Products
Products
Awareness
Detection
Response
Intelligence
About Cofense
About Cofense
Leadership
FAQs for PhishMe Submerge
Registration & Event Information How do I register? Please use the…
Learn More
FAQs for PhishMe Submerge
Registration & Event Information How do I register? Please use the…
Learn More
Free Tools
Free Tools
Create Transparency
Speed Response
Resources
Resources

Cofense Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

PhishMe Triage Catches and Mitigates a Phishing Attack on Day 1

September 8, 2017 by Cofense in Cyber Incident ResponseMalware AnalysisPhishing

BY JOHN TRAVISE AND NICOLAS OCTAVIANI PhishMe Triage™ immediately reveals an active, ongoing phishing attack against a new customer during a configuration and deployment.

READ MORE

NanoCore Variant Delivered Through UUE Files

September 8, 2017 by Marcel Feller in Malware AnalysisPhishingPhishing Defense Center

Over the past few weeks, our Phishing Defense Center has observed several emails with malicious PDF attachments that prompt the user to download a .UUE file from Dropbox. UUE files (Unix to Unix Encoding) are files encoded with uuencode, a program that converts binary files to text format for easy transfer while still allowing for the files to be easily opened using Winzip or similar un-archiving applications. When file extensions are not displayed in Windows, the downloaded file looks like any other compressed file (as shown in Figure 1), which makes it harder to spot that this file is indeed...

READ MORE

Want to Get In Front of Breaches? Be Like the Marines.

September 5, 2017 by Cofense in Cyber Incident ResponseInternet Security AwarenessPhishing

Part 1 in our series on being “Left of Breach” in the Phishing Kill Chain. Too often in the information/cyber security industry, we focus our efforts on mitigation of breaches after they occur, relying on incident response teams to find the needles in the haystack. According to “Left of Bang: How the Marine Corps’ Combat Hunter Program Can Save Your Life,” (by Patrick Van Horne and Jason A. Riley; Foreword by Steven Pressfield) The Marine’s Combat Hunter training program works on this premise: by understanding what “normal” looks like, we are much more likely to recognize activities and behaviors that...

READ MORE

5 Reasons Hackers Target SMBs—and 1 Free Way to Fight Back

September 1, 2017 by Cofense in Cyber Incident ResponseInternet Security AwarenessPhishing

Last week PhishMe® released PhishMe® Free, a no-cost version of our award-winning anti-phishing solution, to protect SMBs from phishing attacks and resulting threats. A new PhishMe white paper shows the urgent need for SMBs to bolster their defenses.

READ MORE

10 Ways to Defend Against Business Email Compromise / CEO Email Fraud Scams

August 31, 2017 by Heather McCalley in Internet Security AwarenessMalware AnalysisPhishing

Cybercriminals continue to successfully hack and spoof emails to impersonate supervisors, CEOs, and suppliers and then request seemingly legitimate business payments. Because the emails look authentic and seem to come from known authority figures, many employees comply. But later they discover they’ve been tricked into wiring money or depositing checks into criminals’ bank accounts.

READ MORE

The Newest Delivery Method for the Locky Ransomware

August 29, 2017 by Cofense in Malware AnalysisPhishing

Since its introduction in early 2016 and throughout this year, the distribution of the Locky ransomware has been overwhelmingly facilitated by attached script applications written in JScript or Visual Basic. These script applications have been delivered as the content of an attached archive such as a Zip or RAR file delivered as part of the email messages.

READ MORE

Locky Ransomware Keeps Returning After Repeated Absences

August 23, 2017 by Cofense in Malware AnalysisPhishing

It seems that each time the information security community is ready to declare the Locky ransomware dead and gone, phishing threat actors launch new campaigns with new characteristics. Locky’s presence on the threat landscape dates back to February 2016 when this malware formalized and matured the ransomware business model in phishing emails. Coupled with a tenacious distribution strategy, Locky dominated the phishing markets throughout 2016. Since early 2017, Locky’s presence on the threat landscape has been far more tepid. Its subdued presence on the threat landscape and intermittent distributions led to rumors that Locky was a thing of the past;...

