Cofense Blog


Bah HumBUG: 5 Recent Holiday Phishing Samples You Need to Watch Out For

November 21, 2018 by Aaron Riley in Threat Intelligence

Along with more online shopping, correspondence, and travel, the holiday season sees an increase in phishing operators eager to capitalize on a more-active attack surface. With Thanksgiving tomorrow, Cofense Intelligence and the Cofense Phishing Defense Center have seen a bombardment of Thanksgiving-themed phishing lures this week. Threat actors use this inundation of emails to their advantage—hoping to trick anyone looking for a good deal or eager to partake in the season’s merriment.


Major US Financial Institutions Imitated in Advanced Geodo/Emotet Phishing Lures that Appear More Authentic by Containing ProofPoint URL Wrapped Links

November 19, 2018 by Cofense in Phishing, Threat Intelligence

By Darrel Rendell, Mollie MacDougall, and Max Gannon

Cofense Intelligence™ has observed Geodo (also known as Emotet) malware campaigns that are effectively spoofing major US financial institutions, in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service. To the casual observer this adds an air of legitimacy, which is designed to increase the chances of malware infection. Figures 1 and 2 provide examples of the template and URL wrapping. Cofense Intelligence assesses that the improved phishing templates, which spoof US financial institutions so effectively, are likely based upon data pilfered with a recently updated scraper module. Figure 1:...


Phishing Emails with .COM Extensions Are Hitting Finance Departments

November 15, 2018 by Aaron Riley in Threat Intelligence

Cofense Intelligence™ has seen a substantial uptick in the use of .com extensions in phishing emails that target financial service departments. In October alone, Cofense Intelligence analyzed 132 unique samples with the .com extension, compared to only 34 samples analyzed in the nine preceding months combined. Four different malware families were utilized. The .com file extension is used for text files with executable byte code. Both DOS (Disk Operating System) and Microsoft NT kernel-based operating systems allow execution of .com files for backwards compatibility reasons. The .com style byte code is the same across all PE32 binaries (.exe, .dll, .scr, etc.)...


They stopped a phishing attack in 10 minutes. It used to take days.

November 7, 2018 by John Fitzgerald in Cyber Incident Response

Don’t you love a feel-good story? Me too. Especially in an industry where the headlines tend to be scary. Recently, a Cofense™ customer—a large financial services company—stopped a phishing attack in 10 minutes using Cofense Triage™. That’s a very cool story, but as they say, wait, there’s more.


October may be over – but phishing attacks never stop. Here’s how to make security awareness successful all year round.

November 1, 2018 by Tonia Dudley in Internet Security Awareness

Part 4 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 3 here.

As October comes to a close, so too does National Cybersecurity Awareness Month. But not so fast – security awareness isn’t just about October. It’s all year long, it never stops, and it’s ever evolving. I developed this four-part blog series during National Cybersecurity Awareness Month to provide key industry insights and proven methodologies for building and enhancing your security awareness program. We started in week 1 with building a program strategy, followed up by discussing program content in week 2....


Re: The Zombie Phish

October 31, 2018 by Cofense in Malware Analysis, Phishing Defense Center, Threat Intelligence

By: Lucas Ashbaugh, Nick Guarino, Max Gannon

Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off: the topic of the email is months out of date, and now there is a weird error message. This is a devious tactic, reviving an email conversation long dead – it’s the Zombie Phish.

Not Your Average Phish

The Cofense™ Phishing...


“Brazilian Election” Themed Phish Target Users with South American-Targeted Malware, Astaroth Trojan

October 31, 2018 by Max Gannon in Malware Analysis, Threat Intelligence

Threat actors attempted to leverage the current Brazilian presidential election to distribute the Astaroth WMIC Trojan to Brazilian victims. The emails had a subject line related to an alleged scandal involving Brazilian then-presidential candidate Jair Bolsonaro. Some campaigns impersonated a well-known Brazilian research and statistics company. Multiple delivery methods and geolocation techniques were used to target Brazilian users, who were encouraged to interact with the attached and downloaded archives containing .lnk files. These files downloaded the first stage of the Astaroth WMIC Trojan, previously spotted this year by the Cofense™ Phishing Defense Center and known to target South American users.


