Cofense Blog


Threat Actors Put a Greek Twist on Ransomware with Sigma

November 10, 2017 by Cofense in Malware Analysis, Phishing Defense Center

When we think of Greek-themed malware, the trojan family generally comes to mind. Not anymore: Sigma is a new ransomware delivered via phishing email.


Real Estate Phishing Scams…Part 2

November 10, 2017 by Heather McCalley in Malware Analysis

In part 1, we looked at the trend of phishing attacks targeting the real estate business, including home buyers who unwittingly wired money (millions) to criminals. Recently, CNBC reported the story and followed up with an interview of PhishMe® CEO and Co-founder Rohyt Belani.


“All-in-One” Phish Gives Malaysians a Choice…of Phony Sites

November 10, 2017 by Heather McCalley in Malware Analysis

Recently, PhishMe® recorded suspicious messages that spoofed, the domain for the central bank of Malaysia, Bank Negara. The emails concerned a funds transfer. Figure 1: Initial phishing message. Red Flags Right Away: The spoofed sending address belongs to a U.S.-based employee account on a high-reputation .ORG domain. (Red Flag number 1: The friendly portion of the sender name does not match the email address.) Addresses on .ORG and addresses on university (.EDU) domains are frequently used to bypass spam filters that are set to allow messages through only when they appear to be coming from a sending domain with a...


More Languages? Czech. Our CBT’s Are Truly Global.

November 9, 2017 by Cofense in Internet Security Awareness

Back in June, PhishMe® launched our free computer-based training module on GDPR compliance. The feedback has been great, including urgent requests to make the training available in other languages.


Real Estate Phishing Scams Turn American Dreams into Nightmares

November 6, 2017 by Heather McCalley in Malware Analysis

Recently, CNBC reported on phishing scams in real estate, following up with an interview of PhishMe® CEO and Co-founder Rohyt Belani. Real estate is a bullseye for enterprising phishers. Often, the scammer is attempting wire fraud, trying to induce someone to make an electronic transfer of funds.


Microsoft Office Features Abused to Deliver Malware

November 3, 2017 by Mollie Holleman in Malware Analysis

Less than a week after a Sensepost blog highlighted how to abuse Microsoft Office functionality to deliver malware to systems via phishing messages, PhishMe® observed attackers abusing this feature of Microsoft Windows. This highlights how quickly malicious actors capitalize on such revelations, outpacing many organizations’ abilities to understand and respond to emerging threats.


BadRabbit is not Petya. But…

November 3, 2017 by Cofense in Malware Analysis, Ransomware

Petya. NotPetya. Now BadRabbit. Ransomware keeps evolving and wreaking havoc worldwide. There’s no evidence that phishing emails have delivered Bad Rabbit, the new ransomware strain which hit Russian, Eastern European and some U.S. networks this week. But nonetheless at PhishMe, BadRabbit has caught our eye.


Here’s How to Make Every Month Security Awareness Month

November 2, 2017 by Cofense in Internet Security Awareness

It’s fitting that National Security Awareness Month ends on Halloween. It’s the time to contemplate scary things, whether ghouls, men in lederhosen stumbling about with steins or the real deal, phishing emails loaded with ransomware.


Viewing Phish with a Payload using PhishMe Intelligence and Maltego

November 2, 2017 by Cofense in Cyber Incident Response, Threat Intelligence

By Mike Saurbaugh and Geoff Singer. Visualize Phishing Relationships with PhishMe Intelligence™ and Maltego. Fishing (without the “P”) is not a lot of fun when you just drop a line in the water and hope for the best. When fishermen want to see where the fish are, they look to the fish finder on the bridge to “look underwater” to find schools of fish. Similarly, when an analyst is looking to “catch” a phishing campaign, correlating the attacker’s campaigns and their payloads can benefit from being able to visually graph and link phishing threats. PhishMe Intelligence combined with Maltego can...


Don’t Go In the Attachment: 5 Security Reminders in Honor of Halloween

October 31, 2017 by Cofense in Internet Security Awareness, Malware Analysis

Do we really need another Halloween-themed security blog? Yep. We do. Not because our edgiest holiday triggers more cyber threats. No, Halloween season is scary because it’s been absorbed by the winter holidays—the spendiest, cyber-riskiest time on the retail calendar, beginning in mid-September and lasting until…it ends, right?


CTB-Locker: The Latest Crypto Malware Coming to you Via Email Spam

January 19, 2015 by Cofense in Malware Analysis

The latest crypto malware threat – CTB-Locker – promises to be one of the most serious security threats seen in recent years. The latest crypto malware is one of many of its ilk that have emerged in the past two years. This form of malware encrypts files on victims’ computers and will not unlock them until a ransom is paid. Only then will the key to decrypt data be provided. Crypto malware has been around for some time, although its popularity has been increasing over the past couple of years. One of the first major crypto malware variants was CryptoLocker....


