Cofense Blog

New Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

October 22, 2019 by Cofense in Cyber Incident Response, Phishing

By Milo Salvia, Cofense™ Phishing Defense Center™. This blog has been updated since its first appearance on October 17, 2019 to include information related to the threat origin and bypassed email gateways. The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they try to hover...

Agent Tesla Keylogger Is Now a Top Phishing Threat

October 18, 2019 by Cofense in Malware Analysis, Threat Intelligence

By Aaron Riley, Cofense Intelligence™. The Agent Tesla keylogger is an increasingly widespread piece of malware in the phishing threat landscape, targeting multiple industries and using multiple stages within its infection chain. Currently, threat actors prefer archived files or weaponized Microsoft Office productivity documents to deliver this malicious software to the endpoint. Agent Tesla is sold as a commercial subscription license and offers a 24/7 support team. With an easy to use and abundant feature set—like a document exploit builder embedded into the malware management web panel—this keylogger lends itself to all levels of threat actors. A typical theme for...

This Credential Phish Masks the Scam Page URL to Thwart Vigilant Users

October 17, 2019 by Cofense in Cyber Incident Response, Phishing

By Milo Salvia, Cofense Phishing Defense Center™. The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they try to hover over the URL. Instead, what they see is a bogus account message. Here’s how the campaign works. Email Body: The email pretends to be a notification...

New Phishing Sextortion Campaign Using Alternative Crypto Currencies to Evade Detection

October 8, 2019 by Cofense in Cyber Incident Response, Phishing

By Hunter Johnson, Cofense Professional Services. Cofense has observed threat actors employing a modified version of a sextortion scam using alternative crypto currencies to bitcoin. Typical sextortion scams claim to have installed malware on recipients’ systems and recorded their browsing history of adult websites and webcam footage. Ransom is demanded in bitcoin, upon threat of releasing damaging information to family, friends, and co-workers. Because threat actors often get recipients’ emails from password breach lists, they sometimes include passwords to lend authenticity. Early sextortion scams started with a plain text extortion email threatening the recipient and asking for payment. As enterprises began...

Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways

September 25, 2019 by Milo Salvia in Cyber Incident Response

Last week, the Cofense Phishing Defense Center™ observed phishing threat actors using low-level trickery to avoid detection, by utilizing basic percentage-based URL encoding. This takes advantage of Google’s nifty ability to decode the encoded URL data on the fly. The easiest way to trick a secure email gateway (SEG) is hiding the true destination of the payload. Here’s how it works: [Figure 1: email body] The phishing email is simple and originates from a compromised email account of a relatively well-known American brand, informing recipients that they have a new invoice awaiting payment. The email body has an embedded hyperlink...

Rethinking Security Awareness? Fine-Tune Your Simulations

September 20, 2019 by Zach Lewis in Internet Security Awareness

Part 2 of 2. In part 1 of this short series, we gave tips on re-energizing a mature security awareness program. We noted the importance of reassessing your organization’s risk profile and communicating with users as you educate them on phishing. For part 2, let’s look at anti-phishing through the lens of simulated threats. How to Refocus Your Phishing Simulations: If you manage a security awareness program, you need to educate users on phishing emails that land in their inboxes—active threats like malware, business email compromise (BEC), or sextortion. This means talking to your SOC to understand the threats your...

Emotet Malicious Phishing Campaigns Return in Force

September 18, 2019 by Cofense in Threat Intelligence

By Alan Rainer and Max Gannon The infamous malware family Emotet—also known as Geodo—has fully resurfaced and resumed sending phishing campaigns that trick users into clicking on links and downloading attachments that contain malicious macros. Many of the emails feature common financial themes that capitalize on an existing reply chain or contact list impersonation. In most cases, subjects for these phishing emails are rather mundane, such as “RE: Re: Contract/Invoice Count” and “Customer Statement 09/16/2019”, with attachments that use Microsoft Office macros to install malware. Upon installation of the Emotet executable, the banking Trojan TrickBot may be placed onto the...

