About Cofense
About Cofense
FAQs for PhishMe Submerge
Registration & Event Information How do I register? Please use the…
Learn More

Cofense Blog


Here’s How to Make Every Month Security Awareness Month

November 2, 2017 by Cofense in Internet Security Awareness

It’s fitting that National Security Awareness Month ends on Halloween. It’s the time to contemplate scary things, whether ghouls, men in lederhosen stumbling about with steins or the real deal, phishing emails loaded with ransomware.


Viewing Phish with a Payload using PhishMe Intelligence and Maltego

November 2, 2017 by Cofense in Cyber Incident ResponseThreat Intelligence

BY MIKE SAURBAUGH AND GEOFF SINGER Visualize Phishing Relationships with PhishMe Intelligence™ and Maltego Fishing (without the “P”) is not a lot of fun when you just drop a line in the water and hope for the best. When fishermen want to see where the fish are, they look to the fish finder on the bridge to “look underwater” to find schools of fish. Similarly, when an analyst is looking to “catch” a phishing campaign, correlating the attacker’s campaigns and their payloads can benefit by being able to visually graph and link phishing threats. PhishMe Intelligence combined with Maltego can...


Don’t Go In the Attachment: 5 Security Reminders in Honor of Halloween

October 31, 2017 by Cofense in Internet Security AwarenessMalware Analysis

Do we really need another Halloween-themed security blog? Yep. We do. Not because our edgiest holiday triggers more cyber threats. No, Halloween season is scary because it’s been absorbed by the winter holidays—the spendiest, cyber-riskiest time on the retail calendar, beginning in mid-September and lasting until…it ends, right?


Oh Behave! – Simulation Analysis

October 30, 2017 by Cofense in Cyber Incident ResponseInternet Security AwarenessPhishing

When considering your organization’s response to a simulated phish, it is critical to understand that we are emulating / practicing for real life events with the purpose of conditioning appropriate response patterns in our user base. 


PhishMe Named a Consecutive Leader in the 2017 Gartner Magic Quadrant

October 27, 2017 by Cofense in Cyber Incident ResponseInternet Security AwarenessMalware AnalysisPhishing

PhishMe has been named a consecutive leader in Gartner’s 2017 Security Awareness Computer-Based Training Magic Quadrant. It’s the second year we’ve been recognized as a leader and positioned highest in “ability to execute.”


Sage Ransomware Distinguishes Itself with Engaging User Interface and Easy Payment Process

October 26, 2017 by Cofense in Internet Security AwarenessMalware AnalysisPhishing

In early 2017, the Sage ransomware distinguished itself with a fresh take on the business model for criminal ransomware operations. Built with an engaging, intuitive user interface for requesting the ransom payment, it also reinforced the fact criminals are willing to invest in developing new versions of established ransomware tools.  Sage has reasserted itself as a relevant player on the already-saturated ransomware threat landscape with version 2.2.


Fake Swiss Tax Administration Office Emails Deliver Retefe Banking Trojan

October 25, 2017 by Marcel Feller in Malware AnalysisPhishingPhishing Defense Center

PhishMe®’s Phishing Defence Centre has observed multiple emails with a subject line that includes a reference to tax declarations in Switzerland (Original subject in German: “Fragen zu der Einkommensteuerklaerung”) as shown in Figure 1. The sender pretends to be a tax officer working for the tax administration (Eidgenoessische Steuerverwaltung ESTV) and is asking the victim to open the attached file to answer questions about the tax declaration.


Social Media: It’s Time to <3 Security Awareness

October 24, 2017 by Cofense in Cyber Incident ResponseInternet Security AwarenessPhishing

Part 4 in a weekly blog series, “How Attackers Target Trust,” running during October, National Cyber Security Awareness Month and European Cyber Security Month. Over the past decade, mobile phones and social media have become essential to how we ingest news and communicate friends and families.


Beware: These Scams Turn Open Enrollment into Open Season for Phishing

October 24, 2017 by Heather McCalley in Internet Security AwarenessMalware AnalysisPhishing

Last fall, PhishMe® warned you about scams that use phishing to steal your health savings account (HSA) details during open enrollment periods. This year we are seeing a variety of phishing scams that can take advantage of your year-end diligence in managing personal and corporate assets.


New Strain of Locky with a “Deadly” Twist

October 19, 2017 by Cofense in Cyber Incident ResponseMalware AnalysisPhishing Defense Center

With it being flu season, no one wants to hear that a new strain of the flu has been discovered. Just as network defenders will not be excited that Locky ransomware has evolved yet again. This time however, threat actors decided to add a darker theme to code.  