READ MORE

Zeus Panda’s Modular Functions Provide Insight into Botnet Malware Capabilities

August 21, 2017 by Cofense in Malware AnalysisPhishing

One core element of the information security mission is the successful assessment of the risk posed to an organization by a malware sample or malware variety delivered by a phishing email. In 2017, phishers have embraced the use of adaptable and flexible malware to gain initial footholds in a network before monetizing the infected host. The intersection of these two missions creates a scenario in which open-ended, adaptable botnet malware challenges information security professionals to prepare for a wide array of malware capabilities–in some case without much insight into the real risks posed by a malware tool. However, in some...

READ MORE

The PhishMe 2017 Excellence Awards Nominations are Open!

August 17, 2017 by Cofense in Phishing

Make your nominations for the 2017 PhishMe® Excellence Awards today! Every day, 1000s of companies use PhishMe as a cornerstone of their phishing defense program. The PhishMe Excellence Awards recognize the outstanding achievements of security professionals and organizations with innovative, successful anti-phishing and phishing defense programs to minimize the risk and impacts associated with phishing attacks.

READ MORE

Ransomware: Don’t Make It Too Easy to Hit Your WordPress Site

August 17, 2017 by Aaron Higbee in Internet Security AwarenessMalware Analysis

Ransomware is a business.  And like all smart business people, hackers look for efficiencies to increase revenue and lower cost of delivery.

READ MORE

Dyre Banking Trojan: What You Need to Know

June 18, 2014 by Cofense in Threat Intelligence

Beware of the Dyre banking Trojan! – A new malware threat that steals financial information such as login credentials. News of rhe Dyre banking Trojan has been circulating the web recently, following its discovery. Dyre or Dyreza as it is also known exhibits classic banking Trojan behaviors such as using “man-in-the-middle” attacks to steal private information from victims. It is also being used on customers of certain banks in targeted attacks. PhishMe identified this new malware on June 11, 2014. The Trojan is distributed via spam email messages that used similar email templates to other banking Trojan and malware distribution campaigns. Rather...

READ MORE

Project Dyre: New RAT Slurps Bank Credentials, Bypasses SSL

June 13, 2014 by Cofense in Internet Security AwarenessThreat Intelligence

When analyzing tools, tactics, and procedures for different malware campaigns, we normally don’t see huge changes on the attackers’ part. However, in the Dropbox campaign we have been following, not only have the attackers shifted to a new delivery domain, but they have started to use a new malware strain, previously undocumented by the industry, named “Dyre”. This new strain not only bypasses the SSL mechanism of the browser, but attempts to steal bank credentials.

READ MORE

You’re infected! Ransomware with a twist

May 22, 2014 by Cofense in Ransomware

Your computer is infected! Pay $50 USD in order to remove the malware. The FBI has been tracking you for visiting inappropriate sites. Please pay $250 to avoid higher court costs and appearances. Ransomware is nothing new, and typically comes in many shapes and sizes. For years, users have been visiting websites, only to be redirected to a ransomware site and scared into paying fees that amounted to nothing more than lost money. With the advent of CryptoLocker, however, attackers have felt a need to “give” back to their victims. Once they infect a system and encrypt the data, they...

READ MORE

What we’re reading about the Chinese hacking charges

May 21, 2014 by Aaron Higbee in Internet Security AwarenessThreat Intelligence

While the full implications from yesterday’s DoJ indictment of five Chinese hackers on charges of cyber crime are yet to be fully seen, these charges have already succeeded in elevating cyber crime from a niche discussion to an important debate in society at-large. Furthermore, just as last year’s APT1 report did, the court documents provide a detailed glimpse at the tactics China is using to steal trade secrets from the world’s largest corporations (not surprisingly, phishing continues to be the favored attack method). There has been a lot of media attention on this story, so we’ve put together a list...

READ MORE

There’s threat data and then there’s threat intelligence, do you know the difference?

May 20, 2014 by Cofense in Threat Intelligence

The intelligence-led security approach is gaining traction in corporate security circles.  However, we’ve noticed that the term threat data is often confused with threat intelligence. It’s an easy mistake to make, yet very important to distinguish between the two – one represents the “old way of doing things,” while the other brings about a new era in corporate security and brand protection. In this article, we’ll discuss threat intelligence and how it differs from threat data. The Difference between Threat Intelligence and Threat Data #1: Threat intelligence is verified. Threat data is just a list. Modern threat intelligence has been...

