Cofense Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

This Phishing Attacker Takes American Express—and Victims’ Credentials

July 16, 2019 by Milo Salvia in Internet Security AwarenessPhishing Defense Center

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.

READ MORE

UK Banking Phish Targets 2-Factor Information

July 10, 2019 by Milo Salvia in Phishing Defense Center

Recently, the Cofense Phishing Defense Center observed a wave of phishing attacks  targeting TSB banking customers in the UK. We found these consumer-oriented phishing emails in corporate environments, after the malicious messages made it past perimeter defenses. The convincing emails aimed to harvest an unsuspecting victim’s email, password, mobile numbers, and the “memorable information” used in two-factor authentication. If someone were to bite on the phish, they would be open to follow-up phone scams or the complete takeover of their bank account and credit cards. Most UK banks implement two-factor authentication. They require users to set a standard password and...

READ MORE

Double Duty: Dridex Banking Malware Delivered with RMS RAT

July 8, 2019 by Max Gannon in Threat Intelligence

Cofense IntelligenceTM analyzes millions of emails and malware samples each day to alert organizations to emerging phishing threats. Thanks to our expansive view of the threat landscape, we recently were able to discover and investigate a campaign impersonating eFax that appeared to have an attached Microsoft Word document. The attachment was a .zip archive which contained a .xls Microsoft Excel spreadsheet. This spreadsheet included an Office macro which, when enabled, was used to download and execute two malicious executables: samples of Dridex and Remote Manipulator System Remote Access Tool (RMS RAT). What’s notable: By delivering a banking trojan and a...

READ MORE

Under the Radar – Phishing Using QR Codes to Evade URL Analysis

June 28, 2019 by Nick Guarino in PhishingPhishing Defense Center

Phishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics. In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs.  These technologies can only be effective IF they can find the URLs in the first place. Fast forward to this week where our Phishing Defense Center™...

READ MORE

Phishing Attacks on High Street Target Major Retailer

June 21, 2019 by Cofense in PhishingPhishing Defense Center

By Jake Longden The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scamsi; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year. With the goal of stealing your store credit card and login information, here’s how it works: All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the...

READ MORE

Houdini Worm Transformed in New Phishing Attack

June 14, 2019 by Cofense in Phishing Defense CenterThreat Intelligence

By Nick Guarino and Aaron Riley The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence™ have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.

READ MORE

John Podesta’s Phish Foreshadows Doom for 2020

June 13, 2019 by Aaron Higbee in Phishing

If you haven’t read the Mueller Report, spoiler alert: the phish that netted the Clinton campaign was not sophisticated. As you may know, neither was the campaign’s phishing defense (understatement). All of which spells probable doom for the 2020 presidential candidates, despite the news that campaigns have looked at offers, some free, from cyber-security firms.

READ MORE

This ‘Voice Mail’ Is a Phish—and an Email Gateway Fail

June 11, 2019 by Cofense in Phishing Defense Center

By Milo Salvia and Kamlesh Patel The Cofense Phishing Defense CenterTM has observed a phishing campaign that masquerades as a voicemail message from a well-known company. The goal is to steal your domain credentials by mimicking the Outlook Web App (OWA).  Email Body:  The message body is designed to mimic your typical VOIP “missed call” message delivered via email when a user misses a call. A simple HTML box appears with a blue hyperlink, Play Voice. One would assume it was meant to say Play Message or Play Voice Message. This could indicate that English is not the threat actor’s first language...

READ MORE

Cofense Report: 90% of Verified Phish Found in Environments Using Email Gateways

June 10, 2019 by Cofense in Cyber Incident Response

By Kaustubh Jagtap Our recently released 2019 Phishing Threat and Malware Review highlights how perimeter protection technologies can’t stop all advanced phishing threats. Email gateways are a critical first line of defense, but as attackers have continued to innovate gateways haven’t kept up.  The CofenseTM report also underscores the importance of human intelligence to identify these advanced attacks once they make it past gateways. Trained users can effectively detect and report advanced phishing to allow SOC teams to accelerate incident response. Credential Phish Are the Most Common Threat 90% of verified phishing emails were found in environments using email gateways....

READ MORE

Using Windows 10? It’s Becoming a Phishing Target

June 5, 2019 by Max Gannon in Threat Intelligence

CISO Summary Cofense IntelligenceTM has recently seen a complex phishing campaign that delivers a simple payload, FormGrabber keylogger malware. The targets are Windows 10 operating systems running Windows Anti-malware Scan Interface (AMSI). The phishing emails deliver a Microsoft Excel Worksheet containing a MS Word macro that initiates infection. What’s notable: threat actors are hitting Windows 10 instead of Windows 7, a more common target. Expect to see greater abuse heaped on the newer version as more businesses adopt it. No one aspect of this campaign is novel, but the attackers easily assembled a complex infection chain using multiple obfuscation and...

READ MORE

This Phishing Attacker Takes American Express—and Victims’ Credentials

July 16, 2019 by Milo Salvia in Internet Security AwarenessPhishing Defense Center

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.

