Cofense Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

The Kutaki Malware Bypasses Gateways to Steal Users’ Credentials

January 21, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary It’s a case of hiding in plain sight. CofenseTM recently found a phishing campaign that hides the Kutaki malware in a legitimate application to bypass email gateways and harvest users’ credentials.

READ MORE

Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans

January 17, 2019 by Cofense in Threat Intelligence

By Aaron Riley and Marcel Feller CISO Summary Recently, CofenseTM has seen phishing campaigns that bypass email security using a .cpl file extension attachment. .CPL is the file name extension for items or icons appearing in the Windows Control Panel. These file extensions are vital for most Control Panel tools to function, making endpoint threat mitigation extremely difficult. After evading controls and successfully executing on the endpoint, the .cpl file downloads a second-stage payload, which is typically a banking trojan. According to Cofense IntelligenceTM, most of these phishing campaigns are aimed at South American inboxes. As part of security awareness training...

READ MORE

Exploiting an Unpatched Vulnerability, the Ave_Maria Malware Is Not Full of Grace

January 10, 2019 by Max Gannon in Threat Intelligence

CISO Summary CofenseTM has seen a rise in phishing campaigns designed to deliver a type of stealer malware called Ave_Maria. It contains a capability, DLL hijacking, that uses a vulnerability with no forthcoming fix. With origins in a publicly available utility, DLL lets Ave_Maria gain greater admin privileges and avoid detection, then steal information so it can download additional plugins and potentially other payloads. This malware can bypass detection and privilege restrictions on many endpoints.

READ MORE

The Vjw0rm Malware Does It All. Here’s What to Watch For.

January 9, 2019 by Aaron Riley in Threat Intelligence

CISO Summary  It’s called the Vengeance Justice Worm (Vjw0rm), but think of it as the Leatherman tool of malware. Vjw0rm wreaks havoc in highly versatile ways: information theft, denial of service (DoS) attacks, and self-propagation to name a few. CofenseTM has spotted this hybrid threat—a cross between a worm and a remote access trojan (RAT)—in a recent phishing campaign dangling a banking lure.   

READ MORE

In 2018, Cheap and Easy Malware Flooded Corporate Inboxes

January 8, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary Sometimes it’s the simple things that make life hard. In 2018, over 2/3 of unique malware campaigns Cofense IntelligenceTM observed were simple, inexpensive “stealers” or remote access trojans (RATs). With exceptionally low barrier-to-entry—an email account or website can handle distribution and communication—these malware types make data theft a viable career choice for threat actors without the skills to use more advanced varieties. Why is this a problem? Though complex malware like Geodo and TrickBot are harder to defend against, simple still works. If it didn’t, threat actors wouldn’t go back to the well again and again. A properly...

READ MORE

Threats of Terror Pervade Recent Extortion Phishing Campaigns

December 20, 2018 by Cofense in Phishing Defense Center

By Lucas Ashbaugh “There is an explosive device (tronitrotoluene) in the building where your business is conducted […] there will be many victims if it explodes”

READ MORE

5 Things We Launched this Year to Stop Phishing Attacks Faster

December 17, 2018 by John Fitzgerald in Phishing

Merry Phishmas! It’s been another busy year of phishing scams, malware delivery, and other Grinchy activity. To help keep you protected, Cofense™ has refined our solutions to stop phishing in its tracks. Following are some of the new capabilities we launched in 2018. 

READ MORE

Domain Fronting, Phishing Attacks, and What CISOs Need to Know

December 13, 2018 by Aaron Riley in Threat Intelligence

CISO Summary Cofense IntelligenceTM is seeing continued use of a cyber-attack technique known as domain fronting. It’s yet another way hackers conceal their malicious activity, in this case using work-arounds to evade security controls and gain access to command-and-control (C2) infrastructure (scroll down for a technical explanation). Cozy Bear, the Russian threat actors, used similar tactics when they hacked the Democratic National Committee in 2016. Today, businesses are dealing with phishing and malware attacks that domain fronting enables. While Google and Amazon have taken measures in their CDNs to curtail this trend, we have seen an uptick in C2 infrastructure...

