fully functional-learning management system and more than 20 cyber-related computer-based training modules. Cofense’s Learning Management System (LMS) helps administrators manage content and ongoing education about cyber security risks, meanwhile the company’s Computer Based Training (CBT) educates users on today’s biggest threats with interactive modules. This two-pronged approach empowers users to input their own lessons and manage Cofense and non-Cofense learning materials all in the same place.

CNA policyholders will get access to all Cofense solutions at a preferred rate, and will be eligible for a Cofense Managed Phishing Assessment to provide a benchmark of their current phishing risk and resiliency. This assessment helps companies to improve their threat identification, mitigation and response operations.

“Our relationship with CNA brings together multiple types of risk management services. We are helping to create a comprehensive solution for businesses to remain prepared and competitive,” said Rohyt Belani, CEO and Co-Founder of Cofense. “Working together seamlessly with the other components of CNA CyberPrep, we are confident that our security awareness solutions can help CNA’s policyholders fight phishing threats.”

“In today’s technology-driven world, it is clear that cyber threats represent a critical and growing risk,” said Brian Robb, Underwriting Director and Cyber Industry Leader, CNA. “Businesses must stay ahead of emerging cyber risks and the security threats they pose, and we want to make sure CNA policyholders have access to the best services and technology available. Cofense is an industry leader in phishing defense solutions and security awareness training, which will deliver great value to our policyholders.”

About Cofense

CofenseTM, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact

press@cofense.com

 

This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials

By Tej Tulachan

The Cofense Phishing Defense CenterTM has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works.

Email Body

At first glance, the email body looks well-presented with the correct DocuSign logo and its content. However, there is something suspicious within the first line of the message—the absence of the recipient’s name, just “Good day.” If we look deeper into the message body, we can see that there is an embedded hyperlink which directs to hxxps://ori8aspzxoas[.]appspot[.]com/gfi8we/

Figure.1

Email Header

From the email header we can see that the threat source originates from the domain narndeo-tech[.]com. Further investigation reveals it belongs to Hetzner Online GmbH which is a well-known hosting company based in Germany. We noted that there is no sign of proof this came from a genuine DocuSign domain.

From: Lxxxx Mxxx <xxxxxx22@narndeo-tech[.]com>

To: R______ L_______ <unsuspecting.victim@example.com>

Message-ID: <20190716055127.3AEBF4689BD125B3[@]narndeo-tech[.]com>

Subject: New Docu-Sign

X-Env-Sender: lesliemason22[@]narndeo-tech[.]com

Phishing Page

When users click on the embedded link, it redirects to a phishing page as shown below in figure 2. Here the attacker gives six separate options for users to enter their credentials to access the DocuSign document, increasing the likelihood this phisher gets a bite.

Figure.2

Once the user clicks on the given option, it redirects to the main phishing page as shown below in three versions, Office 365, Gmail, and iCloud.

Figure.3

Email Gateway: This threat was found in an environment running Symantec EmailSecurity.Cloud.

Conclusion:  

IOC

hxxps://ori8aspzxoas[.]appspot[.]com/gfi8we/

108[.]177[.]111[.]153

Recommendation:

Cofense™ cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails that instruct users to provide their credentials. If your organization uses DocuSign as part of its business processes, remind users how they should expect legitimate notifications according to your internal standards. Cofense PhishMe™ customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails.  A simulation template is available as “Completed Document,” which is based on a real phishing campaign. We also have existing newsletter (Announcement) content available to send to your users.

Reference: https://www.docusign.com/sites/default/files/Combating_Phishing_WP_05082017.pdf

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense CenterTM are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.

Over 91% of credential harvesting attacks bypassed secure email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user-reported emails into actionable intelligence with Cofense TriageTM.

Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than  Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Labs Publishes Database of Over 200 Million Compromised Accounts Targeted by Sextortion Email Campaigns

Leesburg, Va. – August 5, 2019 – CofenseTM, the global leader in intelligent phishing defense solutions, today published a database of over 200 million compromised accounts being targeted by a large sextortion scam to ensure potential victims and their employers can address the threat of sextortion and prevent lost wages and productivity. Cofense Labs, the newly formalized research and development arm of Cofense, discovered a “for rent” botnet in June 2019 used primarily to send sextortion emails. The research team is monitoring the botnet’s activity on a daily basis to observe changes in the malware it is spreading as well as tracking new email addresses being targeted for sextortion phishing emails.

