Cofense Blog

This Advanced Keylogger Delivers a Cryptocurrency Miner

Bundle Up and Build an End-to-End Phishing Defense

By David Mount, Product Marketing Back in 2008, CofenseTM (then PhishMe®) pioneered the concept of phishing simulation as a tool to reduce organizational risk to phishing threats. Since then, the phishing threat landscape has evolved at a rapid pace, as evidenced in many of the posts on this blog. Back then, traditional approaches to Security Awareness didn’t (and still don’t) demonstrably and measurably improve security posture, especially relating to phishing threats. And, as we’ve mentioned before (and we highlight in this blog), every threat identified by the Cofense Phishing Defense CenterTM has bypassed the technical controls like Secure Email Gateways...

Raccoon Stealer Found Rummaging Past Symantec and Microsoft Gateways

Threat Actors Use Bogus Payment HTML File to Scoot Past Proofpoint Gateway

By Tej Tulachan The Cofense Phishing Defense CenterTM (PDC) has prevented a phishing attack that attempts to steal users’ Office365 credentials by luring them with a fake payment order attachment. Hiding a malicious re-direct within a html file, threat actors bypassed the Proofpoint secure email gateway to try and steal users’ credentials. Here’s how it works: At first glance, the email appears to be a genuine communication originating from the accounts team of a relatively well-known company. The message body informs the recipient there is a payment order that requires processing. The message simply says, “Please find attached copies of...

Quit Faking It—Train Your Users to Stop Real Phish

By Tonia Dudley CofenseTM was the pioneer of phishing simulation as a training method to defend against phishing incidents. We’ve evolved our products and methodology as we understand that real phish are the real problem. What has also evolved over time is the depth of our scenario templates—when threat actors shift to use a new tactic to make their way past the secure email gateway (SEG), Cofense is able to quickly offer a scenario based on that tactic. When we say, “Real phish are the real problem” we mean organizations should set their phishing defense strategy from end to end....

Cofense Labs Has Identified a Sextortion Botnet in the Wild – and it’s Growing

By Tonia Dudley, Cofense Security Solutions Every day, CofenseTM threat analysts and researchers monitor phishing and cyber security threats in the wild. In June of 2019, our researchers uncovered a sextortion botnet that contained a list of 200 million email addresses. Read the original announcement here. That database has since grown to over 330 million email addresses. We have also identified an increase in the number of unique web domains being targeted by the botnet. When we released our original findings, the database had close to 6 million unique domains. That total has grown to 7.4 million unique domains. To...

You’ve Been Served: UK Scammers Deliver ‘Predator the Thief’ Malware Via Subpoena

By Aaron Riley Not even the halls of justice are immune from scammers. A new phishing campaign spoofing the UK Ministry of Justice has successfully targeted users with a subpoena-themed email delivering Predator the Thief, a publicly available information-stealing malware. Cofense IntelligenceTM has observed employees in insurance and retail companies receiving these emails. The phishing email states that the recipient has been subpoenaed and is asked to click on a link to see more details about the case. The enclosed link uses trusted sources—namely Google Docs and Microsoft OneDrive—for the infection chain. The initial Google Docs link contains a redirect...

New Credential Phish Targets Employees with Salary Increase Scam

By Milo Salvia, Cofense Phishing Defense CenterTM The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by preying on employees who are expecting salary increases. The threat actors use a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spread sheet. Here’s how it works: Email Body Figure 1: Email Body The threat actor attempts to make the email appear to come from the target company by manipulating the “from” field in the headers. In particular, the threat actor changes the...

Are URL Scanning Services Accurate for Phishing Analysis?

By Chris Hall, Professional Services There are plenty of websites offering URL scanning for malicious links. Their tools are a quick and easy way to analyze a URL without visiting the site in a sandboxed environment. Widely used, these tools are accurate to a point. But in today’s phishing landscape, where attacks are increasingly sophisticated, such tools are becoming less and less reliable. We in the Cofense Phishing Defense CenterTM (PDC) believe they are ineffective against more advanced phishing websites. Phishing Sites Are Using Redirect Methods to Avoid Detection Let start with this example: An attacker can easily set up...

