Major US Financial Institutions Imitated in Advanced Geodo/Emotet Phishing Lures that Appear More Authentic by Containing ProofPoint URL Wrapped Links

By Darrel Rendell, Mollie MacDougall, and Max Gannon

Cofense IntelligenceTM has observed Geodo (also known as Emotet) malware campaigns that are effectively spoofing major US financial institutions in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service. This adds an air of legitimacy to the casual observer, designed to increase the chances of malware infection.

Figures 1 and 2 provide examples of the template and URL wrapping. Cofense Intelligence assesses the improved phishing templates are likely based upon data pilfered with a recently updated scraper module to spoof US financial institutions so effectively.

Figure 1: email template spoofing a major US financial institution

Figure 2: Proofpoint’s URL Wrapping service appearing within this campaign

After a month-long hiatus, Geodo returned on November 6th, 2018 with upgrades to its spamming module, supplementing existing capabilities – namely contact list and signature block theft – with functionality enabling the theft of up to 16KB of raw emails and threads. Although the exact reason for this module upgrade was unclear, Cofense Intelligence assessed it would either be used to bolster the actors’ social engineering efforts, using the stolen data to refine Geodo phishing templates, or for direct revenue generation – selling the raw message content to the highest bidder.  Today, it appears the initial prediction was correct.

The campaign observed on November 13th was, in many ways, a standard Geodo campaign: messages distributed en masse to targets across the globe, spoofing a known and trusted organization, containing URLs (Table 1) pointing to Word documents containing hostile macros (Table 2). When executed, these macros retrieve a fresh sample of Geodo from one of five compromised web servers and execute it on the machine. As has become increasingly common with Geodo campaigns, the malware functioned as a downloader for other payloads, in this case retrieving a sample of IcedID.

IcedID shares some basic behavior with TrickBot—another prolific banking trojan turned multipurpose botnet. However, IcedID targets both investment and financial institutions as well as several bank holding companies many of which even TrickBot does not target, as TrickBot is much less focused on investment banks or smaller US commercial banks. An example of an IcedID spoofed login page for a regional US bank can be seen in Figure 3.

Figure 3: a spoofed login page for a regional bank that led to a Geodo and subsequent IcedID payload

Geodo has always been a formidable botnet and continues to grow. During tracking, we have seen at least 20,000 credentials added to the list of credentials used by the botnet clients each week along with millions upon millions of recipients. The introduction of this new module has had clear and dramatic effects on the sophistication and efficacy of this social engineering effort. In July, Geodo began including more sophisticated phishing lures, imitating US banks and including graphics that made the emails look less generic and more convincing.

This most recent campaign demonstrated a shocking improvement from that initial upgrade, demonstrating the value of the email scraping module. Considering that where Geodo goes, TrickBot often follows, we are concerned that this type of module will show up in other malware campaigns. The new inclusion of ProofPoint URLs wrapped with URL Defense adds an additional false sense of security to a user and may indicate the malware scraped the wrapped URLs from a compromised user.

Several members of the Cofense Intelligence team discussed Geodo in a recent open customer call. Any customers who were unable to attend are welcome to email mark.adams@cofense.com for a recording.

Cofense is also offering a complimentary Domain Impact Assessment, powered by the Cofense Research and Intelligence teams, for any organization that may be affected by this Geodo update. Learn more here.

Table 1: Payload URLs observed during this campaign

Table 2: Files associated with this campaign

Table 3: Command and Control infrastructure identified during this campaign

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Ouch! Our Report Shows Why the Healthcare Industry Needs Better Phishing Defense

Cofense™ released new research last week on phishing in the healthcare industry. It’s one of those industries that routinely gets hammered by phishing and data breaches. In fact, according to Verizon’s most recent Data Breach Investigations Report, over a third of all breaches target healthcare companies1. One recently reported example: the phishing attack on the Augusta University healthcare system, which triggered a breach that may have compromised the confidential records of nearly half a million people.

None of this is surprising, considering that healthcare lives and breathes data. But our research also found this:

Healthcare lags behind other industries in resiliency to phishing.

