Cofense Blog

Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans

January 17, 2019 by Cofense in Threat Intelligence

By Aaron Riley and Marcel Feller

CISO Summary: Recently, Cofense™ has seen phishing campaigns that bypass email security using a .cpl file extension attachment. .CPL is the file name extension for items or icons appearing in the Windows Control Panel. These file extensions are vital for most Control Panel tools to function, making endpoint threat mitigation extremely difficult. After evading controls and successfully executing on the endpoint, the .cpl file downloads a second-stage payload, which is typically a banking trojan. According to Cofense Intelligence™, most of these phishing campaigns are aimed at South American inboxes. As part of security awareness training...

Exploiting an Unpatched Vulnerability, the Ave_Maria Malware Is Not Full of Grace

January 10, 2019 by Max Gannon in Threat Intelligence

CISO Summary: Cofense™ has seen a rise in phishing campaigns designed to deliver a type of stealer malware called Ave_Maria. It contains a capability, DLL hijacking, that uses a vulnerability with no forthcoming fix. With origins in a publicly available utility, DLL hijacking lets Ave_Maria gain greater admin privileges and avoid detection, then steal information so it can download additional plugins and potentially other payloads. This malware can bypass detection and privilege restrictions on many endpoints.

The Vjw0rm Malware Does It All. Here’s What to Watch For.

January 9, 2019 by Aaron Riley in Threat Intelligence

CISO Summary: It’s called the Vengeance Justice Worm (Vjw0rm), but think of it as the Leatherman tool of malware. Vjw0rm wreaks havoc in highly versatile ways: information theft, denial of service (DoS) attacks, and self-propagation to name a few. Cofense™ has spotted this hybrid threat—a cross between a worm and a remote access trojan (RAT)—in a recent phishing campaign dangling a banking lure.

In 2018, Cheap and Easy Malware Flooded Corporate Inboxes

January 8, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary: Sometimes it’s the simple things that make life hard. In 2018, over 2/3 of unique malware campaigns Cofense Intelligence™ observed were simple, inexpensive “stealers” or remote access trojans (RATs). With exceptionally low barrier-to-entry—an email account or website can handle distribution and communication—these malware types make data theft a viable career choice for threat actors without the skills to use more advanced varieties.

Threats of Terror Pervade Recent Extortion Phishing Campaigns

December 20, 2018 by Cofense in Phishing Defense Center

By Lucas Ashbaugh

“There is an explosive device (tronitrotoluene) in the building where your business is conducted […] there will be many victims if it explodes”

5 Things We Launched this Year to Stop Phishing Attacks Faster

December 17, 2018 by John Fitzgerald in Phishing

Merry Phishmas! It’s been another busy year of phishing scams, malware delivery, and other Grinchy activity. To help keep you protected, Cofense™ has refined our solutions to stop phishing in its tracks. Following are some of the new capabilities we launched in 2018. 

Domain Fronting, Phishing Attacks, and What CISOs Need to Know

December 13, 2018 by Aaron Riley in Threat Intelligence

CISO Summary: Cofense Intelligence™ is seeing continued use of a cyber-attack technique known as domain fronting. It’s yet another way hackers conceal their malicious activity, in this case using work-arounds to evade security controls and gain access to command-and-control (C2) infrastructure (scroll down for a technical explanation). The Russian threat actor group Cozy Bear used similar tactics when they hacked the Democratic National Committee in 2016. Today, businesses are dealing with phishing and malware attacks that domain fronting enables. While Google and Amazon have taken measures in their CDNs to curtail this trend, we have seen an uptick in C2 infrastructure...

TV-License Phishing Scam Tricks UK Users Into Giving Personal Information

December 5, 2018 by Milo Salvia in Threat Intelligence

Cofense Intelligence™ recently observed a new phishing scam making the rounds in the United Kingdom. It poses as the TV licensing authority better known as the British Broadcasting Corporation. The premise behind the scam is to trick the user into believing that he or she is breaking the law by not owning a valid license to receive TV, a criminal offense in the UK with a maximum penalty of a £1000 fine plus any legal costs incurred during prosecution.  

2018: A Reverse-Course for Ransomware

December 5, 2018 by Cofense in Threat Intelligence

By Mollie MacDougall

The overall number of ransomware campaigns and active families has declined precipitously in 2018 as compared to last year, almost certainly due to multiple deterrents and a better alternative for profit-minded hackers. This reverse-course in ransomware trends follows years of sustained growth in the number of ransomware families and unique campaigns. Still, ransomware attacks make headlines and will likely continue into next year.

Mature Your Anti-Phishing Program to Reflect Active Threats

November 28, 2018 by Zach Lewis in Internet Security Awareness

At Cofense™ we often hear comments from customers like, “My anti-phishing program has been running for years, email reporting rates have increased, and overall my users are better prepared. How can I continue to address and lower my risk?”

