Cofense Phishing Prevention & Email Security Blog

Linktree Abused to Send Phishing Links

Maneuvering the Wave of Ransomware

By Tonia Dudley For several years, Cofense Intelligence has been predicting the threat of ransomware increasing. Organizations have barely been able to catch their breath from the SolarWinds breach and agency alerts on infrastructure vulnerabilities that needed to be patched. We’ve come a long way from the days of advanced persistent threats (APT) when organizations kept attacks on the down-low; assumptions were made when suits would show up or statements were issued by major incident response firms. Remember the few years when “APT” made it to the buzzword bingo at RSA? We’ve seen some of the recent major incidents, such...

BEC. How Can I Help You?

Phishing for Credentials: New Tactics as COVID’s Grip Eases

Can genericization become a credential-theft threat? Beware of phish in plain email wrappers.

There Are Phish in Your Inbox!

DARKSIDE Ransomware Operations Abuse Trusted Platforms Including Google Drive

By Dylan Duncan DARKSIDE Ransomware Operations DARKSIDE Ransomware first emerged in August 2020 and is used as a Ransomware-as-a-Service. The ransomware has been confirmed by the FBI as responsible for the compromise of the Colonial Pipeline networks. Traditionally, the goal of ransomware is to infect an organization that can pay the ransom. This attack certainly shows the financial impact a successful ransomware infection can have in terms of operational and economic disruption. Since the malware release, DARKSIDE ransomware operators, and affiliates that use the service, have been seen targeting a variety of major organizations across most sectors. A report from FireEye sheds light...

HTML Phishing Email Opens the Door for Threat Actors

Pipeline Phishing: Colonial Pipeline Ransomware Attack

By Rohyt Belani, CEO We keep saying it. It almost always starts with a phish. The latest news of the Colonial Pipeline ransomware attack is not surprising, but it is alarming. The incident is one of the most disruptive digital ransom operations ever reported and has drawn attention to how vulnerable U.S. energy infrastructure is to hackers, according to Reuters. What’s disconcerting to me as a security professional who has spent two decades in this industry is that no one ever talks about the root cause of these major breaches. Instead, media and pundits talk about the symptoms and how those can be...

Hot Off the Press: Cofense Q4 2019 Malware Trends Report

5 Cybersecurity Trends that Will Dominate 2020

This Advanced Keylogger Delivers a Cryptocurrency Miner

Bundle Up and Build an End-to-End Phishing Defense

By David Mount, Product Marketing Back in 2008, CofenseTM (then PhishMe®) pioneered the concept of phishing simulation as a tool to reduce organizational risk to phishing threats. Since then, the phishing threat landscape has evolved at a rapid pace, as evidenced in many of the posts on this blog. Back then, traditional approaches to Security Awareness didn’t (and still don’t) demonstrably and measurably improve security posture, especially relating to phishing threats. And, as we’ve mentioned before (and we highlight in this blog), every threat identified by the Cofense Phishing Defense CenterTM has bypassed the technical controls like Secure Email Gateways...

Raccoon Stealer Found Rummaging Past Symantec and Microsoft Gateways

Threat Actors Use Bogus Payment HTML File to Scoot Past Proofpoint Gateway

You’ve Been Served: UK Scammers Deliver ‘Predator the Thief’ Malware Via Subpoena

By Aaron Riley Not even the halls of justice are immune from scammers. A new phishing campaign spoofing the UK Ministry of Justice has successfully targeted users with a subpoena-themed email delivering Predator the Thief, a publicly available information-stealing malware. Cofense IntelligenceTM has observed employees in insurance and retail companies receiving these emails. The phishing email states that the recipient has been subpoenaed and is asked to click on a link to see more details about the case. The enclosed link uses trusted sources—namely Google Docs and Microsoft OneDrive—for the infection chain. The initial Google Docs link contains a redirect...

New Credential Phish Targets Employees with Salary Increase Scam

By Milo Salvia, Cofense Phishing Defense CenterTM The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by preying on employees who are expecting salary increases. The threat actors use a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spread sheet. Here’s how it works: Email Body Figure 1: Email Body The threat actor attempts to make the email appear to come from the target company by manipulating the “from” field in the headers. In particular, the threat actor changes the...

Are URL Scanning Services Accurate for Phishing Analysis?

Linktree Abused to Send Phishing Links

Maneuvering the Wave of Ransomware

By Tonia Dudley For several years, Cofense Intelligence has been predicting the threat of ransomware increasing. Organizations have barely been able to catch their breath from the SolarWinds breach and agency alerts on infrastructure vulnerabilities that needed to be patched. We’ve come a long way from the days of advanced persistent threats (APT) when organizations kept attacks on the down-low; assumptions were made when suits would show up or statements were issued by major incident response firms. Remember the few years when “APT” made it to the buzzword bingo at RSA? We’ve seen some of the recent major incidents, such...

