Cofense Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

Emotet Update: New C2 Communication Followed by New Infection Chain

March 26, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary: On March 15, Cofense™ Research reported that the Emotet botnet is changing the way it communicates, in a likely attempt to evade malware detection. Since then, Cofense Intelligence™ has seen the same trend: Geodo-Emotet isn’t relying on cookies to make certain requests, instead performing HTTP POSTs to what seems to be the C2. Baking requests into cookies is a time-honored and easily detected pattern of behavior. Switching this up makes it harder to see when the malware is calling home. Moreover, Geodo-Emotet is now using a new infection chain, utilizing JavaScript files as droppers instead of macro-packed Office...

This Phishing Campaign Spoofed a CDC Warning to Deliver the Latest GandCrab Ransomware

March 20, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary: Cofense Intelligence™ reports that threat actors have spoofed a CDC email—this one warns of a flu epidemic—to deliver an updated variant of GandCrab ransomware. Besides competing for a new low in predatory cyber-crime, the phishing campaign follows the public release of a decryptor tool for infections of recent GandCrab versions, through version 5.1. The fake CDC email contained version 5.2, which renders the decryptor tool ineffective. Though ransomware has dropped off over the past year, the authors of GandCrab are still pushing out frequent, powerful updates. GandCrab is the last of the infamous “ransomware as a service” threats....

Uncomfortable Truth #4 about Phishing Defense

March 20, 2019 by David Mount in Phishing

Part 4 of a 5-part series. I’m not going to beat around the bush here. Uncomfortable Truth #4 is quite simple: Users are NOT the problem. There. I said it. If this statement seems at odds with your current thinking, don’t close this browser window just yet. Stick with me, and the effectiveness of your phishing defense programs could be changed for the better. Let’s illustrate with a story from Malcolm Gladwell. In his book ‘Blink’, Malcolm Gladwell tells of the Getty Museum in New York buying an ancient Greek Kouros statue—a tale of man triumphing over machine, as it...

Uncomfortable Truth #3 about Phishing Defense

March 18, 2019 by David Mount in Phishing

Part 3 of a 5-part series. In part 1 and part 2, we discussed the Uncomfortable Truths that no matter how good your perimeter controls, malicious emails still reach the inbox, and that security teams cannot defend against attacks they cannot see. While some still hold next-gen technologies in almost exalted status, many organizations are beginning to accept that phishing threats still reach user inboxes and that these users will be tempted to click. To address this risk, significant investments are made in awareness activities, including phishing simulation. Commonly, the primary goal or success metric of these activities is a...

Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication

March 15, 2019 by Cofense in Threat Intelligence

We are currently noticing a change in the way that the Emotet botnet, specifically the epoch 1 variant, is communicating with the C2. In past versions, the client would typically perform a GET request with data contained in the cookie value. As of approximately 11pm UTC on March 14, this changed. The clients have begun to perform HTTP POSTs to what appear to be their C2s. The URIs contacted contain variable words in the paths. We are seeing form data passed with a name variable and data. This change will break researchers as well as certain detection technologies while they...

Uncomfortable Truth #2 about Phishing Defense

March 14, 2019 by David Mount in Phishing

In Part 1, we explored the uncomfortable truth that no matter how good your perimeter controls, malicious emails still reach the inbox. While security technologies do a great job of telling us about the attacks they have stopped, they do a poor job of telling us about the threats they have let through. This segues nicely into: Uncomfortable Truth #2: You cannot defend against attacks you cannot see. Visibility is a core tenet of any security operations center. After all, if a SOC has no visibility of an attack, they cannot mitigate it. As the threat landscape evolves, organizations deploy more...

‘Read the Manual’ Bot Gives This Phishing Campaign a Promising Future

March 12, 2019 by Aaron Riley in Threat Intelligence

CISO Summary: Cofense Intelligence™ has spotted a surgical phishing campaign whose targets could easily broaden, given the sophisticated development of its tactics. For now, it’s taking aim at financial departments in Russia and neighboring countries, using the Read the Manual (RTM) Bot to deliver a banking trojan. Among other capabilities, the malware steals data from accounting software and harvests smart card information. The newest version uses The Onion Router (TOR) communication protocol, whose privacy and extra encryption are signs the threat actors could be serious about developing the banking trojan for future campaigns. Technical controls can help combat this threat,...

