Products
Products
Awareness
Detection
Response
Intelligence
About Cofense
About Cofense
Leadership
FAQs for PhishMe Submerge
Registration & Event Information How do I register? Please use the…
Learn More
FAQs for PhishMe Submerge
Registration & Event Information How do I register? Please use the…
Learn More
Free Tools
Free Tools
Create Transparency
Speed Response
Resources
Resources

Cofense Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

This ‘Voice Mail’ Is a Phish—and an Email Gateway Fail

June 11, 2019 by Cofense in Phishing Defense Center

By Milo Salvia and Kamlesh Patel The Cofense Phishing Defense CenterTM has observed a phishing campaign that masquerades as a voicemail message from a well-known company. The goal is to steal your domain credentials by mimicking the Outlook Web App (OWA).  Email Body:  The message body is designed to mimic your typical VOIP “missed call” message delivered via email when a user misses a call. A simple HTML box appears with a blue hyperlink, Play Voice. One would assume it was meant to say Play Message or Play Voice Message. This could indicate that English is not the threat actor’s first language...

READ MORE

Cofense Report: 90% of Verified Phish Found in Environments Using Email Gateways

June 10, 2019 by Cofense in Cyber Incident Response

By Kaustubh Jagtap Our recently released 2019 Phishing Threat and Malware Review highlights how perimeter protection technologies can’t stop all advanced phishing threats. Email gateways are a critical first line of defense, but as attackers have continued to innovate gateways haven’t kept up.  The CofenseTM report also underscores the importance of human intelligence to identify these advanced attacks once they make it past gateways. Trained users can effectively detect and report advanced phishing to allow SOC teams to accelerate incident response. Credential Phish Are the Most Common Threat 90% of verified phishing emails were found in environments using email gateways....

READ MORE

Using Windows 10? It’s Becoming a Phishing Target

June 5, 2019 by Max Gannon in Threat Intelligence

CISO Summary Cofense IntelligenceTM has recently seen a complex phishing campaign that delivers a simple payload, FormGrabber keylogger malware. The targets are Windows 10 operating systems running Windows Anti-malware Scan Interface (AMSI). The phishing emails deliver a Microsoft Excel Worksheet containing a MS Word macro that initiates infection. What’s notable: threat actors are hitting Windows 10 instead of Windows 7, a more common target. Expect to see greater abuse heaped on the newer version as more businesses adopt it. No one aspect of this campaign is novel, but the attackers easily assembled a complex infection chain using multiple obfuscation and...

READ MORE

The Zombie Phish Is Back with a Vengeance

June 4, 2019 by Milo Salvia in Phishing Defense Center

Keep a close on your inboxes—the Zombie Phish is back and it’s hitting hard. Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie hoard.

READ MORE

New Phishing Attacks Use PDF Docs to Slither Past the Gateway

May 30, 2019 by Cofense in Cyber Incident Response

By Deron Dasilva and Milo Salvia Last week, the CofenseTM Phishing Defense CenterTM saw a new barrage of phishing attacks hiding in legitimate PDF documents, a ruse to bypass the email gateway and reach a victim’s mailbox. The attacks masquerade as a trusted entity, duping victims into opening what appears to be a trusted link, which in turn leads to a fake Microsoft login page. Once there, victims are tricked into providing their corporate login credentials.

READ MORE

Patch or Pass? CVE-2017-11882 Is a Security Conundrum

May 29, 2019 by Max Gannon in Threat Intelligence

CISO Summary Since the latter part of 2018, threat actors have increasingly exploited two Microsoft vulnerabilities: CVE-2017-11882 and CVE-2018-0802. The first of these is especially popular. Cofense IntelligenceTM has seen it surge ahead of Microsoft macros as a favorite malware delivery method. CVE-2017-11882 is an older vulnerability that in fact has a patch. However, it presents a conundrum for security teams that haven’t addressed the problem. They can choose to skip the patching, live with the risks, and keep on using the legacy program. Or they can update, patch, and lose the application entirely to gain much better security. In...

