Why Join Us at Cofense Submerge? Here’s What Attendees Say
August 20, 2019 by Tonia Dudley in Internet Security AwarenessNext month in Orlando we’ll be hosting CofenseTM Submerge 2019, our fourth annual user conference and phishing defense summit. As we wrap up each event, we ask attendees for feedback. What did they like best? Networking and hearing other customers’ experiences are always the top responses. As a former customer who now works at Cofense, I totally agree. Here are some of the answers we heard last year when we asked, “Why attend Submerge?” “Sharing ideas was tremendously helpful to me—having the opportunity to meet other people from a variety of industries doing the same thing that I do.” We’re all on this journey...
New Phishing Campaign Bypasses Microsoft ATP to Deliver Adwind to Utilities Industry
August 19, 2019 by Milo Salvia in PhishingThreat IntelligenceThe CofenseTM Phishing Defense CenterTM has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. This campaign was found explicitly in national grid utilities infrastructure. Adwind, aka JRAT or SockRat, is sold as a malware-as-a-service where users can purchase access to the software for a small subscription-based fee. The malware boasts the following features: Takes screen shots Harvests credentials from Chrome, IE and Edge Accesses the webcam, record video and take photos Records audio from the microphone Transfers files Collects general system and user information Steals VPN certificates Serves as a Key Logger Email Body Fig1. Email Body...
Remote Access Trojan Uses Sendgrid to Slip through Proofpoint
August 14, 2019 by Marcel Feller in Phishing Defense CenterThe CofenseTM Phishing Defense CenterTM observed a malware campaign masquerading as an email complaint from the Better Business Bureau to deliver the notorious Orcus RAT, part of the free DNS domain ChickenKiller which we blogged about in 2015. Here’s how it works:
Phishing Campaigns Imitating CEOs Bypass Microsoft Gateway to Target Energy Sector
August 13, 2019 by Aaron Riley in Cyber Incident ResponsePhishingCofense Intelligence™ has identified a highly customized credential phishing campaign using Google Drive to target a company within the energy sector. This phishing campaign is crafted to look like the CEO of the targeted company has shared an important message with the recipient via Google Drive. The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company. By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular...
TrickBot Adds ‘Cookie Grabber’ Information Stealing Module
August 8, 2019 by Aaron Riley in PhishingThreat IntelligenceCofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host. TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting...
This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials
August 7, 2019 by Cofense in PhishingBy Tej Tulachan The Cofense Phishing Defense CenterTM has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works. Email Body At first glance, the email body looks well-presented with the correct DocuSign logo and its content. However, there is something suspicious within the first line of the message—the...
Cofense Labs Shares Research on Massive Sextortion Campaign
August 2, 2019 by David Mount in Threat IntelligenceAre you one in two hundred (or so) million? Today, CofenseTM announced the launch of Cofense Labs. Our experts are sharing the details of some deep research into the inner workings of a large-scale sextortion campaign that to date has over 200m recipients in its sights – and you might be one of them. What’s Sextortion? You may be lucky enough to have not encountered the threatening narrative of a sextortion email. If so, the threat actor’s M.O. is typically this: Send an email in which they claim to have installed malware on your system and have a record of...
Threat Actors Subscribe To Patches
July 29, 2019 by Max Gannon in PhishingThreat IntelligenceCofense IntelligenceTM has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld....
Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team
July 25, 2019 by Cofense in Cyber Incident ResponsePhishingBy Karen Kokiko The holy grail of phishing defense is now within your grasp. Cofense VisionTM now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response. Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here. Fast and Flexible Searching Traditional email search and quarantine tools are...
Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways
July 23, 2019 by Cofense in Cyber Incident ResponsePhishing Defense CenterBy Jake Longden The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work. Email Body: The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them. The attackers utilise what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel...