New Credential Phish Masks the Scam Page URL to Thwart Vigilant Users
October 22, 2019 by Cofense in Cyber Incident ResponsePhishingBy Milo Salvia, CofenseTM Phishing Defense CenterTM This blog has been updated since its first appearance on October 17, 2019 to include information related to the threat origin and bypassed email gateways. The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they try to hover...
Agent Tesla Keylogger Is Now a Top Phishing Threat
October 18, 2019 by Cofense in Malware AnalysisThreat IntelligenceBy Aaron Riley, Cofense IntelligenceTM The Agent Tesla keylogger is an increasingly widespread piece of malware in the phishing threat landscape, targeting multiple industries and using multiple stages within its infection chain. Currently, threat actors prefer archived files or weaponized Microsoft Office productivity documents to deliver this malicious software to the endpoint. Agent Tesla is sold as a commercial subscription license and offers a 24/7 support team. With an easy to use and abundant feature set—like a document exploit builder embedded into the malware management web panel—this keylogger lends itself to all levels of threat actors. A typical theme for...
This Credential Phish Masks the Scam Page URL to Thwart Vigilant Users
October 17, 2019 by Cofense in Cyber Incident ResponsePhishingBy Milo Salvia, Cofense Phishing Defense CenterTM The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers. The phish prevents email recipients from seeing the destination of an embedded link when they try to hover over the URL. Instead, what they see is a bogus account message. Here’s how the campaign works. Email Body The email pretends to be a notification...
New Phishing Sextortion Campaign Using Alternative Crypto Currencies to Evade Detection
October 8, 2019 by Cofense in Cyber Incident ResponsePhishingBy Hunter Johnson, Cofense Professional Services Cofense has observed threat actors employing a modified version of a sextortion scam using alternative crypto currencies to bitcoin. Typical sextortion scams claim to have installed malware on recipients’ systems and recorded their browsing history of adult websites and webcam footage. Ransom is demanded in bitcoin, upon threat of releasing damaging information to family, friends, and co-workers. Because threat actors often get recipients’ emails from password breach lists, they sometimes include passwords to lend authenticity. Early sextortion scams started with a plain text extortion email threating the recipient and asking for payment. As enterprises began...
Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways
September 25, 2019 by Milo Salvia in Cyber Incident ResponseLast week, the Cofense Phishing Defense CenterTM observed phishing threat actors using low-level trickery to avoid detection, by utilizing basic percentage-based URL encoding. This takes advantage of Google’s nifty ability to decode the encoded URL data on the fly. The easiest way to trick a secure email gateway (SEG) is hiding the true destination of the payload. Here’s how it works: Figure 1: email body The phishing email is simple and originates from a compromised email account of a relatively well-known American brand, informing recipients that they have a new invoice awaiting payment. The email body has an embedded hyperlink...
Rethinking Security Awareness? Fine-Tune Your Simulations
September 20, 2019 by Zach Lewis in Internet Security AwarenessPart 2 of 2 In part 1 of this short series, we gave tips on re-energizing a mature security awareness program. We noted the importance of reassessing your organization’s risk profile and communicating with users as you educate them on phishing. For part 2, let’s look at anti-phishing through the lens of simulated threats. How to Refocus Your Phishing Simulations If you manage a security awareness program, you need to educate users on phishing emails that land in their inboxes—active threats like malware, business email compromise (BEC), or sextortion. This means talking to your SOC to understand the threats your...
Emotet Malicious Phishing Campaigns Return in Force
September 18, 2019 by Cofense in Threat IntelligenceBy Alan Rainer and Max Gannon The infamous malware family Emotet—also known as Geodo—has fully resurfaced and resumed sending phishing campaigns that trick users into clicking on links and downloading attachments that contain malicious macros. Many of the emails feature common financial themes that capitalize on an existing reply chain or contact list impersonation. In most cases, subjects for these phishing emails are rather mundane, such as “RE: Re: Contract/Invoice Count” and “Customer Statement 09/16/2019”, with attachments that use Microsoft Office macros to install malware. Upon installation of the Emotet executable, the banking Trojan TrickBot may be placed onto the...
New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet
September 17, 2019 by Milo Salvia in Internet Security AwarenessThreat IntelligenceThe Cofense Phishing Defense CenterTM has detected a new wave of attacks targeting the US taxpayer by delivering Amadey botnet via phishing emails. Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality. Threat groups like TA505 have been known to leverage Amadey botnet as recently as July 2019 to deliver secondary malware like FlawedAmmy (RAT) and email stealers. Here’s how a typical attack works: Figure 1: Infection chain Figure 2: Email Body The email body reports...
Healthcare’s Getting Smacked by Phishing. These Resources Can Help.
September 13, 2019 by Cofense in PhishingThis summer, phishing attacks continued to hammer healthcare. Florida: Compromised email accounts, at last count 73, were used to send a phish which led to a breach at NCH Healthcare.1 Ohio: Eye Care Associates was hit with ransomware. The regional eye care provider’s systems were locked for several weeks. 2 New York: In the biggest healthcare breach so far in 2019, American Medical Collection Agency was breached to the tune of 25 million patient records. While phishing hasn’t been positively identified as the culprit, it’s high on the suspect list.3 Need Phishing Defense Resources? Start Here. To help healthcare companies...
Astaroth Uses Facebook and YouTube within Infection Chain
September 11, 2019 by Aaron Riley in Threat IntelligenceAll third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.