BEC. How Can I Help You?

Phishing for Credentials: New Tactics as COVID’s Grip Eases

Can genericization become a credential-theft threat? Beware of phish in plain email wrappers.

There Are Phish in Your Inbox!

DARKSIDE Ransomware Operations Abuse Trusted Platforms Including Google Drive

By Dylan Duncan DARKSIDE Ransomware Operations DARKSIDE Ransomware first emerged in August 2020 and is used as a Ransomware-as-a-Service. The ransomware has been confirmed by the FBI as responsible for the compromise of the Colonial Pipeline networks. Traditionally, the goal of ransomware is to infect an organization that can pay the ransom. This attack certainly shows the financial impact a successful ransomware infection can have in terms of operational and economic disruption. Since the malware release, DARKSIDE ransomware operators, and affiliates that use the service, have been seen targeting a variety of major organizations across most sectors. A report from FireEye sheds light...

HTML Phishing Email Opens the Door for Threat Actors

Pipeline Phishing: Colonial Pipeline Ransomware Attack

By Rohyt Belani, CEO We keep saying it. It almost always starts with a phish. The latest news of the Colonial Pipeline ransomware attack is not surprising, but it is alarming. The incident is one of the most disruptive digital ransom operations ever reported and has drawn attention to how vulnerable U.S. energy infrastructure is to hackers, according to Reuters. What’s disconcerting to me as a security professional who has spent two decades in this industry is that no one ever talks about the root cause of these major breaches. Instead, media and pundits talk about the symptoms and how those can be...

Got a Blockchain Wallet? Be Alert for These Phishing Emails

Jigsaw Ransomware Returns With Extortion Scam Ploys

By Lucas Ashbaugh Want to play a game? Jigsaw ransomware does, and it’s going to run you $400… or you could just download the free decrypter online. Jigsaw, featuring Billy The Puppet from Saw, was first released in 2016. It not only encrypts the victim’s files but deletes them at a continuously increasing rate until a payment in bitcoin can be confirmed against the bitcoin blockchain. Now, Jigsaw has been observed again, this time delivered through scam tactics. The Delivery Each email starts off with a ploy about how the threat actor somehow compromised the victim’s financial accounts. After shocking and...

Threats of Terror Pervade Recent Extortion Phishing Campaigns

By Lucas Ashbaugh “There is an explosive device (tronitrotoluene) in the building where your business is conducted […] there will be many victims if it explodes”

Re: The Zombie Phish

By: Lucas Ashbaugh, Nick Guarino, Max Gannon Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date and now there is a weird error message. This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish. Not Your Average Phish The Cofense™ Phishing...

Email Security Gateway (to Your Next Breach)

BY THE COFENSE PHISHING DEFENSE CENTER Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware1, but by the end of 2017 the average user received 16 malicious emails per month.2 Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface. Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous...

We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan

By Jerome Doaty and Garrett Primm The Cofense™ Phishing Defense Center (PDC) has recently defended against a resurgence of Astaroth, with dozens of hits across our customer base in the last week. In just one week, some estimated 8,000 machines have been potentially compromised.

The Lazy Man’s Guide to Phishing

By Lucas Ashbaugh Laziness and sloppy work are the twenty first century’s newest business model, and for phishing actors it’s a gold rush. The real winners from modern phishing have taken a chapter out of the entrepreneur’s  handbook: The Lean Startup. For them, phishing isn’t about artisanal fraud and refined skills, it’s about starting cheap, failing quickly, and getting their head back in the game. It’s horrendously brilliant. In a world where SOCs are constantly grinding to block that IP, scan for that hash, disable macros, etc., automated solutions just can’t keep up. When it comes to phishing, speed is king....

An Analyst’s View of Surging PowerShell-based Malware

Over the past couple of weeks, the Cofense™ Phishing Defence Center (PDC) has observed a rise in PowerShell-based malware. PowerShell is a very powerful scripting language that is legitimately used in many organisations. PowerShell is packed with almost endless capabilities, most of which are particularly interesting to threat actors who wish to abuse PowerShell for malicious purposes.

Another Tax-Rebate Phishing Scam, This Time in Canada

The CofenseTM Phishing Defense Center has observed a phishing email targeting Canadian taxpayers, similar to HMRC scams we recently reported in the United Kingdom. It’s the latest in a surge of tax-rebate phishing scams seen across the globe, prompting tax-collection agencies to issue consumer warnings.