READ MORE

Got a Blockchain Wallet? Be Alert for These Phishing Emails

May 22, 2019 by Cofense in Phishing Defense Center

By Tej Tulachan and Milo Salvia The CofenseTM Phishing Defense Center™ has seen a fresh wave of attacks targeting Blockchain wallet users. The attacks aim to steal all the information needed to hijack unsuspecting victims’ wallets and syphon off their hard-earned crypto gains. In the past week, we have detected more than 180 of these malicious emails, all reported by customers’ users. Here’s how the phishing emails work. Red Flag #1: ‘You Have Been Chosen.’ In the message below, we can see that the victim has been “selected to receive” a $50 dollar amount of  Stellar (XLM), an up and coming...

READ MORE

Pretty Pictures Sometimes Disguise Ugly Executables

May 15, 2019 by Max Gannon in Threat Intelligence

CISO Summary Reaching deep into their bag of tricks to avoid detection, threat actors are using an oldie but goodie— packing image files (think tropical beach scenes) with malicious executables, usually a .jpg. The technique allows attackers to avoid detection by some anti-virus programs that merely recognize a file as an image, but don’t check its full contents. This vintage tactic works—threat actors still use it a lot. Anti-virus systems rely on file headers to detect malware. Tuning systems to rely less on file headers is difficult and sometimes impossible. One counter-measure that does work: educate employees not to fall...

READ MORE

Babylon RAT Raises the Bar in Malware Multi-tasking

May 15, 2019 by Aaron Riley in Threat Intelligence

CISO SUMMARY  Ancient Babylon defeated its enemies with chariots, horses, and archers. Now Cofense IntelligenceTM has analyzed a phishing campaign delivering the powerful Babylon Remote Administration Tool (RAT). This malware is an open-source tool that can handle many tasks: encrypt command-and-control communication, hide from network security controls, trigger denial of service (DOS) attacks, and last but not least, steal data. Used skillfully, Babylon RAT would make the armies of Hammurabi proud.  Full Details Cofense Intelligence has analyzed a phishing campaign delivering a multi-feature open source Remote Administration Tool (RAT) named Babylon RAT. Babylon RAT’s Command and Control (C2) communication is...

READ MORE

The Cofense Phishing Defense Center Sees Threats That Most Don’t

May 8, 2019 by Marcel Feller in Cyber Incident Response

The CofenseTM Phishing Defense CenterTM analyzes suspicious emails reported by customers’ users and alerts their security teams when they need to take action. Because we live and breathe phishing analysis and response, and because we operate 24/7/365, we have visibility into threats most teams can’t see. Here’s a Real Example Involving Compromised Email Accounts A few months back, an organization exploring our services did a proof-of-concept trial, during which we analyzed emails its users found suspicious and reported for inspection. Soon enough, we saw emails sent from compromised email accounts within the organization. In fact, they utilized a technique known...

READ MORE

Babylon RAT Raises the Bar in Malware Multi-tasking

May 15, 2019 by Aaron Riley in Threat Intelligence

CISO SUMMARY  Ancient Babylon defeated its enemies with chariots, horses, and archers. Now Cofense IntelligenceTM has analyzed a phishing campaign delivering the powerful Babylon Remote Administration Tool (RAT). This malware is an open-source tool that can handle many tasks: encrypt command-and-control communication, hide from network security controls, trigger denial of service (DOS) attacks, and last but not least, steal data. Used skillfully, Babylon RAT would make the armies of Hammurabi proud.  Full Details Cofense Intelligence has analyzed a phishing campaign delivering a multi-feature open source Remote Administration Tool (RAT) named Babylon RAT. Babylon RAT’s Command and Control (C2) communication is...

