Cofense Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

Bah HumBUG: 5 Recent Holiday Phishing Samples You Need to Watch Out For

November 21, 2018 by Aaron Riley in Threat Intelligence

Along with more online shopping, correspondence, and travel, the holiday season sees an increase in phishing operators eager to capitalize on a more-active attack surface. With Thanksgiving tomorrow, Cofense Intelligence and the Cofense Phishing Defense Center have seen a bombardment of Thanksgiving-themed phishing lures this week. Threat actors use this inundation of emails to their advantage—hoping to trick anyone looking for a good deal or eager to partake in the season’s merriment.

READ MORE

Major US Financial Institutions Imitated in Advanced Geodo/Emotet Phishing Lures that Appear More Authentic by Containing ProofPoint URL Wrapped Links

November 19, 2018 by Cofense in PhishingThreat Intelligence

By Darrel Rendell, Mollie MacDougall, and Max Gannon Cofense IntelligenceTM has observed Geodo (also known as Emotet) malware campaigns that are effectively spoofing major US financial institutions in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service. This adds an air of legitimacy to the casual observer, designed to increase the chances of malware infection. Figures 1 and 2 provide examples of the template and URL wrapping. Cofense Intelligence assesses the improved phishing templates are likely based upon data pilfered with a recently updated scraper module to spoof US financial institutions so effectively. Figure 1:...

READ MORE

Phishing Emails with .COM Extensions Are Hitting Finance Departments

November 15, 2018 by Aaron Riley in Threat Intelligence

Cofense IntelligenceTM has seen a substantial uptick in the use of .com extensions in phishing emails that target financial service departments. In October alone, Cofense Intelligence analyzed 132 unique samples with the .com extension, compared to only 34 samples analyzed in all nine months preceding. Four different malware families were utilized. The .com file extension is used for text files with executable byte code. Both DOS (Disk Operating System) and Microsoft NT kernel-based operating systems allow execution of .com files for backwards compatibility reasons. The .com style byte code is the same across all PE32 binaries (.exe, .dll, .scr, etc.)...

READ MORE

They stopped a phishing attack in 10 minutes. It used to take days.

November 7, 2018 by John Fitzgerald in Cyber Incident Response

Don’t you love a feel-good story? Me too. Especially in an industry where the headlines tend to be scary. Recently, a CofenseTM customer—a large financial services company—stopped a phishing attack in 10 minutes using Cofense TriageTM. That’s a very cool story, but as they say, wait, there’s more.

READ MORE

October may be over – but phishing attacks never stop. Here’s how to make security awareness successful all year round.

November 1, 2018 by Tonia Dudley in Internet Security Awareness

Part 4 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 3 here. As October comes to a close, so too does National Cybersecurity Awareness month. But not so fast – Security Awareness isn’t just about October. It’s all year long and it never stops, it’s ever evolving. I developed this four-part blog series during National Cybersecurity Awareness Month to provide key industry insights and proven methodologies for building and enhancing your security awareness program. We started in week 1 with building a program strategy, followed up by discussing program content in week 2....

READ MORE

Re: The Zombie Phish

October 31, 2018 by Cofense in Malware AnalysisPhishing Defense CenterThreat Intelligence

By: Lucas Ashbaugh, Nick Guarino, Max Gannon Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message. This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish. Not Your Average Phish The Cofense™ Phishing...

READ MORE

“Brazilian Election” Themed Phish Target Users with South American-Targeted Malware, Astaroth Trojan

October 31, 2018 by Max Gannon in Malware AnalysisThreat Intelligence

Threat actors attempted to leverage the current Brazilian presidential election to distribute the Astaroth WMIC Trojan to Brazilian victims. The emails had a subject line related to an alleged scandal involving Brazilian then-presidential candidate Jair Bolsonaro. Some campaigns impersonated a well-known Brazilian research and statistics company. Multiple delivery methods and geolocation techniques were used to target Brazilian users, who were encouraged to interact with the attached and downloaded archives containing .lnk files. These files downloaded the first stage of the Astaroth WMIC Trojan, previously spotted this year by the Cofense™ Phishing Defense Center and known to target South American users.