Sextortion is an email-based scam that relies on emotion-driven motivators such as fear and urgency to extort a ransom payment in return for the scammer’s commitment not to leak sensitive information. The method has become an increasingly pervasive threat, with Cofense Labs analysing over 7 million email addresses impacted by sextortion in the first half of 2019 alone. Cofense also assessed that more than $1.5M in payments were made to bitcoin wallets associated with sextortion campaigns this year. Poor password hygiene, including infrequent changes and reuse across multiple sites, add further credibility to sextortion threats being made.

“This botnet is not infecting computers to acquire new data sets – it is a true “spray and pray” attack reusing credentials culled from past data breaches to fuel legitimacy and panic through sextortion scams,” said Aaron Higbee, Cofense Co-Founder and CTO. “If your email address is found in a target list used by the botnet, it’s highly likely you will receive a sextortion email – if you haven’t already. We felt it was critical to get this information out. We hope that victims receiving a sextortion email will find our resource center so they can avoid the anxiety and stress of trying to figure out whether to pay a bitcoin ransom.”

Data breaches continue to headline the news, and as a result, massive sets of email addresses and passwords are making their way to the criminal corners of the internet. Cofense Labs’ research indicates that the hackers behind this sextortion campaign are recycling old email addresses and passwords – dating back at least 10 years – for new monetization purposes.

“Cofense Labs advises that owners of emails included in the database should change any passwords for accounts associated with that address. And most importantly, if a sextortion email is received, we do not recommend responding to the email or paying the ransom,” added Higbee. “The release of this sextortion database is just one example of the pioneering work Cofense Labs is conducting. Our team is committed to expanding visibility into the evolving phishing threat landscape and sharing tools, techniques, and insight with the security community.”

There are several actions consumers and organizations can take to prevent sextortion and deal with the threat, including: employing a password manager to keep passwords strong and unique; enabling two-factor authentication whenever this is an option for online accounts; and covering all computer cameras. To view the full database provided by Cofense Labs, as well as a guide for employers and employees, click here.

The mission of Cofense Labs is to provide leading edge, innovative research and subject matter expertise to address real-world cyber security challenges. The research and development team’s insights aim to provide actionable intelligence to assist with proactive defense. Where appropriate, Cofense Labs will make the output of its research freely available to encourage and enable collaborative defense. Projects will be made available at cofenselabs.com.

About Cofense

CofenseTM, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact

press@cofense.com

 

Cofense Named a Leader in the 2019 Gartner Magic Quadrant for Security Awareness Computer-Based Training for the Fourth Consecutive Year*

Company continues to positively impact employee behavior with effective solutions for phishing protection.

Leesburg, Va. – July 31, 2019 – Cofense™, the global leader in intelligent phishing defense solutions, today announced their position in the Leaders quadrant of the 2019 Gartner Magic Quadrant for Security Awareness Computer-Based Training*. This is the fourth consecutive year that Cofense has achieved this position. Cofense believes being positioned as a leader in the quadrant is a testament to the company’s continued ability to deliver innovative solutions backed by superior customer experience.

“We are proud to be designated a leader in Gartner’s Security Awareness Computer-Based Training report,” said Rohyt Belani, CEO, Cofense. “We feel this industry recognition validates and reinforces that Cofense solutions, especially Cofense PhishMe™, offer the enterprise an effective security awareness solution that positively impacts employee behavior.”

Cofense provides a turnkey phishing defense solution that helps our customers leverage their conditioned employees to rapidly identify phishing attacks bypassing their email gateways and most importantly, give the security operations teams the products to streamline the detection and response cycle that ensues. In essence, Cofense customers are able to operationalize the training provided by Cofense PhishMe to demonstrably stop phishing attacks in their tracks.

Despite billions of dollars invested in perimeter controls, 90% of the emails reported with Cofense have bypassed at least one secure email gateway. In June, the company released its 2019 Phishing Threats and Malware Review which highlights the latest evolutions to threat actor campaigns and enhanced capacity for malware to evade perimeter controls and penetrate user inboxes. The trends further emphasize the need for all organizations to focus more on embracing the human element of cyber security.

