Cofense Blog


Why Customers Love Our Board Reports on Their Phishing Defense

August 8, 2018 by Professional Services Team in Internet Security Awareness

Last year, a Cofense™ customer wanted to show his board the results of his phishing-defense program. Specifically, the customer was looking for a board-report template. The customer did a quick Google search and found…nothing.  


Another Tax-Rebate Phishing Scam, This Time in Canada

August 7, 2018 by Dilen Thakuri in Phishing Defense Center

The CofenseTM Phishing Defense Center has observed a phishing email targeting Canadian taxpayers, similar to HMRC scams we recently reported in the United Kingdom. It’s the latest in a surge of tax-rebate phishing scams seen across the globe, prompting tax-collection agencies to issue consumer warnings.


Abusing Microsoft Windows Utilities to Deliver Malware for Fun and Profit

August 6, 2018 by Max Gannon in Malware Analysis

Last year, Cofense Intelligence™ observed an increase in abuse of features built into platforms that are all but ubiquitous throughout the corporate world. An overview of these developments in 2017 was covered in our 2017 Malware Review, which highlighted the abuse of Microsoft features such as Object Linking and Embedding (OLE) and Dynamic Data Exchange (DDE) to deliver malware. Since last year, this trend has continued as threat actors are exploiting a greater variety of features as well as combining multiple techniques into one campaign.


Cofense Shortlisted for Three UK Computing Technology Product Awards

August 3, 2018 by John Fitzgerald in Phishing

We are delighted to share the news that CofenseTM has been shortlisted for not just one but three Computing Technology Product Awards! Some of the most prestigious awards on the UK IT industry’s calendar, the Computing Technology Product Awards aim to recognise the very best in technology and shine a spotlight on the winners. Following are the categories we are shortlisted for. Best Business Security Provider This recognizes our history and reputation in defining and leading the space. Since 2007, Cofense has pioneered the phishing defense industry. While we began in phishing awareness with what was then called PhishMe Simulator™,...


Geodo and TrickBot Malware Morph into Bigger Threats

August 2, 2018 by Max Gannon in Threat Intelligence

It may be time to rethink the Geodo and Trickbot malware. These botnets have recently become more of a threat by increasing in activity and in their variety of delivery mechanisms, utilities, and behaviors.


The Headlines Make the Case for More Efficient Phishing Response

August 1, 2018 by Tonia Dudley in Cyber Incident Response

Last week, Brian Krebs released a blog post about the recent news of a Virginia Bank being breached—not once, but twice. And he didn’t bury the headline. It was right up front: “Hackers used phishing emails to break into a Virginia Bank….”  


Customer Satisfaction Survey Leads to Credential Phishing

July 31, 2018 by Marcel Feller in Phishing Defense Center

The CofenseTM Phishing Defense Center (PDC) has observed a phishing campaign masquerading as a Customer Satisfaction Survey from Cathay Pacific. Fake surveys are an old tactic, but the PDC has recently seen an increase in their use. Examining the following email will show you what to look out for. At first look, the email appears to be a legitimate Satisfaction Survey. It is not uncommon to receive a reward for completing a survey, so that alone is not an Indicator of Phishing (IoP). However, as shown in Figure 1, the “Click here – Participate and Win” link feels out of...


The El Camino Effect in Anti-Phishing Training

July 30, 2018 by John Robinson in Internet Security Awareness

Too often in anti-phishing training, or phishing defense in general, companies look for the wrong threats. That’s understandable to a degree, given that attackers constantly shift their tactics. But it’s a still a problem if, to use a bank heist metaphor, you’re looking for robbers who drive a Camaro vs. an El Camino. Without training based on the latest and most relevant threats, you’ll increase the odds the bad guys get away. Sometimes when that happens, users unfairly get blamed. Not cool. As anti-phishing program administrators, it’s our responsibility to empower folks to succeed. Understanding the El Camino Effect To...


Why You Need to Keep Brands Out of Phishing Simulations

July 26, 2018 by Tonia Dudley in Internet Security Awareness

The top 4 brands in the world—Apple, Google, Microsoft, and Facebook—are worth over $500B. Not the operations of those brands, not their proprietary technology, or their real estate—the brands alone. When something is that valuable, companies protect it zealously. They monitor how their brands are used and take action to defend them. Cofense stands firm on not allowing 3rd party brands or logos to be utilized in our phishing simulations without prior express permission. There are times when we may partner directly with specific brands and organizations on the official inclusion of their brand assets in simulation content where it...


Messenger of the Bots: Hermes Malware Makes Phishing Debut

July 24, 2018 by Darrel Rendell in Malware AnalysisPhishing

For the first time ever, Cofense Intelligence™ recently observed a phishing campaign distributing the infamous Hermes ransomware. The low-volume campaign delivered .doc files, weaponized with heavily obfuscated macros. These macros reached out to an attacker-controlled server to download and execute a copy of Hermes.


