Products
Products
Response
Intelligence
About Cofense
About Cofense
Leadership

Cofense Phishing Prevention & Email Security Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

Houdini Worm Transformed in New Phishing Attack

June 14, 2019 by Cofense in Threat IntelligencePhishing Defense CenterSEG MissesSymantec

By Nick Guarino and Aaron Riley The Cofense Phishing Defense Center™ (PDC)  and Cofense Intelligence™ have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing. Figure 1 shows an example message from this campaign.

READ MORE

Cofense Report: 90% of Verified Phish Found in Environments Using Email Gateways

June 10, 2019 by Cofense in Cyber Incident ResponseSEG Misses

By Kaustubh Jagtap Our recently released 2019 Phishing Threat and Malware Review highlights how perimeter protection technologies can’t stop all advanced phishing threats. Email gateways are a critical first line of defense, but as attackers have continued to innovate gateways haven’t kept up.  The CofenseTM report also underscores the importance of human intelligence to identify these advanced attacks once they make it past gateways. Trained users can effectively detect and report advanced phishing to allow SOC teams to accelerate incident response. Credential Phish Are the Most Common Threat 90% of verified phishing emails were found in environments using email gateways....

READ MORE

The Zombie Phish Is Back with a Vengeance

June 4, 2019 by Milo Salvia in Phishing Defense CenterSEG MissesSymantec

Keep a close on your inboxes—the Zombie Phish is back and it’s hitting hard. Last October, on the eve of Halloween, the CofenseTM Phishing Defense CenterTM reported on a new phishing threat dubbed the Zombie Phish. This phish spreads much like a traditional worm. Once a mailbox’s credentials have been compromised, the bot will reply to long-dead emails (hence, Zombie) in the inbox of the infected account, sending a generic phishing email intended to harvest more victims for the Zombie hoard.

READ MORE

New Phishing Attacks Use PDF Docs to Slither Past the Gateway

May 30, 2019 by Cofense in Cyber Incident ResponseMimecastSEG Misses

By Deron Dasilva and Milo Salvia Last week, the CofenseTM Phishing Defense CenterTM saw a new barrage of phishing attacks hiding in legitimate PDF documents, a ruse to bypass the email gateway and reach a victim’s mailbox. The attacks masquerade as a trusted entity, duping victims into opening what appears to be a trusted link, which in turn leads to a fake Microsoft login page. Once there, victims are tricked into providing their corporate login credentials.

READ MORE

Patch or Pass? CVE-2017-11882 Is a Security Conundrum

May 29, 2019 by Max Gannon in Threat Intelligence

CISO Summary Since the latter part of 2018, threat actors have increasingly exploited two Microsoft vulnerabilities: CVE-2017-11882 and CVE-2018-0802. The first of these is especially popular. Cofense IntelligenceTM has seen it surge ahead of Microsoft macros as a favorite malware delivery method. CVE-2017-11882 is an older vulnerability that in fact has a patch. However, it presents a conundrum for security teams that haven’t addressed the problem. They can choose to skip the patching, live with the risks, and keep on using the legacy program. Or they can update, patch, and lose the application entirely to gain much better security. In...

READ MORE

Pretty Pictures Sometimes Disguise Ugly Executables

May 15, 2019 by Max Gannon in Threat Intelligence

CISO Summary Reaching deep into their bag of tricks to avoid detection, phishing emails and threat actors are using an oldie but goodie— packing image files (think tropical beach scenes) with malicious executables, usually a .jpg. The technique allows attackers to avoid detection by some anti-virus programs that merely recognize a file as an image, but don’t check its full contents. This vintage tactic works—threat actors still use it a lot. Anti-virus systems rely on file headers to detect malware. Tuning systems to rely less on file headers is difficult and sometimes impossible. One counter-measure that does work: educate employees...

READ MORE

NanoCore Variant Delivered Through UUE Files

September 8, 2017 by Marcel Feller in Phishing Defense CenterMalware AnalysisPhishing

Over the past few weeks, our Phishing Defense Center has observed several emails with malicious PDF attachments that prompt the user to download a .UUE file from Dropbox. UUE files (Unix to Unix Encoding) are files encoded with uuencode, a program that converts binary files to text format for easy transfer while still allowing for the files to be easily opened using Winzip or similar un-archiving applications. When file extensions are not displayed in Windows, the downloaded file looks like any other compressed file (as shown in Figure 1), which makes it harder to spot that this file is indeed...