READ MORE

GameOver Zeus: Three Things You Should Know

April 2, 2014 by Cofense in Malware Analysis

The Zeus banking Trojan is a popular topic in the security world these days. It’s not new, but it still garners attention as one of the most successful and prolific Trojans in use today. Banking Trojans hide on infected machines and intercept activity related to the user’s finances—bank account logins, investment information, even purchases on sites like eBay. This differs from phishing. With phishing, an end user is infected with a banking Trojan like Zeus, but they are not directed to a fake website and made to believe they are logging in to an official website. Instead, he or she...

READ MORE

Top Phishing Concerns of DNS Providers

August 29, 2013 by Cofense in Internet Security AwarenessThreat Intelligence

Twitter and the New York Times were hacked this week, which means that they have officially joined the ranks of other major news organizations, including the Financial Times and Washington Post who have been targeted by hackers over the past few months. So, how’d it happen? Three things: hacker groups, DNS providers and spear phishing. The Syrian Electronic Army (SEA) appears to be taking credit for this attack, as their logo was prominently displayed at NYTimes.com when the site was compromised. The SEA, a hacker group, protesting Syrian President Bashar Al-Assad, launched the attack in order to generate high profile awareness...

READ MORE

An untapped resource to improve threat detection

July 31, 2013 by Cofense in Internet Security AwarenessThreat Intelligence

Speaking in front of the House Committee on Special Intelligence earlier this year, Kevin Mandia (CEO of Mandiant) remarked that, “One of the most valuable resources in detecting and responding to cyber attacks is accurate and timely threat intelligence.”  Despite its value, many organizations don’t have a way to get timely threat intelligence. How can organizations improve in this area? If you know anything about us, it probably won’t shock you that we’re encouraging enterprises to focus on their users as a source of real-time threat intelligence. Given that the vast majority of targeted attacks focus on the end user...

READ MORE

Royal Baby Spam and Malware Attack Happening Now

July 25, 2013 by Cofense in Malware Analysis

It’s unfortunate, but when the general public is captivated by a certain news story, cybercriminals are hard at work exploiting the publicity that the news attracts. Exploitation can take many forms. In the cybersecurity space, we often see fake news stories about trending topics floating around. Fake news is becoming a serious problem. It is becoming harder to differentiate fake news from real news. Those fake news stories often have one sole purpose. To trick Internet users into clicking on a malicious link. Such is the case right now. The public is captivated by content about the new royal baby...

READ MORE

Build Phishing Countermeasures to Protect Your Brand

May 22, 2013 by Cofense in PhishingThreat Intelligence

Corporations fight phishing each and every day. Large and recognizable financial institutions, retail companies, internet service providers/telecommunication companies are among those most heavily targeted victims of phishing. While the aftermath of a phishing attack is costly and yields long-term consequences, it’s quite difficult to keep up with cybercriminals. It’s shockingly easy for cybercriminals to create a phishing site targeted at your brand, so easy that the cybercriminal simply needs to unpack and upload a pre-built “phishing kit” in order to create a new phishing website. Just one phishing kit can produce hundreds of phishing URLs. With just a few clicks...

READ MORE

An IRS Rebate That Isn’t Worth It: Phishing Tactics Repeat Themselves

August 13, 2014 by Cofense in Phishing

It’s about the time of year when people should be receiving tax refunds from the IRS, which gives attackers a great opportunity to craft phishing emails. PhishMe users recently reported a round of phishing emails purporting to be from the IRS about tax refunds:

READ MORE

Small but powerful — shortened URLs as an attack vector

July 31, 2014 by Cofense in PhishingThreat Intelligence

Using tiny URLs to redirect users to phishing and malware domains is nothing new, but just because it’s a common delivery tactic doesn’t mean that attackers aren’t using it to deliver new malware samples. We recently received a report of a phishing email from one of our users here at PhishMe that employed a shortened google URL, and led to some surprising malware. Through the power of user reporting, we received the report, discovered the malicious nature of the shortened URL, and reported the issue to Google – all within a span of 30 minutes. Google reacted quickly and took...

