Products
Products
Awareness
Response
Intelligence
About Cofense
About Cofense
FAQs for PhishMe Submerge
Registration & Event Information How do I register? Please use the…
Learn More

Cofense Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

5 Cybersecurity Trends that Will Dominate 2020

December 20, 2019 by Aaron Higbee in PhishingThreat Intelligence

By Aaron Higbee, CTO, Cofense The threat landscape continues to evolve at a rapid pace, with new threat vectors emerging and increasing in sophistication. Which ones should you watch most closely as 2020 unfolds? Based on insights collected from our Cofense research teams, here are five trends we see dominating next year. Ransomware will continue becoming more targeted to reap more sizeable payouts. Many people are under the impression that ransomware is slowing down, but in reality it’s simply being used in a more targeted fashion. So many private and public organizations, as well as government entities, have been infiltrated...

READ MORE

Bundle Up and Build an End-to-End Phishing Defense

December 2, 2019 by Cofense in Cyber Incident ResponsePhishing

By David Mount, Product Marketing Back in 2008, CofenseTM (then PhishMe®) pioneered the concept of phishing simulation as a tool to reduce organizational risk to phishing threats. Since then, the phishing threat landscape has evolved at a rapid pace, as evidenced in many of the posts on this blog. Back then, traditional approaches to Security Awareness didn’t (and still don’t) demonstrably and measurably improve security posture, especially relating to phishing threats. And, as we’ve mentioned before (and we highlight in this blog), every threat identified by the Cofense Phishing Defense CenterTM has bypassed the technical controls like Secure Email Gateways...

READ MORE

Quit Faking It—Train Your Users to Stop Real Phish

November 15, 2019 by Cofense in Internet Security AwarenessPhishing

By Tonia Dudley CofenseTM was the pioneer of phishing simulation as a training method to defend against phishing incidents. We’ve evolved our products and methodology as we understand that real phish are the real problem. What has also evolved over time is the depth of our scenario templates—when threat actors shift to use a new tactic to make their way past the secure email gateway (SEG), Cofense is able to quickly offer a scenario based on that tactic. When we say, “Real phish are the real problem” we mean organizations should set their phishing defense strategy from end to end....

READ MORE

Cofense Labs Has Identified a Sextortion Botnet in the Wild – and it’s Growing

November 14, 2019 by Cofense in Internet Security AwarenessPhishing

By Tonia Dudley, Cofense Security Solutions Every day, CofenseTM threat analysts and researchers monitor phishing and cyber security threats in the wild. In June of 2019, our researchers uncovered a sextortion botnet that contained a list of 200 million email addresses. Read the original announcement here. That database has since grown to over 330 million email addresses. We have also identified an increase in the number of unique web domains being targeted by the botnet. When we released our original findings, the database had close to 6 million unique domains. That total has grown to 7.4 million unique domains. To...

READ MORE

Pretty Pictures Sometimes Disguise Ugly Executables

May 15, 2019 by Max Gannon in Threat Intelligence

CISO Summary Reaching deep into their bag of tricks to avoid detection, threat actors are using an oldie but goodie— packing image files (think tropical beach scenes) with malicious executables, usually a .jpg. The technique allows attackers to avoid detection by some anti-virus programs that merely recognize a file as an image, but don’t check its full contents. This vintage tactic works—threat actors still use it a lot. Anti-virus systems rely on file headers to detect malware. Tuning systems to rely less on file headers is difficult and sometimes impossible. One counter-measure that does work: educate employees not to fall...

