Cofense Blog

PhishMe Named a Consecutive Leader in the 2017 Gartner Magic Quadrant

October 27, 2017 by Cofense in Cyber Incident Response, Internet Security Awareness, Malware Analysis, Phishing

PhishMe has been named a consecutive leader in Gartner’s 2017 Security Awareness Computer-Based Training Magic Quadrant. It’s the second year we’ve been recognized as a leader and positioned highest in “ability to execute.”

Sage Ransomware Distinguishes Itself with Engaging User Interface and Easy Payment Process

October 26, 2017 by Cofense in Internet Security Awareness, Malware Analysis, Phishing

In early 2017, the Sage ransomware distinguished itself with a fresh take on the business model for criminal ransomware operations. Built with an engaging, intuitive user interface for requesting the ransom payment, it also reinforced the fact that criminals are willing to invest in developing new versions of established ransomware tools. Sage has reasserted itself as a relevant player on the already-saturated ransomware threat landscape with version 2.2.

Fake Swiss Tax Administration Office Emails Deliver Retefe Banking Trojan

October 25, 2017 by Marcel Feller in Malware Analysis, Phishing, Phishing Defense Center

PhishMe®’s Phishing Defence Centre has observed multiple emails with a subject line that includes a reference to tax declarations in Switzerland (Original subject in German: “Fragen zu der Einkommensteuerklaerung”) as shown in Figure 1. The sender pretends to be a tax officer working for the tax administration (Eidgenoessische Steuerverwaltung ESTV) and is asking the victim to open the attached file to answer questions about the tax declaration.

Social Media: It’s Time to <3 Security Awareness

October 24, 2017 by Cofense in Cyber Incident Response, Internet Security Awareness, Phishing

Part 4 in a weekly blog series, “How Attackers Target Trust,” running during October, National Cyber Security Awareness Month and European Cyber Security Month. Over the past decade, mobile phones and social media have become essential to how we ingest news and communicate with friends and family.

Beware: These Scams Turn Open Enrollment into Open Season for Phishing

October 24, 2017 by Heather McCalley in Internet Security Awareness, Malware Analysis, Phishing

Last fall, PhishMe® warned you about scams that use phishing to steal your health savings account (HSA) details during open enrollment periods. This year we are seeing a variety of phishing scams that can take advantage of your year-end diligence in managing personal and corporate assets.

New Strain of Locky with a “Deadly” Twist

October 19, 2017 by Cofense in Cyber Incident Response, Malware Analysis, Phishing Defense Center

With flu season upon us, no one wants to hear that a new strain of the flu has been discovered, and network defenders will be no more excited to learn that Locky ransomware has evolved yet again. This time, however, the threat actors decided to add a darker theme to the code.

Security Awareness: 4 tips on Trusting Technology

October 17, 2017 by Cofense in Cyber Incident Response, Internet Security Awareness, Phishing

Part 3 in a weekly blog series, “How Attackers Target Trust,” running during October, National Cyber Security Awareness Month and European Cyber Security Month.

Malicious Chrome Extension Targets Users in Brazil

October 17, 2017 by Cofense in Malware Analysis, Phishing, Phishing Defense Center

Our Phishing Defense Center recently detected a significant increase in the number of emails with malware designed exclusively to target users in Brazil.

Locky or TrickBot? Depends Where You Are. Malicious Payload Delivery Tailored by Geographic Location

October 13, 2017 by Cofense in Internet Security Awareness, Malware Analysis, Phishing

By Neera Desai and Victor Cornell. It is not uncommon for threat actors to deploy malicious payloads from multiple malware families during a single phishing campaign. These malware tools may include ransomware, a financial crimes trojan, or other botnet malware. However, it is not as common for those attackers to deploy different malware tools based upon the geographic location of their victim.

To Raise Security Awareness, Don’t Trust the Process.

October 12, 2017 by Cofense in Cyber Incident Response, Internet Security Awareness, Phishing

Part 2 in a weekly blog series, “How Attackers Target Trust,” running during October, National Cyber Security Awareness Month and European Cyber Security Month. 

Small but powerful — shortened URLs as an attack vector

July 31, 2014 by Cofense in Phishing, Threat Intelligence

Using tiny URLs to redirect users to phishing and malware domains is nothing new, but just because it’s a common delivery tactic doesn’t mean that attackers aren’t using it to deliver new malware samples. We recently received a report of a phishing email from one of our users here at PhishMe that employed a shortened Google URL and led to some surprising malware. Through the power of user reporting, we received the report, discovered the malicious nature of the shortened URL, and reported the issue to Google – all within a span of 30 minutes. Google reacted quickly and took...

The New GameOver Zeus Variant (newGOZ) Spams Again

July 22, 2014 by Cofense in Malware Analysis

Almost two weeks ago, PhishMe identified a new Trojan based almost entirely on the notorious GameOver Zeus variant. The new GameOver Zeus variant demonstrated many of the same behaviors and characteristics of the original. The most notable change between these two Trojans was the abandonment of the peer-to-peer botnet used by the older GameOver Zeus. Instead, the new variant used a new fast-flux infrastructure. However, much of the behavior—and malicious capabilities—of the original was retained in this newer form of the malware. Today, a large number of spam emails were received and analyzed by PhishMe in one of the...

