
COFENSE PHISHING PREVENTION & EMAIL SECURITY BLOG

Locky – New Malware Borrowing Ideas From Dridex and Other Ransomware

February 17, 2016 by Cofense in Phishing

On February 16, 2016, PhishMe’s Intelligence team identified several very large sets of emails delivering Word documents containing macro scripts used to download a malware payload. This malware delivery technique has been ubiquitous among many threat actors over the past year but has been used most prolifically by the threat actors delivering the Dridex financial crimes trojan. The scope of Locky’s delivery in its first full day of deployment is staggering. As our friends at Palo Alto Networks have shown, over 400,000 endpoints around the world were affected by this encryption ransomware in mere hours. As we pointed out...

Dridex Experimenting with New Attack Vectors

February 10, 2016 by Cofense in Phishing

A few weeks ago, we posted an article about how Dridex is experimenting with different families of malware and techniques. When one threat actor starts shifting TTPs, it’s usually a big deal. Attackers get comfortable in their infrastructure, some survive sinkholes, and they continue spamming or stealing money. Such a shift takes time, effort, and money on the attackers’ part. The part that people often forget is that attackers need people to maintain backends, code the malware, code panels, and patch exploits as researchers find them, or else they are going to be exploited by said researchers.

FluxerBot: Nginx Powered Proxy Malware

February 4, 2016 by Cofense in Phishing

What first appeared last week to be yet another malspam campaign spread solely to infect victims with Andromeda also downloaded some interesting second-stage payloads, including several keyloggers and what was later discovered to be labeled as the Fluxer proxybot. The initial malspam lures were written in Italian and informed victims that they had received an invoice as the message attachment. The attachment is a ZIP archive containing the Andromeda malware installer. More information about this campaign can be found by ThreatHQ customers in Threat ID 5316.

PhishMe® Triage Integrates with OpenDNS’ Investigate API for Intelligent Incident Response

January 28, 2016 by Cofense in Phishing

The APIs have it – Emphasis on ‘I’: Individuals, Integrate, Investigate, and Incident Response

Every day, PhishMe is helping enterprise employees change their behavior against the top threat leading to many of today’s high-profile breaches – phishing. Our customers empower their employees to report suspicious email, thereby creating a rich source of actionable intelligence for incident responders. Triage provides security operations center (SOC) analysts and incident responders a way to automate the identification, prioritization, and remediation of these phishing threats. This threat intelligence can then be shared with other teams to better protect your enterprise.

Phishing Scams Cost UK Consumers £174m In 2015

January 22, 2016 by Cofense in Phishing

In response to the findings that phishing scams cost UK consumers £174m last year, Ronnie Tokazowski, senior researcher at PhishMe, has the following comments.

Dridex, Pony, and Neutrino…oh my!

January 19, 2016 by Cofense in Phishing

From time to time, there will be an overlap with malware infrastructure where one attacker will compromise another attacker’s infrastructure. Typically, this is part of the “compromised infrastructure” which can fluctuate, and attackers have even been seen to uninstall one another’s malware. However, in this case, we strongly believe that the actors are experimenting with Dridex, Pony, and Neutrino.

Translation Update: How to Pwn an Electric Company (or Anyone Else, for That Matter)

January 6, 2016 by Cofense in Phishing

1/13/2016 Update: The blog has been updated to reflect the translation of the BlackEnergy word document. On January 4th, ESET released an amazing blog post about the BlackEnergy Trojan being used to attack power companies in the Ukraine to knock out the power in some areas. While this is not the first time we’ve seen cyber attacks become kinetic, the BlackEnergy attacks could have been prevented.

Enterprise Phishing Susceptibility Analysis

December 21, 2015 by Cofense in Phishing

Analysis overview:
- 8 million emails over a 13-month span
- 75% of organizations are training more than 1,000 employees
- Representing organizations from the US (86%) and Europe (14%)
- Representing 23 industries

Tackling a mountain of unmined data in search of answers can be a daunting task. Starting from scratch, we understood that we would likely face challenges to our preconceived notions of what works well and were prepared to accept what the data would tell us, however challenging it might be. Our goals were simply to understand what and how much data was available for analysis. We began with basic questions:...

Using RTF Files as a Delivery Vector for Malware

December 9, 2015 by Cofense in Phishing

During malware analysis we often see attackers using features in creative ways to deliver and obfuscate malware. We’ve recently seen an increase in samples leveraging RTF temp files as a delivery method to encapsulate and drop malware.