READ MORE

Babylon RAT Raises the Bar in Malware Multi-tasking

May 15, 2019 by Aaron Riley in Threat Intelligence

CISO SUMMARY  Ancient Babylon defeated its enemies with chariots, horses, and archers. Now Cofense IntelligenceTM has analyzed a phishing campaign delivering the powerful Babylon Remote Administration Tool (RAT). This malware is an open-source tool that can handle many tasks: encrypt command-and-control communication, hide from network security controls, trigger denial of service (DOS) attacks, and last but not least, steal data. Used skillfully, Babylon RAT would make the armies of Hammurabi proud.  Full Details Cofense Intelligence has analyzed a phishing campaign delivering a multi-feature open source Remote Administration Tool (RAT) named Babylon RAT. Babylon RAT’s Command and Control (C2) communication is...

READ MORE

The Cofense Phishing Defense Center Sees Threats That Most Don’t

May 8, 2019 by Marcel Feller in Cyber Incident ResponseSEG Misses

The CofenseTM Phishing Defense CenterTM analyzes suspicious emails reported by customers’ users and alerts their security teams when they need to take action. Because we live and breathe phishing analysis and response, and because we operate 24/7/365, we have visibility into threats most teams can’t see. Here’s a Real Example Involving Compromised Email Accounts A few months back, an organization exploring our services did a proof-of-concept trial, during which we analyzed emails its users found suspicious and reported for inspection. Soon enough, we saw emails sent from compromised email accounts within the organization. In fact, they utilized a technique known...

READ MORE

Flash Update: Emotet Gang Distributes First Japanese Campaign

April 15, 2019 by Cofense in Threat Intelligence

Cofense Intelligence™ has identified yet another change in Emotet’s behavior, this time distributing a campaign targeting Japanese-speaking recipients. The messages, which reference potentially overdue invoices and the payments thereof, deliver a macro-laden document, as per Emotet’s modus operandi. Figure one shows an example email from this campaign. Diversifying their target-base is the latest link in an ever-lengthening chain of updates and refinements being pushed by the actors behind Emotet. The targets in this campaign include Japanese academic institutions, demonstrating a keen interest in Emotet securing a presence in such networks worldwide. Appendix Subject Lines 特別請求書 三月發票 確認して承認してください。 請查看和 批准。 謝謝。...

READ MORE

Emotet Gang Switches to Highly Customized Templates Utilizing Stolen Email Content from Victims

April 9, 2019 by Jason Meurer in Threat Intelligence

Beginning the morning of April 9th, the Emotet gang began utilizing what appears to be the stolen emails of their victims. It was noted back in October of 2018 that a new module was added that could steal the email content on a victim’s machine. Up until now, no evidence of real widespread use was seen. This marks a major evolution in the way Emotet works.

READ MORE

This ‘Broken’ File Hides Malware Designed to Break Its Targets

April 2, 2019 by Max Gannon in Threat Intelligence

CISO Summary Cofense IntelligenceTM has identified a phishing campaign with a malicious attachment containing a “broken” file that actually works, in all the wrong ways. Under certain conditions, the file weaponizes in the target environment after evading both automated and manual analysis. The “break” is the lack of a file header, engineered to fool analysts into thinking the attachment is harmless, the work of threat actors too clumsy to be taken seriously. The headless file only appears when you open the attachment or use special programs in attempting to extract it. The campaign tries to exploit a common problem: information...

READ MORE

Emotet Update: New C2 Communication Followed by New Infection Chain

March 26, 2019 by Cofense in Threat Intelligence

CISO Summary On March 15, CofenseTM Research reported that the Emotet botnet is changing the way it communicates, in a likely attempt to evade malware detection. Since then, Cofense IntelligenceTM has seen the same trend: Geodo-Emotet isn’t relying on cookies to make certain requests, instead performing HTTP POSTs to what seems to be the C2. Baking requests into cookies is a time-honored and easily detected pattern of  behavior. Switching this up makes it harder to see when the malware is calling home. Moreover, Geodo-Emotet is now using a new infection chain, utilizing JavaScript files as droppers instead of macro-packed Office...