READ MORE

The Cofense Phishing Defense Center Sees Threats That Most Don’t

May 8, 2019 by Marcel Feller in Cyber Incident Response

The CofenseTM Phishing Defense CenterTM analyzes suspicious emails reported by customers’ users and alerts their security teams when they need to take action. Because we live and breathe phishing analysis and response, and because we operate 24/7/365, we have visibility into threats most teams can’t see. Here’s a Real Example Involving Compromised Email Accounts A few months back, an organization exploring our services did a proof-of-concept trial, during which we analyzed emails its users found suspicious and reported for inspection. Soon enough, we saw emails sent from compromised email accounts within the organization. In fact, they utilized a technique known...

READ MORE

Flash Update: Emotet Gang Distributes First Japanese Campaign

April 15, 2019 by Darrel Rendell in Threat Intelligence

Cofense Intelligence™ has identified yet another change in Emotet’s behavior, this time distributing a campaign targeting Japanese-speaking recipients. The messages, which reference potentially overdue invoices and the payments thereof, deliver a macro-laden document, as per Emotet’s modus operandi. Figure one shows an example email from this campaign. Diversifying their target-base is the latest link in an ever-lengthening chain of updates and refinements being pushed by the actors behind Emotet. The targets in this campaign include Japanese academic institutions, demonstrating a keen interest in Emotet securing a presence in such networks worldwide. Appendix Subject Lines 特別請求書 三月發票 確認して承認してください。 請查看和 批准。 謝謝。...

READ MORE

Emotet Gang Switches to Highly Customized Templates Utilizing Stolen Email Content from Victims

April 9, 2019 by Jason Meurer in Threat Intelligence

Beginning the morning of April 9th, the Emotet gang began utilizing what appears to be the stolen emails of their victims. It was noted back in October of 2018 that a new module was added that could steal the email content on a victim’s machine. Up until now, no evidence of real widespread use was seen. This marks a major evolution in the way Emotet works.

READ MORE

This ‘Broken’ File Hides Malware Designed to Break Its Targets

April 2, 2019 by Max Gannon in Threat Intelligence

CISO Summary Cofense IntelligenceTM has identified a phishing campaign with a malicious attachment containing a “broken” file that actually works, in all the wrong ways. Under certain conditions, the file weaponizes in the target environment after evading both automated and manual analysis. The “break” is the lack of a file header, engineered to fool analysts into thinking the attachment is harmless, the work of threat actors too clumsy to be taken seriously. The headless file only appears when you open the attachment or use special programs in attempting to extract it. The campaign tries to exploit a common problem: information...

READ MORE

Emotet Update: New C2 Communication Followed by New Infection Chain

March 26, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary On March 15, CofenseTM Research reported that the Emotet botnet is changing the way it communicates, in a likely attempt to evade malware detection. Since then, Cofense IntelligenceTM has seen the same trend: Geodo-Emotet isn’t relying on cookies to make certain requests, instead performing HTTP POSTs to what seems to be the C2. Baking requests into cookies is a time-honored and easily detected pattern of  behavior. Switching this up makes it harder to see when the malware is calling home. Moreover, Geodo-Emotet is now using a new infection chain, utilizing JavaScript files as droppers instead of macro-packed Office...

READ MORE

This Phishing Campaign Spoofed a CDC Warning to Deliver the Latest GandCrab Ransomware

March 20, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary Cofense IntelligenceTM reports that threat actors have spoofed a CDC email—this one warns of a flu epidemic—to deliver an updated variant of GandCrab ransomware. Besides competing for a new low in predatory cyber-crime, the phishing campaign follows the public release of a decryptor tool for infections of recent GandCrab versions, through version 5.1. The fake CDC email contained version 5.2, which renders the decryptor tool ineffective. Though ransomware has dropped off over the past year, the authors of GandCrab are still pushing out frequent, powerful updates.  GandCrab is the last of the infamous “ransomware as a service” threats....

READ MORE

Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication

March 15, 2019 by Cofense in Threat Intelligence

We are currently noticing a change in the way that the Emotet botnet, specifically the epoch 1 variant, is communicating with the C2.  In past versions, the client would typically perform a GET request with data contained in the cookie value. As of approximately 11pm UTC on March 14, this changed. The clients have begun to perform HTTP POSTs to what appear to be their C2s.  The URI’s contacted contain variable words in the paths.  We are seeing form data passed with a name variable and data.  This change will break researchers as well as certain detection technologies while they...