A Very Convincing Tax-Rebate Phishing Campaign Is Targeting UK Users

July 19, 2018 by Milo Salvia in Phishing Defense Center

The Cofense™ Phishing Defence Center has observed a convincing new phishing campaign targeting taxpaying UK nationals. The threat actors posing as Her Majesty’s Revenue and Customs (HMRC) have imitated the Government Gateway tool which is commonly used by UK citizens to access government services online. The threat actor attempts to convince victims that they are due a tax rebate of £458.21 using the lure below.


This “Man in the Inbox” Phishing Attack Highlights a Concerning Gap in Perimeter Technology Defenses

July 18, 2018 by Nick Guarino in Phishing Defense Center

“Man in the Inbox” phishing attacks come from compromised email accounts. They look like someone from within a business, for example the HR director, sent an email directing employees to do something legitimate—like logging onto a fabricated page to read and agree to a corporate policy. When employees log on, the attackers harvest their credentials. These attacks are yet another example of increasingly sophisticated credential phishing.  


New TrickBot Phishing Lure: Mistake or Experiment?

July 17, 2018 by Darrel Rendell in Threat Intelligence

Cofense Intelligence™ recently identified a TrickBot campaign that was noteworthy not for its exceptional guile or novel technique, but rather for its lack thereof. Absent any images or convincing textual narrative, the campaign lacks all the hallmarks of this TrickBot distribution group’s modus operandi.


Turning a blind eye: How end-users and NLP AI are being tricked by clever phishing techniques like ZeroFont

July 11, 2018 by Jason Meurer in Malware Analysis

Overview Recently, an older email security detection bypass method was seen being used to successfully surpass Microsoft’s spam and phishing filters. This technique described above makes use of two methods and was dubbed “ZeroFont Phishing” by Avanan. ZeroFont Phishing is the method when attackers insert random strings within keywords or phrases that many artificially intelligent systems use to identify malicious or suspicious content.  When these strings are placed within the HTML span tags mixed with setting the font-size attribute to zero, they become invisible to the end user, but  simultaneously appear to neuter the ability of existing Natural Language Processing...


AZORult Malware Finds a New Ride with Recent Stealer Phishing Campaign

July 9, 2018 by Aaron Riley in Threat Intelligence

Cofense Intelligence™ has uncovered a recent AZORult stealer phishing campaign that delivers the malware via malicious attachments. Older versions of AZORult stealer have been delivered via intermediary loaders, typically Seamless or Rammnit malware. In this latest campaign, the attached documents use multiple techniques to download and execute an AZORult sample, indicating a shift by the threat actors behind the campaign to adopt more evasive delivery techniques.


Geodo Malware Targets Patriots with Phishing Attack on Eve of American Independence Day Holiday

July 3, 2018 by Cofense in Threat Intelligence

By Brendan Griffin and Max Gannon A classic phishing technique involves timing attacks to match major holidays and other global and regional events. One example of this scenario in a phishing attack captured by Cofense Intelligence™ delivering the Geodo botnet malware on July 3, 2018. In this attack the threat actor appeals to the patriotic nature of the Fourth of July holiday and recipients’ sense of patriotism in its content. In these messages, the attacker reminds the recipient of the sacrifices of American service member as part of a narrative designed to entice victims to click on the link in...


Zeus Panda Advanced Banking Trojan Gets Creative to Scam Affluent Victims in Italy

June 28, 2018 by Max Gannon in Threat Intelligence

Cofense Intelligence™ recently observed a sample of Zeus Panda which, upon further research, revealed the malware has been increasingly employing a very creative tactic. This crafty malware variant distracts its victims while quietly draining the victims’ bank accounts, even those accounts that employ additional security mechanisms such as Multi-Factor Authentication. After transferring funds, the malware then masks any evidence that the illicit transactions ever occurred. This tactic ensures that victims with the deepest pockets will remain in the dark as their bank accounts are silently liquidated.


Attackers Use a Bag of Tricks to Target Greek Banking Customers

June 27, 2018 by Milo Salvia in Phishing Defense Center

Recently, the Cofense™ Phishing Defense Center has observed a phishing campaign targeting Greek-speaking users and customers of Alpha Bank. Alpha Bank is the fourth-largest Greek bank. We observed threat actors using multiple tactics to gain login credentials which include user names, passwords, and secret questions. This information would allow threat actors to access unsuspecting victims’ accounts draining funds and perhaps reusing those credentials on other websites.