READ MORE

This Phishing Campaign Spoofed a CDC Warning to Deliver the Latest GandCrab Ransomware

March 20, 2019 by Cofense in Threat Intelligence

CISO Summary Cofense IntelligenceTM reports that threat actors have spoofed a CDC email—this one warns of a flu epidemic—to deliver an updated variant of GandCrab ransomware. Besides competing for a new low in predatory cyber-crime, the phishing campaign follows the public release of a decryptor tool for infections of recent GandCrab versions, through version 5.1. The fake CDC email contained version 5.2, which renders the decryptor tool ineffective. Though ransomware has dropped off over the past year, the authors of GandCrab are still pushing out frequent, powerful updates.  GandCrab is the last of the infamous “ransomware as a service” threats....

READ MORE

Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication

March 15, 2019 by Cofense in Threat Intelligence

We are currently noticing a change in the way that the Emotet botnet, specifically the epoch 1 variant, is communicating with the C2.  In past versions, the client would typically perform a GET request with data contained in the cookie value. As of approximately 11pm UTC on March 14, this changed. The clients have begun to perform HTTP POSTs to what appear to be their C2s.  The URI’s contacted contain variable words in the paths.  We are seeing form data passed with a name variable and data.  This change will break researchers as well as certain detection technologies while they...

READ MORE

Bundle Up and Build an End-to-End Phishing Defense

December 2, 2019 by Cofense in Cyber Incident ResponsePhishing

By David Mount, Product Marketing Back in 2008, CofenseTM (then PhishMe®) pioneered the concept of phishing simulation as a tool to reduce organizational risk to phishing threats. Since then, the phishing threat landscape has evolved at a rapid pace, as evidenced in many of the posts on this blog. Back then, traditional approaches to Security Awareness didn’t (and still don’t) demonstrably and measurably improve security posture, especially relating to phishing threats. And, as we’ve mentioned before (and we highlight in this blog), every threat identified by the Cofense Phishing Defense CenterTM has bypassed the technical controls like Secure Email Gateways...

READ MORE

Quit Faking It—Train Your Users to Stop Real Phish

November 15, 2019 by Cofense in Internet Security AwarenessPhishing

By Tonia Dudley CofenseTM was the pioneer of phishing simulation as a training method to defend against phishing incidents. We’ve evolved our products and methodology as we understand that real phish are the real problem. What has also evolved over time is the depth of our scenario templates—when threat actors shift to use a new tactic to make their way past the secure email gateway (SEG), Cofense is able to quickly offer a scenario based on that tactic. When we say, “Real phish are the real problem” we mean organizations should set their phishing defense strategy from end to end....

READ MORE

Cofense Labs Has Identified a Sextortion Botnet in the Wild – and it’s Growing

November 14, 2019 by Cofense in Internet Security AwarenessPhishing

By Tonia Dudley, Cofense Security Solutions Every day, CofenseTM threat analysts and researchers monitor phishing and cyber security threats in the wild. In June of 2019, our researchers uncovered a sextortion botnet that contained a list of 200 million email addresses. Read the original announcement here. That database has since grown to over 330 million email addresses. We have also identified an increase in the number of unique web domains being targeted by the botnet. When we released our original findings, the database had close to 6 million unique domains. That total has grown to 7.4 million unique domains. To...

READ MORE

New Credential Phish Targets Employees with Salary Increase Scam

October 31, 2019 by Cofense in Cisco IronPortCyber Incident ResponsePhishingProofpointSEG Misses

By Milo Salvia, Cofense Phishing Defense CenterTM The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials by preying on employees who are expecting salary increases. The threat actors use a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spread sheet. Here’s how it works: Email Body Figure 1: Email Body The threat actor attempts to make the email appear to come from the target company by manipulating the “from” field in the headers. In particular, the threat actor changes the...