READ MORE

UK Banking Phish Targets 2-Factor Information

July 10, 2019 by Milo Salvia in Phishing Defense Center

Recently, the Cofense Phishing Defense Center observed a wave of phishing attacks  targeting TSB banking customers in the UK. We found these consumer-oriented phishing emails in corporate environments, after the malicious messages made it past perimeter defenses. The convincing emails aimed to harvest an unsuspecting victim’s email, password, mobile numbers, and the “memorable information” used in two-factor authentication. If someone were to bite on the phish, they would be open to follow-up phone scams or the complete takeover of their bank account and credit cards. Most UK banks implement two-factor authentication. They require users to set a standard password and...

READ MORE

Double Duty: Dridex Banking Malware Delivered with RMS RAT

July 8, 2019 by Max Gannon in Threat Intelligence

Cofense IntelligenceTM analyzes millions of emails and malware samples each day to alert organizations to emerging phishing threats. Thanks to our expansive view of the threat landscape, we recently were able to discover and investigate a campaign impersonating eFax that appeared to have an attached Microsoft Word document. The attachment was a .zip archive which contained a .xls Microsoft Excel spreadsheet. This spreadsheet included an Office macro which, when enabled, was used to download and execute two malicious executables: samples of Dridex and Remote Manipulator System Remote Access Tool (RMS RAT). What’s notable: By delivering a banking trojan and a...

READ MORE

Under the Radar – Phishing Using QR Codes to Evade URL Analysis

June 28, 2019 by Nick Guarino in PhishingPhishing Defense Center

Phishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics. In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs.  These technologies can only be effective IF they can find the URLs in the first place. Fast forward to this week where our Phishing Defense Center™...

READ MORE

Phishing Attacks on High Street Target Major Retailer

June 21, 2019 by Cofense in PhishingPhishing Defense Center

By Jake Longden The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scamsi; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year. With the goal of stealing your store credit card and login information, here’s how it works: All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the...

READ MORE

Houdini Worm Transformed in New Phishing Attack

June 14, 2019 by Cofense in Phishing Defense CenterThreat Intelligence

By Nick Guarino and Aaron Riley The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence™ have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.

READ MORE

This ‘Voice Mail’ Is a Phish—and an Email Gateway Fail

June 11, 2019 by Cofense in Phishing Defense Center

By Milo Salvia and Kamlesh Patel The Cofense Phishing Defense CenterTM has observed a phishing campaign that masquerades as a voicemail message from a well-known company. The goal is to steal your domain credentials by mimicking the Outlook Web App (OWA).  Email Body:  The message body is designed to mimic your typical VOIP “missed call” message delivered via email when a user misses a call. A simple HTML box appears with a blue hyperlink, Play Voice. One would assume it was meant to say Play Message or Play Voice Message. This could indicate that English is not the threat actor’s first language...

READ MORE

Cofense Report: 90% of Verified Phish Found in Environments Using Email Gateways

June 10, 2019 by Cofense in Cyber Incident Response

By Kaustubh Jagtap Our recently released 2019 Phishing Threat and Malware Review highlights how perimeter protection technologies can’t stop all advanced phishing threats. Email gateways are a critical first line of defense, but as attackers have continued to innovate gateways haven’t kept up.  The CofenseTM report also underscores the importance of human intelligence to identify these advanced attacks once they make it past gateways. Trained users can effectively detect and report advanced phishing to allow SOC teams to accelerate incident response. Credential Phish Are the Most Common Threat 90% of verified phishing emails were found in environments using email gateways....

READ MORE

Using Windows 10? It’s Becoming a Phishing Target

June 5, 2019 by Max Gannon in Threat Intelligence

CISO Summary Cofense IntelligenceTM has recently seen a complex phishing campaign that delivers a simple payload, FormGrabber keylogger malware. The targets are Windows 10 operating systems running Windows Anti-malware Scan Interface (AMSI). The phishing emails deliver a Microsoft Excel Worksheet containing a MS Word macro that initiates infection. What’s notable: threat actors are hitting Windows 10 instead of Windows 7, a more common target. Expect to see greater abuse heaped on the newer version as more businesses adopt it. No one aspect of this campaign is novel, but the attackers easily assembled a complex infection chain using multiple obfuscation and...

READ MORE

The Zombie Phish Is Back with a Vengeance

June 4, 2019 by Milo Salvia in Phishing Defense Center

Keep a close on your inboxes—the Zombie Phish is back and it’s hitting hard. Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie hoard.

READ MORE

This Phishing Attacker Takes American Express—and Victims’ Credentials

July 16, 2019 by Milo Salvia in Internet Security AwarenessPhishing Defense Center

Recently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.

READ MORE

Under the Radar – Phishing Using QR Codes to Evade URL Analysis

June 28, 2019 by Nick Guarino in PhishingPhishing Defense Center

Phishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics. In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs.  These technologies can only be effective IF they can find the URLs in the first place. Fast forward to this week where our Phishing Defense Center™...