READ MORE

TV-License Phishing Scam Tricks UK Users Into Giving Personal Information

December 5, 2018 by Milo Salvia in Threat Intelligence

Cofense Intelligence™ recently observed a new phishing scam making the rounds in the United Kingdom. It poses as the TV licensing authority better known as the British Broadcasting Corporation. The premise behind the scam is to trick the user into believing that he or she is breaking the law by not owning a valid license to receive TV, a criminal offense in the UK with a maximum penalty of a £1000 fine plus any legal costs incurred during prosecution.  

READ MORE

2018: A Reverse-Course for Ransomware

December 5, 2018 by Cofense in Threat Intelligence

By Mollie MacDougall The overall number of ransomware campaigns and active families has declined precipitously in 2018 as compared to last year, almost certainly due to multiple deterrents and a better alternative for profit-minded hackers. This reverse-course in ransomware trends follows years of sustained growth in the number of ransomware families and unique campaigns. Still, ransomware attacks make headlines and will likely continue into next year.

READ MORE

The Kutaki Malware Bypasses Gateways to Steal Users’ Credentials

January 21, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary It’s a case of hiding in plain sight. CofenseTM recently found a phishing campaign that hides the Kutaki malware in a legitimate application to bypass email gateways and harvest users’ credentials.

READ MORE

Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans

January 17, 2019 by Cofense in Threat Intelligence

By Aaron Riley and Marcel Feller CISO Summary Recently, CofenseTM has seen phishing campaigns that bypass email security using a .cpl file extension attachment. .CPL is the file name extension for items or icons appearing in the Windows Control Panel. These file extensions are vital for most Control Panel tools to function, making endpoint threat mitigation extremely difficult. After evading controls and successfully executing on the endpoint, the .cpl file downloads a second-stage payload, which is typically a banking trojan. According to Cofense IntelligenceTM, most of these phishing campaigns are aimed at South American inboxes. As part of security awareness training...

READ MORE

Exploiting an Unpatched Vulnerability, the Ave_Maria Malware Is Not Full of Grace

January 10, 2019 by Max Gannon in Threat Intelligence

CISO Summary CofenseTM has seen a rise in phishing campaigns designed to deliver a type of stealer malware called Ave_Maria. It contains a capability, DLL hijacking, that uses a vulnerability with no forthcoming fix. With origins in a publicly available utility, DLL lets Ave_Maria gain greater admin privileges and avoid detection, then steal information so it can download additional plugins and potentially other payloads. This malware can bypass detection and privilege restrictions on many endpoints.

READ MORE

The Vjw0rm Malware Does It All. Here’s What to Watch For.

January 9, 2019 by Aaron Riley in Threat Intelligence

CISO Summary  It’s called the Vengeance Justice Worm (Vjw0rm), but think of it as the Leatherman tool of malware. Vjw0rm wreaks havoc in highly versatile ways: information theft, denial of service (DoS) attacks, and self-propagation to name a few. CofenseTM has spotted this hybrid threat—a cross between a worm and a remote access trojan (RAT)—in a recent phishing campaign dangling a banking lure.   

READ MORE

In 2018, Cheap and Easy Malware Flooded Corporate Inboxes

January 8, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary Sometimes it’s the simple things that make life hard. In 2018, over 2/3 of unique malware campaigns Cofense IntelligenceTM observed were simple, inexpensive “stealers” or remote access trojans (RATs). With exceptionally low barrier-to-entry—an email account or website can handle distribution and communication—these malware types make data theft a viable career choice for threat actors without the skills to use more advanced varieties. Why is this a problem? Though complex malware like Geodo and TrickBot are harder to defend against, simple still works. If it didn’t, threat actors wouldn’t go back to the well again and again. A properly...