The Evolution of Upatre and Dyre

January 16, 2015 by Cofense in Malware Analysis

Over the last few months, we’ve been tracking Dyre and reporting changes to the malware on this blog. Dyre’s latest iteration shows yet another shift in tactics – one that combines characteristics of Dyre with Upatre code to create a new downloader… Figures 1, 2, 3 and 4 show three different emails, all with the same content but with different malicious links, which we’ll use interchangeably in our examples.


MS Word and Macros… Now With Social Engineering Malware

December 15, 2014 by Cofense in Internet Security Awareness, Malware Analysis

On December 11, one of our employees reported a phishing email with PhishMe’s Reporter for Outlook that contained a particularly nasty Word document. The malicious payload included PowerShell, VBA, and batch code. Here’s a screenshot of the phishing email:


Cridex Malware Authors Warn Lloyds users of Dyre

November 19, 2014 by Cofense in Malware Analysis

PhishMe malware researchers have been helping you protect your network by sharing information about the Dyre Trojan and Cridex malware on a daily basis for several months; however, in that time we have not seen any actions as bold as those used by the Cridex malware authors today. Dyre is the current top banking Trojan being distributed by email, and it poses a significant threat to businesses and consumers. The Trojan steals credentials and the attackers use that information for financial fraud. Threat Analyst Neera Desai let us know about this new threat from today’s Cridex attack, which uses a malicious Microsoft...


Three Ways Reporter Can Enhance Your Incident Response Process

November 18, 2014 by Cofense in Cyber Incident Response

Most of us have been in an airport and heard the announcement over the loudspeaker: “If you see something, say something.” The airport has security personnel; however, their agents cannot be everywhere at once. They collectively rely on travelers passing through the airport to be their eyes and ears in places agents cannot be. In this way, as an airport traveler, you are a “sensor” watching for, detecting, and alerting on suspicious behavior such as unoccupied luggage. What does this have to do with information security? Just as passengers can help prevent an incident in the airport by reporting...


Two Attacks… Two Dyres… All Infrastructure

November 6, 2014 by Cofense in Internet Security Awareness, Threat Intelligence

Over the last few days, we have seen two waves of Dyre. The attackers have changed things up a bit and made it harder to analyze. By using memory forensics techniques, we took a peek into their command and control (C2) infrastructure. The #1 rule of memory forensics…everything has to eventually be decoded, and we’re going to use this to our advantage. Here’s a quick look at the waves of emails we received. (Figures 1 and 2)


.NET Keylogger: Watching Attackers Watch You

October 16, 2014 by Cofense in Internet Security Awareness, Threat Intelligence

Throughout life, there are several things that make me smile. Warm pumpkin pie, a well-placed nyan nyan cat, and most of all – running malware online – never fail to lift my mood. So imagine my surprise to see, after running a malware sample, that the attackers were watching me. Here’s a screenshot of a phishing email we received, which contained a keylogger written in .NET.


Bash Vulnerability CVE-2014-6271 – Worm-able and Possibly Worse Than Heartbleed

September 25, 2014 by Cofense in Internet Security Awareness, Threat Intelligence

Post updated 9/30/2014. Several months ago, the Internet was put to a halt when the Heartbleed vulnerability was disclosed. Webservers, devices, and essentially anything running SSL were affected; as a result, attackers were able to collect passwords, free of charge. With Heartbleed, the exploit made a splash and many attackers started to use the vulnerability. One of the more high-profile attacks of Heartbleed was the CHS attack, where the attackers siphoned 4.5 million patient records by attacking a Juniper device, then hopping onto their VPN. So how can something be bigger than Heartbleed? I’m glad you asked.


PDF Exploits: A Deep Dive

September 8, 2014 by Cofense in Internet Security Awareness, Threat Intelligence

On Friday, several of our users received phishing emails that contained PDF attachments, and reported these emails through Reporter. The PDF attachment is a slight deviation from the typical zip-with-exe or zip-with-scr; however, it’s still delivering malware to the user.


Four Ways Phishing Has Evolved in 2014

August 20, 2014 by Cofense in Internet Security Awareness, Threat Intelligence

Phishing isn’t exactly a new kid on the block. Phishing is one of the most common email-based threats. It is a tried and tested tactic that continues to deliver impressive results for cybercriminals. That’s why phishing continues to grow in popularity. In the month of June 2014 alone, phishing activities totaled $400 million in losses, which could be annualized at $102 million per year. While it has been around for years, phishing has evolved considerably and has increased in efficiency and effectiveness. In the last six months (as compared to 2013), we’ve seen several differences in the type, size and...


Using RTF Files as a Delivery Vector for Malware

December 9, 2015 by Cofense in Phishing

During malware analysis we often see attackers using features in creative ways to deliver and obfuscate malware. We’ve recently seen an increase with samples leveraging RTF temp files as a delivery method to encapsulate and drop malware.


