This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials
August 7, 2019 by Cofense in PhishingBy Tej Tulachan The Cofense Phishing Defense CenterTM has observed a new wave of phishing attacks masquerading as an email from DocuSign to target the credentials of all major email providers. DocuSign is an electronic signature technology that facilitates exchanges of contracts, tax documents, and legal materials. Threat actors utilize this legitimate application to bypass the email gateway and entice users into handing out their credentials. Here’s how it works. Email Body At first glance, the email body looks well-presented with the correct DocuSign logo and its content. However, there is something suspicious within the first line of the message—the...
Cofense Labs Shares Research on Massive Sextortion Campaign
August 2, 2019 by David Mount in Threat IntelligenceAre you one in two hundred (or so) million? Today, CofenseTM announced the launch of Cofense Labs. Our experts are sharing the details of some deep research into the inner workings of a large-scale sextortion campaign that to date has over 200m recipients in its sights – and you might be one of them. What’s Sextortion? You may be lucky enough to have not encountered the threatening narrative of a sextortion email. If so, the threat actor’s M.O. is typically this: Send an email in which they claim to have installed malware on your system and have a record of...
Threat Actors Subscribe To Patches
July 29, 2019 by Max Gannon in PhishingThreat IntelligenceCofense IntelligenceTM has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld....
Cofense Vision UI: Quarantine Phish Faster, Without Disrupting the Mail Team
July 25, 2019 by Cofense in Cyber Incident ResponsePhishingBy Karen Kokiko The holy grail of phishing defense is now within your grasp. Cofense VisionTM now comes with a user interface that lets you quarantine phishing emails with a single click—without disrupting the mail team and slowing down your response. Let’s stop and let that sink in. You can quarantine phish right from your desktop, without asking the busy mail team to stop and perform a search. There’s no more waiting while an active phish does the backstroke in your inboxes. Faster, more precise phishing response is here. Fast and Flexible Searching Traditional email search and quarantine tools are...
Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways
July 23, 2019 by Cofense in Cyber Incident ResponsePhishing Defense CenterBy Jake Longden The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work. Email Body: The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them. The attackers utilise what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel...
Ransomware: A Mid-Year Summary
July 22, 2019 by Cofense in RansomwareThreat IntelligenceBy Alan Rainer Recently, ransomware has given off the appearance of widespread destruction and rampant use. 2019 alone has seen headlines such as “Florida City Agrees to Pay Hackers $600,000” and “Baltimore City Operations Impaired by Cyber Criminals.” Yet, despite the resurgence of large-impact headlines, phishing campaigns have delivered less ransomware overall since 2016, per Cofense analytics. The decline in Ransomware-as-a-Service (RaaS) operations demonstrates an impact on threat actor ransomware activity. Attackers find that emerging protection technology, improved law enforcement tracking of cryptocurrency payments, systems patching, and costly infrastructure upkeep all pose a deterrent to broad-spectrum targeting. Ransomware Is Down...
This Phishing Attacker Takes American Express—and Victims’ Credentials
July 16, 2019 by Milo Salvia in Internet Security AwarenessPhishing Defense CenterRecently, the CofenseTM Phishing Defense CenterTM observed a phishing attack against American Express customers, both merchant and corporate card holders. Seeking to harvest account credentials, the phishing emails use a relatively new exploit to bypass conventional email gateway URL filtering services.
UK Banking Phish Targets 2-Factor Information
July 10, 2019 by Milo Salvia in Phishing Defense CenterRecently, the Cofense Phishing Defense Center observed a wave of phishing attacks targeting TSB banking customers in the UK. We found these consumer-oriented phishing emails in corporate environments, after the malicious messages made it past perimeter defenses. The convincing emails aimed to harvest an unsuspecting victim’s email, password, mobile numbers, and the “memorable information” used in two-factor authentication. If someone were to bite on the phish, they would be open to follow-up phone scams or the complete takeover of their bank account and credit cards. Most UK banks implement two-factor authentication. They require users to set a standard password and...
Double Duty: Dridex Banking Malware Delivered with RMS RAT
July 8, 2019 by Max Gannon in Threat IntelligenceCofense IntelligenceTM analyzes millions of emails and malware samples each day to alert organizations to emerging phishing threats. Thanks to our expansive view of the threat landscape, we recently were able to discover and investigate a campaign impersonating eFax that appeared to have an attached Microsoft Word document. The attachment was a .zip archive which contained a .xls Microsoft Excel spreadsheet. This spreadsheet included an Office macro which, when enabled, was used to download and execute two malicious executables: samples of Dridex and Remote Manipulator System Remote Access Tool (RMS RAT). What’s notable: By delivering a banking trojan and a...
Under the Radar – Phishing Using QR Codes to Evade URL Analysis
June 28, 2019 by Nick Guarino in PhishingPhishing Defense CenterPhishing attacks evolve over time, and attacker frustration with technical controls is a key driver in the evolution of phishing tactics. In today’s modern enterprise, it’s not uncommon for our emails to run the gauntlet of security products that wrap or scan embedded URLs with the hope of finding that malicious link. Products like Proofpoint URL Defense, Microsoft Safe Links, and Mimecast URL Protect hope to prevent phishing attacks by wrapping or analyzing URLs. These technologies can only be effective IF they can find the URLs in the first place. Fast forward to this week where our Phishing Defense Center™...