Uncomfortable Truth #1 about Phishing Defense

March 11, 2019 by David Mount in Phishing

Part 1 of a 5-Part Series. The threat posed by phishing is not new. For many years, the media and research papers have been littered with examples of data breaches that have been traced back to phishing attacks. Organizations have attempted to tackle the threat through investments in next-gen technologies and increased employee awareness training. Despite these efforts, the threat has not receded; in fact, it’s become more sophisticated and more effective. It’s time for organizations to accept some uncomfortable truths about routine approaches to phishing defence and think differently – understanding that REAL phish are the REAL problem. In...

Lime RAT: Why It Caught Our Eye and How this Versatile Malware Works

March 6, 2019 by Aaron Riley in Threat Intelligence

CISO Summary: Cofense Intelligence™ has spotted a phishing campaign using the Lime remote administration tool (RAT), whose versatility makes it an especially dangerous malware type. Lime RAT is a mash-up of ransomware, cryptominer, stealer, worm, and keylogger. When skillfully deployed, it can filch a wide range of information, encrypt computers for ransom, or transform the target host into a bot. Lime RAT appeals to novice and seasoned threat actors alike, thanks to its anti-virus evasion techniques, anti-virtual machine features, small footprint, and encrypted communications. Threat analysts will want to read the full analysis below. Security awareness managers will want to...

Finding the Whole Phishing Attack: Problems and Solution

March 5, 2019 by David Mount in Cyber Incident Response

Mitigating a phishing attack is a little like zapping termites. If you don’t eliminate the whole problem, trouble continues to breed. To help, Cofense™ has announced the general availability of Cofense Vision™. We knew that existing email search and quarantine tools weren’t fast enough, making it hard for the SOC to find and remove every phish. Integrated with the latest release of Cofense Triage™, Cofense Vision lets incident responders see the entire phishing attack, including emails not reported by users. With a single click, the SOC can quarantine every bad email and stop the attack in its tracks. Cofense Vision...

Jigsaw Ransomware Returns With Extortion Scam Ploys

January 23, 2019 by Cofense in Phishing Defense Center

By Lucas Ashbaugh. Want to play a game? Jigsaw ransomware does, and it’s going to run you $400… or you could just download the free decrypter online. Jigsaw, featuring Billy The Puppet from Saw, was first released in 2016. It not only encrypts the victim’s files but deletes them at a continuously increasing rate until a payment in bitcoin can be confirmed against the bitcoin blockchain. Now, Jigsaw has been observed again, this time delivered through scam tactics. The Delivery: Each email starts off with a ploy about how the threat actor somehow compromised the victim’s financial accounts. After shocking and...

The Kutaki Malware Bypasses Gateways to Steal Users’ Credentials

January 21, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary: It’s a case of hiding in plain sight. Cofense™ recently found a phishing campaign that hides the Kutaki malware in a legitimate application to bypass email gateways and harvest users’ credentials.

Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans

January 17, 2019 by Cofense in Threat Intelligence

By Aaron Riley and Marcel Feller. CISO Summary: Recently, Cofense™ has seen phishing campaigns that bypass email security using a .cpl file extension attachment. .CPL is the file name extension for items or icons appearing in the Windows Control Panel. These file extensions are vital for most Control Panel tools to function, making endpoint threat mitigation extremely difficult. After evading controls and successfully executing on the endpoint, the .cpl file downloads a second-stage payload, which is typically a banking trojan. According to Cofense Intelligence™, most of these phishing campaigns are aimed at South American inboxes. As part of security awareness training...

Exploiting an Unpatched Vulnerability, the Ave_Maria Malware Is Not Full of Grace

January 10, 2019 by Max Gannon in Threat Intelligence

CISO Summary: Cofense™ has seen a rise in phishing campaigns designed to deliver a type of stealer malware called Ave_Maria. It contains a capability, DLL hijacking, that uses a vulnerability with no forthcoming fix. With origins in a publicly available utility, DLL hijacking lets Ave_Maria gain greater admin privileges and avoid detection, then steal information so it can download additional plugins and potentially other payloads. This malware can bypass detection and privilege restrictions on many endpoints.

