Uncomfortable Truth #2 about Phishing Defense

In Part 1, we explored the uncomfortable truth that no matter how good your perimeter controls, malicious emails still reach the inbox. While security technologies do a great job of telling us about the attacks they have stopped, they do a poor job of telling us about the threats they have let through. This segues nicely into: 

Uncomfortable Truth #2: You cannot defend against attacks you cannot see. 

Visibility is a core tenet of any security operations center. Afterall, if a SOC has no visibility of an attack, they cannot mitigate it.  As the threat landscape evolves, organizations deploy more and more layers of technology – panacea-promising point products aimed at the threat du jour. Sometimes these products generate so much noise they create a fog that obscures the threat. Sometimes they just don’t realize it’s there at all. 

If some of the controls we have in place to protect us from phishing threats are failing to deliver on their promises, what next? I’m certainly not advocating that we rip out our secure email gateways and ditch them into the dumpster of derision. As I said in part 1, they do a good job of stopping known threats and patterns, and I for one am grateful for them stopping unwanted and unsolicited spam reaching my inbox 

Yet I’ve had many conversations with people who are placing blind faith in the promises of technical controls to keep them safe from phishing. While such enthusiasm is admirable, in this context it’s misplaced. The scale and sheer pace of evolution within the phishing threat landscape means that like any other control, it’s not going to be 100% effective. Bad stuff will get through, right under your noses. 

Therefore, we have to remember that when technology fails, the only sensor that can give us visibility of attacks that have bypassed perimeter controls is the recipient themselves. Yet visibility of an attack is more than merely getting a report of a suspicious email from an end user. In future posts, we’ll look at this in more detail, and discuss enabling and empowering users to report suspicious emails, along with the capabilities needed to get visibility of phishing attacks. 

 Next up: Uncomfortable Truth #3 – The best security awareness program in the world will NEVER deliver a zero click rate. Until then, learn more about the expertise of Cofense Phishing Defense Center.  

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Uncomfortable Truth #1 about Phishing Defense

Part 1 of a 5-Part Series   

The threat posed by phishing is not new. For many years, the media and research papers have been littered with examples of data breaches that have been traced back to phishing attacks.  

Organizations have attempted to tackle the threat through investments in next-gen technologies and increased employee awareness training. Despite these efforts, the threat has not receded, in fact, it’s become more sophisticated and more effective.  

It’s time for organizations to accept some uncomfortable truths about routine approaches to phishing defence and think differently – understanding that REAL phish are the REAL problem. In this blog series, we’ll explore these uncomfortable truths and perhaps challenge conventional thinking. Ultimately, we’ll aim to equip you with a refreshed perspective on how to stop phishing attacks in their tracks. 

 Uncomfortable Truth #1 – No matter how good your perimeter defenses, phishing emails are still reaching the inbox. 

Contrary to much of the marketing hype we see in the cybersecurity industry, technology does not, and cannot, stop all phishing emails from reaching a user’s inbox. Sure, technologies like secure email gateways do a good job at stopping known threats and risk patterns, and machine learning and artificial intelligence may live up to expectations for certain attack types such as business email compromise.  

But, and it’s a big but, as defensive technologies become more pervasive, threat actors simply evolve their tactics and techniques to neutralise them. Added to that, any security control is a balance of protection over usability – i.e. being frictionless to the user. Here at Cofense, we see this every day.  

The Cofense Phishing Defense Center currently receives and analyzes suspicious emails from some 2 million enterprise users globally. That’s quite a network of human sensors. 1 in 7 of the emails reported by these users is found to have malicious content. The important thing to remember is that every email our analysts examine has bypassed one or more layers of technical controls that were put in place to prevent threats from reaching the inbox. 

The tactics and techniques used to maximize chances of successful delivery and payload execution are evolving all the time. Some of these tactics pit technology against technology, while others remain surprisingly low tech.  

Waxing Lyrical about the Brazilian Phish.  