Slava Ukraini: Dyre Returns

July 17, 2014 by Cofense in Threat Intelligence

It has been a few weeks since the original discovery of the Dyre malware, and the attackers have sent another wave of phishing. This time, the phishing campaign only went to one senior level individual within our enterprise.

Breaking: GameOver Zeus Mutates, Launches Attacks

July 10, 2014 by Cofense in Malware Analysis

Today, PhishMe’s analysts identified a new banking Trojan that is based heavily on the GameOver Zeus binary. The GameOver Zeus mutation was distributed as an attachment in three spam email templates, utilizing the simplest method of infection to compromise end users’ systems. The e-mail spam campaign: from 9:06 AM to 9:55 AM we intercepted spam messages claiming to have been sent from NatWest Bank. One of the email messages used to distribute the new GameOver Zeus variant is listed below. As you can see, the message uses a common social engineering technique. It alerts the recipient to the risk of...

Attackers using Dropbox to target Taiwanese government

July 1, 2014 by Cofense in Internet Security Awareness, Threat Intelligence

While we have previously mentioned cyber-crime actors using Dropbox for malware delivery, threat actors are now using the popular file-sharing services to target nation-states. According to The Register, attackers targeted a Taiwanese government agency using a RAT known as PlugX (also known as Sogu or Korplug). From an anti-forensics perspective, PlugX is a very interesting piece of malware. One of the main ways it loads is by using a technique similar to load order hijacking.

Dyre Banking Trojan: What You Need to Know

June 18, 2014 by Cofense in Threat Intelligence

Beware of the Dyre banking Trojan! – A new malware threat that steals financial information such as login credentials. News of the Dyre banking Trojan has been circulating the web recently, following its discovery. Dyre, or Dyreza as it is also known, exhibits classic banking Trojan behaviors such as using “man-in-the-middle” attacks to steal private information from victims. It is also being used on customers of certain banks in targeted attacks. PhishMe identified this new malware on June 11, 2014. The Trojan is distributed via spam email messages that used similar email templates to other banking Trojan and malware distribution campaigns. Rather...

Project Dyre: New RAT Slurps Bank Credentials, Bypasses SSL

June 13, 2014 by Cofense in Internet Security Awareness, Threat Intelligence

When analyzing tools, tactics, and procedures for different malware campaigns, we normally don’t see huge changes on the attackers’ part. However, in the Dropbox campaign we have been following, not only have the attackers shifted to a new delivery domain, but they have started to use a new malware strain, previously undocumented by the industry, named “Dyre”. This new strain not only bypasses the SSL mechanism of the browser, but attempts to steal bank credentials.

You’re infected! Ransomware with a twist

May 22, 2014 by Cofense in Ransomware

Your computer is infected! Pay $50 USD in order to remove the malware. The FBI has been tracking you for visiting inappropriate sites. Please pay $250 to avoid higher court costs and appearances. Ransomware is nothing new, and typically comes in many shapes and sizes. For years, users have been visiting websites, only to be redirected to a ransomware site and scared into paying fees that amounted to nothing more than lost money. With the advent of CryptoLocker, however, attackers have felt a need to “give” back to their victims. Once they infect a system and encrypt the data, they...

What we’re reading about the Chinese hacking charges

May 21, 2014 by Aaron Higbee in Internet Security Awareness, Threat Intelligence

While the full implications from yesterday’s DoJ indictment of five Chinese hackers on charges of cyber crime are yet to be fully seen, these charges have already succeeded in elevating cyber crime from a niche discussion to an important debate in society at-large. Furthermore, just as last year’s APT1 report did, the court documents provide a detailed glimpse at the tactics China is using to steal trade secrets from the world’s largest corporations (not surprisingly, phishing continues to be the favored attack method). There has been a lot of media attention on this story, so we’ve put together a list...

There’s threat data and then there’s threat intelligence, do you know the difference?

May 20, 2014 by Cofense in Threat Intelligence

The intelligence-led security approach is gaining traction in corporate security circles. However, we’ve noticed that the term threat data is often confused with threat intelligence. It’s an easy mistake to make, yet very important to distinguish between the two – one represents the “old way of doing things,” while the other brings about a new era in corporate security and brand protection. In this article, we’ll discuss threat intelligence and how it differs from threat data. The difference between threat intelligence and threat data, #1: Threat intelligence is verified. Threat data is just a list. Modern threat intelligence has been...

Yara CTF, Blackhat 2015

August 4, 2015 by Cofense in Phishing

Welcome and good luck on the CTF! Password: “Go forth and hack!!##one1”, no quotes. PM_Yara_CTF_2015 One of the challenges is to write an exploit, so please exercise responsible disclosure on this one! We will be working with the developers to get the code patched ASAP! Please note: Challenge #4 contains a typo, it needs a Yara rule, not a key. Sorry for the error. Deadline for submissions: We will close the contest at 8 AM (PDT) on Thursday, August 6.

