PhishMe® Triage Integrates with Recorded Future’s® OSINT Platform for Investigative Incident Response

Phishing Incident Response – Back to the Past, Present, and Recorded Future

Attackers like to boast about their accomplishments as well as announce their plans. They leave trails of evidence across the open web just waiting to be discovered, if you’re looking in the right places. Similarly, as events occur, researchers and those attacked begin to share information. Employees within our organizations are a primary target of attackers’ well-crafted spear phishing emails, some of which may stem from oversharing or whatever is personally newsworthy. Indicators of compromise (IOCs) help security teams in their incident response process. Has this been seen before? When did it start? Are there any indicators that this attack will be used again? This is valuable information to help determine the validity of the attack and what may be next.

PhishMe Blazes Extraordinary Pathway for Enterprise Phishing Defense as Finalist in the 2016 Tech Trailblazer Awards

We’re excited to announce that PhishMe has been named a finalist for the 2016 Tech Trailblazer Awards in the “Security Trailblazer” category. This prestigious award recognizes both established and up-and-coming startups.

At PhishMe, we strive to provide companies with a comprehensive, enterprise-class phishing defense solution – one that proactively engages every employee in the fight against phishing attacks and malware. Humans, such as employees, are the number one attack target for hackers because of the level of network access they can provide, making phishing one of the most prolific threat vectors used today. Without building a human layer of defense through the behavioral conditioning of employees to recognize potential threats, security teams cannot keep pace with the increasingly sophisticated onslaught of attacks.

PowerPoint and Custom Actions

We’ve recently observed a phishing attack which uses PowerPoint Custom Actions instead of macros to execute a malicious payload. Although using PowerPoint attachments is not new, these types of attacks are interesting as they generally bypass controls that trigger on macro-enabled Office attachments.

Locky – New Malware Borrowing Ideas From Dridex and Other Ransomware

On February 16, 2016, PhishMe’s Intelligence team identified a number of very large sets of emails delivering Word documents containing macro scripts used to download a malware payload. This malware delivery technique has been ubiquitous among many threat actors over the past year but has been most prolifically used by threat actors delivering the Dridex financial crimes trojan. The scope of Locky’s delivery in its first full day of deployment is staggering. As our friends at Palo Alto Networks have shown, over 400,000 endpoints around the world were affected by this encryption ransomware in mere hours. As we pointed out in our recent piece on Dridex, nearly three quarters of Dridex samples in 2015 were delivered using some form of Office document with macro scripts as a download tool.

Dridex Experimenting with New Attack Vectors

A few weeks ago, we posted an article about how Dridex is experimenting with different families of malware and techniques. When one threat actor starts shifting TTPs, it’s usually a big deal. Attackers get comfy in their infrastructure, some survive sinkholes, and they continue spamming or stealing money. One shift takes time, effort, and money on the attackers’ part. The part that people often forget is that attackers need people to maintain backends, code the malware, code panels, and patch exploits as researchers find them, or else they are going to be exploited by said researchers.

FluxerBot: Nginx Powered Proxy Malware

What first appeared last week to be yet another malspam campaign spread solely to infect victims with Andromeda also downloaded some interesting second-stage payloads, including several keyloggers and what was later discovered to be labeled the Fluxer proxybot. The initial malspam lures were written in Italian, informing victims that they had received an invoice as the message attachment. The attachment is a ZIP archive containing the Andromeda malware installer. More information about this campaign can be found by ThreatHQ customers in Threat ID 5316.

HMRC Phishing Messages Still a Threat

As the Self Assessment Tax Return deadline looms in the UK, PhishMe has warned of phishing messages purporting to be from HM Revenue and Customs (HMRC) circulating. While the number of campaigns* circulating in 2015 has decreased against previous years, the messages themselves still pose a threat due to their sophisticated and devious nature.
