Cofense Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

Is .XLSX Phishing Making a Comeback?

April 6, 2018 by Charlie Aiken in Cyber Incident Response, Malware Analysis

On March 22nd, Cofense came across a rather unique malware sample that had a very low detection rate. At the time of analysis, the file was only detected by 5/61 AV engines. The detection rate did not reach 30% until at least a week later, as per VirusTotal: 38015eb1699b7596e8c95fed7f0bc32d1492b371bd4d7953019f69dcf40ff1fd.

Attention Spans and Education Design

April 5, 2018 by John Robinson in Cyber Incident Response, Internet Security Awareness

Over the past few years, we have seen media attention drawn towards the length of our attention spans as related to our use of technology. Some reports claim a drop from 12 seconds to 8 seconds over the past decade, while others refute that data.

Doubling Down on PhishMe with New Features and Awareness Focus

April 4, 2018 by phishme in Cyber Incident Response, Internet Security Awareness, Phishing

Back in 2008, Cofense™ (PhishMe®) pretty much invented the phishing awareness industry when we unveiled the first phishing simulation program for businesses. Cofense PhishMe™ made it easy to condition employees to recognize and report phishing emails and today, over 27 million (and counting) end users in 160 countries, including employees at half the Fortune 100, rely on our expertise.

Become the First Security Awareness Professional to be Fully Certified in Phishing Simulation Programs with Cofense

March 29, 2018 by phishme in Cyber Incident Response, Internet Security Awareness

Want to boost your anti-phishing and your professional creds? Now you can, in just a few hours and on your own schedule. Cofense™ is pleased to announce the Cofense PhishMe™ certification, the industry’s first and only professional certification for phishing simulation programs. It’s your chance to fully master Cofense PhishMe, our award-winning phishing awareness training solution, while becoming a certified expert in phishing simulation programs.

Analysing TrickBot Doesn’t Have to be Tricky

March 28, 2018 by Milo Salvia in Malware Analysis, Phishing Defense Center

New additions to the TrickBot malware’s capabilities, observed by the Phishing Defence Centre, indicate that this malware tool is undergoing active development. The designers of this malware are still working hard to introduce new functionality including a network worm functionality and a screen-lock module. The worm component utilises the leaked “EternalBlue” exploit for CVE-2017-0144 to propagate itself across networks that have yet to patch or discontinue the use of SMBv1. The deployment of the screen-lock module (which appears to be still in the early phases of development) gives the threat actors the ability to change the functionality of the malware...

Gamers, beware. You are a target for crypto-mining botnets.

March 26, 2018 by Jitendera Sarda in Internet Security Awareness, Malware Analysis

Many gamers are unaware that they are either potential targets for mining botnets or that they may already be mining cryptocurrencies for cybercriminals. Why are gamers targets? Think about it. Mining requires a large graphics card (GPU), a dedicated Internet connection and an uninterrupted power source. Gamers use powerful and immersive, high-performing GPUs to stay online and play networked games without interruption. It’s the perfect recipe for crypto mining.

By focusing on new hires, this healthcare company lowered its phishing susceptibility.

March 23, 2018 by Zach Lewis in Internet Security Awareness, Phishing Defense Center

A regional healthcare provider started using Cofense PhishMe™ so employees could learn to recognize different types of phishing. At first, the company sent all employees simulated phishes that were tough to recognize. No surprise, susceptibility was high across the business.

The Latest in Software Functionality Abuse: URL Internet Shortcut Files Abused to Deliver Malware

March 22, 2018 by Neera Desai in Internet Security Awareness, Malware Analysis, Threat Intelligence

Adding to a growing trend of phishing attacks wherein Windows and Office functionalities are abused to compromise victim systems, Cofense Intelligence™ has analyzed a recent campaign that uses the URL file type to deliver subsequent malware payloads. This file type is similar to a Windows LNK shortcut file (both file types share the same global object identifier within Windows) and can be used as a shortcut to online locations or network file shares. These files may abuse built-in functionality in Windows to enhance the ability of an attacker to deliver malware to endpoints. By abusing these built-in functionalities, threat actors...

Sigma Ransomware Resurfaces Following a Three-Month Disappearance

March 21, 2018 by Mollie Holleman in Internet Security Awareness, Malware Analysis, Ransomware, Threat Intelligence

Cofense Intelligence™ uncovered a resurgent Sigma ransomware campaign on March 13, 2018 following a noted three-month hiatus of the malware. Although many aspects of this campaign—including its anti-analysis techniques—are consistent with previously analyzed Sigma samples, its return is in and of itself atypical.

New Name, Same People, Stronger Balance Sheet

March 20, 2018 by Rohyt Belani in Cyber Incident Response, Internet Security Awareness, Malware Analysis, Phishing, Phishing Defense Center, Ransomware, Threat Intelligence

Rohyt Belani, CEO & Co-founder, Cofense. So far, it’s been a very exciting 2018 here at Cofense, with our recent acquisition and announcement of our new name and brand. We continued performing well as a company and launching numerous new features across our products.

After improving phishing detection, this company is focusing on response.

March 16, 2018 by Zach Lewis in Malware Analysis, Phishing Defense Center

A global commercial development company needed to train employees to recognize and report phishing. The company launched Cofense PhishMe™ and Cofense Reporter™, conditioning users to identify potentially malicious emails and empowering them to report with a single click.

