Using Windows 10? It’s Becoming a Phishing Target
June 5, 2019 by Max Gannon in Threat IntelligenceCISO Summary Cofense IntelligenceTM has recently seen a complex phishing campaign that delivers a simple payload, FormGrabber keylogger malware. The targets are Windows 10 operating systems running Windows Anti-malware Scan Interface (AMSI). The phishing emails deliver a Microsoft Excel Worksheet containing a MS Word macro that initiates infection. What’s notable: threat actors are hitting Windows 10 instead of Windows 7, a more common target. Expect to see greater abuse heaped on the newer version as more businesses adopt it. No one aspect of this campaign is novel, but the attackers easily assembled a complex infection chain using multiple obfuscation and...
The Zombie Phish Is Back with a Vengeance
June 4, 2019 by Milo Salvia in Phishing Defense CenterKeep a close on your inboxes—the Zombie Phish is back and it’s hitting hard. Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie hoard.
New Phishing Attacks Use PDF Docs to Slither Past the Gateway
May 30, 2019 by Cofense in Cyber Incident ResponseBy Deron Dasilva and Milo Salvia Last week, the CofenseTM Phishing Defense CenterTM saw a new barrage of phishing attacks hiding in legitimate PDF documents, a ruse to bypass the email gateway and reach a victim’s mailbox. The attacks masquerade as a trusted entity, duping victims into opening what appears to be a trusted link, which in turn leads to a fake Microsoft login page. Once there, victims are tricked into providing their corporate login credentials.
Patch or Pass? CVE-2017-11882 Is a Security Conundrum
May 29, 2019 by Max Gannon in Threat IntelligenceCISO Summary Since the latter part of 2018, threat actors have increasingly exploited two Microsoft vulnerabilities: CVE-2017-11882 and CVE-2018-0802. The first of these is especially popular. Cofense IntelligenceTM has seen it surge ahead of Microsoft macros as a favorite malware delivery method. CVE-2017-11882 is an older vulnerability that in fact has a patch. However, it presents a conundrum for security teams that haven’t addressed the problem. They can choose to skip the patching, live with the risks, and keep on using the legacy program. Or they can update, patch, and lose the application entirely to gain much better security. In...
Got a Blockchain Wallet? Be Alert for These Phishing Emails
May 22, 2019 by Cofense in Phishing Defense CenterBy Tej Tulachan and Milo Salvia The CofenseTM Phishing Defense Center™ has seen a fresh wave of attacks targeting Blockchain wallet users. The attacks aim to steal all the information needed to hijack unsuspecting victims’ wallets and syphon off their hard-earned crypto gains. In the past week, we have detected more than 180 of these malicious emails, all reported by customers’ users. Here’s how the phishing emails work. Red Flag #1: ‘You Have Been Chosen.’ In the message below, we can see that the victim has been “selected to receive” a $50 dollar amount of Stellar (XLM), an up and coming...
Pretty Pictures Sometimes Disguise Ugly Executables
May 15, 2019 by Max Gannon in Threat IntelligenceCISO Summary Reaching deep into their bag of tricks to avoid detection, threat actors are using an oldie but goodie— packing image files (think tropical beach scenes) with malicious executables, usually a .jpg. The technique allows attackers to avoid detection by some anti-virus programs that merely recognize a file as an image, but don’t check its full contents. This vintage tactic works—threat actors still use it a lot. Anti-virus systems rely on file headers to detect malware. Tuning systems to rely less on file headers is difficult and sometimes impossible. One counter-measure that does work: educate employees not to fall...
Babylon RAT Raises the Bar in Malware Multi-tasking
May 15, 2019 by Aaron Riley in Threat IntelligenceCISO SUMMARY Ancient Babylon defeated its enemies with chariots, horses, and archers. Now Cofense IntelligenceTM has analyzed a phishing campaign delivering the powerful Babylon Remote Administration Tool (RAT). This malware is an open-source tool that can handle many tasks: encrypt command-and-control communication, hide from network security controls, trigger denial of service (DOS) attacks, and last but not least, steal data. Used skillfully, Babylon RAT would make the armies of Hammurabi proud. Full Details Cofense Intelligence has analyzed a phishing campaign delivering a multi-feature open source Remote Administration Tool (RAT) named Babylon RAT. Babylon RAT’s Command and Control (C2) communication is...
The Cofense Phishing Defense Center Sees Threats That Most Don’t
May 8, 2019 by Marcel Feller in Cyber Incident ResponseThe CofenseTM Phishing Defense CenterTM analyzes suspicious emails reported by customers’ users and alerts their security teams when they need to take action. Because we live and breathe phishing analysis and response, and because we operate 24/7/365, we have visibility into threats most teams can’t see. Here’s a Real Example Involving Compromised Email Accounts A few months back, an organization exploring our services did a proof-of-concept trial, during which we analyzed emails its users found suspicious and reported for inspection. Soon enough, we saw emails sent from compromised email accounts within the organization. In fact, they utilized a technique known...
SMBs: 5 Ways to Avoid Becoming a Small Phish in a Big Pond
May 6, 2019 by Tonia Dudley in PhishingIn the fall of 2016, I watched a good friend get her business ready for opening in her first retail space. She had previously run everything from her home and now she was entering a whole new phase. I observed her interactions during a few visits and she knew when I gave her that “look,” there was something that needed improving. “What Wi-Fi network do you have your register assigned to in the shared retail space? You should put a password on that register device you’re using, so when you’re across the store someone can’t open your register.” The best...
Hey! I know I’ve never talked to you before – but can you send some money – QUICK!
April 22, 2019 by Tonia Dudley in PhishingBusiness Email Compromise (BEC), also known as CEO Fraud, is a type of phishing email designed to impersonate an executive. In a BEC campaign, the “executive” urgently instructs an employee to wire money, sometimes lots of money, to a bank account. The FBI reports that BEC scams hit businesses to the tune of $12.5 billion annually. What makes BEC campaigns different? In a BEC attack, the weapon of choice is simple words. Instead of tricking people into clicking a malicious link or attachment, a BEC attack tries to lure recipients into taking action. The threat actor will spend time researching...