Cofense Blog

Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications

Emotet Gears Up to File (Your) Taxes

Hot Off the Press: Cofense Q4 2019 Malware Trends Report

Ransomware in 2020: Not Just More, But Different

By Aaron Riley, Cofense Intelligence Cofense IntelligenceTM assesses that enterprise-targeted ransomware campaigns will most likely increase in 2020, based on attack and ransom payment trends over the last six months. In the latter half of 2019, ransomware campaigns escalated in targeting public organizations. These attacks were frequently debilitating to an impacted organization’s ability to operate and provide services and, in some cases, resulted in a data breach. Interestingly, victims are opting to pay the ransom more often. The cost of data recovery, reputation salvaging, and business impact often outweigh the payment itself. Further, those victims with insurance are paying at...

Jeopardy GOATs Buzz In, Security World Groans

In 2020, Resolve Not to Simulate Last Year’s Phish

Organization of Post-Soviet States Spoofed in Phishing Email

Want to simulate a holiday phish? This one’s from your friends at Emotet.

By Tonia Dudley Tis the season when organizations are looking to send out the year’s last phishing simulation. Often the Security Awareness team lands on a holiday theme – holiday party, holiday raffle, or even the fun ugly sweater lure. In the past, when I worked with teams to advance their phishing defense programs, I would recommend staying away from holiday themed scenarios. I’ll explain why in a moment. But my opinion has changed, thanks to the threat actors behind Emotet.

5 Cybersecurity Trends that Will Dominate 2020

By Aaron Higbee, CTO, Cofense The threat landscape continues to evolve at a rapid pace, with new threat vectors emerging and increasing in sophistication. Which ones should you watch most closely as 2020 unfolds? Based on insights collected from our Cofense research teams, here are five trends we see dominating next year. Ransomware will continue becoming more targeted to reap more sizeable payouts. Many people are under the impression that ransomware is slowing down, but in reality it’s simply being used in a more targeted fashion. So many private and public organizations, as well as government entities, have been infiltrated...

Emotet Modifies Command & Control URI Structure and Brings Back Link-based Emails

Threat Actors Use Bogus Payment HTML File to Scoot Past Proofpoint Gateway

You’ve Been Served: UK Scammers Deliver ‘Predator the Thief’ Malware Via Subpoena

By Aaron Riley Not even the halls of justice are immune from scammers. A new phishing campaign spoofing the UK Ministry of Justice has successfully targeted users with a subpoena-themed email delivering Predator the Thief, a publicly available information-stealing malware. Cofense IntelligenceTM has observed employees in insurance and retail companies receiving these emails. The phishing email states that the recipient has been subpoenaed and is asked to click on a link to see more details about the case. The enclosed link uses trusted sources—namely Google Docs and Microsoft OneDrive—for the infection chain. The initial Google Docs link contains a redirect...

New Credential Phish Targets Employees with Salary Increase Scam

By Milo Salvia, Cofense Phishing Defense CenterTM The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by preying on employees who are expecting salary increases. The threat actors use a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spread sheet. Here’s how it works: Email Body Figure 1: Email Body The threat actor attempts to make the email appear to come from the target company by manipulating the “from” field in the headers. In particular, the threat actor changes the...

Are URL Scanning Services Accurate for Phishing Analysis?

What’s Up With Malware? Find Out In Our Q3 Report

By Alan Rainer and Max Gannon On the malware front, the summer of 2019 was quiet and steady-state. But the end of Q3 saw the infamous Emotet resurface, presaging a malware uptick in Q4. Read all about it in the Cofense Q3 2019 Malware Trends Report. Maintaining a relative lull when Emotet suspended activity, threat actors in Q3 stuck to tried-and-true practices of intrusion. Phishing emails containing keyloggers (namely ‘Agent Tesla’) slightly rose in popularity, while information stealers like Loki Bot fell. Threat actors continue to seek the easiest, most efficient way of infiltrating users. Agent Tesla, for example, offers...

New Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

Agent Tesla Keylogger Is Now a Top Phishing Threat

By Aaron Riley, Cofense IntelligenceTM The Agent Tesla keylogger is an increasingly widespread piece of malware in the phishing threat landscape, targeting multiple industries and using multiple stages within its infection chain. Currently, threat actors prefer archived files or weaponized Microsoft Office productivity documents to deliver this malicious software to the endpoint. Agent Tesla is sold as a commercial subscription license and offers a 24/7 support team. With an easy to use and abundant feature set—like a document exploit builder embedded into the malware management web panel—this keylogger lends itself to all levels of threat actors. A typical theme for...

This Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

By Milo Salvia, Cofense Phishing Defense CenterTM The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they try to hover over the URL. Instead, what they see is a bogus account message. Here’s how the campaign works. Email Body The email pretends to be a notification...