The Vjw0rm Malware Does It All. Here’s What to Watch For.

January 9, 2019 by Aaron Riley in Threat Intelligence

CISO Summary: It’s called the Vengeance Justice Worm (Vjw0rm), but think of it as the Leatherman tool of malware. Vjw0rm wreaks havoc in highly versatile ways: information theft, denial of service (DoS) attacks, and self-propagation to name a few. Cofense™ has spotted this hybrid threat—a cross between a worm and a remote access trojan (RAT)—in a recent phishing campaign dangling a banking lure.

In 2018, Cheap and Easy Malware Flooded Corporate Inboxes

January 8, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary: Sometimes it’s the simple things that make life hard. In 2018, over 2/3 of unique malware campaigns Cofense Intelligence™ observed were simple, inexpensive “stealers” or remote access trojans (RATs). With exceptionally low barrier-to-entry—an email account or website can handle distribution and communication—these malware types make data theft a viable career choice for threat actors without the skills to use more advanced varieties.

Threats of Terror Pervade Recent Extortion Phishing Campaigns

December 20, 2018 by Cofense in Phishing Defense Center

By Lucas Ashbaugh. “There is an explosive device (tronitrotoluene) in the building where your business is conducted […] there will be many victims if it explodes”

Domain Fronting, Phishing Attacks, and What CISOs Need to Know

December 13, 2018 by Aaron Riley in Threat Intelligence

CISO Summary: Cofense Intelligence™ is seeing continued use of a cyber-attack technique known as domain fronting. It’s yet another way hackers conceal their malicious activity, in this case using work-arounds to evade security controls and gain access to command-and-control (C2) infrastructure (scroll down for a technical explanation). Cozy Bear, the Russian threat actors, used similar tactics when they hacked the Democratic National Committee in 2016. Today, businesses are dealing with phishing and malware attacks that domain fronting enables. While Google and Amazon have taken measures in their CDNs to curtail this trend, we have seen an uptick in C2 infrastructure...

TV-License Phishing Scam Tricks UK Users Into Giving Personal Information

December 5, 2018 by Milo Salvia in Threat Intelligence

Cofense Intelligence™ recently observed a new phishing scam making the rounds in the United Kingdom. It poses as the TV licensing authority better known as the British Broadcasting Corporation. The premise behind the scam is to trick the user into believing that he or she is breaking the law by not owning a valid license to receive TV, a criminal offense in the UK with a maximum penalty of a £1000 fine plus any legal costs incurred during prosecution.  

2018: A Reverse-Course for Ransomware

December 5, 2018 by Cofense in Threat Intelligence

By Mollie MacDougall. The overall number of ransomware campaigns and active families has declined precipitously in 2018 as compared to last year, almost certainly due to multiple deterrents and a better alternative for profit-minded hackers. This reverse-course in ransomware trends follows years of sustained growth in the number of ransomware families and unique campaigns. Still, ransomware attacks make headlines and will likely continue into next year.

Why You Need to Keep Brands Out of Phishing Simulations

July 26, 2018 by Tonia Dudley in Internet Security Awareness

The top 4 brands in the world—Apple, Google, Microsoft, and Facebook—are worth over $500B. Not the operations of those brands, not their proprietary technology, or their real estate—the brands alone. When something is that valuable, companies protect it zealously. They monitor how their brands are used and take action to defend them. Cofense stands firm on not allowing 3rd party brands or logos to be utilized in our phishing simulations without prior express permission. There are times when we may partner directly with specific brands and organizations on the official inclusion of their brand assets in simulation content where it...

Messenger of the Bots: Hermes Malware Makes Phishing Debut

July 24, 2018 by Darrel Rendell in Malware Analysis, Phishing

For the first time ever, Cofense Intelligence™ recently observed a phishing campaign distributing the infamous Hermes ransomware. The low-volume campaign delivered .doc files, weaponized with heavily obfuscated macros. These macros reached out to an attacker-controlled server to download and execute a copy of Hermes.