In addition to Cofense receiving recognition for Security Education, Incident Response, Cyber Threat Intelligence and Managed Security Service in the Cyber Security Excellence Awards, the company has also received customer recognition and was also named a January 2019 Gartner Peer Insights Customers Choice for Security Awareness Computer-based Training Software.

To connect with the Cofense team at Black Hat USA in Las Vegas from August 6-8, please click here.

*Gartner Magic Quadrant for Security Awareness Computer-Based Training, Joanna Huisman, 18 July 2019. Cofense previously positioned as PhishMe.
Gartner Disclaimers
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

 

About Cofense
Cofense™, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact
press@cofense.com

Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

By Karen Kokiko

The holy grail of phishing defense is now within your grasp. Cofense VisionTM now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response.

Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here.

Fast and Flexible Searching

Traditional email search and quarantine tools are slow and inflexible, offering limited search scope like ‘Sender’ and ‘Subject.’ It’s difficult to find the entire attack fast enough and account for the way tactics, techniques, and procedures morph.

The Cofense Vision user interface allows SOC analysts to search by combinations of fields, grouping emails together by selected criteria. You can search for recipients, senders, MIME type, attachments, a specific time, and more, essentially creating your own cluster. Then quarantine one or hundreds of malicious emails with a simple click. If you later determine that emails are harmless, you can “un-quarantine” them just as easily.

Built for Companies of All Sizes

The new Cofense Vision UI supports smaller customers who don’t have engineering teams or power users to write scripts and code. You can simply search natively and quarantine quickly. An hour after installation, analysts are ready to defend.

For example, an end-user at a small business sends a suspicious email to IT for investigation. IT determines it is malicious and wants to find out if anyone else received it. With the new Cofense Vision UI, they can search on key criteria found in the malicious email to determine if more than one instance of the message is in their environment, then quarantine it in seconds.

If your company is larger, the interface improves the experience of power users and operators who are writing scripts or otherwise programmatically interacting with Cofense Vision. Proactive analysts, those with some information about where and how the bad guys are likely to attack, can use the UI to identify and quarantine malicious actors before any damage is done. SOC analysts can write rules to look for signs of malicious activity, searching criteria such as To, From, Subject, Attachment Hash, and the content of the message.

All of this shortens “dwell time” and the amount of damage an attacker can cause in your email environment. According to a SANS Institute survey, 75 percent of respondents say they reduced their attack surface by through more threat hunting. Fifty-nine percent believed that threat-hunting enhanced the speed and accuracy of their company’s incident response.1

The new Cofense Vision UI makes threat-hunting faster, easier, and more effective. Learn more or sign up for a demo now!

More Ways Cofense Can Help

90% of phishing threats observed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Then reduce exposure time by rapidly quarantining threats with Cofense Vision.

Be proactive against evolving phishing threats. Easily consume high-fidelity phishing-specific threat intelligence to defend your organisation with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threat than Cofense. Understand the current phishing threat – read the 2019 Phishing Threat & Malware Review.

 

1SANS Institute, “2018 Threat Hunting Survey”: https://www.sans.org/media/analyst-program/Multi-Sponsor-Survey-2018-Threat-Hunting-Survey.pdf

  

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways

By Jake Longden

The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work.

Email Body:

The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them. The attackers utilise what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel straight through security checks at the gateway.

WeTransfer allows for the addition of a note to the email to clarify why the file was sent. Here, the threat actor will often write a note stating that the file is an invoice to be reviewed. This is a commonly observed phishing technique to pique the user’s interest.

Fig 1. Email body

Phishing Page:

When the user clicks on the “Get your files” button in the message body, the user is redirected to the WeTransfer download page where a HTM or HTML file is hosted and thus downloaded by the unsuspecting victim. When the user opens the .html file, he or she is redirected to the main phishing page.

Fig 2. WeTransfer Hosted file

In the final stage of the attack, victims are asked to enter their Office365 credentials to login. More often than not, we see a Microsoft Service being targeted, however we have observed other targeted brands.

