BEC Scams: Hey! I know I’ve never talked to you before – but can you send some money – QUICK!
April 22, 2019 by Tonia Dudley in Phishing
Business Email Compromise (BEC), also known as CEO Fraud, is a type of phishing email designed to impersonate an executive. In a BEC campaign, the “executive” urgently instructs an employee to wire money, sometimes a lot of it, to a bank account. The FBI has reported global BEC losses of $12.5 billion. What makes BEC campaigns different? In a BEC attack, the weapon of choice is simple words. Instead of tricking people into clicking a malicious link or opening an attachment, a BEC attack lures recipients into taking an action themselves. The threat actor will spend time researching...
Flash Update: Emotet Gang Distributes First Japanese Campaign
April 15, 2019 by Cofense in Threat Intelligence
Cofense Intelligence™ has identified yet another change in Emotet’s behavior, this time distributing a campaign targeting Japanese-speaking recipients. The messages, which reference potentially overdue invoices and their payment, deliver a macro-laden document, as per Emotet’s modus operandi. Figure one shows an example email from this campaign. Diversifying their target base is the latest link in an ever-lengthening chain of updates and refinements pushed by the actors behind Emotet. The targets in this campaign include Japanese academic institutions, demonstrating a keen interest on Emotet’s part in securing a presence in such networks worldwide.
Appendix: Subject Lines
特別請求書 (Japanese: “special invoice”)
三月發票 (Traditional Chinese: “March invoice”)
確認して承認してください。 (Japanese: “Please confirm and approve.”)
請查看和 批准。 謝謝。 (Traditional Chinese: “Please review and approve. Thank you.”)
...
When You Unsubscribe to these Emails, You ‘Subscribe’ to the Loda RAT
April 11, 2019 by Max Gannon in Phishing
CISO Summary: It’s critical that anti-phishing programs reflect the latest threats. Cofense Intelligence™ has recently observed a phishing campaign that illustrates why. It entices users to download a malicious document from a seemingly legitimate source, an insurance company whose roots go back to 1896. Through a complex chain of abuse, including the abuse of a legitimate subdomain hosted by Microsoft, this threat can trick users unfamiliar with wrinkles like multiple links to the same source and malicious “unsubscribe” links. If successful, the attack activates the Loda Remote Access Trojan, underscoring the importance of educating users to stop phishing...
Emotet Gang Switches to Highly Customized Templates Utilizing Stolen Email Content from Victims
April 9, 2019 by Cofense in Threat Intelligence
Beginning the morning of April 9th, the Emotet gang began utilizing what appears to be the stolen emails of their victims. It was noted back in October 2018 that a new module had been added that could steal the email content on a victim’s machine. Until now, no evidence of real widespread use had been seen. This marks a major evolution in the way Emotet works.
DMARC Is NOT a Fail-Safe Defense against Phishing Attacks
April 4, 2019 by Cofense in Phishing
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an email authentication, policy and reporting protocol. It was conceived to prevent impersonation-based phishing attacks, but it doesn’t protect you 100%. Let’s examine why. What DMARC Can Do: DMARC builds on the existing and widely deployed SPF and DKIM protocols. Every mechanism that protects the email infrastructure we rely on so heavily should be gratefully received, but as with everything, its benefits and limitations should be fully understood. It is this understanding that allows us to optimize our defenses against the perpetual menace of phishing attacks. DMARC has most promise to help...
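The following is an added example, not code from the Cofense post, showing how a receiving mail server turns SPF and DKIM results into a DMARC verdict. DMARC only asks whether an authenticated identifier (the SPF-checked MailFrom domain or the DKIM d= domain) aligns with the domain in the visible From: header, and then applies the policy that domain publishes. The domains, DMARC records and message results below are constructed for illustration, and the organizational-domain logic is simplified (real implementations consult the Public Suffix List). The point it makes is the one the post is driving at: a direct spoof of a protected domain is rejected, but a lookalike domain the attacker controls authenticates perfectly well, because it really is the From: domain.

```python
from dataclasses import dataclass

# Constructed DMARC records keyed by the domain of the visible From: header.
# Hypothetical domains; in practice these come from a DNS TXT lookup of _dmarc.<domain>.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "examp1e.com": "v=DMARC1; p=none",  # lookalike domain registered by the attacker
}


@dataclass
class AuthResults:
    """Authentication results the receiver already computed for one message."""
    from_domain: str   # domain of the RFC5322.From header, i.e. what the recipient sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # domain SPF was evaluated against (RFC5321.MailFrom)
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the DKIM signature that verified ("" if none)


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplified to the last two labels (assumption: single-label TLDs)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(msg: AuthResults, records=DMARC_RECORDS) -> tuple:
    """Return (dmarc_pass, disposition) for one message."""
    record = records.get(msg.from_domain.lower())
    if record is None:
        return (False, "deliver")  # no policy published: DMARC has nothing to say
    tags = parse_dmarc_record(record)
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return (True, "deliver")
    disposition = {"quarantine": "quarantine", "reject": "reject"}.get(tags.get("p"), "deliver")
    return (False, disposition)


# Constructed scenarios.
# 1. Direct spoof: From: ceo@example.com sent from attacker infrastructure; SPF fails, no DKIM.
DIRECT_SPOOF = AuthResults("example.com", "fail", "example.com", "none", "")
# 2. Lookalike: attacker registers examp1e.com, publishes SPF for it, sends From: ceo@examp1e.com.
LOOKALIKE = AuthResults("examp1e.com", "pass", "examp1e.com", "none", "")
# 3. Free webmail with display name "CEO": the sending domain authenticates, the name is never checked.
FREEMAIL = AuthResults("freemail.example", "pass", "freemail.example", "pass", "freemail.example")

if __name__ == "__main__":
    for label, msg in (("direct spoof", DIRECT_SPOOF), ("lookalike domain", LOOKALIKE), ("freemail + display name", FREEMAIL)):
        print(f"{label:24s} -> {evaluate_dmarc(msg)}")
```

Only the first scenario is stopped by DMARC. The second and third are exactly what a BEC actor sends: nothing in the message is forged at the protocol level, so the decision falls back to the user and to controls that look at display names, lookalike domains and message content rather than authentication headers.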
This ‘Broken’ File Hides Malware Designed to Break Its Targets
April 2, 2019 by Max Gannon in Threat Intelligence
CISO Summary: Cofense Intelligence™ has identified a phishing campaign with a malicious attachment containing a “broken” file that actually works, in all the wrong ways. Under certain conditions, the file weaponizes in the target environment after evading both automated and manual analysis. The “break” is the lack of a file header, engineered to fool analysts into thinking the attachment is harmless, the work of threat actors too clumsy to be taken seriously. The headless file only appears when you open the attachment or use special programs to extract it. The campaign tries to exploit a common problem: information...
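A file with no recognizable header is a reason to look harder, not a reason to close the ticket. The following is an added example, not code from the Cofense post, of a triage check that extracts every member of an archive attachment and compares its leading bytes with the magic number its extension implies. The archive and its contents are constructed in memory for illustration; the magic-number table is a short, well-known subset and not exhaustive. A member that claims to be a document but carries no known header, or whose header belongs to a different type, is flagged rather than dismissed.

```python
import io
import os
import zipfile

# Well-known leading bytes for a few attachment types (illustrative subset, not exhaustive).
MAGIC = {
    ".pdf":  [b"%PDF-"],
    ".doc":  [b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"],  # OLE2 compound file
    ".docx": [b"PK\x03\x04"],                          # ZIP container
    ".exe":  [b"MZ"],
    ".rtf":  [b"{\\rtf"],
}


def identify(data: bytes):
    """Return the extension whose magic matches the leading bytes, or None."""
    for ext, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def header_verdict(name: str, data: bytes) -> str:
    """Compare the claimed type (extension) with what the bytes actually start with."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return "unknown-extension"
    actual = identify(data)
    if actual == ext:
        return "ok"
    if actual is None:
        # The case from the post: a document-looking name with no header at all.
        return "no-recognized-header"
    return f"mismatch:{actual}"


def scan_archive(blob: bytes) -> dict:
    """Return {member_name: verdict} for every file inside a ZIP attachment."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdicts[info.filename] = header_verdict(info.filename, zf.read(info.filename))
    return verdicts


def build_sample_archive() -> bytes:
    """Constructed sample: a PDF-looking file, a 'headless' .doc, and an EXE renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed sample, not a real document\n")
        zf.writestr("statement.doc", b"\x00" * 16 + b"constructed headless payload")
        zf.writestr("receipt.pdf", b"MZ\x90\x00" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in scan_archive(build_sample_archive()).items():
        print(f"{member:16s} {verdict}")
```

In a real pipeline the "no-recognized-header" verdict is the interesting one: it is precisely the condition that makes automated tools shrug and analysts assume a botched attachment, so it should route the sample to detonation or manual review rather than to the benign pile.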
Uncomfortable Truth #5 about Phishing Defense
March 27, 2019 by Cofense in Phishing
Last in a 5-part series. In this blog series we’ve explored the Uncomfortable Truths about phishing defense that relate to the problem of over-relying on technology to keep us safe. We’ve also seen how empowered users can give Security Operations teams desperately needed visibility into phishing threats. This leads us to our fifth and final Uncomfortable Truth: Most organizations are unable to effectively respond to phishing attacks. Before you get offended and say “Hey, that doesn’t apply to me, our SOC is awesome,” stick with me on this. The reasons for ineffective phishing incident response are many and varied, but...
Emotet Update: New C2 Communication Followed by New Infection Chain
March 26, 2019 by Cofense in Threat Intelligence
CISO Summary: On March 15, Cofense™ Research reported that the Emotet botnet is changing the way it communicates, in a likely attempt to evade malware detection. Since then, Cofense Intelligence™ has seen the same trend: Geodo-Emotet no longer relies on cookies to make certain requests, instead performing HTTP POSTs to what appears to be the C2. Baking requests into cookies is a time-honored and easily detected pattern of behavior; switching it up makes it harder to see when the malware is calling home. Moreover, Geodo-Emotet is now using a new infection chain, utilizing JavaScript files as droppers instead of macro-packed Office...
This Phishing Campaign Spoofed a CDC Warning to Deliver the Latest GandCrab Ransomware
March 20, 2019 by Cofense in Threat Intelligence
CISO Summary: Cofense Intelligence™ reports that threat actors have spoofed a CDC email, this one warning of a flu epidemic, to deliver an updated variant of GandCrab ransomware. Besides competing for a new low in predatory cyber-crime, the phishing campaign follows the public release of a decryptor tool for infections by recent GandCrab versions, through version 5.1. The fake CDC email delivered version 5.2, which renders the decryptor tool ineffective. Though ransomware has dropped off over the past year, the authors of GandCrab are still pushing out frequent, powerful updates. GandCrab is the last of the infamous “ransomware as a service” threats....