Threat Actors Seek Your Credentials Before You Even Reach the URL

October 30, 2018 by Neera Desai in Threat Intelligence

Cofense Intelligence™ has observed a phishing technique that takes a unique approach to illicitly obtaining a target’s sensitive information. In a recent campaign, threat actors harvested victims’ credentials through a PDF window prompt rather than via a webpage—the more traditional credential phishing technique. Cofense Intelligence obtained a phishing email that purports to inform the recipient of an Amazon.de bill of sale. The German-language email lure claims to deliver a tax invoice and requests that the recipient view the attached PDF. The PDF, also presented in German, specifies that the document cannot be opened in a browser and must be opened...


Where Do Security Awareness Programs Belong on the Org Chart?

October 25, 2018 by Tonia Dudley in Internet Security Awareness

Part 3 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 2 here. For this blog series on building a security awareness program, we started in week 1 with how to build a strategy. Last week we discussed how to select and use content in your overall program and specifically your phishing program. This week we’ll focus on program alignment – in other words, where does the security awareness role report within an organization?


H-Worm and jRAT Malware: Two RATs are Better than One

October 23, 2018 by Neera Desai in Malware Analysis, Threat Intelligence

When threat actors bundle two or more malware families in one campaign, they gain broader capabilities. Cofense Intelligence™ recently analyzed a phishing campaign delivering both jRAT and H-Worm remote access trojans. jRAT, aka the Java Remote Access Trojan, has the primary role of remotely controlling a victim’s machine. H-Worm, also known as Houdini Worm, operates as a remote access trojan but has worm-like capabilities, such as propagating itself via removable devices like USB drives. Using a generic phishing lure pertaining to an invoice, the email below contains two attached .zip archives: one with a VBScript application and the other a...


A Staggering Amount of Stolen Data is Heading to Zoho Domains

October 2, 2018 by Darrel Rendell in Malware Analysis

After last month’s brief domain suspension of Zoho—which resulted from an insufficient response to reported phishing abuse—Cofense Intelligence™ has uncovered Zoho’s connection to an extremely high number of keylogger phishing campaigns designed to harvest data from infected machines. Of all keyloggers analysed by Cofense, 40% used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.


How to Orchestrate a Smarter Phishing Response

October 1, 2018 by John Fitzgerald in Cyber Incident Response

We’ve been talking a lot recently about phishing-specific SOAR (Security Orchestration, Automation and Response). It’s a capability Cofense™ has pioneered to help you mitigate phishing emails faster and more efficiently. Recently, we examined automation, the ‘A’ in the acronym. Now let’s take a deeper look at the ‘O,’ orchestration.

Involve the Right Teams Faster with Cofense Triage™

Like a symphony conductor waving a wand, your phishing response needs to engage the right teams at the right time. To make that happen, Cofense Triage™ starts by reducing noise with an advanced spam engine, removing benign emails your employees have reported and...


Potential Misuse of Legitimate Websites to Avoid Malware Detection

September 28, 2018 by Max Gannon in Threat Intelligence

Sometimes, common malware will attempt to gather information about its environment, such as public IP address, language, and location. System queries and identifier websites like whatismyipaddress.com are often used for these purposes, but are easily identified by modern network monitors and antivirus. It’s important to know, however, that everyday interactions with legitimate websites provide much of the same information and are not monitored because the interactions are legitimate. In other words, threat actors can bypass automated defenses by abusing legitimate websites that often cannot be blocked for business purposes. First, cookies—easily accessible records of a user’s interactions with a webpage—are...


Beware of payroll-themed phishing. Here’s one example.