READ MORE

‘Read the Manual’ Bot Gives This Phishing Campaign a Promising Future

March 12, 2019 by Aaron Riley in Threat Intelligence

CISO Summary Cofense IntelligenceTM has spotted a surgical phishing campaign whose targets could easily broaden, given the sophisticated development of its tactics. For now, it’s taking aim at financial departments in Russia and neighboring countries, using the Read the Manual (RTM) Bot to deliver a banking trojan. Among other capabilities, the malware steals data from accounting software and harvests smart card information. The newest version uses The Onion Router (TOR) communication protocol, whose privacy and extra encryption are signs the threat actors could be serious about developing the banking trojan for future campaigns. Technical controls can help combat this threat,...

READ MORE

Lime RAT: Why It Caught Our Eye and How this Versatile Malware Works

March 6, 2019 by Aaron Riley in Threat Intelligence

CISO Summary Cofense IntelligenceTM has spotted a phishing campaign using the Lime remote administration tool (RAT), whose versatility makes it an especially dangerous malware type. Lime RAT is a mash-up of ransomware, cryptominer, stealer, worm, and keylogger. When skillfully deployed, it can filch a wide range of information, encrypt computers for ransom, or transform the target host into a bot. Lime RAT appeals to novice and seasoned threat actors alike, thanks to its anti-virus evasion techniques, anti-virtual machine features, small footprint, and encrypted communications. Threat analysts will want to read the full analysis below. Security awareness managers will want to...

READ MORE

Major US Financial Institutions Imitated in Advanced Geodo/Emotet Phishing Lures that Appear More Authentic by Containing ProofPoint URL Wrapped Links

November 19, 2018 by Cofense in PhishingThreat Intelligence

By Darrel Rendell, Mollie MacDougall, and Max Gannon Cofense IntelligenceTM has observed Geodo (also known as Emotet) malware campaigns that are effectively spoofing major US financial institutions in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service. This adds an air of legitimacy to the casual observer, designed to increase the chances of malware infection. Figures 1 and 2 provide examples of the template and URL wrapping. Cofense Intelligence assesses the improved phishing templates are likely based upon data pilfered with a recently updated scraper module to spoof US financial institutions so effectively. Figure 1:...

READ MORE

October may be over – but phishing attacks never stop. Here’s how to make security awareness successful all year round.

November 1, 2018 by Tonia Dudley in Internet Security Awareness

Part 4 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 3 here. As October comes to a close, so too does National Cybersecurity Awareness month. But not so fast – Security Awareness isn’t just about October. It’s all year long and it never stops, it’s ever evolving. I developed this four-part blog series during National Cybersecurity Awareness Month to provide key industry insights and proven methodologies for building and enhancing your security awareness program. We started in week 1 with building a program strategy, followed up by discussing program content in week 2....

READ MORE

Where Do Security Awareness Programs Belong on the Org Chart?

October 25, 2018 by Tonia Dudley in Internet Security Awareness

Part 3 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 2 here. For this blog series on building a security awareness program, we started in week 1 with how to build a strategy. Last week we discussed how to select and use content in your overall program and specifically your phishing program. This week we’ll focus on program alignment – in other words, where does the security awareness role report within an organization?

READ MORE

Security Awareness: Choosing Methods and Content that Work

October 15, 2018 by Tonia Dudley in Internet Security Awareness

Part 2 in our 4-part series in support of National Cybersecurity Awareness Month. You can read part 1 here.  Last week we examined the importance of setting a strategy and goals for your security awareness program. Now that you’ve selected the user behaviors you want to address, the next step is to think about methods and content to nudge users to the correct behaviors. We live a fast-paced world of information overload. You have seconds to get your message across to engage your users. You need to choose proven learning methods and focus your educational content on the behaviors that...