New Phishing Sextortion Campaign Using Alternative Crypto Currencies to Evade Detection

Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways

Emotet Gears Up to File (Your) Taxes

Ransomware in 2020: Not Just More, But Different

By Aaron Riley, Cofense Intelligence Cofense IntelligenceTM assesses that enterprise-targeted ransomware campaigns will most likely increase in 2020, based on attack and ransom payment trends over the last six months. In the latter half of 2019, ransomware campaigns escalated in targeting public organizations. These attacks were frequently debilitating to an impacted organization’s ability to operate and provide services and, in some cases, resulted in a data breach. Interestingly, victims are opting to pay the ransom more often. The cost of data recovery, reputation salvaging, and business impact often outweigh the payment itself. Further, those victims with insurance are paying at...

Jeopardy GOATs Buzz In, Security World Groans

In 2020, Resolve Not to Simulate Last Year’s Phish

Organization of Post-Soviet States Spoofed in Phishing Email

Want to simulate a holiday phish? This one’s from your friends at Emotet.

By Tonia Dudley Tis the season when organizations are looking to send out the year’s last phishing simulation. Often the Security Awareness team lands on a holiday theme – holiday party, holiday raffle, or even the fun ugly sweater lure. In the past, when I worked with teams to advance their phishing defense programs, I would recommend staying away from holiday themed scenarios. I’ll explain why in a moment. But my opinion has changed, thanks to the threat actors behind Emotet.

5 Cybersecurity Trends that Will Dominate 2020

By Aaron Higbee, CTO, Cofense The threat landscape continues to evolve at a rapid pace, with new threat vectors emerging and increasing in sophistication. Which ones should you watch most closely as 2020 unfolds? Based on insights collected from our Cofense research teams, here are five trends we see dominating next year. Ransomware will continue becoming more targeted to reap more sizeable payouts. Many people are under the impression that ransomware is slowing down, but in reality it’s simply being used in a more targeted fashion. So many private and public organizations, as well as government entities, have been infiltrated...

Emotet Modifies Command & Control URI Structure and Brings Back Link-based Emails

Tis the Prime Season for Phishing Attacks Against Retail Brands

PowerShell Scripts Delivered Via Office Macro Attachments Target Polish Employees

The Zombie Phish Is Back with a Vengeance

Keep a close on your inboxes—the Zombie Phish is back and it’s hitting hard. Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie hoard.

Got a Blockchain Wallet? Be Alert for These Phishing Emails

Jigsaw Ransomware Returns With Extortion Scam Ploys

By Lucas Ashbaugh Want to play a game? Jigsaw ransomware does, and it’s going to run you $400… or you could just download the free decrypter online. Jigsaw, featuring Billy The Puppet from Saw, was first released in 2016. It not only encrypts the victim’s files but deletes them at a continuously increasing rate until a payment in bitcoin can be confirmed against the bitcoin blockchain. Now, Jigsaw has been observed again, this time delivered through scam tactics. The Delivery Each email starts off with a ploy about how the threat actor somehow compromised the victim’s financial accounts. After shocking and...

Threats of Terror Pervade Recent Extortion Phishing Campaigns

By Lucas Ashbaugh “There is an explosive device (tronitrotoluene) in the building where your business is conducted […] there will be many victims if it explodes”

Re: The Zombie Phish

By: Lucas Ashbaugh, Nick Guarino, Max Gannon Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message. This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish. Not Your Average Phish The Cofense™ Phishing...

Email Security Gateway (to Your Next Breach)

BY THE COFENSE PHISHING DEFENSE CENTER Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware1, but by the end of 2017 the average user received 16 malicious emails per month.2 Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface. Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous...

We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan

By Jerome Doaty and Garrett Primm The Cofense™ Phishing Defense Center (PDC) has recently defended against a resurgence of Astaroth, with dozens of hits across our customer base in the last week. In just one week, some estimated 8,000 machines have been potentially compromised.

The Lazy Man’s Guide to Phishing

By Lucas Ashbaugh Laziness and sloppy work are the twenty first century’s newest business model, and for phishing actors it’s a gold rush. The real winners from modern phishing have taken a chapter out of the entrepreneur’s  handbook: The Lean Startup. For them, phishing isn’t about artisanal fraud and refined skills, it’s about starting cheap, failing quickly, and getting their head back in the game. It’s horrendously brilliant. In a world where SOCs are constantly grinding to block that IP, scan for that hash, disable macros, etc., automated solutions just can’t keep up. When it comes to phishing, speed is king....

An Analyst’s View of Surging PowerShell-based Malware

Over the past couple of weeks, the Cofense™ Phishing Defence Center (PDC) has observed a rise in PowerShell-based malware. PowerShell is a very powerful scripting language that is legitimately used in many organisations. PowerShell is packed with almost endless capabilities, most of which are particularly interesting to threat actors who wish to abuse PowerShell for malicious purposes.

Another Tax-Rebate Phishing Scam, This Time in Canada

The CofenseTM Phishing Defense Center has observed a phishing email targeting Canadian taxpayers, similar to HMRC scams we recently reported in the United Kingdom. It’s the latest in a surge of tax-rebate phishing scams seen across the globe, prompting tax-collection agencies to issue consumer warnings.