READ MORE

Threat Actors Seek Your Credentials Before You Even Reach the URL

October 30, 2018 by Neera Desai in Threat Intelligence

Cofense Intelligence™ has observed a phishing technique that takes a unique approach to illicitly obtain a target’s sensitive information. In a recent campaign, threat actors harvested victims’ credentials through a PDF window prompt rather than via a webpage—the more traditional credential phishing technique. Cofense Intelligence obtained a phishing email that allegedly informs the recipient of an Amazon.de bill of sale. The German language email lure claims to deliver a tax invoice and requests the recipient to view the attached PDF. The PDF, also presented in German, specifies that the document cannot be opened in a browser and must be opened...

READ MORE

Where Do Security Awareness Programs Belong on the Org Chart?

October 25, 2018 by Tonia Dudley in Internet Security Awareness

Part 3 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 2 here. For this blog series on building a security awareness program, we started in week 1 with how to build a strategy. Last week we discussed how to select and use content in your overall program and specifically your phishing program. This week we’ll focus on program alignment – in other words, where does the security awareness role report within an organization?

READ MORE

H-Worm and jRAT Malware: Two RATs are Better than One

October 23, 2018 by Neera Desai in Malware AnalysisThreat Intelligence

When threat actors bundle two or more malware families in one campaign, they gain broader capabilities. Cofense Intelligence™ recently analyzed a phishing campaign delivering both jRAT and H-Worm remote access trojans. jRAT, aka the Java Remote Access Trojan, has the primary role of remotely controlling a victim’s machine. H-Worm, also known as Houdini Worm, operates as a remote access trojan but has worm-like capabilities, such as propagating itself on removable devices like a USB. Using a generic phishing lure pertaining to an invoice, the email below contains two attached .zip archives: one with a VBScript application and the other a...

READ MORE

Phishing Emails with .COM Extensions Are Hitting Finance Departments

November 15, 2018 by Aaron Riley in Threat Intelligence

Cofense IntelligenceTM has seen a substantial uptick in the use of .com extensions in phishing emails that target financial service departments. In October alone, Cofense Intelligence analyzed 132 unique samples with the .com extension, compared to only 34 samples analyzed in all nine months preceding. Four different malware families were utilized. The .com file extension is used for text files with executable byte code. Both DOS (Disk Operating System) and Microsoft NT kernel-based operating systems allow execution of .com files for backwards compatibility reasons. The .com style byte code is the same across all PE32 binaries (.exe, .dll, .scr, etc.)...

READ MORE

They stopped a phishing attack in 10 minutes. It used to take days.

November 7, 2018 by John Fitzgerald in Cyber Incident Response

Don’t you love a feel-good story? Me too. Especially in an industry where the headlines tend to be scary. Recently, a CofenseTM customer—a large financial services company—stopped a phishing attack in 10 minutes using Cofense TriageTM. That’s a very cool story, but as they say, wait, there’s more.

READ MORE

Re: The Zombie Phish

October 31, 2018 by Cofense in Malware AnalysisPhishing Defense CenterThreat Intelligence

By: Lucas Ashbaugh, Nick Guarino, Max Gannon Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message. This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish. Not Your Average Phish The Cofense™ Phishing...

READ MORE

“Brazilian Election” Themed Phish Target Users with South American-Targeted Malware, Astaroth Trojan

October 31, 2018 by Max Gannon in Malware AnalysisThreat Intelligence

Threat actors attempted to leverage the current Brazilian presidential election to distribute the Astaroth WMIC Trojan to Brazilian victims. The emails had a subject line related to an alleged scandal involving Brazilian then-presidential candidate Jair Bolsonaro. Some campaigns impersonated a well-known Brazilian research and statistics company. Multiple delivery methods and geolocation techniques were used to target Brazilian users, who were encouraged to interact with the attached and downloaded archives containing .lnk files. These files downloaded the first stage of the Astaroth WMIC Trojan, previously spotted this year by the Cofense™ Phishing Defense Center and known to target South American users.