For this financial services company, tougher simulations hardened phishing resiliency

March 15, 2018 by Zach Lewis in Malware Analysis, Phishing Defense Center

After introducing Cofense PhishMe™ and Cofense Reporter™, a financial services company had reduced susceptibility to 10% or lower across its 10,000+ employees. At the same time, reporting had climbed to almost 50% for data-entry simulated phishes and just under 25% for click-only. In other words, employees had learned to identify basic phishing attacks. Sometimes you need to “turn up the heat.” The company’s CISO realized it was time to use more complex scenarios to further harden resiliency. The CISO pointed out that attackers don’t ask permission to launch sophisticated attacks, so the company had to be ready for anything. To...

Careful: This “life insurance invoice” contains the Ursnif malware

March 12, 2018 by Marcel Feller in Malware Analysis, Phishing Defense Center

Over the past couple of days, the Cofense™ Phishing Defence Centre has observed multiple campaigns that prompt the user to download what appears to be a life insurance invoice. The “invoice” gets delivered in the form of a zip file that contains a LNK file with content crafted to create an effective malware downloader tool. The malware it delivers: Ursnif.

This financial services company increased phishing reporting to over 50%

March 9, 2018 by Zach Lewis in Internet Security Awareness, Malware Analysis, Phishing Defense Center

To lower phishing susceptibility, a major financial services company introduced Cofense PhishMe™. By sending a strategic combination of simulated phishes, the company conditioned employees to recognize phishing scams.

Triple threat: This phishing campaign used 3 separate vectors.

March 8, 2018 by phishme in Malware Analysis

By Darrel Rendell and Mollie Holleman. Cofense Intelligence™ rarely sees a weaponized document that contains three separate vectors to launch an embedded payload. However, we recently observed a small phishing campaign that distributed an RTF which abuses two vulnerabilities and leverages social engineering in an attempt to execute a FormGrabber payload on the victim’s machine.

Missing in Action: Several Prominent Malware of 2017

February 9, 2018 by Mollie Holleman in Phishing

Thus far in 2018, PhishMe Intelligence™ has observed a lull in multiple malware families that were prominent throughout 2017. There are several possible reasons for this hiatus.

Another wave of Brazilian malspam leads to banking trojan

February 9, 2018 by Oscar Sendin in Phishing

In October of 2017 we blogged about a phishing campaign specifically targeting Brazilian Portuguese-speaking users. Back then, the campaign distributed a malicious Chrome browser extension. More recently, we have observed a wave of emails that have remarkably similar characteristics. This time around, the malware of choice is a banking trojan.

New Enhancements Help Streamline Incident Response with PhishMe Triage

December 22, 2017 by phishme in Phishing

With security analysts pulled in many directions, they must be able to prioritize and invoke incident response on ransomware, business email compromise (BEC), malware infections, and credential-based theft emails. The key to this is the automation and streamlining of the incident response. PhishMe Triage™ has been updated with new features to help security analysts and incident response teams streamline their processes and secure administrative access. Key Features this Release: Tighter Integration – Authenticated API for integration across the incident response team; Additional Security – Two-factor authentication for PhishMe Triage users; More Accountability – Audit logs are generated for all users...

Here’s How Boards Should Measure Anti-Phishing Programs

December 6, 2017 by John Robinson in Phishing

In board rooms across the globe, directors are asking the question, “How is phishing affecting the organization and are we able to handle the risks?”

Be Careful Who You Trust: Impersonation Emails Deliver Geodo Malware

November 16, 2017 by Marcel Feller in Malware Analysis, Phishing Defense Center

Over the past weeks, the Phishing Defence Centre has observed several reports that pretend to come from an internal sender. While this impersonation tactic is not new, we have only recently observed an influx in emails used to deliver the Geodo botnet malware. Figure 1 demonstrates an example of an email we have received.

Threat Actors Put a Greek Twist on Ransomware with Sigma

November 10, 2017 by Chase Sims in Malware Analysis, Phishing Defense Center

When we think of Greek-themed malware, the trojan family generally comes to mind. Not anymore: Sigma is a new ransomware delivered via phishing email.

Oh Behave! – Simulation Analysis

October 30, 2017 by John Robinson in Cyber Incident Response, Internet Security Awareness, Phishing

When considering your organization’s response to a simulated phish, it is critical to understand that we are emulating / practicing for real life events with the purpose of conditioning appropriate response patterns in our user base. 

PhishMe Named a Consecutive Leader in the 2017 Gartner Magic Quadrant

October 27, 2017 by phishme in Cyber Incident Response, Internet Security Awareness, Malware Analysis, Phishing

PhishMe has been named a consecutive leader in Gartner’s 2017 Security Awareness Computer-Based Training Magic Quadrant. It’s the second year we’ve been recognized as a leader and positioned highest in “ability to execute.”

Sage Ransomware Distinguishes Itself with Engaging User Interface and Easy Payment Process

October 26, 2017 by Brendan Griffin in Internet Security Awareness, Malware Analysis, Phishing

In early 2017, the Sage ransomware distinguished itself with a fresh take on the business model for criminal ransomware operations. Built with an engaging, intuitive user interface for requesting the ransom payment, it also reinforced the fact criminals are willing to invest in developing new versions of established ransomware tools. Sage has reasserted itself as a relevant player on the already-saturated ransomware threat landscape with version 2.2.

Fake Swiss Tax Administration Office Emails Deliver Retefe Banking Trojan

October 25, 2017 by Marcel Feller in Malware Analysis, Phishing, Phishing Defense Center

PhishMe®’s Phishing Defence Centre has observed multiple emails with a subject line that includes a reference to tax declarations in Switzerland (Original subject in German: “Fragen zu der Einkommensteuerklaerung”) as shown in Figure 1. The sender pretends to be a tax officer working for the tax administration (Eidgenoessische Steuerverwaltung ESTV) and is asking the victim to open the attached file to answer questions about the tax declaration.
