America’s First: US Leads in Global Malware C2 Distribution
October 19, 2018 by Cofense in Malware AnalysisThreat IntelligenceBy Mollie MacDougall and Darrel Rendell Cofense Intelligence™ has found that 27% of network Indicators of Compromise (IoC) from phishing-borne malware analysed during 2018 used C2 infrastructure located in, or proxied through, the United States—making the US the leader in global malware C2 distribution. Map 1 details these observations. This does not indicate that US-based users are getting hit disproportionately, as threat actors are incentivised to host C2 infrastructure outside of their own country or countries with extradition agreements with their host nations to avoid arrest and/or extradition. However, C2 infrastructure is enormously biased toward compromised hosts, indicating a high prevalence...
Email Security Gateway (to Your Next Breach)
October 16, 2018 by Cofense in Phishing Defense CenterBY THE COFENSE PHISHING DEFENSE CENTER Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware1, but by the end of 2017 the average user received 16 malicious emails per month.2 Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface. Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous...
Security Awareness: Choosing Methods and Content that Work
October 15, 2018 by Tonia Dudley in Internet Security AwarenessPart 2 in our 4-part series in support of National Cybersecurity Awareness Month. You can read part 1 here. Last week we examined the importance of setting a strategy and goals for your security awareness program. Now that you’ve selected the user behaviors you want to address, the next step is to think about methods and content to nudge users to the correct behaviors. We live a fast-paced world of information overload. You have seconds to get your message across to engage your users. You need to choose proven learning methods and focus your educational content on the behaviors that...
Phishing Enables Domestic Violence. Education Can Help Stop It.
October 8, 2018 by Jim Hansen in Internet Security AwarenessAccording to estimates, approximately 760 people, or more than two per day, are killed by their partners. Most of the victims are women.1 Making matters worse, abusers use “stalkerware” to track their victims online, cutting off sources of income, isolating them from friends and family, and otherwise trying to control every aspect of their lives.
Building a Security Awareness Program? Start with Strategy and Goals
October 8, 2018 by Tonia Dudley in Internet Security AwarenessPart 1 of a 4-part series on building and maintaining a security awareness program, in support of National Cybersecurity Awareness Month. In 2011, I began my journey into security awareness. At that time, there were limited resources and most programs were still compliance focused. Even though I had previously spent 5 years in IT compliance, I knew this wasn’t the right approach to get users to learn or care about security. I kept telling the director that owned the role, “Compliance focus is wrong –you have to market to the users.”
Threat Actors Customize URLs to Avoid Detection
October 4, 2018 by Max Gannon in Threat IntelligenceThreat actors have many ways to avoid being detected. Today, let’s look at how they tweak URLs to bypass firewall rules—and what you can do to stop them from succeeding.
A Staggering Amount of Stolen Data is Heading to Zoho Domains
October 2, 2018 by Darrel Rendell in Malware AnalysisAfter last month’s brief domain suspension of Zoho—which resulted from an insufficient response to reported phishing abuse— Cofense Intelligence™ has uncovered Zoho’s connection to an extremely high number of keylogger phishing campaigns designed to harvest data from infected machines. Of all Keyloggers analysed by Cofense, 40% used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.
How to Orchestrate a Smarter Phishing Response
October 1, 2018 by John Fitzgerald in Cyber Incident ResponseWe’ve been talking a lot recently about phishing-specific SOAR (Security Orchestration Automation and Response). It’s a capability CofenseTM has pioneered to help you mitigate phishing emails faster and more efficiently. Recently, we examined automation, the ‘A’ in the acronym. Now let’s take a deeper look at the ‘O,’ orchestration. Involve the Right Teams Faster with Cofense TriageTM Like a symphony conductor waving a wand, your phishing response needs to engage the right teams at the right time. To make that happen, Cofense TriageTM starts by reducing noise with an advanced spam engine, removing benign emails your employees have reported and...
Potential Misuse of Legitimate Websites to Avoid Malware Detection
September 28, 2018 by Max Gannon in Threat IntelligenceSometimes, common malware will attempt to gather information about its environment, such as public IP address, language, and location. System queries and identifier websites like whatismyipaddress.com are often used for these purposes, but are easily identified by modern network monitors and antivirus. It’s important to know, however, that everyday interactions with legitimate websites provide much of the same information and are not monitored because the interactions are legitimate. In other words, threat actors can bypass automated defenses by abusing legitimate websites that often cannot be blocked for business purposes. First, cookies—easily accessible records of a user’s interactions with a webpage—are...
Beware of payroll-themed phishing. Here’s one example.
September 26, 2018 by Neera Desai in Threat IntelligenceLast week, the Internet Crime Complaint Center (IC3) published a public service announcement on cybercriminals disseminating payroll-themed phishing emails. These phishing emails, often imitating financial organizations, contain alluring content such as an enticing subject line or use social engineering techniques to convince targets that the email is from a legitimate source. Cofense Intelligence™ has observed payroll-themed phishing lures requesting targets to view an embedded link or download an attached file. The emails typically deliver credential phishing links or malware that is tasked with stealing the target’s financial and personal credentials. Recently, Cofense Intelligence analyzed a payroll-themed phish distributing the TrickBot...