New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet

September 17, 2019 by Milo Salvia in Internet Security Awareness, Threat Intelligence

The Cofense Phishing Defense Center™ has detected a new wave of attacks targeting the US taxpayer by delivering Amadey botnet via phishing emails. Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality. Threat groups like TA505 have been known to leverage Amadey botnet as recently as July 2019 to deliver secondary malware like FlawedAmmy (RAT) and email stealers. Here’s how a typical attack works: [Figure 1: Infection chain] [Figure 2: Email Body] The email body reports...

Healthcare’s Getting Smacked by Phishing. These Resources Can Help.

September 13, 2019 by Cofense in Phishing

This summer, phishing attacks continued to hammer healthcare. Florida: Compromised email accounts, at last count 73, were used to send a phish which led to a breach at NCH Healthcare.[1] Ohio: Eye Care Associates was hit with ransomware. The regional eye care provider’s systems were locked for several weeks.[2] New York: In the biggest healthcare breach so far in 2019, American Medical Collection Agency was breached to the tune of 25 million patient records. While phishing hasn’t been positively identified as the culprit, it’s high on the suspect list.[3] Need Phishing Defense Resources? Start Here. To help healthcare companies...

Astaroth Uses Facebook and YouTube within Infection Chain

September 11, 2019 by Aaron Riley in Threat Intelligence

Trickbot Is Using Google Docs to Trick Proofpoint’s Gateway

August 29, 2019 by Cofense in Phishing Defense Center

By Tej Tulachan The Cofense Phishing Defense Center (PDC) has detected a phishing campaign that delivers Trickbot embedded in a Google Docs link. Trickbot has been making the rounds for a long time now and is still considered one of the biggest malware threats targeting business today. Threat actors frequently utilize legitimate applications or trusted file sharing sites like Google Docs to bypass the email gateway and lure users to click on the link to deliver malware. In this case, the email made it through Proofpoint’s gateway utilized by our PDC customer. Email Body The email attempts to lure curious...

Advanced Phishing Campaign Delivers Quasar RAT

August 26, 2019 by Max Gannon in Threat Intelligence

Cofense Intelligence™ has uncovered an advanced campaign that uses multiple anti-analysis methods to deliver Quasar Remote Access Tool (RAT). A phishing email poses as a job seeker and uses the unsophisticated ploy of an attached resume to deliver the malware. Quasar RAT is freely available as an open-source tool on public repositories and provides a number of capabilities. Organizations find a higher degree of difficulty with the ‘.doc’ file attachment distributing Quasar RAT itself, because the document employs a multitude of measures to deter detection. Such methods include password protection—which is a built-in feature of Microsoft Word—and encoded macros. Along...

New Phishing Campaign Bypasses Microsoft ATP to Deliver Adwind to Utilities Industry

August 19, 2019 by Milo Salvia in Phishing, Threat Intelligence

The Cofense™ Phishing Defense Center™ has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. This campaign was found explicitly in national grid utilities infrastructure. Adwind, aka JRAT or SockRat, is sold as a malware-as-a-service where users can purchase access to the software for a small subscription-based fee. The malware boasts the following features: takes screenshots; harvests credentials from Chrome, IE and Edge; accesses the webcam to record video and take photos; records audio from the microphone; transfers files; collects general system and user information; steals VPN certificates; serves as a keylogger. Email Body: [Fig. 1: Email Body]...

Remote Access Trojan Uses Sendgrid to Slip through Proofpoint

August 14, 2019 by Marcel Feller in Phishing Defense Center

The Cofense™ Phishing Defense Center™ observed a malware campaign masquerading as an email complaint from the Better Business Bureau to deliver the notorious Orcus RAT, part of the free DNS domain ChickenKiller which we blogged about in 2015. Here’s how it works:

Phishing Campaigns Imitating CEOs Bypass Microsoft Gateway to Target Energy Sector

August 13, 2019 by Aaron Riley in Cyber Incident Response, Phishing

Cofense Intelligence™ has identified a highly customized credential phishing campaign using Google Drive to target a company within the energy sector. This phishing campaign is crafted to look like the CEO of the targeted company has shared an important message with the recipient via Google Drive. The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company. By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular...