Another Global Phishing Campaign Distributes Malware Via Fake Invoices

June 25, 2018 by Marcel Feller in Phishing Defense Center

On Thursday June 14th, the Cofense™ Phishing Defense Center (PDC) noted a campaign targeting UK customers with several emails containing the same subject, “Invoice INV-03056,” and prompting the user to view a supposed invoice. The next day, we saw a very similar campaign that delivered French language phishing emails. Upon analyzing the emails, the PDC notified customers that received them, so they could respond as needed. We also notified all our UK customers of the IOC’s.


The FBI’s Global Business Email Compromise (BEC) “Wire-Wire” Bust: A Personal Perspective

June 20, 2018 by Aaron Higbee in Cyber Incident Response

Last week, the FBI announced it had busted a business email compromise (BEC) racket that raked in millions of dollars in fraudulent wire transfers secured through email-based cyberattacks. The Bureau, along with federal and overseas partners, arrested 74 people, seized over $2M, and disrupted and recovered another $14M in phony wire payments.


That email from HR? RSA attendees say you’d better check twice for phishing.

May 3, 2018 by Cofense in Phishing

When the security world gathered at RSA 2018, CofenseTM surveyed attendees about phishing attacks and defenses. The #1 phishing concern? Malicious emails that appear to be internal communications, from your boss, HR, or the help desk, making them extra-hard to resist.


Russian “Troldesh” AKA Encoder.858 or Shade is back!

April 27, 2018 by Dilen Thakuri in Cyber Incident ResponseInternet Security AwarenessMalware AnalysisPhishing Defense Center

On the 19th of April, the Cofense Phishing Defense Center received an email crafted to appear to be from “Sberbank Russia.” In fact, it was a phishing email containing the Troldesh malware, a variant of Russian Ransomware first seen in mid-2015. The PDC hadn’t seen this variant for quite some time.


5 ways we boost your anti-phishing program’s ROI.

April 25, 2018 by Zach Lewis in Cyber Incident ResponseInternet Security AwarenessPhishing Defense Center

If you’re shopping for a vendor to help with phishing awareness training, you might be thinking, “They all seem pretty similar. What’s the difference?”


How to Avoid Drowning in Spam and Phishing Emails

April 23, 2018 by John Robinson in Cyber Incident ResponseInternet Security AwarenessPhishing Defense Center

As we have continued to improve anti-phishing capabilities for clients over the past few years, we have seen a myriad of changes in phishing email composition, style, and approach. Throughout all those changes however, one thing has remained the same.


Their email filters missed these threats. Good thing the users didn’t.

April 19, 2018 by Cofense in Cyber Incident ResponseInternet Security AwarenessMalware AnalysisPhishing Defense Center

By Jerome Doaty, Zakari Grater, and Brenda Gooshaw Samson Technology is an important part of any phishing defense, especially perimeter tech designed to filter emails. But these systems, even those billed as “next-gen email security platforms,” don’t catch everything. Some phishes always get through.


Examples of Silver-bullet Technology Fails

April 13, 2018 by Jesse Lands in Cyber Incident ResponseInternet Security AwarenessMalware AnalysisPhishing Defense Center

Most security teams today are pretty much in the same boat: limited budget, limited man power, and limited time to defend their network against escalating threats and attacks.  Perhaps that’s why so many information security vendors claim to have the “silver bullet” to protect the customer’s environment and solve their problems. 


Communication is essential to your anti-phishing program.

April 12, 2018 by Shelli Matiscik in Cyber Incident ResponseInternet Security Awareness

One of the keys to a successful anti-phishing program is communication. Specifically,  communicating with users before and after a phishing scenario.


Phishing attack shut down in 19 minutes with Cofense Triage.

April 10, 2018 by Cofense in Cyber Incident ResponseInternet Security AwarenessMalware AnalysisPhishing Defense Center

Imagine a cunning phisher: he knows his craft and sends your users an email appearing to come from your CEO that bypasses all your other technology. What would you do? One of our customers faced that very scenario and relied on Cofense TriageTM and the Cofense Phishing Defense Center (PDC) to analyze and respond to the attack in less than 20 minutes after it launched.


Attention Spans and Education Design

April 5, 2018 by John Robinson in Cyber Incident ResponseInternet Security Awareness

Over the past few years, we have seen media attention drawn towards the length of our attention spans as related to our use of technology. Some reports claim a drop from 12 seconds to 8 seconds over the past decade, while others refute that data.


Doubling Down on PhishMe with New Features and Awareness Focus

April 4, 2018 by Cofense in Cyber Incident ResponseInternet Security AwarenessPhishing

Back in 2008, Cofense™ (PhishMe®) pretty much invented the phishing awareness industry when we unveiled the first phishing simulation program for businesses. Cofense PhishMe™ made it easy to condition employees to recognize and report phishing emails and today, over 27 million (and counting) end users in 160 countries, including employees at half the Fortune 100, rely on our expertise.