READ MORE

Phishing: Stop Paving the Cow Path

July 14, 2014 by Cofense in Phishing

Paving the cow path—why are we still using the same technologies to combat modern phishing attacks? When the city of Boston was new and unpaved, the city fathers decided against laying out a regular street plan. Instead, they merely paved the paths that had been worn by cattle. The results? A chaotic and inefficient street plan that lacks logic. The admonition not to “pave the cow path” is supposed to remind us not to enshrine an existing way of doing something. However, when combating phishing, the #1 threat vector in security*, we are paving the cow path. Let’s start with some facts about...

READ MORE

The E-ZPass Scam: More Information On This Week’s Attacks

July 11, 2014 by Cofense in Phishing

Earlier this week, reports surfaced about a new E-Z Pass scam. The spam campaign used the E-ZPass branding to fool recipients into visiting a malicious website. E-Z Pass is the electronic toll collection system used by several state departments of transportation. The E-Z Pass scam emails are likely to be sent to a large number of individuals who use the system, after all, the toll system is used in many cities. One of the emails we captured is shown in the image below. As you can see, the E-Z Pass scam emails use appropriate branding, and warn the recipient that...

READ MORE

Attackers using Dropbox to target Taiwanese government

July 1, 2014 by Cofense in Internet Security AwarenessThreat Intelligence

While we have previously mentioned cyber-crime actors using Dropbox for malware delivery, threat actors are now using the popular file-sharing services to target nation-states. According to The Register, attackers targeted a Taiwanese government agency using a RAT known as PlugX (also known as Sogu or Korplug). From an anti-forensics perspective, PlugX is a very interesting piece of malware. One of the main ways it loads is by using a technique similar to load order hijacking.

READ MORE

Project Dyre: New RAT Slurps Bank Credentials, Bypasses SSL

June 13, 2014 by Cofense in Internet Security AwarenessThreat Intelligence

When analyzing tools, tactics, and procedures for different malware campaigns, we normally don’t see huge changes on the attackers’ part. However, in the Dropbox campaign we have been following, not only have the attackers shifted to a new delivery domain, but they have started to use a new malware strain, previously undocumented by the industry, named “Dyre”. This new strain not only bypasses the SSL mechanism of the browser, but attempts to steal bank credentials.

READ MORE

The Chances of Becoming a Cyber Victim: A Look at Cyber Safety

June 9, 2014 by Cofense in Internet Security Awareness

What are the chances of becoming a cyber victim? In this post, we’ll explore the odds compared to the chances of other unrelated events. Many of us take comfort in knowing that certain bad things are not likely to happen to us, so we don’t worry too much about those things. We think our chances are pretty good. Comforting Odds:  Dying from a shark attack: 300,000,000 : 1 Your opponent’s getting a Royal Flush in poker: 649,739 : 1 Being struck by lightning in California: 7,538,382 : 1 A meteor landing on your house: 182,138,880,000,000 : 1 Dying from a mountain lion...

READ MORE

An inside look at Dropbox phishing: Cryptowall, Bitcoins, and You (updated)

June 6, 2014 by Cofense in Phishing

Post Updated on June 10 On Monday, I wrote about attackers using phishing attacks to deliver malware via links to Dropbox. Today, we received another wave of these emails with slightly different subject lines. Figures 1, 2, and 3 show the variants that were received by us in the latest campaign, and reported by our internal users. In this campaign, 10 of our users were targeted.

READ MORE

Beware of phishing emails using Dropbox links

June 2, 2014 by Cofense in Phishing

Several weeks ago, I wrote a blog entry about phishing emails using zip files with executable files attached to them. Using PhishMe Reporter, several of our users (yes, we use our own tools internally) successfully identified a new round of phishing, this time using Dropbox links in the body.

READ MORE

What do Takedown Vendors and Fire Hydrants Have in Common?

June 2, 2014 by Cofense in Internet Security Awareness

What, you may ask, do takedown vendors and fire hydrants have in common?  Well, perhaps more than one might think. In this post, we’ll examine a couple of different aspects: what they do and their intended use, their impact on us and our businesses and where they fall short in protecting us and our assets from harm and how we can address these shortcomings. Let’s start with what each does and their intended use.  Both are intended to protect us from further harm once a threat to our security and wellbeing are identified.  In the case of the fire hydrant, water is provided by...

READ MORE