CNBC Squawk Box Tackles Multi-Billion Dollar Enterprise Phishing Problem, Taps PhishMe CEO Rohyt Belani for Expert Opinion

December 4, 2015 by Cofense in Phishing

NEW YORK, NEW YORK — This morning, CNBC Squawk Box anchors tackled the enterprise phishing scourge with the assistance of PhishMe CEO and recognized cybersecurity thought leader, Rohyt Belani. As pointed out by anchor Andrew Ross Sorkin at the beginning of the segment, phishing attacks are responsible for more than 90 percent of the major data breaches taking place today and were cybercriminals’ primary attack vector for recent compromises at the OPM and Anthem.


Macro documents with XOR Encoded Payloads

November 9, 2015 by Cofense in Phishing

When reversing malware samples, one of the things that we as analysts look for are places where the attackers slip up. This can be anywhere from using the same strings, to weak obfuscation routines, or re-using the same snippet of code. When we talk about the attackers, there is this misconception that they are these super villains who can only do evil, but keep in mind they are humans too.


Awareness isn’t the goal, it’s just the beginning

October 27, 2015 by Aaron Higbee in Internet Security Awareness, Malware Analysis

When people refer to PhishMe as the awareness company, we smile and nod. I want to correct them, but the label ‘security awareness’ is comfortable and relatable. One of the activities that organizations commonly believe will help reduce risk is mandatory security awareness computer-based training (CBT) lessons. The hope is that if we enroll our humans in online courses about how the bad guys hack us, they will walk away with a wealth of new-found awareness and avoid being victimized. (Try to visualize how far in the back of my head my eyes are rolling…)


PhishMe Celebrates National Cyber Security Awareness Month 2015 and UK Based Security Serious Week

October 7, 2015 by Cofense in Internet Security Awareness, Malware Analysis

It’s that time of year again. No, it’s not the arrival of the pumpkin spiced latte at your local coffee shop. It’s National Cyber Security Awareness month (NCSAM) as proclaimed by President Barack Obama last year. “National Cyber Security Awareness Month — celebrated every October — was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online,” as stated by the National Cyber Security Alliance located on their website. At PhishMe, we are proud to once again play a lead role in the cyber...


Business Email Compromise Phishing Attacks Soaring

September 30, 2015 by Cofense in Internet Security Awareness, Phishing

Business email compromise phishing attacks are soaring. The profits that can be made from these types of attacks have made them highly popular with cybercriminals. That should be of major concern for all business leaders. When people ask me “What’s going on with Phishing?” these days I tell them that 2015 will be remembered as the Year of the Email Phish. Not Email Phish as in “someone sent me a link to a malicious website by email”, but rather Email Phish as in “the goal of this phishing attack is to steal my email password.” During the calendar month of...


Vistaprint Abuse – Free Phish for All

September 24, 2015 by Cofense in Phishing

Over the last few months, we’ve been seeing a huge influx of attackers using VistaPrint for business email compromise (BEC) scams. Losses due to account takeovers total over a billion dollars, and given the nature of these wire fraud attempts, it’s pretty easy to get the money, unless you’re the VP of finance for PhishMe. Why are attackers using VistaPrint, and what makes them such a middle-man for these attacks?


VIDEO UPDATE: Wire Fraud Phisher attempts to phish PhishMe, instead gets phished by PhishMe

September 17, 2015 by Aaron Higbee in Phishing

(VIDEO UPDATE LINK: Defending Against Phishing Attacks: Case Studies and Human Defenses by Jim Hansen • A human centric method of defense • Attack case studies & attacker technique analysis • Proactive simulation methods: educating workforces & detecting / thwarting attacks) (^ say that title ten times fast) Every year PhishMe Simulator sends millions of phishing emails to its 500+ enterprise customers’ employees worldwide. PhishMe is hands down the most robust and sophisticated phishing platform in existence. To say that we are a little obsessive about Phishing is a bit of an understatement. In fact, we are sitting on innovations in phishing that...


Using Yara to Break CryptoWall Phishing

September 15, 2015 by Cofense in Phishing

Over two months ago, we wrote about phishing emails that contained zip files containing html downloaders to versions of CryptoWall. Fast forward to now, and we’re still seeing the same phishing story, but different attachments. Here’s a screenshot:


A Peek Inside an Affiliate’s Malspam Operation: Kovter and Miuref/Boaxxe Infections

September 11, 2015 by Cofense in Phishing

In March of this year, reports emerged of malspam campaigns using email-attached “.doc.js” files, which tied back to the Kovter and Boaxxe click-fraud trojans. The analysis of these malware families has already been well documented here and here. Therefore, this post will concentrate on the botnet behind the malspam delivery and subsequent download for these recent malspam campaigns. It is believed that the miscreants behind the development of these trojans use an affiliate model to have their malicious wares infect victims via botnet or exploit kit operators.