READ MORE

Phishing Attacks on High Street Target Major Retailer

June 21, 2019 by Cofense in PhishingPhishing Defense Center

By Jake Longden The Cofense Phishing Defense Center™ has observed a phishing campaign that purports to be from Argos, a major retailer in the UK and British High Street. During 2018, Argos was the subject of a large number of widely reported phishing scamsi; this threat specifically targets Argos customers for their personal information and looks like a continuation of what was seen last year. With the goal of stealing your store credit card and login information, here’s how it works: All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the...

READ MORE

John Podesta’s Phish Foreshadows Doom for 2020

June 13, 2019 by Aaron Higbee in Phishing

If you haven’t read the Mueller Report, spoiler alert: the phish that netted the Clinton campaign was not sophisticated. As you may know, neither was the campaign’s phishing defense (understatement). All of which spells probable doom for the 2020 presidential candidates, despite the news that campaigns have looked at offers, some free, from cyber-security firms.

READ MORE

SMBs: 5 Ways to Avoid Becoming a Small Phish in a Big Pond

May 6, 2019 by Tonia Dudley in Phishing

In the fall of 2016, I watched a good friend get her business ready for opening in her first retail space. She had previously run everything from her home and now she was entering a whole new phase. I observed her interactions during a few visits and she knew when I gave her that “look,” there was something that needed improving. “What Wi-Fi network do you have your register assigned to in the shared retail space? You should put a password on that register device you’re using, so when you’re across the store someone can’t open your register.” The best...

READ MORE

Hey! I know I’ve never talked to you before – but can you send some money – QUICK!

April 22, 2019 by Tonia Dudley in Phishing

Business Email Compromise (BEC), also known as CEO Fraud, is a type of phishing email designed to impersonate an executive. In a BEC campaign, the “executive” urgently instructs an employee to wire money, sometimes lots of money, to a bank account. The FBI reports that BEC scams hit businesses to the tune of $12.5 billion annually. What makes BEC campaigns different? In a BEC attack, the weapon of choice is simple words. Instead of tricking people into clicking a malicious link or attachment, a BEC attack tries to lure recipients into taking action. The threat actor will spend time researching...

READ MORE

When You Unsubscribe to these Emails, You ‘Subscribe’ to the Loda RAT

April 11, 2019 by Max Gannon in Phishing

CISO Summary It’s critical that anti-phishing programs reflect the latest threats. Cofense IntelligenceTM has recently observed a phishing campaign that illustrates why. It entices users to download a malicious document from a seemingly legitimate source, an insurance company whose roots go back to 1896. Through a complex chain of abuse, including the exploitation of a legit subdomain hosted by Microsoft, this threat is capable of tricking users unfamiliar with wrinkles like multiple links to the same source and malicious “unsubscribe” links. If successful, the attack activates the Loda Remote Access Trojan, underscoring the importance of educating users to stop phishing...

READ MORE

DMARC Is NOT a Fail-Safe Defense against Phishing Attacks

April 4, 2019 by David Mount in Phishing

DMARC, or Domain-based Authentication Reporting & Conformance, is an email authentication, policy and reporting protocol. It was conceived to prevent impersonation-based phishing attacks, but it doesn’t protect you 100%. Let’s examine why. What DMARC Can Do DMARC builds on the existing and widely deployed SPF and DKIM protocols. All mechanisms to protect the email infrastructure we so heavily rely upon should be gratefully received, but as with everything the benefits and limitations should be fully understood. It is this understanding that allows us to optimize our defenses against the perpetual menace of phishing attacks. DMARC has most promise to help...

READ MORE

Uncomfortable Truth #5 about Phishing Defense

March 27, 2019 by David Mount in Phishing

Last in a 5-part series.  In this blog series we’ve explored the Uncomfortable Truths about phishing defense that relate to the problem of over-relying on technology to keep us safe. We’ve also seen how empowered users can give Security Operations teams desperately needed visibility into phishing threats. This leads us to our fifth and final Uncomfortable Truth:   Most organizations are unable to effectively respond to phishing attacks.   Before you get offended and say “Hey, that doesn’t apply to me, our SOC is awesome,” stick with me on this. The reasons for ineffective phishing incident response are many and varied, but...

READ MORE

Uncomfortable Truth #4 about Phishing Defense

March 20, 2019 by David Mount in Phishing

Part 4 of a 5-part series.   I’m not going to beat around the bush here. Uncomfortable Truth #4 is quite simple:  Users are NOT the problem.  There. I said it. If this statement seems at odds with your current thinking, don’t close this browser window just yet. Stick with me, and the effectiveness of your phishing defense programs could be changed for the better.  Let’s illustrate with a story from Malcolm Gladwell.   In his book ‘Blink’, Malcolm Gladwell tells of the Getty Museum in New York buying an ancient Greek Kouros statue—a tale of man triumphing over machine, as it...

READ MORE