Cofense Blog


Who’s Got Access? “Value at Risk” Anti-Phishing

July 23, 2018 by Zach Lewis in Internet Security Awareness

Part 3 of 3: So far, we have looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. We’ve seen how this model can guide your anti-phishing program by focusing on the value of assets you protect. We’ve also examined ways to translate your organization’s data to dollars, which is useful if you’re responsible for data oversight and governance—in other words, it helps to know where data might live and the (estimated) value of digital assets should a breach occur.


A Very Convincing Tax-Rebate Phishing Campaign Is Targeting UK Users

July 19, 2018 by Milo Salvia in Phishing Defense Center

The Cofense™ Phishing Defense Center has observed a convincing new phishing campaign targeting taxpaying UK nationals. The threat actors, posing as Her Majesty’s Revenue and Customs (HMRC), have imitated the Government Gateway tool, which is commonly used by UK citizens to access government services online. The threat actor attempts to convince victims that they are due a tax rebate of £458.21 using the lure below.


This “Man in the Inbox” Phishing Attack Highlights a Concerning Gap in Perimeter Technology Defenses

July 18, 2018 by Nick Guarino in Phishing Defense Center

“Man in the Inbox” phishing attacks come from compromised email accounts. They look like someone from within a business, for example the HR director, sent an email directing employees to do something legitimate—like logging onto a fabricated page to read and agree to a corporate policy. When employees log on, the attackers harvest their credentials. These attacks are yet another example of increasingly sophisticated credential phishing.  


New TrickBot Phishing Lure: Mistake or Experiment?

July 17, 2018 by Darrel Rendell in Threat Intelligence

Cofense Intelligence™ recently identified a TrickBot campaign that was noteworthy not for its exceptional guile or novel technique, but rather for its lack thereof. Absent any images or convincing textual narrative, the campaign lacks all the hallmarks of this TrickBot distribution group’s modus operandi.


Data to Dollars: “Value at Risk” Anti-Phishing Strategies

July 16, 2018 by Zach Lewis in Internet Security Awareness

Part 2 of 3: Last week, we looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. This week let’s do a deep-dive into the “value” aspect of VAR. We’ll ask: do you know where your crown-jewel data is stored and how much it might be worth? Even if the answer is “Not exactly,” an educated guess can help set anti-phishing priorities.


This Amazon Prime Day, Keep Your Network Safe from Phishing

July 12, 2018 by Josh Bartolomie in Internet Security Awareness

Unfortunately, with the world we live in, especially with any type of highly visible promotions or sales, scammers will try to take advantage of the situation. Remember last year’s Amazon Prime Day phishing scam? Consumers around the world received an email promising a $50 bonus for writing a product review, or an email stating there was a problem with their payment method or shipping information. When they clicked on an embedded link, they went to a bogus login page designed to harvest their credentials.


Turning a blind eye: How end-users and NLP AI are being tricked by clever phishing techniques like ZeroFont

July 11, 2018 by Jason Meurer in Malware Analysis

Overview: Recently, an older email security detection bypass method was seen successfully bypassing Microsoft’s spam and phishing filters. This technique makes use of two methods and was dubbed “ZeroFont Phishing” by Avanan. In ZeroFont Phishing, attackers insert random strings within keywords or phrases that many artificially intelligent systems use to identify malicious or suspicious content. When these strings are placed within HTML span tags with the font-size attribute set to zero, they become invisible to the end user but simultaneously appear to neuter the ability of existing Natural Language Processing...


“Value at Risk”: Focus Your Anti-Phishing on the Bottom Line

July 10, 2018 by John Robinson in Internet Security Awareness

Part 1 of 3: Over the past year at Cofense, we’ve introduced and discussed the importance of elevating the visibility of anti-phishing programs to the Board of Directors level. The key measures we presented included a measure of capability we refer to as ‘resilience’ and enumeration of which specific attacks your organization may be facing. As a result, the questions we are now answering for board members globally are – “What phishing threats do you need to be the most concerned with?” “How likely are you to stop those specific attacks in progress?” In the same time frame, the World...


AZORult Malware Finds a New Ride with Recent Stealer Phishing Campaign

July 9, 2018 by Aaron Riley in Threat Intelligence

Cofense Intelligence™ has uncovered a recent AZORult stealer phishing campaign that delivers the malware via malicious attachments. Older versions of AZORult stealer have been delivered via intermediary loaders, typically Seamless or Ramnit malware. In this latest campaign, the attached documents use multiple techniques to download and execute an AZORult sample, indicating a shift by the threat actors behind the campaign to adopt more evasive delivery techniques.


Geodo Malware Targets Patriots with Phishing Attack on Eve of American Independence Day Holiday

July 3, 2018 by Cofense in Threat Intelligence

By Brendan Griffin and Max Gannon. A classic phishing technique involves timing attacks to match major holidays and other global and regional events. One example of this scenario is a phishing attack captured by Cofense Intelligence™ delivering the Geodo botnet malware on July 3, 2018. In this attack the threat actor appeals to the patriotic nature of the Fourth of July holiday and recipients’ sense of patriotism in its content. In these messages, the attacker reminds the recipient of the sacrifices of American service members as part of a narrative designed to entice victims to click on the link in...