READ MORE

Threats of Terror Pervade Recent Extortion Phishing Campaigns

December 20, 2018 by Cofense in Phishing Defense Center

By Lucas Ashbaugh “There is an explosive device (tronitrotoluene) in the building where your business is conducted […] there will be many victims if it explodes”

READ MORE

Domain Fronting, Phishing Attacks, and What CISOs Need to Know

December 13, 2018 by Aaron Riley in Threat Intelligence

CISO Summary Cofense IntelligenceTM is seeing continued use of a cyber-attack technique known as domain fronting. It’s yet another way hackers conceal their malicious activity, in this case using work-arounds to evade security controls and gain access to command-and-control (C2) infrastructure (scroll down for a technical explanation). Cozy Bear, the Russian threat actors, used similar tactics when they hacked the Democratic National Committee in 2016. Today, businesses are dealing with phishing and malware attacks that domain fronting enables. While Google and Amazon have taken measures in their CDNs to curtail this trend, we have seen an uptick in C2 infrastructure...

READ MORE

TV-License Phishing Scam Tricks UK Users Into Giving Personal Information

December 5, 2018 by Milo Salvia in Threat Intelligence

Cofense Intelligence™ recently observed a new phishing scam making the rounds in the United Kingdom. It poses as the TV licensing authority better known as the British Broadcasting Corporation. The premise behind the scam is to trick the user into believing that he or she is breaking the law by not owning a valid license to receive TV, a criminal offense in the UK with a maximum penalty of a £1000 fine plus any legal costs incurred during prosecution.  

READ MORE

2018: A Reverse-Course for Ransomware

December 5, 2018 by Cofense in Threat Intelligence

By Mollie MacDougall The overall number of ransomware campaigns and active families has declined precipitously in 2018 as compared to last year, almost certainly due to multiple deterrents and a better alternative for profit-minded hackers. This reverse-course in ransomware trends follows years of sustained growth in the number of ransomware families and unique campaigns. Still, ransomware attacks make headlines and will likely continue into next year.

READ MORE

Bah HumBUG: 5 Recent Holiday Phishing Samples You Need to Watch Out For

November 21, 2018 by Aaron Riley in Threat Intelligence

Along with more online shopping, correspondence, and travel, the holiday season sees an increase in phishing operators eager to capitalize on a more-active attack surface. With Thanksgiving tomorrow, Cofense Intelligence and the Cofense Phishing Defense Center have seen a bombardment of Thanksgiving-themed phishing lures this week. Threat actors use this inundation of emails to their advantage—hoping to trick anyone looking for a good deal or eager to partake in the season’s merriment.

READ MORE

5 Things We Launched this Year to Stop Phishing Attacks Faster

December 17, 2018 by John Fitzgerald in Phishing

Merry Phishmas! It’s been another busy year of phishing scams, malware delivery, and other Grinchy activity. To help keep you protected, Cofense™ has refined our solutions to stop phishing in its tracks. Following are some of the new capabilities we launched in 2018. 

READ MORE

Mature Your Anti-Phishing Program to Reflect Active Threats

November 28, 2018 by Zach Lewis in Internet Security Awareness

At CofenseTM we often hear comments from customers like, “My anti-phishing program has been running for years, email reporting rates have increased, and overall my users are better prepared. How can I continue to address and lower my risk?”

READ MORE

Major US Financial Institutions Imitated in Advanced Geodo/Emotet Phishing Lures that Appear More Authentic by Containing ProofPoint URL Wrapped Links

November 19, 2018 by Cofense in PhishingThreat Intelligence

By Darrel Rendell, Mollie MacDougall, and Max Gannon Cofense IntelligenceTM has observed Geodo (also known as Emotet) malware campaigns that are effectively spoofing major US financial institutions in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service. This adds an air of legitimacy to the casual observer, designed to increase the chances of malware infection. Figures 1 and 2 provide examples of the template and URL wrapping. Cofense Intelligence assesses the improved phishing templates are likely based upon data pilfered with a recently updated scraper module to spoof US financial institutions so effectively. Figure 1:...