Recently, the Cofense Phishing Defense Center began receiving reported emails that followed the somewhat unimaginative but proven theme of ‘Attached Invoice.’ Upon analysis, the attachment appeared benign – no malicious behavior was observed.  

However, it had all the hallmarks of a phish, and the analysts could see more reports arriving – all from Brazil. With this in mind, they put on their metaphorical Brazilian hat, and gave their analysis workstation a Brazilian IP address.   

This time, upon execution, the analysts observed different behavior with the attachment. A connection was made to payload infrastructure, and a malicious script was downloaded. The script didn’t execute, but deeper analysis identified further location validation checks. After configuring the analysis workstation with a Brazilian locale and keyboard layout, the sample was executed again, and, voila, IOCs were captured. The net result? Automated analysis would have had a hard time identifying this threat, as this customer’s perimeter controls clearly did.  

Zombie Apocalypse. Now. 

Here’s another example of how phishing tactics evolve. Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date, and now there is a weird error message. 

Meet the Zombie Phish, a devious tactic that revives a long-dead email conversation.
Fraudsters hijack a compromised email account, and using that account’s inbox, reply to dormant conversations with a phishing link or malicious attachment. Because the subject of the email is directly relevant to the victim, a curious click is highly likely to occur. 

These types of attacks are dangerous as they can involve internaltointernal communication, or communication between trusted third parties. When combined with other techniques such as malicious content being hosted in cloud-sharing services like Dropbox, OneDrive, or Sharepoint.com, inline controls can be rendered ineffective. Learn more about this attack in this Cofense blog: Re: The Zombie Phish

Next in this series: Uncomfortable Truth #2: You cannot defend against attacks you cannot see. In the meantime, learn more about the expertise of Cofense Phishing Defense Center.  

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

This Company Turned a Phishing Attack into a Teachable Moment

You’ve read it on this blog before. It’s not enough to simulate phishing emails and raise employees’ awareness. At the end of the day, you need to be able to stop real attacks. One key: basing simulations on phishing threats you actually see in your organization.

Following is a real example of one CofenseTM customer that took these words to heart. This company is global. It operates in an extremely data-rich industry that stores Social Security numbers, email addresses, credit card information, and more. In other words, they have a lot to protect.

First, the company leveraged information from a real credential phishing attack.

This company trains its employees to recognize and report phishing. The team responsible for the anti-phishing program took advantage of a monthly report from the Cofense Phishing Defense Center (PDC), which analyzes and escalates user-reported emails to alert customers immediately to verified phishing threats.

The monthly report described a phishing email, one seen in a different industry, that asked users to perform an urgent network upgrade. “Action required”—just click a link. Upon clicking, users would be taken to a site where they would enter their network credentials.

The Cofense PDC sees hundreds of thousands of similar emails targeting customers each year. Here’s a sample:

Next, they simulated the attack to educate employees.

Credential phishing is an epidemic. To help their employees spot a credential phishing attack, the company decided to use this real attack to craft a simulation. Here’s what the simulated email looked like:

As you can see, the simulated phishing email used a header very similar to the email seen in the wild.

Armed with other details from the real phish, including the full body of the message, the company sent this simulation to high-value targets—employees with elevated credentials, the “keys to the kingdom.” It’s smart to focus on these employees, just like attackers do.

The results were encouraging. The ratio of employees reporting the simulated phish versus those that fell susceptible was greater than 1:1. It was a good start. With continued simulations, the rate should increase and show better resiliency to credential phishing.

To repeat, it’s good to condition employees to report phishing emails. It’s even better to have them practice against the real deal, so they can help stop it before real damage is done.

To learn more about the growth of credential phishing, view the Cofense State of Phishing Defense 2018 report.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

We’re Making It Easy for MSSP’s to Deliver Phishing Defense

By John McCabe

We’re Making It Easy for MSSP’s to Deliver Phishing Defense

A new Cofense™ Managed Security Service Provider (MSSP) program makes it easy for service providers to offer phishing defense to small and medium-sized businesses. Phishing is a huge problem for SMB’s. With limited budget and expertise, they’re often targets of spear phishing, ransomware, and other attacks.

