
Cofense Phishing Prevention & Email Security Blog


Why Customers Love Our Board Reports on Their Phishing Defense

August 8, 2018 by Professional Services Team in Internet Security Awareness

Last year, a Cofense™ customer wanted to show his board the results of his phishing-defense program. Specifically, the customer was looking for a board-report template. The customer did a quick Google search and found…nothing.


Another Tax-Rebate Phishing Scam, This Time in Canada

August 7, 2018 by Dilen Thakuri in Phishing Defense Center

The Cofense™ Phishing Defense Center has observed a phishing email targeting Canadian taxpayers, similar to HMRC scams we recently reported in the United Kingdom. It’s the latest in a surge of tax-rebate phishing scams seen across the globe, prompting tax-collection agencies to issue consumer warnings.


Abusing Microsoft Windows Utilities to Deliver Malware for Fun and Profit

August 6, 2018 by Max Gannon in Malware Analysis

Last year, Cofense Intelligence™ observed an increase in abuse of features built into platforms that are all but ubiquitous throughout the corporate world. An overview of these developments in 2017 was covered in our 2017 Malware Review, which highlighted the abuse of Microsoft features such as Object Linking and Embedding (OLE) and Dynamic Data Exchange (DDE) to deliver malware. Since last year, this trend has continued as threat actors are exploiting a greater variety of features as well as combining multiple techniques into one campaign.


Cofense Shortlisted for Three UK Computing Technology Product Awards

August 3, 2018 by Cofense in Phishing

We are delighted to share the news that Cofense™ has been shortlisted for not just one but three Computing Technology Product Awards! Some of the most prestigious awards on the UK IT industry’s calendar, the Computing Technology Product Awards aim to recognise the very best in technology and shine a spotlight on the winners. Following are the categories we are shortlisted for. Best Business Security Provider: This recognizes our history and reputation in defining and leading the space. Since 2007, Cofense has pioneered the phishing defense industry. While we began in phishing awareness with what was then called PhishMe Simulator™,...


Geodo and TrickBot Malware Morph into Bigger Threats

August 2, 2018 by Max Gannon in Threat Intelligence

It may be time to rethink the Geodo and Trickbot malware. These botnets have recently become more of a threat by increasing in activity and in their variety of delivery mechanisms, utilities, and behaviors.


The Headlines Make the Case for More Efficient Phishing Response

August 1, 2018 by Tonia Dudley in Cyber Incident Response

Last week, Brian Krebs released a blog post about the recent news of a Virginia Bank being breached—not once, but twice. And he didn’t bury the headline. It was right up front: “Hackers used phishing emails to break into a Virginia Bank….”


Customer Satisfaction Survey Leads to Credential Phishing

July 31, 2018 by Marcel Feller in Phishing Defense Center

The Cofense™ Phishing Defense Center (PDC) has observed a phishing campaign masquerading as a Customer Satisfaction Survey from Cathay Pacific. Fake surveys are an old tactic, but the PDC has recently seen an increase in their use. Examining the following email will show you what to look out for. At first look, the email appears to be a legitimate Satisfaction Survey. It is not uncommon to receive a reward for completing a survey, so that alone is not an Indicator of Phishing (IoP). However, as shown in Figure 1, the “Click here – Participate and Win” link feels out of...


The El Camino Effect in Anti-Phishing Training

July 30, 2018 by Cofense in Internet Security Awareness

Too often in anti-phishing training, or phishing defense in general, companies look for the wrong threats. That’s understandable to a degree, given that attackers constantly shift their tactics. But it’s still a problem if, to use a bank heist metaphor, you’re looking for robbers who drive a Camaro vs. an El Camino. Without training based on the latest and most relevant threats, you’ll increase the odds the bad guys get away. Sometimes when that happens, users unfairly get blamed. Not cool. As anti-phishing program administrators, it’s our responsibility to empower folks to succeed. Understanding the El Camino Effect: To...


Why You Need to Keep Brands Out of Phishing Simulations

July 26, 2018 by Tonia Dudley in Internet Security Awareness

The top 4 brands in the world—Apple, Google, Microsoft, and Facebook—are worth over $500B. Not the operations of those brands, not their proprietary technology, or their real estate—the brands alone. When something is that valuable, companies protect it zealously. They monitor how their brands are used and take action to defend them. Cofense stands firm on not allowing 3rd party brands or logos to be utilized in our phishing simulations without prior express permission. There are times when we may partner directly with specific brands and organizations on the official inclusion of their brand assets in simulation content where it...