Who’s Got Access? “Value at Risk” Anti-Phishing

July 23, 2018 by Zach Lewis in Internet Security Awareness

Part 3 of 3: So far, we have looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. We’ve seen how this model can guide your anti-phishing program by focusing on the value of assets you protect. We’ve also examined ways to translate your organization’s data to dollars, which is useful if you’re responsible for data oversight and governance—in other words, it helps to know where data might live and the (estimated) value of digital assets should a breach occur.

Data to Dollars: “Value at Risk” Anti-Phishing Strategies

July 16, 2018 by Zach Lewis in Internet Security Awareness

Part 2 of 3: Last week, we looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. This week let’s do a deep-dive into the “value” aspect of VAR. We’ll ask: do you know where your crown-jewel data is stored and how much it might be worth? Even if the answer is “Not exactly,” an educated guess can help set anti-phishing priorities.

This Amazon Prime Day, Keep Your Network Safe from Phishing

July 12, 2018 by Josh Bartolomie in Internet Security Awareness

Unfortunately, with the world we live in, especially with any type of highly visible promotions or sales, scammers will try to take advantage of the situation. Remember last year’s Amazon Prime Day phishing scam? Consumers around the world received an email promising a $50 bonus for writing a product review, or an email stating there was a problem with their payment method or shipping information. When they clicked on an embedded link, they went to a bogus login page designed to harvest their credentials.

“Value at Risk”: Focus Your Anti-Phishing on the Bottom Line

July 10, 2018 by John Robinson in Internet Security Awareness

Part 1 of 3: Over the past year at Cofense, we’ve introduced and discussed the importance of elevating the visibility of anti-phishing programs to the Board of Directors level. The key measures we presented included a measure of capability we refer to as ‘resilience’ and enumeration of which specific attacks your organization may be facing. As a result, the questions we are now answering for board members globally are – “What phishing threats do you need to be the most concerned with?” “How likely are you to stop those specific attacks in progress?” In the same time frame, the World...

Cofense Phishing Awareness: The Innovations Continue

June 26, 2018 by Garrett Hess in Internet Security Awareness

Every week you read about a new phishing-inflicted breach. Despite heavy spending on perimeter security, malicious emails still get through. Here’s something that can help and, best of all, costs nothing. It’s the latest in a blitz of Cofense phishing awareness innovations.

Phishing Defense: Let’s Get Personal

June 20, 2018 by Dan Marshall in Internet Security Awareness, Phishing

We all know phish aren’t just sent to corporate email accounts, yet this is what we hear about most often in the news. The reason, at least in part, is because headlines highlighting millions of dollars lost or millions of accounts compromised make for better news than “Man Has Personal Savings Account Drained After Clicking Malicious Link.”

Cofense has you covered as Office attachment attacks grow.

June 4, 2018 by Garrett Hess in Internet Security Awareness, Malware Analysis

At Cofense™, we’ve known for some time that phishing attacks using MS Office attachments were a big problem. That’s why our solutions help you combat these attacks in important ways.

Managed Service Gives SMB’s More Security without the Headcount

May 17, 2018 by Zach Lewis in Internet Security Awareness

If you do a Google search on “SMB’s and cyber-security,” one best practice is hard to miss. The experts say it’s smart to give employees security training. All employees, not just the cyber-warriors in IT. Another good idea: outsource your training. Let specialists spare you the cost of creating a security awareness program. Better security without more headcount—it’s why so many SMB’s trust Cofense PhishMe™ Managed Service.

New Phishing Emails Deliver Malicious .ISO Files to Evade Detection

May 26, 2017 by Chase Sims in Malware Analysis, Phishing, Phishing Defense Center

On May 22, 2017, PhishMe® received several emails with .ISO images as attachments via the Phishing Defense Center. ISO images are typically used as an archive format for the content of an optical disk and are often utilized as the installers for operating systems. However, in this case, a threat actor leveraged this archive format as a means to deliver malware content to the recipients of their phishing email. Analysis of the attachments showed that this archive format was abused to deliver malicious AutoIT scripts hidden within a PE file that appears to be a Microsoft Office Document file, which...