READ MORE

Threat Actors Seek Your Credentials Before You Even Reach the URL

October 30, 2018 by Neera Desai in Threat Intelligence

Cofense Intelligence™ has observed a phishing technique that takes a unique approach to illicitly obtain a target’s sensitive information. In a recent campaign, threat actors harvested victims’ credentials through a PDF window prompt rather than via a webpage—the more traditional credential phishing technique. Cofense Intelligence obtained a phishing email that allegedly informs the recipient of an Amazon.de bill of sale. The German language email lure claims to deliver a tax invoice and requests the recipient to view the attached PDF. The PDF, also presented in German, specifies that the document cannot be opened in a browser and must be opened...

READ MORE

H-Worm and jRAT Malware: Two RATs are Better than One

October 23, 2018 by Neera Desai in Malware AnalysisThreat Intelligence

When threat actors bundle two or more malware families in one campaign, they gain broader capabilities. Cofense Intelligence™ recently analyzed a phishing campaign delivering both jRAT and H-Worm remote access trojans. jRAT, aka the Java Remote Access Trojan, has the primary role of remotely controlling a victim’s machine. H-Worm, also known as Houdini Worm, operates as a remote access trojan but has worm-like capabilities, such as propagating itself on removable devices like a USB. Using a generic phishing lure pertaining to an invoice, the email below contains two attached .zip archives: one with a VBScript application and the other a...

READ MORE

America’s First: US Leads in Global Malware C2 Distribution

October 19, 2018 by Cofense in Malware AnalysisThreat Intelligence

By Mollie MacDougall and Darrel Rendell Cofense Intelligence™ has found that 27% of network Indicators of Compromise (IoC) from phishing-borne malware analysed during 2018 used C2 infrastructure located in, or proxied through, the United States—making the US the leader in global malware C2 distribution. Map 1 details these observations. This does not indicate that US-based users are getting hit disproportionately, as threat actors are incentivised to host C2 infrastructure outside of their own country or countries with extradition agreements with their host nations to avoid arrest and/or extradition. However, C2 infrastructure is enormously biased toward compromised hosts, indicating a high prevalence...

READ MORE

Email Security Gateway (to Your Next Breach)

October 16, 2018 by Cofense in Phishing Defense Center

BY THE COFENSE PHISHING DEFENSE CENTER Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware1, but by the end of 2017 the average user received 16 malicious emails per month.2 Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface. Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous...

READ MORE

Threat Actors Customize URLs to Avoid Detection

October 4, 2018 by Max Gannon in Threat Intelligence

Threat actors have many ways to avoid being detected. Today, let’s look at how they tweak URLs to bypass firewall rules—and what you can do to stop them from succeeding.

READ MORE

A Staggering Amount of Stolen Data is Heading to Zoho Domains

October 2, 2018 by Darrel Rendell in Malware Analysis

After last month’s brief domain suspension of Zoho—which resulted from an insufficient response to reported phishing abuse— Cofense Intelligence™ has uncovered Zoho’s connection to an extremely high number of keylogger phishing campaigns designed to harvest data from infected machines. Of all Keyloggers analysed by Cofense, 40% used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.

READ MORE

How to Protect Against Phishing Attacks that Follow Natural Disasters

September 14, 2018 by Cofense in Internet Security AwarenessPhishing

By Aaron Riley and Darrel Rendell With Hurricane Florence battering parts of the East Coast, here’s a reminder that phishing campaigns sometimes pretend to promote natural-disaster relief efforts in hopes of successfully compromising their target. Cofense IntelligenceTM has analyzed plenty of these campaigns, which are designed to entice the end user into credential theft or endpoint infection.

READ MORE

Automate Your Phishing Defense While Keeping Human Control

September 6, 2018 by John Fitzgerald in Phishing

When it comes to combatting phishing, “set and forget” is a pipe dream. You can’t, and you shouldn’t, take humans out of the picture. But thanks to CofenseTM automation, you can stop attacks while reducing man hours and saving money.