READ MORE

Threat Actor Employs Hawkeye Malware with Multiple Infection Vectors

July 24, 2017 by Cofense in Phishing Defense CenterInternet Security AwarenessMalware Analysis

On July 13, 2017, the Phishing Defense Center reviewed a phishing campaign delivering Hawkeye, a stealthy keylogger, disguised as a quote from the Pakistani government’s employee housing society. Although actually a portable executable file [1], once downloaded, it masquerades its icon as a PDF. 

READ MORE

Threat Actors Leverage CVE 2017-0199 to Deliver Zeus Panda via Smoke Loader

June 22, 2017 by Cofense in Malware AnalysisPhishingPhishing Defense Center

Our Phishing Defense Center identified and responded to attacks leveraging a relatively new Microsoft Office vulnerability during the past few weeks. Last week, the PDC observed threat actors exploiting CVE 2017-0199 to deliver the Smoke Loader malware downloader which in turn was used to deliver the Zeus Panda botnet malware. These emails claim to deliver an invoice for an “outstanding balance” and trick the recipient to opening the attached file. In one instance, we have also seen the malicious attachment being delivered via URL.

READ MORE

SMILE – New PayPal Phish Has Victims Sending Them a Selfie

June 15, 2017 by Cofense in Phishing Defense CenterMalware AnalysisPhishing

Phishing scams masquerading as PayPal are unfortunately commonplace. Most recently, the PhishMe Triage™ Managed Phishing Defense Center noticed a handful of campaigns using a new tactic for advanced PayPal credential phishing. The phishing website looks very authentic compared to off-the-shelf crimeware phishing kits, but also levels-up by asking for a photo of the victim holding their ID and credit card, presumably to create cryptocurrency accounts to launder money stolen from victims.

READ MORE

New Phishing Emails Deliver Malicious .ISO Files to Evade Detection

May 26, 2017 by Cofense in Malware AnalysisPhishingPhishing Defense Center

On May 22, 2017, PhishMe® received several emails with .ISO images as attachments via the Phishing Defense Center. ISO images are typically used as an archive format for the content of an optical disk and are often utilized as the installers for operating system. However, in this case, a threat actor leveraged this archive format as a means to deliver malware content to the recipients of their phishing email. Analysis of the attachments showed that this archive format was abused to deliver malicious AutoIT scripts hidden within a PE file that appears to be a Microsoft Office Document file, which...

READ MORE

FBI Announces That BEC Scam Losses Continue to Skyrocket, as Losses Exceed $3.1B

May 19, 2017 by Cofense in Phishing Defense CenterMalware AnalysisPhishing

Financial losses from business email compromise (BEC) scams skyrocketed by 2,370% between January 2015 and December 2016, according to an FBI public service announcement released Thursday. The alarming statistic represents a sharp increase from the agency’s previous announcement, serving as a warning to users to stay vigilant in recognizing the threat.  

READ MORE

Tales from the Trenches: DocuSign® DELoader Phishing Attack

May 17, 2017 by Cofense in Phishing Defense CenterInternet Security AwarenessMalware Analysis

Over the past several days, the Phishing Defense Center identified and responded to several messages related to an ongoing phishing email campaign spoofing DocuSign to carry out an attack. These messages appear to be official DocuSign emails including links to review the document. Upon clicking the link, various malicious files are downloaded to the victim’s computer including the DELoader financial crimes malware.

READ MORE

Google Doc Phishing Attack Hits Fast and Hard

May 3, 2017 by Cofense in PhishingPhishing Defense Center

Google Doc Campaign Makes a Mark In the process of managing phishing threats for our customers, our Phishing Defense Center and PhishMe Intelligence teams saw a flood of suspicious emails with subject line stating that someone has “has shared a document on Google Docs with you”, which contained a link to “Open in Docs”. The “Open in Docs” link goes to one of several URLs all within the https://accounts.google.com website.

READ MORE

April Sees Spikes in Geodo Botnet Trojan

May 2, 2017 by Cofense in PhishingPhishing Defense Center

Throughout April, our Phishing Defense Team observed an increase in malicious URLs that deliver the financial crimes and botnet trojan known as Geodo. These emails take a simple approach to social engineering, using just a sentence or two prompting the victim to click on a link to see a report or invoice that has been sent to them. An example of a typical phishing email used in these attacks is shown below: Following the malicious links will lead the victim to download a hostile JavaScript application or PDF document tasked with obtaining and executing Geodo malware. One common attribute of...

READ MORE