PhishMe Celebrates National Cyber Security Awareness Month 2015 and UK Based Security Serious Week

October 7, 2015 by Cofense in Internet Security Awareness, Malware Analysis

It’s that time of year again. No, it’s not the arrival of the pumpkin spiced latte at your local coffee shop. It’s National Cyber Security Awareness month (NCSAM) as proclaimed by President Barack Obama last year. “National Cyber Security Awareness Month — celebrated every October — was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online,” as stated by the National Cyber Security Alliance located on their website. At PhishMe, we are proud to once again play a lead role in the cyber...


Upatre Malware Anti-Sandboxing Mechanism Uncovered

September 17, 2015 by Cofense in Malware Analysis

Researchers have been studying the Upatre malware anti-sandboxing mechanism over the course of the past few days, after capturing a number of samples of the malware. The Upatre malware anti-sandboxing mechanism involves a delay in activity. A 12-minute delay to be precise. That is how long it takes before the malware downloads its malicious payload. The delay is an anti-sandboxing tactic to ensure that the malware is not being executed in a sandbox environment where its actions can be analyzed and studied by security researchers. An early example of this technique can be found in any of the binaries delivered...


These Are Not The (CryptoLocker) Resumes You’re Looking For

July 8, 2015 by Cofense in Internet Security Awareness, Threat Intelligence

For a long time, attackers have used .zip files in order to carry their bad stuff to organizations. Typically attackers include the malware in an .exe or screensaver file in the .zip, but we’ve noticed attackers trying to tell a different story in a recent wave of attacks. Here’s a screenshot of one of the emails: Once opened, the user is prompted to download a .zip file. We can see this in the iframe of the html file inside, as well as the .zip file that is downloaded.


Deriving Malware Context Requires Human Analysis

June 20, 2015 by Cofense in Threat Intelligence

Man versus machine is one of the oldest technology tropes. In the modern tech economy, it represents one of the largest driving forces in many industries in which processes are streamlined by the inclusion of robotics and automated processes. For the threat intelligence industry, the automated malware sandbox represents the machine that has been put in place to replace the work done by analysts. However, while producing high quality threat intelligence can be enhanced with the inclusion of some automation, completely replacing the human aspect greatly impacts the quality of your analysis. The automated sandbox provides a snapshot of a...


CERT Researchers Examine Domain Blacklists

June 19, 2015 by Cofense in Threat Intelligence

After researching everything you want to know about domain blacklists, Jonathan Spring and Leigh Metcalf – two members of the technical staff at the CERT Division of Carnegie Mellon University’s Software Engineering Institute – performed an additional analysis and case study on the Domain Blacklist Ecosystem. Their research supports a hypothesis regarding how the difference in the threat indicators available from a range of different sources is related to sensor vantage and detection strategy. To facilitate this, they required a source of intelligence that varied the detection strategy without changing the sensor vantage. University research continues to play an important role in how we develop...


DNS Abuse by Cybercriminals – RATs, Phish, and ChickenKillers

June 15, 2015 by Cofense in Threat Intelligence, Phishing

This week in our malware intelligence meeting, our analysts brought up DNS abuse by cybercriminals. Two malware samples were seen this week which had the domain “” in their infrastructure. I thought this sounded familiar, but my first guess was wrong. Chupacabra means “goat sucker” not “chicken killer”. So, we did a search in the PhishMe Intelligence database and were surprised to see not only that “” was used in two different malware samples in the past week, but that there were also more than sixty phishing sites that linked to that domain! What we’re seeing here is a combination...


Updated Dyre, Dropped by Office Macros

May 4, 2015 by Cofense in Internet Security Awareness, Malware Analysis

Whenever attackers make a shift in tactics, techniques, and protocol (TTP), we like to make note of it to help both customers and the rest of the Internet community. We recently analyzed a sample that started out appearing to be Dridex, but quickly turned into a headache leading to Dyre that featured some notable differences to past Dyre samples. One PhishMe user was targeted to their personal account, and here’s a copy of the phishing email: Once opened, we’re presented with the very familiar story of “please enable this macro so you can get infected”. This time, they do give...


Detecting a Dridex Variant that Evades Anti-virus

March 25, 2015 by Cofense in Internet Security Awareness, Malware Analysis

Attackers constantly tweak their malware to avoid detection. The latest iteration of Dridex we’ve analyzed provides a great example of malware designed to evade anti-virus, sandboxing, and other detection technologies. How did we get our hands on malware that went undetected by A/V? Since this malware (like the majority of malware) was delivered via a phishing email, we received the sample from a user reporting the phishing email using Reporter.