What’s Up With Malware? Find Out In Our Q3 Report

By Alan Rainer and Max Gannon On the malware front, the summer of 2019 was quiet and steady-state. But the end of Q3 saw the infamous Emotet resurface, presaging a malware uptick in Q4. Read all about it in the Cofense Q3 2019 Malware Trends Report. Maintaining a relative lull when Emotet suspended activity, threat actors in Q3 stuck to tried-and-true practices of intrusion. Phishing emails containing keyloggers (namely ‘Agent Tesla’) slightly rose in popularity, while information stealers like Loki Bot fell. Threat actors continue to seek the easiest, most efficient way of infiltrating users. Agent Tesla, for example, offers...

New Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

By Milo Salvia, CofenseTM Phishing Defense CenterTM This blog has been updated since its first appearance on October 17, 2019 to include information related to the threat origin and bypassed email gateways. The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they try to hover...

Agent Tesla Keylogger Is Now a Top Phishing Threat

By Aaron Riley, Cofense IntelligenceTM The Agent Tesla keylogger is an increasingly widespread piece of malware in the phishing threat landscape, targeting multiple industries and using multiple stages within its infection chain. Currently, threat actors prefer archived files or weaponized Microsoft Office productivity documents to deliver this malicious software to the endpoint. Agent Tesla is sold as a commercial subscription license and offers a 24/7 support team. With an easy to use and abundant feature set—like a document exploit builder embedded into the malware management web panel—this keylogger lends itself to all levels of threat actors. A typical theme for...

This Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

By Milo Salvia, Cofense Phishing Defense CenterTM The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they try to hover over the URL. Instead, what they see is a bogus account message. Here’s how the campaign works. Email Body The email pretends to be a notification...

New Phishing Sextortion Campaign Using Alternative Crypto Currencies to Evade Detection

By Hunter Johnson, Cofense Professional Services  Cofense has observed threat actors employing a modified version of a sextortion scam using alternative crypto currencies to bitcoin. Typical sextortion scams claim to have installed malware on recipients’ systems and recorded their browsing history of adult websites and webcam footage. Ransom is demanded in bitcoin, upon threat of releasing damaging information to family, friends, and co-workers. Because threat actors often get recipients’ emails from password breach lists, they sometimes include passwords to lend authenticity. Early sextortion scams started with a plain text extortion email threating the recipient and asking for payment. As enterprises began...

Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways

Last week, the Cofense Phishing Defense CenterTM observed phishing threat actors using low-level trickery to avoid detection, by utilizing basic percentage-based URL encoding. This takes advantage of Google’s nifty ability to decode the encoded URL data on the fly. The easiest way to trick a secure email gateway (SEG) is hiding the true destination of the payload. Here’s how it works: Figure 1: email body The phishing email is simple and originates from a compromised email account of a relatively well-known American brand, informing recipients that they have a new invoice awaiting payment. The email body has an embedded hyperlink...

Emotet Malicious Phishing Campaigns Return in Force

By Alan Rainer and Max Gannon The infamous malware family Emotet—also known as Geodo—has fully resurfaced and resumed sending phishing campaigns that trick users into clicking on links and downloading attachments that contain malicious macros. Many of the emails feature common financial themes that capitalize on an existing reply chain or contact list impersonation. In most cases, subjects for these phishing emails are rather mundane, such as “RE: Re: Contract/Invoice Count” and “Customer Statement 09/16/2019”, with attachments that use Microsoft Office macros to install malware. Upon installation of the Emotet executable, the banking Trojan TrickBot may be placed onto the...

New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet

The Cofense Phishing Defense CenterTM  has detected a new wave of attacks targeting the US taxpayer by delivering Amadey botnet via phishing emails. Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality. Threat groups like TA505 have been known to leverage Amadey botnet as recently as July 2019 to deliver secondary malware like FlawedAmmy (RAT) and email stealers. Here’s how a typical attack works: Figure 1: Infection chain Figure 2: Email Body The email body reports...

Astaroth Uses Facebook and YouTube within Infection Chain

  All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

New Phishing Campaign Uses Captcha to Bypass Email Gateway

By Fabio Rodrigues Phishing threat actors are using Captcha methods to bypass automated URL analysis. By using Captcha techniques to prove human presence, the phish prevents the secure email gateway (SEG), in this case Mimecast’s gateway, from scanning the URL thereby enabling the threat to get through. Here’s how it works. Email Body The phishing email is sent from a compromised account at @avis.ne.jp as if it originated from a voip2mail service. The email alerts the recipient to a new voicemail message. The message is crafted in a simple format, with a preview of the voicemail to entice the recipient...