September 26, 2018 by Neera Desai in Threat Intelligence

Last week, the Internet Crime Complaint Center (IC3) published a public service announcement on cybercriminals disseminating payroll-themed phishing emails. These phishing emails, often imitating financial organizations, contain alluring content such as an enticing subject line or use social engineering techniques to convince targets that the email is from a legitimate source. Cofense Intelligence™ has observed payroll-themed phishing lures requesting targets to view an embedded link or download an attached file. The emails typically deliver credential phishing links or malware that is tasked with stealing the target’s financial and personal credentials. Recently, Cofense Intelligence analyzed a payroll-themed phish distributing the TrickBot...


Staying King Krab: GandCrab Malware Keeps a Step Ahead of Network Defenses

September 21, 2018 by Aaron Riley in Malware Analysis

GandCrab ransomware is being rapidly developed to evade the cyber security community’s defense efforts, aid proliferation, and secure revenue for those driving the malware. Cofense Intelligence™ has identified a new campaign that is delivering GandCrab version 4.4, the newest iteration of this prolific ransomware. The developers of GandCrab are aware of the research analysis done on its past versions, and release new versions rapidly to negate those solutions. These malicious developers also release versions in direct correlation with specific security companies’ findings. In the last two months, the authors of GandCrab have released version 4, and subsequent 4.x releases...


Microsoft Office Macros: Still Your Leader in Malware Delivery

September 13, 2018 by Aaron Riley in Malware Analysis

In the last month, Microsoft Office documents laden with malicious macros have remained the malware loader du jour. Cofense Intelligence™ has found they account for 45% of all delivery mechanisms analyzed.


We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan

September 10, 2018 by Cofense in Phishing Defense Center

By Jerome Doaty and Garrett Primm

The Cofense™ Phishing Defense Center (PDC) has recently defended against a resurgence of Astaroth, with dozens of hits across our customer base in the last week. In just one week, an estimated 8,000 machines have been potentially compromised.


Summer Reruns: Threat Actors Are Sticking with Malware that Works

September 5, 2018 by Neera Desai in Malware Analysis

Let’s take a look back at this summer’s malware trends as observed by Cofense Intelligence™. Summer 2018 has been marked by extremely inconsistent delivery of TrickBot and Geodo, though volumes of lower-impact malware families like Pony and Loki Bot remained consistently high. What’s more, improvements to the delivery and behavior of Geodo and TrickBot accompanied the resurgence of two updated malware families—Hermes ransomware and AZORult stealer—reaffirming a preference by threat actors to update previous tools instead of developing new malware. Because threat actors will continue to improve their software to ensure a successful infection, it’s important to understand these...


Recent Geodo Malware Campaigns Feature Heavily Obfuscated Macros

August 30, 2018 by Darrel Rendell in Malware Analysis

Part 3 of 3

As we mentioned in our previous overview of Geodo, the documents used to deliver Geodo are all quite similar. Each document comes weaponised with a hostile macro. The macros are always heavily obfuscated, with junk functions and string substitutions prevalent throughout the code. The obfuscation uses three languages or dialects as part of the obfuscation process: Visual Basic, PowerShell, and Batch.


Twin Trouble: Geodo Malware URL-Based Campaigns Use Two URL Classes

August 29, 2018 by Darrel Rendell in Malware Analysis

Part 2 of 3

As discussed in our prior blog post, URL-based campaigns – that is, campaigns that deliver messages which contain URLs to download weaponised Office documents – are by far the most prevalent payload mechanism employed by Geodo. Indeed, analysis of ~612K messages shows just 7300 have attachments; a trifling 1.2% of the total. Cofense Intelligence™ analysed a corpus of 90,000 URLs and identified 165 unique URL paths. The structure of these URLs falls into two distinct classes. A detailed breakdown of these URL structures follows.


Data to Dollars: “Value at Risk” Anti-Phishing Strategies

July 16, 2018 by Zach Lewis in Internet Security Awareness

Part 2 of 3

Last week, we looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. This week let’s do a deep-dive into the “value” aspect of VAR. We’ll ask: do you know where your crown-jewel data is stored and how much it might be worth? Even if the answer is “Not exactly,” an educated guess can help set anti-phishing priorities.