Major US Financial Institutions Imitated in Advanced Geodo/Emotet Phishing Lures that Appear More Authentic by Containing ProofPoint URL Wrapped Links

November 19, 2018 by Cofense in Phishing, Threat Intelligence

By Darrel Rendell, Mollie MacDougall, and Max Gannon

Cofense Intelligence™ has observed Geodo (also known as Emotet) malware campaigns that are effectively spoofing major US financial institutions in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service. This adds an air of legitimacy to the casual observer, designed to increase the chances of malware infection. Figures 1 and 2 provide examples of the template and URL wrapping. Cofense Intelligence assesses that the improved phishing templates are likely based upon data pilfered with a recently updated scraper module, which is what lets them spoof US financial institutions so effectively.

Figure 1:...

Phishing Emails with .COM Extensions Are Hitting Finance Departments

November 15, 2018 by Aaron Riley in Threat Intelligence

Cofense Intelligence™ has seen a substantial uptick in the use of .com extensions in phishing emails that target financial service departments. In October alone, Cofense Intelligence analyzed 132 unique samples with the .com extension, compared to only 34 samples analyzed in the nine months preceding. Four different malware families were utilized. The .com file extension is used for text files with executable byte code. Both DOS (Disk Operating System) and Microsoft NT kernel-based operating systems allow execution of .com files for backwards compatibility reasons. The .com style byte code is the same across all PE32 binaries (.exe, .dll, .scr, etc.)...

They stopped a phishing attack in 10 minutes. It used to take days.

November 7, 2018 by John Fitzgerald in Cyber Incident Response

Don’t you love a feel-good story? Me too. Especially in an industry where the headlines tend to be scary. Recently, a Cofense™ customer—a large financial services company—stopped a phishing attack in 10 minutes using Cofense Triage™. That’s a very cool story, but as they say, wait, there’s more.

Re: The Zombie Phish

October 31, 2018 by Cofense in Malware Analysis, Phishing Defense Center, Threat Intelligence

By: Lucas Ashbaugh, Nick Guarino, Max Gannon

Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off: the topic of the email is months out of date, and now there is a weird error message. This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish.

Not Your Average Phish

The Cofense™ Phishing...

“Brazilian Election” Themed Phish Target Users with South American-Targeted Malware, Astaroth Trojan

October 31, 2018 by Max Gannon in Malware Analysis, Threat Intelligence

Threat actors attempted to leverage the current Brazilian presidential election to distribute the Astaroth WMIC Trojan to Brazilian victims. The emails had a subject line related to an alleged scandal involving Brazilian then-presidential candidate Jair Bolsonaro. Some campaigns impersonated a well-known Brazilian research and statistics company. Multiple delivery methods and geolocation techniques were used to target Brazilian users, who were encouraged to interact with the attached and downloaded archives containing .lnk files. These files downloaded the first stage of the Astaroth WMIC Trojan, previously spotted this year by the Cofense™ Phishing Defense Center and known to target South American users.

Threat Actors Seek Your Credentials Before You Even Reach the URL

October 30, 2018 by Neera Desai in Threat Intelligence

Cofense Intelligence™ has observed a phishing technique that takes a unique approach to illicitly obtain a target’s sensitive information. In a recent campaign, threat actors harvested victims’ credentials through a PDF window prompt rather than via a webpage—the more traditional credential phishing technique. Cofense Intelligence obtained a phishing email that allegedly informs the recipient of an Amazon.de bill of sale. The German language email lure claims to deliver a tax invoice and requests the recipient to view the attached PDF. The PDF, also presented in German, specifies that the document cannot be opened in a browser and must be opened...

H-Worm and jRAT Malware: Two RATs are Better than One

October 23, 2018 by Neera Desai in Malware Analysis, Threat Intelligence

When threat actors bundle two or more malware families in one campaign, they gain broader capabilities. Cofense Intelligence™ recently analyzed a phishing campaign delivering both jRAT and H-Worm remote access trojans. jRAT, aka the Java Remote Access Trojan, has the primary role of remotely controlling a victim’s machine. H-Worm, also known as Houdini Worm, operates as a remote access trojan but has worm-like capabilities, such as propagating itself on removable devices like a USB. Using a generic phishing lure pertaining to an invoice, the email below contains two attached .zip archives: one with a VBScript application and the other a...

America’s First: US Leads in Global Malware C2 Distribution

October 19, 2018 by Cofense in Malware Analysis, Threat Intelligence

By Mollie MacDougall and Darrel Rendell

Cofense Intelligence™ has found that 27% of network Indicators of Compromise (IoC) from phishing-borne malware analysed during 2018 used C2 infrastructure located in, or proxied through, the United States—making the US the leader in global malware C2 distribution. Map 1 details these observations. This does not indicate that US-based users are getting hit disproportionately, as threat actors are incentivised to host C2 infrastructure outside of their own country or countries with extradition agreements with their host nations to avoid arrest and/or extradition. However, C2 infrastructure is enormously biased toward compromised hosts, indicating a high prevalence...

Email Security Gateway (to Your Next Breach)

October 16, 2018 by Cofense in Phishing Defense Center

By the Cofense Phishing Defense Center

Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware [1], but by the end of 2017 the average user received 16 malicious emails per month [2]. Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface.

Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks

That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous...

Threat Actors Customize URLs to Avoid Detection

October 4, 2018 by Max Gannon in Threat Intelligence

Threat actors have many ways to avoid being detected. Today, let’s look at how they tweak URLs to bypass firewall rules—and what you can do to stop them from succeeding.

Automate Your Phishing Defense While Keeping Human Control

September 6, 2018 by John Fitzgerald in Phishing

When it comes to combatting phishing, “set and forget” is a pipe dream. You can’t, and you shouldn’t, take humans out of the picture. But thanks to Cofense™ automation, you can stop attacks while reducing man hours and saving money.

Ask the DNC: #fakephishing Phishing Pen-Tests Are Still a Bad Idea.

August 24, 2018 by Aaron Higbee in Internet Security Awareness

Cliff notes: Phishing “tests” at best are a waste of time, and at worst, disruptive and weaken your ability to defend against real phishing.

5 Steps to Targeting Newbies with Phishing Awareness Training

August 21, 2018 by Alexandra Wenisch in Internet Security Awareness

When it comes to phishing awareness training, new hires need special attention. While most may know what phishing is, many won’t have received formal training in recognizing and reporting a phish. This chart shows sample data from a Cofense™ customer whose newbies struggled to spot phishing emails during simulation training. Before they develop bad inbox habits, it’s important to welcome your brand-new users to your training program, especially if your company has fairly high turnover. Following are 5 tips to make the transition smoother and, ultimately, help your security teams stop phishing attacks.

Step 1: Announce and Set the Stage...

How to Get Internal Buy-In for Your Phishing Simulation and Awareness Training Programs

August 14, 2018 by Bunmi Ogun in Internet Security Awareness

If you run an anti-phishing program, you’ve probably run into this. You want to impersonate internal teams in your phishing simulations, because that’s what attackers do. But you get pushback:

Why Customers Love Our Board Reports on Their Phishing Defense

August 8, 2018 by Professional Services Team in Internet Security Awareness

Last year, a Cofense™ customer wanted to show his board the results of his phishing-defense program. Specifically, the customer was looking for a board-report template. The customer did a quick Google search and found…nothing.  

Cofense Shortlisted for Three UK Computing Technology Product Awards

August 3, 2018 by John Fitzgerald in Phishing

We are delighted to share the news that Cofense™ has been shortlisted for not just one but three Computing Technology Product Awards! Some of the most prestigious awards on the UK IT industry’s calendar, the Computing Technology Product Awards aim to recognise the very best in technology and shine a spotlight on the winners. Following are the categories we are shortlisted for.

Best Business Security Provider

This recognizes our history and reputation in defining and leading the space. Since 2007, Cofense has pioneered the phishing defense industry. While we began in phishing awareness with what was then called PhishMe Simulator™,...

The El Camino Effect in Anti-Phishing Training

July 30, 2018 by John Robinson in Internet Security Awareness

Too often in anti-phishing training, or phishing defense in general, companies look for the wrong threats. That’s understandable to a degree, given that attackers constantly shift their tactics. But it’s still a problem if, to use a bank heist metaphor, you’re looking for robbers who drive a Camaro vs. an El Camino. Without training based on the latest and most relevant threats, you’ll increase the odds the bad guys get away. Sometimes when that happens, users unfairly get blamed. Not cool. As anti-phishing program administrators, it’s our responsibility to empower folks to succeed.

Understanding the El Camino Effect

To...

Why You Need to Keep Brands Out of Phishing Simulations

July 26, 2018 by Tonia Dudley in Internet Security Awareness

The top 4 brands in the world—Apple, Google, Microsoft, and Facebook—are worth over $500B. Not the operations of those brands, not their proprietary technology, or their real estate—the brands alone. When something is that valuable, companies protect it zealously. They monitor how their brands are used and take action to defend them. Cofense stands firm on not allowing 3rd party brands or logos to be utilized in our phishing simulations without prior express permission. There are times when we may partner directly with specific brands and organizations on the official inclusion of their brand assets in simulation content where it...

Messenger of the Bots: Hermes Malware Makes Phishing Debut

July 24, 2018 by Darrel Rendell in Malware AnalysisPhishing

For the first time ever, Cofense Intelligence™ recently observed a phishing campaign distributing the infamous Hermes ransomware. The low-volume campaign delivered .doc files, weaponized with heavily obfuscated macros. These macros reached out to an attacker-controlled server to download and execute a copy of Hermes.

Who’s Got Access? “Value at Risk” Anti-Phishing

July 23, 2018 by Zach Lewis in Internet Security Awareness

Part 3 of 3

So far, we have looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. We’ve seen how this model can guide your anti-phishing program by focusing on the value of assets you protect. We’ve also examined ways to translate your organization’s data to dollars, which is useful if you’re responsible for data oversight and governance—in other words, it helps to know where data might live and the (estimated) value of digital assets should a breach occur.