Fig 3. Phishing Page

Gateway Evasion

As WeTransfer is a well-known and trusted file hosting system, used to share files too large to attach to an email, these links will typically bypass gateways as benign emails, unless settings are modified to restrict access to such file sharing sites. The PDC has observed this attack method to bypass multiple gateways. These include ProofPoint, Office365 Safe Links,  and Symantec.

Useful Resources for Customers

Description
Triage Yara rule: PM_WeTransfer_File_Download
PhishMe Templates: “File Transfer”
Cofense Intelligence: https://www.threathq.com/p42/search/default#m=26412&type=renderThreat 


Other Ways Cofense Can Help

The Cofense Phishing Defense Center identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM.  Our solution offers a phishing simulation to protect against file-transfer attacks like the one described in this blog.

According to the Cofense Phishing Defense Center, over 91% of the credential harvesting attacks they identify bypassed email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understand, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Ransomware: A Mid-Year Summary

By Alan Rainer

Recently, ransomware has given off the appearance of widespread destruction and rampant use. 2019 alone has seen headlines such as “Florida City Agrees to Pay Hackers $600,000” and “Baltimore City Operations Impaired by Cyber Criminals.” Yet, despite the resurgence of large-impact headlines, phishing campaigns have delivered less ransomware overall since 2016, per Cofense analytics. The decline in Ransomware-as-a-Service (RaaS) operations demonstrates an impact on threat actor ransomware activity. Attackers find that emerging protection technology, improved law enforcement tracking of cryptocurrency payments, systems patching, and costly infrastructure upkeep all pose a deterrent to broad-spectrum targeting.

Ransomware Is Down Holistically, But Targeted Infections Are Up

Threat actors find that targeted ransomware attacks against high-value victims can be accomplished with greater efficiency, enabled by other malware families such as Emotet/Geodo. These secondary malware families provide an effective attack vector that increases the success of phishing attempts and targeted ransomware campaigns. Emotet—an email-borne Trojan which actors use to install other nefarious tools—has gone offline with no activity since June 2019. If the Trojan were to resurface, we assess that threat actors could rather easily carry out more email ransomware attacks on a broader scope. Without the efficiency provided by Emotet or even a Ransomware-as-a-Service such as GandCrab (which has supposedly shut down permanently), targeted infections continue to be the more lucrative option for ransomware operators.

Recent headlines have drawn attention to exceptionally costly targeted ransomware attacks against local US governments, healthcare services, and the transportation sector. Also spurring great debate: cyber insurance companies are recommending payment of ransom and are directly contributing to those payments as part of their insurance coverage. Taking this into account— along with the hefty price tags associated with the recovery costs of cities who have not elected to pay the ransom, such as Atlanta and Baltimore—Cofense Intelligence™ assesses this could lead to an uptick in ransom payments and further embolden an increase in targeted ransomware campaigns.

Only last week, the cyber insurer of La Porte County in Indiana contributed $100,000 toward an equivalent of $130,000-valued Bitcoin demand. The firm advised La Porte County to pay the threat actors, who infected local networks using the Ryuk ransomware. Similar stories have emerged across the United States. What remains to be seen is how effective recovery is following payment. Often, decryption is not as immediate or successful as ransomware operators would have their victims believe.

Will Cyber Insurance Create New Targets?

It makes sense that organizations seek indemnity to protect their financial portfolios. But while everyday scams or fraud occur in a traditional insurance setting, cyber criminals may look to specifically target insured organizations for a guaranteed return in the future. Cyber insurance companies known to pay out ransom could present a surefire target for actors.

Regardless of targeting potential, all organizations should engage in appropriate planning and preparation with defense technology and user awareness. Threat intelligence will help to ensure that your organization’s defense is as proactive as possible. Educating and enabling your users to identify and report phishing messages ensures preparedness at every line of defense. As an industry leader in phishing defense solutions, CofenseTM provides security professionals with tools and skills to combat email-borne threats, so that you can defend against even those threats that bypass your perimeter technologies and reach user inboxes. Only by stepping up our collective defense will we reduce the efficacy and proliferation of ransomware campaigns for good.

More Ways Cofense Can Help

Cofense IntelligenceTM processes and analyzes millions of emails and malware samples each day, providing a view of emerging phishing and malware threats.