This is a cross-industry comparison of healthcare and 20 other major verticals like financial services, energy, technology, and manufacturing. Healthcare’s ratio of email reporting vs. phishing susceptibility shows a meager resiliency rate of 1.34. By contrast, the energy industry’s rate is 4.01 and financial services’ is 2.52.

The Cofense report reveals lots more:

  • Further details on healthcare resiliency to phishing
  • The phishing simulations that fool healthcare employees the most
  • A breakdown of real phishing emails received by healthcare companies
  • A look at crimeware rates among select healthcare organizations

Cofense solutions are helping healthcare companies stop phishing attacks.

Our new report also examines how one healthcare company stopped a phishing attack in 19 minutes. The company uses Cofense solutions for phishing awareness and reporting, plus incident response and threat intelligence. Their complete, collaborative phishing defense prevented a costly breach.

Make sure you’re ready, too. View the report now!

To learn even more about healthcare and phishing, check out our Healthcare Resources Center where you’ll find videos, case studies, white papers, expert blogs, and more.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

 

  1. Verizon, 2018.

How to Protect Against Phishing Attacks that Follow Natural Disasters

By Aaron Riley and Darrel Rendell

With Hurricane Florence battering parts of the East Coast, here’s a reminder that phishing campaigns sometimes pretend to promote natural-disaster relief efforts in hopes of successfully compromising their target. Cofense IntelligenceTM has analyzed plenty of these campaigns, which are designed to entice the end user into credential theft or endpoint infection.

Cofense Shortlisted for Three UK Computing Technology Product Awards

We are delighted to share the news that CofenseTM has been shortlisted for not just one but three Computing Technology Product Awards! Some of the most prestigious awards on the UK IT industry’s calendar, the Computing Technology Product Awards aim to recognise the very best in technology and shine a spotlight on the winners.

Following are the categories we are shortlisted for.

Best Business Security Provider

This recognizes our history and reputation in defining and leading the space. Since 2007, Cofense has pioneered the phishing defense industry. While we began in phishing awareness with what was then called PhishMe Simulator™, we’ve since innovated in phishing reporting, phishing incident response, and phishing intelligence. Our rebranding as Cofense earlier this year underscored the ways we deliver a complete, collective defense against phishing attacks in progress.

Best Security Product for SMB

We got the nod here for Cofense PhishMe FreeTM, our entry-level product for businesses with 500 employees or less. Roughly half of all cyber-attacks target small businesses. A similar percentage of SMBs have experienced an attack or breach in the past 12 months. PhishMe Free enables those with small budgets and limited staff to condition users to recognize and report phishing. Though it costs nothing, it comes with deep educational content, plus the reporting and analytics to grasp performance and exposure.

Customer Project of the Year

We’re especially proud of this one. It recognizes our mission to combat cyber-threats with a major university in London. The university picked Cofense to empower over 20,000 staff and students to be an active line of defence and source of attack intelligence in its fight against cybercrime. The university has deployed solutions across the Cofense product line: Cofense PhishMeTM, our phishing awareness solution; Cofense ReporterTM, our one-click email reporting button; and Cofense TriageTM, our automated phishing incident response platform.

Universities are hit with hundreds of successful cyber-attacks each year. Upping the difficulty factor, universities have a constantly shifting user base of students, administrators, and teachers—a moving target for security teams trying to protect data, valuable research and other intellectual property. For a detailed view of our work with City, University of London, read this article by Cofense Cofounder and CTO Aaron Higbee.

For nearly 40 years, Computing has assessed and reported on IT solutions, earning industry-wide respect from both vendors and end-users. These readers will be voting to determine this year’s winners after the final round of judging has been completed in September.

So, watch this space—next time we hope to be asking for your vote!

Learn more about the Cofense suite of phishing defense solutions.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Doubling Down on PhishMe with New Features and Awareness Focus

Back in 2008, Cofense™ (PhishMe®) pretty much invented the phishing awareness industry when we unveiled the first phishing simulation program for businesses. Cofense PhishMe™ made it easy to condition employees to recognize and report phishing emails and today, over 27 million (and counting) end users in 160 countries, including employees at half the Fortune 100, rely on our expertise.