Targeting of UK User Financial Accounts Has Surged in Past Two Months

June 19, 2018 by Mollie Holleman in Threat Intelligence

Since this April, Cofense Intelligence™ has observed a sustained increase in the financially motivated targeting of United Kingdom-based users with phishing lures imitating brands like Her Majesty’s Revenue & Customs (HMRC), Lloyds Bank, and HSBC Bank. The most common final payloads delivered by these campaigns are designed to compromise victims’ financial accounts and provide illicit access to financial information. This surge in targeting almost certainly represents a stage in the “whack-a-mole” strategy long employed by threat actors: expand campaigns against a segment of the vast vulnerable attack surface until those users catch on to the threat, then move to the...


More Windows Software Abuse: Microsoft Excel Query Files Used to Deliver Malware

June 13, 2018 by Neera Desai in Malware Analysis

Cofense Intelligence™ recently analyzed a phishing campaign that distributed Microsoft Excel Query files in an infection chain to deliver the AmmyyAdmin remote access trojan (RAT). But analysts noted that this latest campaign bore a striking resemblance to another campaign in March 2018 in which phishing emails were used to distribute .URL internet shortcut files.


CSO Names Cofense Triage to “Best Security Software” List

June 12, 2018 by John Fitzgerald in Cyber Incident Response

Calling it “one of the most advanced defenses against phishing,” CSO has included Cofense Triage™ in its Best Security Software for 2018. Our incident response and phishing defense platform helps to stop attacks in progress and minimize the risk of breach—in minutes, compared to the average detection time of 100+ days.


One IP to Host Them All: Uncovering a Sprawling Crime Ring

June 5, 2018 by Darrel Rendell in Malware Analysis, Threat Intelligence

On Monday May 28, 2018, during routine operations, Cofense Intelligence™ identified traits across several campaigns that indicated they were linked. In fact, this discovery helped to reveal a sprawling criminal enterprise that uses linked infrastructure to host nearly 100 domains, along with corresponding malware campaigns.


Cofense has you covered as Office attachment attacks grow.

June 4, 2018 by Garrett Hess in Internet Security Awareness, Malware Analysis

At Cofense™, we’ve known for some time that phishing attacks using MS Office attachments were a big problem. That’s why our solutions help you combat these attacks in important ways.


We Helped a Customer Block this Open Directory Phishing Attack

June 1, 2018 by Chance Caldwell in Phishing Defense Center

On May 22, 2018, the Cofense Phishing Defense Center observed a Microsoft credential phishing attack that was received by one of our Managed Service customers. The Phishing Defense Center’s goal is to provide our customers all the relevant information on an attack against their employees, within an hour of an email being reported, so customers can take the necessary steps to prevent further attacks. By doing a deep dive investigation into this attack we were able to find multiple other phishing attacks listed on the site, the kits used to create the phishing pages, and several other domains created by...


TrickBot Operators Rapidly Adopt “Plug In” for Delivery, Possibly Following Dreambot’s Lead

May 25, 2018 by Neera Desai in Threat Intelligence

Recently, Cofense Intelligence™ reported on a new mechanism used to distribute Dreambot malware, where a malicious page impersonating Microsoft Office Online entices victims to download the banking trojan. We have noted a similar delivery technique in the distribution of a TrickBot sample where targets are required to download a “plugin” to interact with a PDF, adding to the iteration of purported “plugin” downloads for malware delivery. The detailed campaign leverages social engineering techniques to gain access to victims’ sensitive information and also contains code obfuscation to evade detection by security technologies.


Hackers Analyse Your Capabilities. Use this Matrix to Do the Same

May 16, 2018 by David Mount in Phishing Defense Center

Regular followers of Cofense™ know that phishing threats evolve. For detailed evidence, read the Cofense Malware Review 2018 and see the techniques threat actors employ to keep security teams on their toes.


New Month; New Sigma

May 15, 2018 by Darrel Rendell in Threat Intelligence

Cofense Intelligence has observed several recent Sigma ransomware campaigns that demonstrate either a new iteration or a fork of this malware. Prior to these new campaigns, the actors behind Sigma stuck rigidly to two very distinct phishing narratives, as detailed in Cofense’s recent blog post, and relied on the same infection process. With these newly observed changes, Sigma’s operators have eliminated various infrastructure concerns and improved the UX (User eXperience) of the whole ransom process, representing the first major shifts in Sigma tactics, techniques and procedures (TTPs).


