Cofense Blog

Staff Members’ Inbox Positive for Coronavirus Themed Phish

Phishes Found in Proofpoint-Protected Environments – Week Ending May 3, 2020

Targeted Attack Uses Fake EE Email to Deceive Users

This Phish Uses Skype to Target Surging Remote Workers

Available Today: The Cofense Intelligence Q1 2020 Phishing Review

Threat Actors Masquerade as HR Departments to Steal Credentials through Fake Remote Work Enrollment Forms

New Phishing Campaign Spoofs WebEx to Target Remote Workers

Coronavirus-Themed Phish Continue to Surge

Coronavirus Redefines the Phishing Threat Landscape

Threat Actors Evade Proofpoint and Microsoft 365 ATP Protection to Capitalize on COVID-19 Fears

Emotet Gears Up to File (Your) Taxes

Hot Off the Press: Cofense Q4 2019 Malware Trends Report

5 Cybersecurity Trends that Will Dominate 2020

By Aaron Higbee, CTO, Cofense The threat landscape continues to evolve at a rapid pace, with new threat vectors emerging and increasing in sophistication. Which ones should you watch most closely as 2020 unfolds? Based on insights collected from our Cofense research teams, here are five trends we see dominating next year. Ransomware will continue becoming more targeted to reap more sizeable payouts. Many people are under the impression that ransomware is slowing down, but in reality it’s simply being used in a more targeted fashion. So many private and public organizations, as well as government entities, have been infiltrated...

This Advanced Keylogger Delivers a Cryptocurrency Miner

Bundle Up and Build an End-to-End Phishing Defense

By David Mount, Product Marketing Back in 2008, CofenseTM (then PhishMe®) pioneered the concept of phishing simulation as a tool to reduce organizational risk to phishing threats. Since then, the phishing threat landscape has evolved at a rapid pace, as evidenced in many of the posts on this blog. Back then, traditional approaches to Security Awareness didn’t (and still don’t) demonstrably and measurably improve security posture, especially relating to phishing threats. And, as we’ve mentioned before (and we highlight in this blog), every threat identified by the Cofense Phishing Defense CenterTM has bypassed the technical controls like Secure Email Gateways...

Raccoon Stealer Found Rummaging Past Symantec and Microsoft Gateways

Threat Actors Use Bogus Payment HTML File to Scoot Past Proofpoint Gateway

You’ve Been Served: UK Scammers Deliver ‘Predator the Thief’ Malware Via Subpoena

By Aaron Riley Not even the halls of justice are immune from scammers. A new phishing campaign spoofing the UK Ministry of Justice has successfully targeted users with a subpoena-themed email delivering Predator the Thief, a publicly available information-stealing malware. Cofense IntelligenceTM has observed employees in insurance and retail companies receiving these emails. The phishing email states that the recipient has been subpoenaed and is asked to click on a link to see more details about the case. The enclosed link uses trusted sources—namely Google Docs and Microsoft OneDrive—for the infection chain. The initial Google Docs link contains a redirect...

New Credential Phish Targets Employees with Salary Increase Scam

By Milo Salvia, Cofense Phishing Defense CenterTM The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by preying on employees who are expecting salary increases. The threat actors use a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spread sheet. Here’s how it works: Email Body Figure 1: Email Body The threat actor attempts to make the email appear to come from the target company by manipulating the “from” field in the headers. In particular, the threat actor changes the...

Are URL Scanning Services Accurate for Phishing Analysis?

Staff Members’ Inbox Positive for Coronavirus Themed Phish

Phishes Found in Proofpoint-Protected Environments – Week Ending May 3, 2020

Targeted Attack Uses Fake EE Email to Deceive Users

This Phish Uses Skype to Target Surging Remote Workers

Available Today: The Cofense Intelligence Q1 2020 Phishing Review

Threat Actors Masquerade as HR Departments to Steal Credentials through Fake Remote Work Enrollment Forms

New Phishing Campaign Spoofs WebEx to Target Remote Workers

Coronavirus-Themed Phish Continue to Surge

Coronavirus Redefines the Phishing Threat Landscape

Threat Actors Evade Proofpoint and Microsoft 365 ATP Protection to Capitalize on COVID-19 Fears

Phishing Attacks on High Street Target Major Retailer

Houdini Worm Transformed in New Phishing Attack

By Nick Guarino and Aaron Riley The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence™ have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.

This ‘Voice Mail’ Is a Phish—and an Email Gateway Fail

The Zombie Phish Is Back with a Vengeance

Keep a close on your inboxes—the Zombie Phish is back and it’s hitting hard. Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie hoard.

Got a Blockchain Wallet? Be Alert for These Phishing Emails

Jigsaw Ransomware Returns With Extortion Scam Ploys

By Lucas Ashbaugh Want to play a game? Jigsaw ransomware does, and it’s going to run you $400… or you could just download the free decrypter online. Jigsaw, featuring Billy The Puppet from Saw, was first released in 2016. It not only encrypts the victim’s files but deletes them at a continuously increasing rate until a payment in bitcoin can be confirmed against the bitcoin blockchain. Now, Jigsaw has been observed again, this time delivered through scam tactics. The Delivery Each email starts off with a ploy about how the threat actor somehow compromised the victim’s financial accounts. After shocking and...

Threats of Terror Pervade Recent Extortion Phishing Campaigns

By Lucas Ashbaugh “There is an explosive device (tronitrotoluene) in the building where your business is conducted […] there will be many victims if it explodes”

Re: The Zombie Phish

By: Lucas Ashbaugh, Nick Guarino, Max Gannon Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message. This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish. Not Your Average Phish The Cofense™ Phishing...

Email Security Gateway (to Your Next Breach)

BY THE COFENSE PHISHING DEFENSE CENTER Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware1, but by the end of 2017 the average user received 16 malicious emails per month.2 Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface. Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous...

We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan

By Jerome Doaty and Garrett Primm The Cofense™ Phishing Defense Center (PDC) has recently defended against a resurgence of Astaroth, with dozens of hits across our customer base in the last week. In just one week, some estimated 8,000 machines have been potentially compromised.