The Cofense Phishing Defense CenterTM identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

Condition end users to be resilient to ransomware and other attacks with Cofense PhishMeTM.  It includes a variety of ransomware templates to help users recognize the threat. Empower users to report phishing emails with one click using Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understanding, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Phishing Attacks on High Street Target Major Retailer

By Jake Longden

The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scamsi; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year.

With the goal of stealing your store credit card and login information, here’s how it works:

All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Fig 1. Email Body

Email Body:

The message itself follows a standard phishing template to inform the user that their account has been restricted and that user sign in is required for verification. The use of bad grammar and typos are a dead giveaway that this email communication is not genuine.

Message body in plain text:

In reviewing the body of the email, we see the hyperlink for “Sign into your account” which directs the potential victim to: hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/

The attacker repeatedly used the string of the legitimate Argos site in the URL, both as part of the subdomains, and as a subdirectory. This was an attempt to mask the true source, and to lure the victim into trusting the legitimacy of the website.

Upon examination, we see that the link is wrapped by a URL filtering service.

href="hxxps://clicktime[.]symantec[.]com/3AuyExDNpRSjkQbgT2gXygH6H2?u=hxxps://www[.]argos[.]co[.]uk[.]theninja[.]gknu[.]com/www[.]argos[.]co[.]uk/account-login/" target="_blank" rel="noopener"><span class="ox-dad7652f0e-m_609589041267919212link-blue ox-dad7652f0e-m_609589041267919212MsoHyperlink ox-dad7652f0e-m_609589041267919212MsoHyperlinkFollowed">SIGN
INTO YOUR ACCOUNT

Fig 2. Email Body in Plain Text

 

Email Headers:

Analysis of the headers indicates that the “from” address is spoofed; the “reply to” field contains the address ‘no-reply[@]creativenepal[.]org’, which does not match ‘no-replays[@]multitravel.wisata-islam[.]com’.

Research on the ‘multitravel.wisata-islam’ domain failed to produce relevant data and reinforces the suspicion that the address is spoofed. At the time of analysis, we were unable to resolve an IP address, or load the domain.

From: <no-replays[@]multitravel[.]wisata-islam[.]com>
To: <xxxx.xxxxxx@xxxxxx.com>
Subject: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make sure
 you complete the form correctly.
Thread-Topic: [WARNING SUSPECTED SPAM]  [WARNING SUSPECTED SPAM]  Please make
 sure you complete the form correctly.
Thread-Index: AQHVIXUk7CjiCOKjHEyntcvh4etMFg==
Date: Wed, 12 Jun 2019 23:18:17 +0000
Message-ID: <7d885f411da93272271ec8ad32e5064b@localhost.localdomain>
Reply-To: <“:no-reply”[@]creativenepal[.]org>

Fig 3. Email Headers

Phishing Page:

Once the user clicks on the “Sign into your account” hyperlink, they are redirected to a convincing imitation of the true Argos login page requesting the victims’ Username and Password.

This then leads the user to a second page, where the user is requested to supply details for their Argos store credit card account. This page follows the standard format for regular credit/debit cards with one key difference: the additional request for a ‘Card Amount’. This request is specific to the Argos Card as referenced in the copy: “The Argos Card lets you shop at Argos, with flexible payment plans that give you longer to pay” (see: https://www.argos.co.uk/help/argos-card/apply). This deviates from standard forms by asking the user for their credit limit.

 

 

Fig 4. Phishing Page

Gateway Evasion:

This campaign has been observed to pass through the ‘Symantec Messaging Gateway’.

We can see the influence of the Email gateway which injected ‘Warning Suspected Spam’ headers to the Subject Line and incorrectly presented this phish as a benign marketing email, and not a phishing attempt.

Conclusion:

To help protect against this type of credential phish, Cofense PhishMe™ offers a template called “Account Limitation.”

This credential phish eluded gateways and was actually mis-identified as harmless marketing spam. In fact 75% of threats reported to the Cofense Phishing Defense Center are Credential Phish. Protect the keys to your kingdom – condition end users to be resilient to Credential Harvesting attacks with Cofense PhishMe.

 

All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

i Google Search “Argos Data Breach 2018”

Houdini Worm Transformed in New Phishing Attack

By Nick Guarino and Aaron Riley

The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.