FBI Announces That BEC Scam Losses Continue to Skyrocket, as Losses Exceed $3.1B

May 19, 2017 by Cofense in Malware Analysis, Phishing, Phishing Defense Center

Financial losses from business email compromise (BEC) scams skyrocketed by 2,370% between January 2015 and December 2016, according to an FBI public service announcement released Thursday. The alarming statistic represents a sharp increase from the agency’s previous announcement, serving as a warning to users to stay vigilant in recognizing the threat.  

Tales from the Trenches: DocuSign® DELoader Phishing Attack

May 17, 2017 by Cofense in Internet Security Awareness, Malware Analysis, Phishing Defense Center

Over the past several days, the Phishing Defense Center identified and responded to several messages related to an ongoing phishing email campaign spoofing DocuSign to carry out an attack. These messages appear to be official DocuSign emails including links to review the document. Upon clicking the link, various malicious files are downloaded to the victim’s computer including the DELoader financial crimes malware.

Google Doc Phishing Attack Hits Fast and Hard

May 3, 2017 by Cofense in Phishing, Phishing Defense Center

Google Doc Campaign Makes a Mark: In the process of managing phishing threats for our customers, our Phishing Defense Center and PhishMe Intelligence teams saw a flood of suspicious emails with a subject line stating that someone “has shared a document on Google Docs with you”, which contained a link to “Open in Docs”. The “Open in Docs” link goes to one of several URLs all within the https://accounts.google.com website.

April Sees Spikes in Geodo Botnet Trojan

May 2, 2017 by Cofense in Phishing, Phishing Defense Center

Throughout April, our Phishing Defense Team observed an increase in malicious URLs that deliver the financial crimes and botnet trojan known as Geodo. These emails take a simple approach to social engineering, using just a sentence or two prompting the victim to click on a link to see a report or invoice that has been sent to them. An example of a typical phishing email used in these attacks is shown below: Following the malicious links will lead the victim to download a hostile JavaScript application or PDF document tasked with obtaining and executing Geodo malware. One common attribute of...

Does your Incident Response Plan include Phishing?

April 20, 2017 by Cofense in Cyber Incident Response, Phishing, Phishing Defense Center

It’s no secret that 90% of breaches start with a phishing attack. The question is: are you prepared to recognize phishing and respond to it? Many organizations are concerned with how much spam they receive and implement controls specific to spam. But you shouldn’t confuse preventing spam with responding to phishing attacks.

Wide-Spread Ursnif Campaign Goes Live

April 11, 2017 by Cofense in Phishing Defense Center

On April 5th, our Phishing Defense Center received a flurry of emails with subject line following a pattern of Lastname, firstname. Attached to each email was a password-protected .docx Word document with an embedded OLE package. In all cases the attachments were password protected to decrease the likelihood of detection by automated analysis tools. A password was provided to the victim in the body of the email which attempts to lure the victim into opening the malicious attachment and to increase the apparent legitimacy of the message. 

W-2 Fraud – Tax Season and All Year Long

April 4, 2017 by Cofense in Phishing Defense Center

It’s the time of year when Taxes are on everyone’s mind – especially Phishers! The stress of filing.  The stress of gathering all the documents.  The stress of reporting.  The stress of the deadline.  All of that on top of everything else you have to do this time of year makes tax time phishing a favorite and highly successful annual event for phishing scams. However, once the filing is completed, it doesn’t mean the campaigns will stop.  W2 and CEO fraud are timeless phishing campaigns that run all year long.

Tales from the Trenches:  Loki Bot Malware

March 23, 2017 by Cofense in Phishing Defense Center

On March 15, 2017, our Phishing Defense Center observed several emails with the subject line “Request for quotation” pretending to award Shell Oil Company contracts – a very targeted subject tailored to the receiver. As with most phishing emails, there is a compelling call to action for the receiver, in this case a contract award from a well-known organization. And, an added bonus unknown to the receiver, the emails also contained a malicious attachment designed to siphon data from its targets. Included is an example of one of these emails along with basic Triage header information. Each email analyzed contained instructions...