VIDEO UPDATE: Wire Fraud Phisher attempts to phish PhishMe, instead gets phished by PhishMe

September 17, 2015 by Aaron Higbee in Phishing

(VIDEO UPDATE LINK: Defending Against Phishing Attacks: Case Studies and Human Defenses by Jim Hansen • A human centric method of defense • Attack case studies & attacker technique analysis • Proactive simulation methods: educating workforces & detecting / thwarting attacks)  (^ say that title ten time fast) Every year PhishMe Simulator sends millions of phishing emails to its 500+ enterprise customers’ employees worldwide. PhishMe is hands down the most robust and sophisticated phishing platform in existence. To say that we are a little obsessive about Phishing is a bit of an understatement. In fact, we are sitting on innovations in phishing that...


Using Yara to Break CryptoWall Phishing

September 15, 2015 by Cofense in Phishing

Over two months ago, we wrote about phishing emails that contained zip files containing html downloaders to versions of CryptoWall. Fast forward to now, and we’re still seeing the same phishing story, but different attachments. Here’s a screenshot:


A Peek Inside an Affiliate’s Malspam Operation: Kovter and Miuref/Boaxxe Infections

September 11, 2015 by Cofense in Phishing

In March of this year, reports of malspam campaigns utilizing an email attached “.doc.js” files, which tied back to the Kovter and Boaxxe clickfraud trojans. The analysis of these malware families have already been well documented here and here. Therefore, this post will concentrate on the botnet behind the malspam delivery and subsequent download for these recent malspam campaigns. It is believed that the miscreants behind the development of these trojans use an affiliate model to have their malicious wares infect victims via botnet or exploit kit operators.


Yara CTF – The Answers

September 3, 2015 by Cofense in Internet Security Awareness

Hello everyone, and thank you for coming to check out the Yara CTF answers! We had a TON of folks who were interested in the challenge, many submitted answers, and many folks enjoyed the challenges. Some of the best feedback we received was “This was the shortest plane ride over to Vegas. Thanks, PhishMe!”


Yara CTF, Blackhat 2015

August 4, 2015 by Cofense in Phishing

Welcome and good luck on the CTF! Password: “Go forth and hack!!##one1”, no quotes. PM_Yara_CTF_2015 One of the challenges is to write an exploit, so please exercise responsible disclosure on this one! We will be working with the developers to get the code patched ASAP! Please note: Challenge #4 contains a typo, it needs a Yara rule, not a key. Sorry for the error. Deadline for submissions: We will close the contest at 8 AM (PDT) on Thursday, August 6.


The Danger of Sensationalizing Phishing Statistics

August 3, 2015 by Rohyt Belani in Phishing

People are often curious about what percentage of users will fall for a phishing attack, and it’s tempting to try to create this kind of statistic. At PhishMe, we’ve found that trying to assign a blanket statistic is counterproductive – however this hasn’t stopped others in the industry from trying to do so. The most recent company to try is Intel Security (formerly McAfee), which declared that 97% of people globally were unable to correctly identify phishing emails. While this statistic certainly makes for a nice headline, it is broad-based and flawed in a number of ways.


These Are Not The (CryptoLocker) Resumes You’re Looking For

July 8, 2015 by Cofense in Internet Security AwarenessThreat Intelligence

For a long time, attackers have used .zip files in order to carry their bad stuff to organizations. Typically attackers include the malware in an .exe or screensaver file in the .zip , but we’ve noticed attackers trying to tell a different story in a recent wave of attacks.  Here’s a screenshot of one of the emails: Once opened, the user is prompted to download a .zip file. We can see this in the iframe of the html file inside, as well as the .zip file that is downloaded.


DNS Abuse by Cybercriminals – RATs, Phish, and ChickenKillers

June 15, 2015 by Cofense in PhishingThreat Intelligence

This week in our malware intelligence meeting, our analysts brought up DNS abuse by cybercriminals. Two malware samples were seen this week which had the domain “” in their infrastructure. I thought this sounded familiar, but my first guess was wrong.  Chupacabra means “goat sucker” not “chicken killer”.  So, we did a search in the PhishMe Intelligence database and were surprised to see not only that “” was used in two different malware samples in the past week, but that there were also more than sixty phishing sites that linked to that domain! What we’re seeing here is a combination...


Dyre Configuration Dumper

June 11, 2015 by Cofense in Internet Security Awareness

It’s been over a year since Dyre first appeared, and with a rise of infections in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick python script that folks can use for dumping the configurations for Dyre.


Forget About IOCs… Start Thinking About IOPs!

June 9, 2015 by Aaron Higbee in Internet Security Awareness

For those who may have lost track of time, it’s 2015, and phishing is still a thing. Hackers are breaking into networks, stealing millions of dollars, and the current state of the Internet is pretty grim. We are surrounded with large-scale attacks, and as incident responders, we are often overwhelmed, which creates the perception that the attackers are one step ahead of us. This is how most folks see the attackers, as being a super villain who only knows evil, breathes evil, and only does new evil things to trump the last evil thing. This perception leads to us receiving...