READ MORE

Ask the DNC: #fakephishing Phishing Pen-Tests Are Still a Bad Idea.

August 24, 2018 by Aaron Higbee in Internet Security Awareness

Cliff notes: Phishing “tests” at best are a waste of time, and at worst, disruptive and weaken your ability to defend against real phishing.

READ MORE

5 Steps to Targeting Newbies with Phishing Awareness Training

August 21, 2018 by Alexandra Wenisch in Internet Security Awareness

When it comes to phishing awareness training, new hires need special attention. While most may know what phishing is, many won’t have received formal training in recognizing and reporting a phish. This chart shows sample data from a CofenseTM customer whose newbies struggled to spot phishing emails during simulation training. Before they develop bad inbox habits, it’s important to welcome your brand-new users to your training program, especially if your company has fairly high turnover. Following are 5 tips to make the transition smoother and, ultimately, help your security teams stop phishing attacks. Step 1: Announce and Set the Stage...

READ MORE

How to Get Internal Buy-In for Your Phishing Simulation and Awareness Training Programs

August 14, 2018 by Bunmi Ogun in Internet Security Awareness

If you run an anti-phishing program, you’ve probably run into this. You want to impersonate internal teams in your phishing simulations, because that’s what attackers do. But you get pushback:

READ MORE

Why Customers Love Our Board Reports on Their Phishing Defense

August 8, 2018 by Professional Services Team in Internet Security Awareness

Last year, a Cofense™ customer wanted to show his board the results of his phishing-defense program. Specifically, the customer was looking for a board-report template. The customer did a quick Google search and found…nothing.  

READ MORE

Cofense Shortlisted for Three UK Computing Technology Product Awards

August 3, 2018 by John Fitzgerald in Phishing

We are delighted to share the news that CofenseTM has been shortlisted for not just one but three Computing Technology Product Awards! Some of the most prestigious awards on the UK IT industry’s calendar, the Computing Technology Product Awards aim to recognise the very best in technology and shine a spotlight on the winners. Following are the categories we are shortlisted for. Best Business Security Provider This recognizes our history and reputation in defining and leading the space. Since 2007, Cofense has pioneered the phishing defense industry. While we began in phishing awareness with what was then called PhishMe Simulator™,...

READ MORE

The El Camino Effect in Anti-Phishing Training

July 30, 2018 by John Robinson in Internet Security Awareness

Too often in anti-phishing training, or phishing defense in general, companies look for the wrong threats. That’s understandable to a degree, given that attackers constantly shift their tactics. But it’s a still a problem if, to use a bank heist metaphor, you’re looking for robbers who drive a Camaro vs. an El Camino. Without training based on the latest and most relevant threats, you’ll increase the odds the bad guys get away. Sometimes when that happens, users unfairly get blamed. Not cool. As anti-phishing program administrators, it’s our responsibility to empower folks to succeed. Understanding the El Camino Effect To...

READ MORE

Why You Need to Keep Brands Out of Phishing Simulations

July 26, 2018 by Tonia Dudley in Internet Security Awareness

The top 4 brands in the world—Apple, Google, Microsoft, and Facebook—are worth over $500B. Not the operations of those brands, not their proprietary technology, or their real estate—the brands alone. When something is that valuable, companies protect it zealously. They monitor how their brands are used and take action to defend them. Cofense stands firm on not allowing 3rd party brands or logos to be utilized in our phishing simulations without prior express permission. There are times when we may partner directly with specific brands and organizations on the official inclusion of their brand assets in simulation content where it...

READ MORE

Messenger of the Bots: Hermes Malware Makes Phishing Debut

July 24, 2018 by Darrel Rendell in Malware AnalysisPhishing

For the first time ever, Cofense Intelligence™ recently observed a phishing campaign distributing the infamous Hermes ransomware. The low-volume campaign delivered .doc files, weaponized with heavily obfuscated macros. These macros reached out to an attacker-controlled server to download and execute a copy of Hermes.

READ MORE