TrickBot Adds ‘Cookie Grabber’ Information Stealing Module

August 8, 2019 by Aaron Riley in Phishing, Threat Intelligence

Cofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host. TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting...

Cofense Labs Shares Research on Massive Sextortion Campaign

August 2, 2019 by David Mount in Threat Intelligence

Are you one in two hundred (or so) million? Today, Cofense™ announced the launch of Cofense Labs. Our experts are sharing the details of some deep research into the inner workings of a large-scale sextortion campaign that to date has over 200m recipients in its sights – and you might be one of them. What’s Sextortion? You may be lucky enough to have not encountered the threatening narrative of a sextortion email. If so, the threat actor’s M.O. is typically this: Send an email in which they claim to have installed malware on your system and have a record of...

Threat Actors Subscribe To Patches

July 29, 2019 by Max Gannon in Phishing, Threat Intelligence

Cofense Intelligence™ has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld...

Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team

July 25, 2019 by Cofense in Cyber Incident Response, Phishing

By Karen Kokiko. The holy grail of phishing defense is now within your grasp. Cofense Vision™ now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response. Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here. Fast and Flexible Searching: Traditional email search and quarantine tools are...

Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways

July 23, 2019 by Cofense in Cyber Incident Response, Phishing Defense Center

By Jake Longden. The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work. Email Body: The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them. The attackers utilise what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel...

Is It Time to Rethink Your Phishing Awareness Program?

September 6, 2019 by Zach Lewis in Internet Security Awareness

Part 1 of 2. As seen in Cofense’s™ 2019 Phishing Threat & Malware Review, threat actors innovate relentlessly. Technologies like secure email gateways (SEGs) can’t keep up. In fact, the vast majority of phishing emails verified by the Cofense Phishing Defense Center™ are found in environments using SEGs. With so many malicious emails making it past security controls, the human factor becomes decisive. This means your phishing awareness program needs to stay in fighting trim. In particular, it’s important to educate users on attacks that breach your perimeter, working with your SOC to focus on the most frequent threats. If...

Why Join Us at Cofense Submerge? Here’s What Attendees Say

August 20, 2019 by Tonia Dudley in Internet Security Awareness

Next month in Orlando we’ll be hosting Cofense™ Submerge 2019, our fourth annual user conference and phishing defense summit. As we wrap up each event, we ask attendees for feedback. What did they like best? Networking and hearing other customers’ experiences are always the top responses. As a former customer who now works at Cofense, I totally agree. Here are some of the answers we heard last year when we asked, “Why attend Submerge?” “Sharing ideas was tremendously helpful to me—having the opportunity to meet other people from a variety of industries doing the same thing that I do.” We’re all on this journey...

This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials

August 7, 2019 by Cofense in Phishing

By Tej Tulachan. The Cofense Phishing Defense Center™ has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works. Email Body: At first glance, the email body looks well-presented with the correct DocuSign logo and its content. However, there is something suspicious within the first line of the message—the...

Customer Satisfaction Survey Leads to Credential Phishing

July 31, 2018 by Marcel Feller in Phishing Defense Center

The Cofense™ Phishing Defense Center (PDC) has observed a phishing campaign masquerading as a Customer Satisfaction Survey from Cathay Pacific. Fake surveys are an old tactic, but the PDC has recently seen an increase in their use. Examining the following email will show you what to look out for. At first look, the email appears to be a legitimate Satisfaction Survey. It is not uncommon to receive a reward for completing a survey, so that alone is not an Indicator of Phishing (IoP). However, as shown in Figure 1, the “Click here – Participate and Win” link feels out of...