The Danger of Sensationalizing Phishing Statistics

August 3, 2015 by Rohyt Belani in Phishing

People are often curious about what percentage of users will fall for a phishing attack, and it’s tempting to try to create this kind of statistic. At PhishMe, we’ve found that trying to assign a blanket statistic is counterproductive – however this hasn’t stopped others in the industry from trying to do so. The most recent company to try is Intel Security (formerly McAfee), which declared that 97% of people globally were unable to correctly identify phishing emails. While this statistic certainly makes for a nice headline, it is broad-based and flawed in a number of ways.

These Are Not The (CryptoLocker) Resumes You’re Looking For

July 8, 2015 by Cofense in Internet Security Awareness, Threat Intelligence

For a long time, attackers have used .zip files in order to carry their bad stuff to organizations. Typically attackers include the malware in an .exe or screensaver file in the .zip, but we’ve noticed attackers trying to tell a different story in a recent wave of attacks. Here’s a screenshot of one of the emails: Once opened, the user is prompted to download a .zip file. We can see this in the iframe of the html file inside, as well as the .zip file that is downloaded.

DNS Abuse by Cybercriminals – RATs, Phish, and ChickenKillers

June 15, 2015 by Cofense in Phishing, Threat Intelligence

This week in our malware intelligence meeting, our analysts brought up DNS abuse by cybercriminals. Two malware samples were seen this week which had the domain “chickenkiller.com” in their infrastructure. I thought this sounded familiar, but my first guess was wrong. Chupacabra means “goat sucker” not “chicken killer”. So, we did a search in the PhishMe Intelligence database and were surprised to see not only that “chickenkiller.com” was used in two different malware samples in the past week, but that there were also more than sixty phishing sites that linked to that domain! What we’re seeing here is a combination...

Dyre Configuration Dumper

June 11, 2015 by Cofense in Internet Security Awareness

It’s been over a year since Dyre first appeared, and with a rise of infections in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick Python script that folks can use for dumping the configurations for Dyre.

Forget About IOCs… Start Thinking About IOPs!

June 9, 2015 by Aaron Higbee in Internet Security Awareness

For those who may have lost track of time, it’s 2015, and phishing is still a thing. Hackers are breaking into networks, stealing millions of dollars, and the current state of the Internet is pretty grim. We are surrounded with large-scale attacks, and as incident responders, we are often overwhelmed, which creates the perception that the attackers are one step ahead of us. This is how most folks see the attackers, as being a super villain who only knows evil, breathes evil, and only does new evil things to trump the last evil thing. This perception leads to us receiving...

Disrupting an Adware-serving Skype Botnet

June 3, 2015 by Cofense in Internet Security Awareness

In the early days of malware, we all remember analyzing samples of IRC botnets that were relatively simple, where the malware would connect to a random port running IRC, joining the botnet and waiting for commands from their leader. In this day and age, it’s slightly different. Whereas botnets previously had to run on systems that attackers owned or had compromised, now bots can run on Skype and other cloud-based chat programs, providing an even lower-cost alternative for attackers.

Surfing the Dark Web: How Attackers Piece Together Partial Data

June 2, 2015 by Aaron Higbee in Internet Security Awareness

The recent Carefirst breach is just the latest in a rash of large-scale healthcare breaches, but the prevailing notion in the aftermath of this breach is that it isn’t as severe as the Anthem or Premera breaches that preceded it. The thinking is that the victims of this breach dodged a bullet here, since attackers only accessed personal information such as member names and email addresses, not more sensitive information like medical information, social security numbers, and passwords. However, attackers may still be able to use this partial information in a variety of ways, and a partial breach should not...

Has Your Yahoo Password Been Stolen?

May 14, 2015 by Cofense in Phishing

Has your Yahoo password been stolen? Would you be aware if that was the case? Many people who have fallen for the latest Yahoo password stealing scam will be unaware that their account is no longer secure. PhishMe researchers are always finding new tactics used by the top phishers to steal login credentials for popular on-line services, and attacks on Yahoo users are incredibly common. We recently found a very clever phisher using the idea of strengthening your password against you. Let’s explore this phishing scenario in detail. Since the beginning of May, the URL: hxxp://markspikes.com/2/us-mg5.mail.yahoo.com/ has loaded a page...

Updated Dyre, Dropped by Office Macros

May 4, 2015 by Cofense in Internet Security Awareness, Malware Analysis

Whenever attackers make a shift in tactics, techniques, and protocol (TTP), we like to make note of it to help both customers and the rest of the Internet community. We recently analyzed a sample that started out appearing to be Dridex, but quickly turned into a headache leading to Dyre that featured some notable differences to past Dyre samples. One PhishMe user was targeted to their personal account, and here’s a copy of the phishing email: Once opened, we’re presented with the very familiar story of “please enable this macro so you can get infected”. This time, they do give...