New Name, Same People, Stronger Balance Sheet

Rohyt Belani, CEO & Co-founder, Cofense

So far, it’s been a very exciting 2018 here at Cofense, with our recent acquisition and announcement of our new name and brand. We continued performing well as a company and launching numerous new features across our products. 

For this financial services company, tougher simulations hardened phishing resiliency

After introducing Cofense PhishMeTM and Cofense ReporterTM, a financial services company had reduced susceptibility to 10% or lower across its 10,000+ employees. At the same time, reporting had climbed to almost 50% for data-entry simulated phishes and just under 25% for click-only.

In other words, employees had learned to identify basic phishing attacks.

Sometimes you need to “turn up the heat.”

The company’s CISO realized it was time to use more complex scenarios to further harden resiliency. The CISO pointed out that attackers don’t ask permission to launch sophisticated attacks, so the company had to be ready for anything.

To make scenarios tougher, the company added its branding to simulated phishes, plus mirrored complex phishing attacks it had seen in the wild. By upping the difficulty, the company figured susceptibility would increase, at least temporarily.

That’s exactly what happened. A phishing email pretending to be about manager evaluations, a scenario common to most organizations, fooled nearly 37% of recipients. But a month later, another office-communication phish, relating to time-off requests, elicited a click rate of just 12%—evidence the company did a good job of educating employees, especially those who had clicked the month before.

Not only that, reporting levels held steady during the same period, remaining higher than rates of user susceptibility. In fact, in a recent simulation the first email was reported before anyone mistakenly clicked. In a real phishing attack, the reported email would have been actionable information incident responders could use.

Smart next steps.

The company anticipates that employees will keep getting better at spotting advanced phishes. As susceptibility rates level out, employees should expect to see even tougher scenarios.

Again, these will likely include emails based on active threats, in particular emails purporting to come from internal sources. According to Cofense’s 2017 Phishing Defense and Resiliency Report, these kinds of “business process” scenarios are among the most effective.

One great source of complex scenarios: Cofense IntelligenceTM, our phishing-specific threat intelligence which helps organizations stay in front of attacks. You can use this service’s insights to keep your scenarios relevant.

Important note: it’s wise to mix in complex scenarios vs. abandoning basic phishing scenarios altogether. Users need to prepare for both, since attacks come in all degrees of complexity. Also, you don’t want users to be afraid to open legitimate emails from HR or other teams. If you’re not sure about the right mix, Cofense’s Professional Service Team can help.

When it comes to battling phishing, you can never say “mission accomplished.” But refining your defenses like this client did is an accomplishment in itself.

Learn more about phishing defense in Cofense’s 2017 Phishing Resiliency and Defense Report.

Careful: This “life insurance invoice” contains the Ursnif malware

Over the past couple of days, the Cofense™ Phishing Defence Centre has observed multiple campaigns that prompt the user to download what appears to be a life insurance invoice. The “invoice” gets delivered in the form of a zip file that contains a LNK file with content crafted to create an effective malware downloader tool. The malware it delivers: Ursnif.

Triple threat: This phishing campaign used 3 separate vectors.


Cofense IntelligenceTM rarely sees a weaponized document that contains three separate vectors to launch an embedded payload. However, we recently observed a small phishing campaign that distributed an RTF which abuses two vulnerabilities and leverages social engineering in an attempt to execute a FormGrabber payload on the victim’s machine.

That Little Click Could Be Sending Your Browser to the Mines

Bitcoin and most other cryptocurrencies are based on the idea that coins can be generated by causing computers to solve a difficult problem.  The more CPU cycles an individual can dedicate towards the mining problem, the more likely the chance that they will create a new coin.   For years, botnets have scanned corporate networks for high-powered machines and installed Bitcoin or other cryptocurrency mining software on the fastest computers.

PhishMe is now Cofense.

On February 27th 2007, while on the phone with my friend and co-founder Rohyt Belani, I typed the name into GoDaddy™. We couldn’t believe our good luck and immediately registered it. As the co-founder who named this company PhishMe®, the emotional attachment is real. Somewhere in the pile of entrepreneurial startup books, I have a branding book that suggested your name is a vessel that should be big enough to carry your future products and services. We outgrew that boat quite some time ago.

Italian DHL-Themed Phishing leads to Ursnif, Spambot

PhishMe Intelligence™ recently intercepted a subtle, DHL-spoofing campaign delivering a heavily-obfuscated JavaScript file. When executed, this JavaScript file downloads and runs a variant of the Ursnif/Gozi-ISFB trojan. Ursnif, in addition to its banker and stealer pedigree, acts as a downloader to serve a nasty surprise to the infected system. This is the first time PhishMe Intelligence has observed Ursnif actively delivering a spambot onto an infected system. Given Ursnif’s usually stealthy tendencies, it is somewhat unusual to see such a pairing.