Phishing Emails Are Using SharePoint to Slip Past Symantec’s Gateway and Attack Banks

Hiding in plain sight by using trusted enterprise technologies almost guarantees delivery of a phishing URL. Case in point: a phishing campaign that delivered a legitimate Sharepoint URL to bypass the email gateway, in this case Symantec’s. Here’s how this increasingly popular phishing tactic works. Email Body The phishing email is sent from a compromised account at a third-party vendor asking the recipient to review a proposal document. The recipient is urged to click on an embedded URL. As seen below in figure 1, the URL has been wrapped by Symantec’s Click-time URL Protection and redirects the recipient to a...

Bundle Up and Build an End-to-End Phishing Defense

By David Mount, Product Marketing Back in 2008, CofenseTM (then PhishMe®) pioneered the concept of phishing simulation as a tool to reduce organizational risk to phishing threats. Since then, the phishing threat landscape has evolved at a rapid pace, as evidenced in many of the posts on this blog. Back then, traditional approaches to Security Awareness didn’t (and still don’t) demonstrably and measurably improve security posture, especially relating to phishing threats. And, as we’ve mentioned before (and we highlight in this blog), every threat identified by the Cofense Phishing Defense CenterTM has bypassed the technical controls like Secure Email Gateways...

Raccoon Stealer Found Rummaging Past Symantec and Microsoft Gateways

Threat Actors Use Bogus Payment HTML File to Scoot Past Proofpoint Gateway

By Tej Tulachan The Cofense Phishing Defense CenterTM (PDC) has prevented a phishing attack that attempts to steal users’ Office365 credentials by luring them with a fake payment order attachment. Hiding a malicious re-direct within a html file, threat actors bypassed the Proofpoint secure email gateway to try and steal users’ credentials. Here’s how it works: At first glance, the email appears to be a genuine communication originating from the accounts team of a relatively well-known company. The message body informs the recipient there is a payment order that requires processing. The message simply says, “Please find attached copies of...

Quit Faking It—Train Your Users to Stop Real Phish

By Tonia Dudley CofenseTM was the pioneer of phishing simulation as a training method to defend against phishing incidents. We’ve evolved our products and methodology as we understand that real phish are the real problem. What has also evolved over time is the depth of our scenario templates—when threat actors shift to use a new tactic to make their way past the secure email gateway (SEG), Cofense is able to quickly offer a scenario based on that tactic. When we say, “Real phish are the real problem” we mean organizations should set their phishing defense strategy from end to end....

Cofense Labs Has Identified a Sextortion Botnet in the Wild – and it’s Growing

By Tonia Dudley, Cofense Security Solutions Every day, CofenseTM threat analysts and researchers monitor phishing and cyber security threats in the wild. In June of 2019, our researchers uncovered a sextortion botnet that contained a list of 200 million email addresses. Read the original announcement here. That database has since grown to over 330 million email addresses. We have also identified an increase in the number of unique web domains being targeted by the botnet. When we released our original findings, the database had close to 6 million unique domains. That total has grown to 7.4 million unique domains. To...

New Credential Phish Targets Employees with Salary Increase Scam

By Milo Salvia, Cofense Phishing Defense CenterTM The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by preying on employees who are expecting salary increases. The threat actors use a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spread sheet. Here’s how it works: Email Body Figure 1: Email Body The threat actor attempts to make the email appear to come from the target company by manipulating the “from” field in the headers. In particular, the threat actor changes the...

Are URL Scanning Services Accurate for Phishing Analysis?

By Chris Hall, Professional Services There are plenty of websites offering URL scanning for malicious links. Their tools are a quick and easy way to analyze a URL without visiting the site in a sandboxed environment. Widely used, these tools are accurate to a point. But in today’s phishing landscape, where attacks are increasingly sophisticated, such tools are becoming less and less reliable. We in the Cofense Phishing Defense CenterTM (PDC) believe they are ineffective against more advanced phishing websites. Phishing Sites Are Using Redirect Methods to Avoid Detection Let start with this example: An attacker can easily set up...

New Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

By Milo Salvia, CofenseTM Phishing Defense CenterTM This blog has been updated since its first appearance on October 17, 2019 to include information related to the threat origin and bypassed email gateways. The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they try to hover...

This Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

By Milo Salvia, Cofense Phishing Defense CenterTM The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they try to hover over the URL. Instead, what they see is a bogus account message. Here’s how the campaign works. Email Body The email pretends to be a notification...

New Phishing Sextortion Campaign Using Alternative Crypto Currencies to Evade Detection

By Hunter Johnson, Cofense Professional Services  Cofense has observed threat actors employing a modified version of a sextortion scam using alternative crypto currencies to bitcoin. Typical sextortion scams claim to have installed malware on recipients’ systems and recorded their browsing history of adult websites and webcam footage. Ransom is demanded in bitcoin, upon threat of releasing damaging information to family, friends, and co-workers. Because threat actors often get recipients’ emails from password breach lists, they sometimes include passwords to lend authenticity. Early sextortion scams started with a plain text extortion email threating the recipient and asking for payment. As enterprises began...

The Zombie Phish Is Back with a Vengeance

Keep a close on your inboxes—the Zombie Phish is back and it’s hitting hard. Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie hoard.

Got a Blockchain Wallet? Be Alert for These Phishing Emails

By Tej Tulachan and Milo Salvia The CofenseTM Phishing Defense Center™ has seen a fresh wave of attacks targeting Blockchain wallet users. The attacks aim to steal all the information needed to hijack unsuspecting victims’ wallets and syphon off their hard-earned crypto gains. In the past week, we have detected more than 180 of these malicious emails, all reported by customers’ users. Here’s how the phishing emails work. Red Flag #1: ‘You Have Been Chosen.’ In the message below, we can see that the victim has been “selected to receive” a $50 dollar amount of  Stellar (XLM), an up and coming...

Jigsaw Ransomware Returns With Extortion Scam Ploys

By Lucas Ashbaugh Want to play a game? Jigsaw ransomware does, and it’s going to run you $400… or you could just download the free decrypter online. Jigsaw, featuring Billy The Puppet from Saw, was first released in 2016. It not only encrypts the victim’s files but deletes them at a continuously increasing rate until a payment in bitcoin can be confirmed against the bitcoin blockchain. Now, Jigsaw has been observed again, this time delivered through scam tactics. The Delivery Each email starts off with a ploy about how the threat actor somehow compromised the victim’s financial accounts. After shocking and...

Threats of Terror Pervade Recent Extortion Phishing Campaigns

By Lucas Ashbaugh “There is an explosive device (tronitrotoluene) in the building where your business is conducted […] there will be many victims if it explodes”

Re: The Zombie Phish

By: Lucas Ashbaugh, Nick Guarino, Max Gannon Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message. This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish. Not Your Average Phish The Cofense™ Phishing...

Email Security Gateway (to Your Next Breach)

BY THE COFENSE PHISHING DEFENSE CENTER Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware1, but by the end of 2017 the average user received 16 malicious emails per month.2 Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface. Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous...

We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan

By Jerome Doaty and Garrett Primm The Cofense™ Phishing Defense Center (PDC) has recently defended against a resurgence of Astaroth, with dozens of hits across our customer base in the last week. In just one week, some estimated 8,000 machines have been potentially compromised.

The Lazy Man’s Guide to Phishing

By Lucas Ashbaugh Laziness and sloppy work are the twenty first century’s newest business model, and for phishing actors it’s a gold rush. The real winners from modern phishing have taken a chapter out of the entrepreneur’s  handbook: The Lean Startup. For them, phishing isn’t about artisanal fraud and refined skills, it’s about starting cheap, failing quickly, and getting their head back in the game. It’s horrendously brilliant. In a world where SOCs are constantly grinding to block that IP, scan for that hash, disable macros, etc., automated solutions just can’t keep up. When it comes to phishing, speed is king....

An Analyst’s View of Surging PowerShell-based Malware

Over the past couple of weeks, the Cofense™ Phishing Defence Center (PDC) has observed a rise in PowerShell-based malware. PowerShell is a very powerful scripting language that is legitimately used in many organisations. PowerShell is packed with almost endless capabilities, most of which are particularly interesting to threat actors who wish to abuse PowerShell for malicious purposes.

Another Tax-Rebate Phishing Scam, This Time in Canada

The CofenseTM Phishing Defense Center has observed a phishing email targeting Canadian taxpayers, similar to HMRC scams we recently reported in the United Kingdom. It’s the latest in a surge of tax-rebate phishing scams seen across the globe, prompting tax-collection agencies to issue consumer warnings.