Dridex Code Breaking – Modify the Malware to Bypass the VM Bypass

March 18, 2015 by Cofense in Malware Analysis

Post updated on March 25. The arrival of spring brings many good things, but it’s also prime season for tax-themed phishing emails. A partner of ours recently reported an email with the subject “Your Tax rebate” that contained an attachment with Dridex and password-protected macros to hinder analysis. If you read this blog, this story should sound familiar, but this particular strain took new precautions, such as adding a longer password and using VM detection inside of the code.


5 Reasons Hackers Target SMBs—and 1 Free Way to Fight Back

September 1, 2017 by Cofense in Phishing, Cyber Incident Response, Internet Security Awareness

Last week PhishMe® released PhishMe® Free, a no-cost version of our award-winning anti-phishing solution, to protect SMBs from phishing attacks and resulting threats. A new PhishMe white paper shows the urgent need for SMBs to bolster their defenses.


10 Ways to Defend Against Business Email Compromise / CEO Email Fraud Scams

August 31, 2017 by Heather McCalley in Malware Analysis, Internet Security Awareness, Phishing

Cybercriminals continue to successfully hack and spoof emails to impersonate supervisors, CEOs, and suppliers and then request seemingly legitimate business payments. Because the emails look authentic and seem to come from known authority figures, many employees comply. But later they discover they’ve been tricked into wiring money or depositing checks into criminals’ bank accounts.


The Newest Delivery Method for the Locky Ransomware

August 29, 2017 by Cofense in Malware Analysis, Phishing

Since its introduction in early 2016 and throughout this year, the distribution of the Locky ransomware has been overwhelmingly facilitated by attached script applications written in JScript or Visual Basic. These script applications have been delivered as the content of an attached archive such as a Zip or RAR file delivered as part of the email messages.


Locky Ransomware Keeps Returning After Repeated Absences

August 23, 2017 by Cofense in Phishing, Malware Analysis

It seems that each time the information security community is ready to declare the Locky ransomware dead and gone, phishing threat actors launch new campaigns with new characteristics. Locky’s presence on the threat landscape dates back to February 2016 when this malware formalized and matured the ransomware business model in phishing emails. Coupled with a tenacious distribution strategy, Locky dominated the phishing markets throughout 2016. Since early 2017, Locky’s presence on the threat landscape has been far more tepid. Its subdued presence on the threat landscape and intermittent distributions led to rumors that Locky was a thing of the past;...


Zeus Panda’s Modular Functions Provide Insight into Botnet Malware Capabilities

August 21, 2017 by Cofense in Phishing, Malware Analysis

One core element of the information security mission is the successful assessment of the risk posed to an organization by a malware sample or malware variety delivered by a phishing email. In 2017, phishers have embraced the use of adaptable and flexible malware to gain initial footholds in a network before monetizing the infected host. The intersection of these two missions creates a scenario in which open-ended, adaptable botnet malware challenges information security professionals to prepare for a wide array of malware capabilities – in some cases without much insight into the real risks posed by a malware tool. However, in some...


The PhishMe 2017 Excellence Awards Nominations are Open!

August 17, 2017 by Cofense in Phishing

Make your nominations for the 2017 PhishMe® Excellence Awards today! Every day, thousands of companies use PhishMe as a cornerstone of their phishing defense program. The PhishMe Excellence Awards recognize the outstanding achievements of security professionals and organizations with innovative, successful anti-phishing and phishing defense programs to minimize the risk and impacts associated with phishing attacks.


Ransomware: Don’t Make It Too Easy to Hit Your WordPress Site

August 17, 2017 by Aaron Higbee in Internet Security Awareness, Malware Analysis

Ransomware is a business. And like all smart business people, hackers look for efficiencies to increase revenue and lower cost of delivery.


PhishMe Free Launches to Protect SMBs

August 16, 2017 by Cofense in Phishing, Internet Security Awareness

When it comes to cyberattacks, small businesses are big targets. That’s why we recently introduced PhishMe® Free, a no-cost, easy-to-use version of our award-winning anti-phishing simulation solution.


Even the “Smart Ones” Fall for Phishing

August 4, 2017 by Heather McCalley in Phishing, Internet Security Awareness, Malware Analysis

It’s easy to believe that phishing only happens to people who aren’t smart enough to detect it. This simply isn’t true. As the tech-savvy developers at software company a9t9 have indicated in their statement[1] about a phishing incident last week, even smart developers can be fooled with a phish. As reported by Tripwire, a Chrome plugin developer fell for a phishing attack that allowed the threat actor to take control of a9t9’s account in the Chrome Store. This means that the Copyfish plugin built by a9t9 was no longer under its control. Meanwhile, the plugin has already been used to...