This Amazon Prime Day, Keep Your Network Safe from Phishing

July 12, 2018 by Josh Bartolomie in Internet Security Awareness

Unfortunately, in the world we live in, scammers will try to take advantage of any highly visible promotion or sale. Remember last year’s Amazon Prime Day phishing scam? Consumers around the world received an email promising a $50 bonus for writing a product review, or an email stating there was a problem with their payment method or shipping information. When they clicked on an embedded link, they went to a bogus login page designed to harvest their credentials.


“Value at Risk”: Focus Your Anti-Phishing on the Bottom Line

July 10, 2018 by John Robinson in Internet Security Awareness

Part 1 of 3

Over the past year at Cofense, we’ve introduced and discussed the importance of elevating the visibility of anti-phishing programs to the Board of Directors level. The key measures we presented included a measure of capability we refer to as ‘resilience’ and enumeration of which specific attacks your organization may be facing. As a result, the questions we are now answering for board members globally are: “What phishing threats do you need to be the most concerned with?” and “How likely are you to stop those specific attacks in progress?” In the same time frame, the World...


Cofense Phishing Awareness: The Innovations Continue

June 26, 2018 by Garrett Hess in Internet Security Awareness

Every week you read about a new phishing-inflicted breach. Despite heavy spending on perimeter security, malicious emails still get through. Here’s something that can help and, best of all, costs nothing. It’s the latest in a blitz of Cofense phishing awareness innovations.


Phishing Defense: Let’s Get Personal

June 20, 2018 by Dan Marshall in Internet Security Awareness, Phishing

We all know phish aren’t just sent to corporate email accounts, yet this is what we hear about most often in the news. The reason, at least in part, is because headlines highlighting millions of dollars lost or millions of accounts compromised make for better news than “Man Has Personal Savings Account Drained After Clicking Malicious Link.”


Cofense has you covered as Office attachment attacks grow.

June 4, 2018 by Garrett Hess in Internet Security Awareness, Malware Analysis

At Cofense™, we’ve known for some time that phishing attacks using MS Office attachments were a big problem. That’s why our solutions help you combat these attacks in important ways.


Managed Service Gives SMBs More Security without the Headcount

May 17, 2018 by Zach Lewis in Internet Security Awareness

If you do a Google search on “SMBs and cyber-security,” one best practice is hard to miss. The experts say it’s smart to give employees security training. All employees, not just the cyber-warriors in IT. Another good idea: outsource your training. Let specialists spare you the cost of creating a security awareness program. Better security without more headcount—it’s why so many SMBs trust Cofense PhishMe™ Managed Service.


Prevent Your Social Media Users from Arming Phishing Attackers

May 8, 2018 by Zach Lewis in Phishing

An employee goes on Facebook and makes a snarky comment about his boss. Or posts a picture of a co-worker that includes a confidential document open on her laptop. Or simply mentions your company name when sharing something online. All of these are examples of potential trouble.


That email from HR? RSA attendees say you’d better check twice for phishing.

May 3, 2018 by Cofense in Phishing

When the security world gathered at RSA 2018, Cofense™ surveyed attendees about phishing attacks and defenses. The #1 phishing concern? Malicious emails that appear to be internal communications, from your boss, HR, or the help desk, making them extra-hard to resist.


Russian “Troldesh” AKA Encoder.858 or Shade is back!

April 27, 2018 by Dilen Thakuri in Cyber Incident Response, Internet Security Awareness, Malware Analysis, Phishing Defense Center

On the 19th of April, the Cofense Phishing Defense Center received an email crafted to appear to be from “Sberbank Russia.” In fact, it was a phishing email containing the Troldesh malware, a variant of Russian ransomware first seen in mid-2015. The PDC hadn’t seen this variant for quite some time.