Major US Financial Institutions Imitated in Advanced Geodo/Emotet Phishing Lures that Appear More Authentic by Containing ProofPoint URL Wrapped Links

By Darrel Rendell, Mollie MacDougall, and Max Gannon

Cofense IntelligenceTM has observed Geodo (also known as Emotet) malware campaigns that are effectively spoofing major US financial institutions in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service. This adds an air of legitimacy to the casual observer, designed to increase the chances of malware infection.

Figures 1 and 2 provide examples of the template and URL wrapping. Cofense Intelligence assesses the improved phishing templates are likely based upon data pilfered with a recently updated scraper module to spoof US financial institutions so effectively.

Figure 1: email template spoofing a major US financial institution

Figure 2: Proofpoint’s URL Wrapping service appearing within this campaign

After a month-long hiatus, Geodo returned on November 6th, 2018 with upgrades to its spamming module, supplementing existing capabilities – namely contact list and signature block theft – with functionality enabling the theft of up to 16KB of raw emails and threads. Although the exact reason for this module upgrade was unclear, Cofense Intelligence assessed it would either be used to bolster the actors’ social engineering efforts, using the stolen data to refine Geodo phishing templates, or for direct revenue generation – selling the raw message content to the highest bidder.  Today, it appears the initial prediction was correct.

The campaign observed on November 13th was, in many ways, a standard Geodo campaign: messages distributed en masse to targets across the globe, spoofing a known and trusted organization, containing URLs (Table 1) pointing to Word documents containing hostile macros (Table 2). When executed, these macros retrieve a fresh sample of Geodo from one of five compromised web servers and execute it on the machine. As has become increasingly common with Geodo campaigns, the malware functioned as a downloader for other payloads, in this case retrieving a sample of IcedID.

IcedID shares some basic behavior with TrickBot—another prolific banking trojan turned multipurpose botnet. However, IcedID targets both investment and financial institutions as well as several bank holding companies many of which even TrickBot does not target, as TrickBot is much less focused on investment banks or smaller US commercial banks. An example of an IcedID spoofed login page for a regional US bank can be seen in Figure 3.

Figure 3: a spoofed login page for a regional bank that led to a Geodo and subsequent IcedID payload

Geodo has always been a formidable botnet and continues to grow. During tracking, we have seen at least 20,000 credentials added to the list of credentials used by the botnet clients each week along with millions upon millions of recipients. The introduction of this new module has had clear and dramatic effects on the sophistication and efficacy of this social engineering effort. In July, Geodo began including more sophisticated phishing lures, imitating US banks and including graphics that made the emails look less generic and more convincing.

This most recent campaign demonstrated a shocking improvement from that initial upgrade, demonstrating the value of the email scraping module. Considering that where Geodo goes, TrickBot often follows, we are concerned that this type of module will show up in other malware campaigns. The new inclusion of ProofPoint URLs wrapped with URL Defense adds an additional false sense of security to a user and may indicate the malware scraped the wrapped URLs from a compromised user.

Several members of the Cofense Intelligence team discussed Geodo in a recent open customer call. Any customers who were unable to attend are welcome to email mark.adams@cofense.com for a recording.

Cofense is also offering a complimentary Domain Impact Assessment, powered by the Cofense Research and Intelligence teams, for any organization that may be affected by this Geodo update. Learn more here.

Table 1: Payload URLs observed during this campaign

Table 2: Files associated with this campaign

Table 3: Command and Control infrastructure identified during this campaign

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Ouch! Our Report Shows Why the Healthcare Industry Needs Better Phishing Defense

Cofense™ released new research last week on phishing in the healthcare industry. It’s one of those industries that routinely gets hammered by phishing and data breaches. In fact, according to Verizon’s most recent Data Breach Investigations Report, over a third of all breaches target healthcare companies1. One recently reported example: the phishing attack on the Augusta University healthcare system, which triggered a breach that may have compromised the confidential records of nearly half a million people.