READ MORE

Tales from the Trenches: DocuSign® DELoader Phishing Attack

May 17, 2017 by Cofense in Internet Security AwarenessMalware AnalysisPhishing Defense Center

Over the past several days, the Phishing Defense Center identified and responded to several messages related to an ongoing phishing email campaign spoofing DocuSign to carry out an attack. These messages appear to be official DocuSign emails including links to review the document. Upon clicking the link, various malicious files are downloaded to the victim’s computer including the DELoader financial crimes malware.

READ MORE

Google Doc Phishing Attack Hits Fast and Hard

May 3, 2017 by Cofense in PhishingPhishing Defense Center

Google Doc Campaign Makes a Mark In the process of managing phishing threats for our customers, our Phishing Defense Center and PhishMe Intelligence teams saw a flood of suspicious emails with subject line stating that someone has “has shared a document on Google Docs with you”, which contained a link to “Open in Docs”. The “Open in Docs” link goes to one of several URLs all within the https://accounts.google.com website.

READ MORE

April Sees Spikes in Geodo Botnet Trojan

May 2, 2017 by Cofense in PhishingPhishing Defense Center

Throughout April, our Phishing Defense Team observed an increase in malicious URLs that deliver the financial crimes and botnet trojan known as Geodo. These emails take a simple approach to social engineering, using just a sentence or two prompting the victim to click on a link to see a report or invoice that has been sent to them. An example of a typical phishing email used in these attacks is shown below: Following the malicious links will lead the victim to download a hostile JavaScript application or PDF document tasked with obtaining and executing Geodo malware. One common attribute of...

READ MORE

Does your Incident Response Plan include Phishing?

April 20, 2017 by Cofense in Cyber Incident ResponsePhishingPhishing Defense Center

It’s no secret that 90% of breaches start with a phishing attack. The question is: are you prepared to recognize phishing and respond to it? Many organizations are concerned with how much spam they receive and implement controls specific to spam. But you shouldn’t confuse preventing spam with responding to phishing attacks.

READ MORE

Wide-Spread Ursnif Campaign Goes Live

April 11, 2017 by Cofense in Phishing Defense Center

On April 5th, our Phishing Defense Center received a flurry of emails with subject line following a pattern of Lastname, firstname. Attached to each email was a password-protected .docx Word document with an embedded OLE package. In all cases the attachments were password protected to decrease the likelihood of detection by automated analysis tools. A password was provided to the victim in the body of the email which attempts to lure the victim into opening the malicious attachment and to increase the apparent legitimacy of the message. 

READ MORE

W-2 Fraud – Tax Season and All Year Long

April 4, 2017 by Cofense in Phishing Defense Center

It’s the time of year when Taxes are on everyone’s mind – especially Phishers! The stress of filing.  The stress of gathering all the documents.  The stress of reporting.  The stress of the deadline.  All of that on top of everything else you have to do this time of year makes tax time phishing a favorite and highly successful annual event for phishing scams. However, once the filing is completed, it doesn’t mean the campaigns will stop.  W2 and CEO fraud are timeless phishing campaigns that run all year long.

READ MORE

Tales from the Trenches:  Loki Bot Malware

March 23, 2017 by Cofense in Phishing Defense Center

On March 15, 2017, our Phishing Defense Center observed several emails with the subject line “Request for quotation” pretending to award Shell Oil Company contracts – a very targeted subject tailored to the receiver. As with most phishing emails, there is a compelling call to action for the receiver, in this case a contract award from a well-known organization. And, an added bonus unknown to the receiver, the emails also contained a malicious attachment designed to siphon data from its targets. Included is an example of one of these emails along with basic Triage header information. Each email analyzed contained instructions...

READ MORE

We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our Privacy Policy. By clicking ‘I Understand,’ you acknowledge and consent to our use of all cookies on our website.

Cookie settings

Below you can choose which kind of cookies you allow on this website. Click on the "Save cookie settings" button to apply your choice.

FunctionalOur website uses functional cookies. These cookies are necessary to let our website work.

OtherOur website places 3rd party cookies from other 3rd party services which aren't Analytical, Social media or Advertising.