READ MORE

October may be over – but phishing attacks never stop. Here’s how to make security awareness successful all year round.

November 1, 2018 by Tonia Dudley in Internet Security Awareness

Part 4 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 3 here. As October comes to a close, so too does National Cybersecurity Awareness month. But not so fast – Security Awareness isn’t just about October. It’s all year long and it never stops, it’s ever evolving. I developed this four-part blog series during National Cybersecurity Awareness Month to provide key industry insights and proven methodologies for building and enhancing your security awareness program. We started in week 1 with building a program strategy, followed up by discussing program content in week 2....

READ MORE

Where Do Security Awareness Programs Belong on the Org Chart?

October 25, 2018 by Tonia Dudley in Internet Security Awareness

Part 3 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 2 here. For this blog series on building a security awareness program, we started in week 1 with how to build a strategy. Last week we discussed how to select and use content in your overall program and specifically your phishing program. This week we’ll focus on program alignment – in other words, where does the security awareness role report within an organization?

READ MORE

Security Awareness: Choosing Methods and Content that Work

October 15, 2018 by Tonia Dudley in Internet Security Awareness

Part 2 in our 4-part series in support of National Cybersecurity Awareness Month. You can read part 1 here.  Last week we examined the importance of setting a strategy and goals for your security awareness program. Now that you’ve selected the user behaviors you want to address, the next step is to think about methods and content to nudge users to the correct behaviors. We live a fast-paced world of information overload. You have seconds to get your message across to engage your users. You need to choose proven learning methods and focus your educational content on the behaviors that...

READ MORE

Phishing Enables Domestic Violence. Education Can Help Stop It.

October 8, 2018 by Jim Hansen in Internet Security Awareness

According to estimates, approximately 760 people, or more than two per day, are killed by their partners. Most of the victims are women.1  Making matters worse, abusers use “stalkerware” to track their victims online, cutting off sources of income, isolating them from friends and family, and otherwise trying to control every aspect of their lives.

READ MORE

Building a Security Awareness Program? Start with Strategy and Goals

October 8, 2018 by Tonia Dudley in Internet Security Awareness

Part 1 of a 4-part series on building and maintaining a security awareness program, in support of National Cybersecurity Awareness Month. In 2011, I began my journey into security awareness. At that time, there were limited resources and most programs were still compliance focused. Even though I had previously spent 5 years in IT compliance, I knew this wasn’t the right approach to get users to learn or care about security. I kept telling the director that owned the role, “Compliance focus is wrong –you have to market to the users.”

READ MORE

Ouch! Our Report Shows Why the Healthcare Industry Needs Better Phishing Defense

September 24, 2018 by John Robinson in Internet Security AwarenessPhishing

Cofense™ released new research last week on phishing in the healthcare industry. It’s one of those industries that routinely gets hammered by phishing and data breaches. In fact, according to Verizon’s most recent Data Breach Investigations Report, over a third of all breaches target healthcare companies1. One recently reported example: the phishing attack on the Augusta University healthcare system, which triggered a breach that may have compromised the confidential records of nearly half a million people. None of this is surprising, considering that healthcare lives and breathes data. But our research also found this: Healthcare lags behind other industries in...

READ MORE

Here’s a Free Turnkey Phishing Awareness Program for National Cybersecurity Awareness Month

September 18, 2018 by Tonia Dudley in Internet Security Awareness

So….it’s September and October is only a few weeks away. Have you started putting together your campaign for National Cybersecurity Awareness Month (NCSAM) yet? If not, you’re in luck – we’ve created a complimentary turnkey phishing awareness program for you to quickly launch and look like a super hero to your leader AND your organization! And best yet, these resources can be used all year round – BECAUSE security awareness goes beyond October. 

READ MORE