None of this is surprising, considering that healthcare lives and breathes data. But our research also found this:

Healthcare lags behind other industries in resiliency to phishing.

This is a cross-industry comparison of healthcare and 20 other major verticals like financial services, energy, technology, and manufacturing. Healthcare’s ratio of email reporting vs. phishing susceptibility shows a meager resiliency rate of 1.34. By contrast, the energy industry’s rate is 4.01 and financial services’ is 2.52.

The Cofense report reveals lots more:

  • Further details on healthcare resiliency to phishing
  • The phishing simulations that fool healthcare employees the most
  • A breakdown of real phishing emails received by healthcare companies
  • A look at crimeware rates among select healthcare organizations

Cofense solutions are helping healthcare companies stop phishing attacks.

Our new report also examines how one healthcare company stopped a phishing attack in 19 minutes. The company uses Cofense solutions for phishing awareness and reporting, plus incident response and threat intelligence. Their complete, collaborative phishing defense prevented a costly breach.

Make sure you’re ready, too. View the report now!

To learn even more about healthcare and phishing, check out our Healthcare Resources Center where you’ll find videos, case studies, white papers, expert blogs, and more.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

 

  1. Verizon, 2018.

How to Protect Against Phishing Attacks that Follow Natural Disasters

By Aaron Riley and Darrel Rendell

With Hurricane Florence battering parts of the East Coast, here’s a reminder that phishing campaigns sometimes pretend to promote natural-disaster relief efforts in hopes of successfully compromising their target. Cofense IntelligenceTM has analyzed plenty of these campaigns, which are designed to entice the end user into credential theft or endpoint infection.

Cofense Shortlisted for Three UK Computing Technology Product Awards

We are delighted to share the news that CofenseTM has been shortlisted for not just one but three Computing Technology Product Awards! Some of the most prestigious awards on the UK IT industry’s calendar, the Computing Technology Product Awards aim to recognise the very best in technology and shine a spotlight on the winners.

Following are the categories we are shortlisted for.

Best Business Security Provider

This recognizes our history and reputation in defining and leading the space. Since 2007, Cofense has pioneered the phishing defense industry. While we began in phishing awareness with what was then called PhishMe Simulator™, we’ve since innovated in phishing reporting, phishing incident response, and phishing intelligence. Our rebranding as Cofense earlier this year underscored the ways we deliver a complete, collective defense against phishing attacks in progress.

Best Security Product for SMB

We got the nod here for Cofense PhishMe FreeTM, our entry-level product for businesses with 500 employees or less. Roughly half of all cyber-attacks target small businesses. A similar percentage of SMBs have experienced an attack or breach in the past 12 months. PhishMe Free enables those with small budgets and limited staff to condition users to recognize and report phishing. Though it costs nothing, it comes with deep educational content, plus the reporting and analytics to grasp performance and exposure.

Customer Project of the Year

We’re especially proud of this one. It recognizes our mission to combat cyber-threats with a major university in London. The university picked Cofense to empower over 20,000 staff and students to be an active line of defence and source of attack intelligence in its fight against cybercrime. The university has deployed solutions across the Cofense product line: Cofense PhishMeTM, our phishing awareness solution; Cofense ReporterTM, our one-click email reporting button; and Cofense TriageTM, our automated phishing incident response platform.

Universities are hit with hundreds of successful cyber-attacks each year. Upping the difficulty factor, universities have a constantly shifting user base of students, administrators, and teachers—a moving target for security teams trying to protect data, valuable research and other intellectual property. For a detailed view of our work with City, University of London, read this article by Cofense Cofounder and CTO Aaron Higbee.

For nearly 40 years, Computing has assessed and reported on IT solutions, earning industry-wide respect from both vendors and end-users. These readers will be voting to determine this year’s winners after the final round of judging has been completed in September.

So, watch this space—next time we hope to be asking for your vote!

Learn more about the Cofense suite of phishing defense solutions.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.