READ MORE

Phishing Enables Domestic Violence. Education Can Help Stop It.

October 8, 2018 by Jim Hansen in Internet Security Awareness

According to estimates, approximately 760 people, or more than two per day, are killed by their partners. Most of the victims are women.1  Making matters worse, abusers use “stalkerware” to track their victims online, cutting off sources of income, isolating them from friends and family, and otherwise trying to control every aspect of their lives.

READ MORE

Building a Security Awareness Program? Start with Strategy and Goals

October 8, 2018 by Tonia Dudley in Internet Security Awareness

Part 1 of a 4-part series on building and maintaining a security awareness program, in support of National Cybersecurity Awareness Month. In 2011, I began my journey into security awareness. At that time, there were limited resources and most programs were still compliance focused. Even though I had previously spent 5 years in IT compliance, I knew this wasn’t the right approach to get users to learn or care about security. I kept telling the director that owned the role, “Compliance focus is wrong –you have to market to the users.”

READ MORE

Ouch! Our Report Shows Why the Healthcare Industry Needs Better Phishing Defense

September 24, 2018 by John Robinson in Internet Security AwarenessPhishing

Cofense™ released new research last week on phishing in the healthcare industry. It’s one of those industries that routinely gets hammered by phishing and data breaches. In fact, according to Verizon’s most recent Data Breach Investigations Report, over a third of all breaches target healthcare companies1. One recently reported example: the phishing attack on the Augusta University healthcare system, which triggered a breach that may have compromised the confidential records of nearly half a million people. None of this is surprising, considering that healthcare lives and breathes data. But our research also found this: Healthcare lags behind other industries in...

READ MORE

Here’s a Free Turnkey Phishing Awareness Program for National Cybersecurity Awareness Month

September 18, 2018 by Tonia Dudley in Internet Security Awareness

So….it’s September and October is only a few weeks away. Have you started putting together your campaign for National Cybersecurity Awareness Month (NCSAM) yet? If not, you’re in luck – we’ve created a complimentary turnkey phishing awareness program for you to quickly launch and look like a super hero to your leader AND your organization! And best yet, these resources can be used all year round – BECAUSE security awareness goes beyond October. 

READ MORE

How to Protect Against Phishing Attacks that Follow Natural Disasters

September 14, 2018 by Cofense in Internet Security AwarenessPhishing

By Aaron Riley and Darrel Rendell With Hurricane Florence battering parts of the East Coast, here’s a reminder that phishing campaigns sometimes pretend to promote natural-disaster relief efforts in hopes of successfully compromising their target. Cofense IntelligenceTM has analyzed plenty of these campaigns, which are designed to entice the end user into credential theft or endpoint infection.

READ MORE

Automate Your Phishing Defense While Keeping Human Control

September 6, 2018 by John Fitzgerald in Phishing

When it comes to combatting phishing, “set and forget” is a pipe dream. You can’t, and you shouldn’t, take humans out of the picture. But thanks to CofenseTM automation, you can stop attacks while reducing man hours and saving money.

READ MORE

Be Careful Who You Trust: Impersonation Emails Deliver Geodo Malware

November 16, 2017 by Marcel Feller in Malware AnalysisPhishing Defense Center

Over the past weeks, the Phishing Defence Centre has observed several reports that pretend to come from an internal sender. While this impersonation tactic is not new, we have only recently observed an influx in emails used to deliver the Geodo botnet malware. Figure 1 demonstrates an example of an email we have received.

READ MORE

Threat Actors Put a Greek Twist on Ransomware with Sigma

November 10, 2017 by Chase Sims in Malware AnalysisPhishing Defense Center

When we think of Greek-themed malware, the trojan family generally comes to mind. Not anymore, Sigma is a new ransomware delivered via phishing email.