Sigma Operators Craft New Techniques to Deliver Phish to Your Inbox

May 7, 2018 by Darrel Rendell in Threat Intelligence

Cofense Intelligence recently identified a large Sigma ransomware campaign that contained significant deviations from the established TTPs employed by the actors behind this prolific piece of extortionware. These changes improve Sigma’s A/V detection-evasion and demonstrate new social engineering tactics intended to increase the likelihood that a targeted user would open the phishing email and its malicious attachment.


Become the First Security Awareness Professional to be Fully Certified in Phishing Simulation Programs with Cofense

March 29, 2018 by Cofense in Cyber Incident Response, Internet Security Awareness

Want to boost your anti-phishing and your professional creds? Now you can, in just a few hours and on your own schedule. Cofense™ is pleased to announce the Cofense PhishMe™ certification, the industry’s first and only professional certification for phishing simulation programs. It’s your chance to fully master Cofense PhishMe, our award-winning phishing awareness training solution, while becoming a certified expert in phishing simulation programs.


Gamers, beware. You are a target for crypto-mining botnets.

March 26, 2018 by Jitendera Sarda in Internet Security Awareness, Malware Analysis

Many gamers are unaware that they are either potential targets for mining botnets or that they may already be mining cryptocurrencies for cybercriminals. Why are gamers targets? Think about it. Mining requires a large graphics card (GPU), a dedicated Internet connection and an uninterrupted power source. Gamers use powerful and immersive, high-performing GPUs to stay online and play networked games without interruption. It’s the perfect recipe for crypto mining.


By focusing on new hires, this healthcare company lowered its phishing susceptibility.

March 23, 2018 by Zach Lewis in Internet Security Awareness, Phishing Defense Center

A regional healthcare provider started using Cofense PhishMe™ so employees could learn to recognize different types of phishing. At first, the company sent all employees simulated phishes that were tough to recognize. No surprise, susceptibility was high across the business.


The Latest in Software Functionality Abuse: URL Internet Shortcut Files Abused to Deliver Malware

March 22, 2018 by Neera Desai in Internet Security Awareness, Malware Analysis, Threat Intelligence

Adding to a growing trend of phishing attacks wherein Windows and Office functionalities are abused to compromise victim systems, Cofense Intelligence™ has analyzed a recent campaign that uses the URL file type to deliver subsequent malware payloads. This file type is similar to a Windows LNK shortcut file (both file types share the same global object identifier within Windows) and can be used as a shortcut to online locations or network file shares. These files may abuse built-in functionality in Windows to enhance the ability of an attacker to deliver malware to endpoints. By abusing these built-in functionalities, threat actors...


Sigma Ransomware Resurfaces Following a Three-Month Disappearance

March 21, 2018 by Mollie Holleman in Internet Security Awareness, Malware Analysis, Ransomware, Threat Intelligence

Cofense Intelligence™ uncovered a resurgent Sigma ransomware campaign on March 13, 2018 following a noted three-month hiatus of the malware. Although many aspects of this campaign—including its anti-analysis techniques—are consistent with previously analyzed Sigma samples, its return is in and of itself atypical.


New Name, Same People, Stronger Balance Sheet

March 20, 2018 by Rohyt Belani in Cyber Incident Response, Internet Security Awareness, Malware Analysis, Phishing, Phishing Defense Center, Ransomware, Threat Intelligence

Rohyt Belani, CEO & Co-founder, Cofense: So far, it’s been a very exciting 2018 here at Cofense, with our recent acquisition and announcement of our new name and brand. We continued performing well as a company and launching numerous new features across our products.


This financial services company increased phishing reporting to over 50%

March 9, 2018 by Zach Lewis in Internet Security Awareness, Malware Analysis, Phishing Defense Center

To lower phishing susceptibility, a major financial services company introduced Cofense PhishMe™. By sending a strategic combination of simulated phishes, the company conditioned employees to recognize phishing scams.


Top Tips from the IRS for Avoiding Tax-Related Phishing Scams in 2018

March 5, 2018 by Gary Warner in Internet Security Awareness

At the beginning of each calendar year, information security professionals revive the discourse surrounding tax-time phishing scams. Researchers and intelligence analysts here at Cofense™ are no exception.


PhishMe is now Cofense.

February 26, 2018 by Aaron Higbee in Cyber Incident Response, Internet Security Awareness, Malware Analysis, Phishing, Phishing Defense Center, Ransomware, Threat Intelligence

On February 27th 2007, while on the phone with my friend and co-founder Rohyt Belani, I typed the name into GoDaddy™. We couldn’t believe our good luck and immediately registered it. As the co-founder who named this company PhishMe®, the emotional attachment is real. Somewhere in the pile of entrepreneurial startup books, I have a branding book that suggested your name is a vessel that should be big enough to carry your future products and services. We outgrew that boat quite some time ago.


PhishMe is SOC 2 compliant. Here’s how that helps you.

February 9, 2018 by Cofense in Phishing

Information security is important to everyone, in particular organizations that outsource operations to third-party vendors (like SaaS or cloud-computing providers). If data isn’t handled securely, an organization’s risk of exposure to data theft, extortion and malware increases dramatically.