A Very Convincing Tax-Rebate Phishing Campaign Is Targeting UK Users

July 19, 2018 by Milo Salvia in Phishing Defense Center

The Cofense™ Phishing Defence Center has observed a convincing new phishing campaign targeting taxpaying UK nationals. The threat actors posing as Her Majesty’s Revenue and Customs (HMRC) have imitated the Government Gateway tool which is commonly used by UK citizens to access government services online. The threat actor attempts to convince victims that they are due a tax rebate of £458.21 using the lure below.

This “Man in the Inbox” Phishing Attack Highlights a Concerning Gap in Perimeter Technology Defenses

July 18, 2018 by Nick Guarino in Phishing Defense Center

“Man in the Inbox” phishing attacks come from compromised email accounts. They look like someone from within a business, for example the HR director, sent an email directing employees to do something legitimate—like logging onto a fabricated page to read and agree to a corporate policy. When employees log on, the attackers harvest their credentials. These attacks are yet another example of increasingly sophisticated credential phishing.  

Attackers Use a Bag of Tricks to Target Greek Banking Customers

June 27, 2018 by Milo Salvia in Phishing Defense Center

Recently, the Cofense™ Phishing Defense Center has observed a phishing campaign targeting Greek-speaking users and customers of Alpha Bank. Alpha Bank is the fourth-largest Greek bank. We observed threat actors using multiple tactics to gain login credentials, which include user names, passwords, and secret questions. This information would allow threat actors to access unsuspecting victims’ accounts, draining funds and perhaps reusing those credentials on other websites.

Another Global Phishing Campaign Distributes Malware Via Fake Invoices

June 25, 2018 by Marcel Feller in Phishing Defense Center

On Thursday June 14th, the Cofense™ Phishing Defense Center (PDC) noted a campaign targeting UK customers with several emails containing the same subject, “Invoice INV-03056,” and prompting the user to view a supposed invoice. The next day, we saw a very similar campaign that delivered French language phishing emails. Upon analyzing the emails, the PDC notified customers that received them, so they could respond as needed. We also notified all our UK customers of the IOCs.

We Helped a Customer Block this Open Directory Phishing Attack

June 1, 2018 by Chance Caldwell in Phishing Defense Center

On May 22, 2018, the Cofense Phishing Defense Center observed a Microsoft credential phishing attack that was received by one of our Managed Service customers. The Phishing Defense Center’s goal is to provide our customers all the relevant information on an attack against their employees, within an hour of an email being reported, so customers can take the necessary steps to prevent further attacks. By doing a deep dive investigation into this attack we were able to find multiple other phishing attacks listed on the site, the kits used to create the phishing pages, and several other domains created by...

Hackers Analyse Your Capabilities. Use this Matrix to Do the Same

May 16, 2018 by David Mount in Phishing Defense Center

Regular followers of Cofense™ know that phishing threats evolve. For detailed evidence, read the Cofense Malware Review 2018 and see the techniques threat actors employ to keep security teams on their toes.

Russian “Troldesh” AKA Encoder.858 or Shade is back!

April 27, 2018 by Dilen Thakuri in Cyber Incident Response, Internet Security Awareness, Malware Analysis, Phishing Defense Center

On the 19th of April, the Cofense Phishing Defense Center received an email crafted to appear to be from “Sberbank Russia.” In fact, it was a phishing email containing the Troldesh malware, a variant of Russian Ransomware first seen in mid-2015. The PDC hadn’t seen this variant for quite some time.

5 ways we boost your anti-phishing program’s ROI.

April 25, 2018 by Zach Lewis in Cyber Incident Response, Internet Security Awareness, Phishing Defense Center

If you’re shopping for a vendor to help with phishing awareness training, you might be thinking, “They all seem pretty similar. What’s the difference?”

How to Avoid Drowning in Spam and Phishing Emails

April 23, 2018 by Cofense in Cyber Incident Response, Internet Security Awareness, Phishing Defense Center

As we have continued to improve anti-phishing capabilities for clients over the past few years, we have seen a myriad of changes in phishing email composition, style, and approach. Throughout all those changes, however, one thing has remained the same.