READ MORE

Fake Swiss Tax Administration Office Emails Deliver Retefe Banking Trojan

October 25, 2017 by Marcel Feller in Malware AnalysisPhishingPhishing Defense Center

PhishMe®’s Phishing Defence Centre has observed multiple emails with a subject line that includes a reference to tax declarations in Switzerland (Original subject in German: “Fragen zu der Einkommensteuerklaerung”) as shown in Figure 1. The sender pretends to be a tax officer working for the tax administration (Eidgenoessische Steuerverwaltung ESTV) and is asking the victim to open the attached file to answer questions about the tax declaration.

READ MORE

New Strain of Locky with a “Deadly” Twist

October 19, 2017 by Chase Sims in Cyber Incident ResponseMalware AnalysisPhishing Defense Center

With it being flu season, no one wants to hear that a new strain of the flu has been discovered. Just as network defenders will not be excited that Locky ransomware has evolved yet again. This time however, threat actors decided to add a darker theme to code.  

READ MORE

Malicious Chrome Extension Targets Users in Brazil

October 17, 2017 by Oscar Sendin in Malware AnalysisPhishingPhishing Defense Center

Our Phishing Defense Center recently detected a significant increase in the number of emails with malware designed  exclusively to target users in Brazil.

READ MORE

Heads Up: This Netflix Phish Targets Business Email, Not Just Home Accounts

October 10, 2017 by Chase Sims in Malware AnalysisPhishingPhishing Defense Center

PhishMe® analyzes phishing attacks intended for corporate email all the time—phishing for corporate email credentials, malware delivery, etc. However, we also analyze phishing for consumer service credentials—think online shopping or Netflix—since it is also a part of the threat landscape.

READ MORE

NanoCore Variant Delivered Through UUE Files

September 8, 2017 by Marcel Feller in Malware AnalysisPhishingPhishing Defense Center

Over the past few weeks, our Phishing Defense Center has observed several emails with malicious PDF attachments that prompt the user to download a .UUE file from Dropbox. UUE files (Unix to Unix Encoding) are files encoded with uuencode, a program that converts binary files to text format for easy transfer while still allowing for the files to be easily opened using Winzip or similar un-archiving applications. When file extensions are not displayed in Windows, the downloaded file looks like any other compressed file (as shown in Figure 1), which makes it harder to spot that this file is indeed...

READ MORE

Threat Actor Employs Hawkeye Malware with Multiple Infection Vectors

July 24, 2017 by Chase Sims in Internet Security AwarenessMalware AnalysisPhishing Defense Center

On July 13, 2017, the Phishing Defense Center reviewed a phishing campaign delivering Hawkeye, a stealthy keylogger, disguised as a quote from the Pakistani government’s employee housing society. Although actually a portable executable file [1], once downloaded, it masquerades its icon as a PDF. 

READ MORE

Threat Actors Leverage CVE 2017-0199 to Deliver Zeus Panda via Smoke Loader

June 22, 2017 by Eesaan Atluri in Malware AnalysisPhishingPhishing Defense Center

Our Phishing Defense Center identified and responded to attacks leveraging a relatively new Microsoft Office vulnerability during the past few weeks. Last week, the PDC observed threat actors exploiting CVE 2017-0199 to deliver the Smoke Loader malware downloader which in turn was used to deliver the Zeus Panda botnet malware. These emails claim to deliver an invoice for an “outstanding balance” and trick the recipient to opening the attached file. In one instance, we have also seen the malicious attachment being delivered via URL.

READ MORE

SMILE – New PayPal Phish Has Victims Sending Them a Selfie

June 15, 2017 by Chase Sims in Malware AnalysisPhishingPhishing Defense Center

Phishing scams masquerading as PayPal are unfortunately commonplace. Most recently, the PhishMe Triage™ Managed Phishing Defense Center noticed a handful of campaigns using a new tactic for advanced PayPal credential phishing. The phishing website looks very authentic compared to off-the-shelf crimeware phishing kits, but also levels-up by asking for a photo of the victim holding their ID and credit card, presumably to create cryptocurrency accounts to launder money stolen from victims.

READ MORE