One important task for threat actors is the pursuit of new and innovative techniques for infiltrating their victims’ networks. A major aspect of this pursuit is the selection of a malware that can accomplish the mission at hand. For example, a ransomware threat actor may seek out the ransomware tool that guarantees the highest rate of ransom payment. However, threat actors with different missions might seek out tools using different success criteria. Threat actors can experiment and transition between these tools because, in many ways, these malware varieties represent interchangeable parts in an attack life cycle.
On May 22, 2017, PhishMe® received several emails with .ISO images as attachments via the Phishing Defense Center. ISO images are typically used as an archive format for the content of an optical disk and are often utilized as the installers for operating system. However, in this case, a threat actor leveraged this archive format as a means to deliver malware content to the recipients of their phishing email. Analysis of the attachments showed that this archive format was abused to deliver malicious AutoIT scripts hidden within a PE file that appears to be a Microsoft Office Document file, which…
The WannaCry ransomware incident has galvanized global media coverage and dominated discussion among information security professionals since Friday, May 12. The speed with which this malware was able to spread within enterprise networks and how rapidly so many large organizations were impacted is unsettling. Yet, as the dust begins to settle, it is clear that this episode has left a number of lessons in its wake–lessons to be harnessed by defenders and their adversaries. While this attack is an expansive topic that will continue to evolve as more discoveries are made about the impact, origin, and spread of the WannaCry…
Financial losses from business email compromise (BEC) scams skyrocketed by 2,370% between January 2015 and December 2016, according to an FBI public service announcement released Thursday. The alarming statistic represents a sharp increase from the agency’s previous announcement, serving as a warning to users to stay vigilant in recognizing the threat.
Over the past several days, the Phishing Defense Center identified and responded to several messages related to an ongoing phishing email campaign spoofing DocuSign to carry out an attack. These messages appear to be official DocuSign emails including links to review the document. Upon clicking the link, various malicious files are downloaded to the victim’s computer including the DELoader financial crimes malware.
Adding another entry to the ever-growing list of encryption ransomware, the Jaff Ransomware made its debut onto the threat landscape with large sets of phishing emails on May 11, 2017 – one day before the sensational impact of the WannaCry ransomware attack. However, the risks posed by the Jaff ransomware should not be overlooked. This, too, is a robust ransomware that leverages some of the most prolifically-used delivery mechanisms in phishing email and embodies characteristics associated with other very successful malware.
As most of you are aware, a fast moving, self-propagating attack blew across the internet over the weekend, and it’s not over yet. Using an alleged NSA exploit , this malware is able to quickly traverse a network and deliver a ransomware payload affecting hundreds of countries and hundreds of thousands of users.
A strain of encryption malware, or ransomware, is making a global presence today as numerous organizations struggle to respond. Reports of infections were found all over the globe.
This week, our co-founder and Chief Technology Officer Aaron Higbee had an opportunity to discuss the recent Google Docs phishing scam on the The Charles Tendell Show.
FireEye has identified three new zero-day vulnerabilities in Microsoft Office products that have been exploited by Russian cyber espionage entities and a yet-to-be-identified group.
According to internet sources, Eugene Pupov is not a student at Coventry University. Since the campaign’s recent widespread launch, security experts and internet sleuths have been scouring the internet to discover the actor responsible for yesterday’s “Google Doc” phishing worm. As parties continued their investigations into the phishing scam, the name “Eugene Popov” has consistently popped up across various blogs that may be tied to this campaign. A blog post published yesterday by endpoint security vendor Sophos featured an interesting screenshot containing a string of tweets from the @EugenePupov Twitter handle claiming the Google Docs phishing campaign was not a…
Google Doc Campaign Makes a Mark In the process of managing phishing threats for our customers, our Phishing Defense Center and PhishMe Intelligence teams saw a flood of suspicious emails with subject line stating that someone has “has shared a document on Google Docs with you”, which contained a link to “Open in Docs”. The “Open in Docs” link goes to one of several URLs all within the https://accounts.google.com website.
One of the most popular Netflix series, Orange is the New Black, scored an early parole due to some bad behavior this weekend. TheDarkOverload, the group claiming responsibility for the hack, already released the season five premier and is threatening to release “a trove of unreleased TV shows and movies.”
Even the biggest companies fall for it. This week, reports showed that Business Email Compromise (BEC) scams, sometimes referred to as CEO Fraud Emails, netted over $100 million dollars from Facebook and Google. While people are increasingly aware of phishing emails containing links and attachments, BEC scams (also known as CEO Fraud) continue to reward criminals with alarming effectiveness. These phishing scams fly past traditional security roadblocks because there are no URLs or Attachments to scan.
Recent, large-scale distributions of the Zyklon botnet malware mark a continuing trend of off-the-shelf malware use. This multipurpose trojan, capable of supporting numerous criminal activities, has been identified in phishing attacks more and more frequently through the month of April. The bulk of these campaign have leveraged resume- and job-applicant-themed messaging as in the phishing narrative. The most recent analyses of this distribution have shown that the threat actors are attempting to leverage the malware’s full feature set by not only using it as an information stealer, but also as a downloader used to obtain and deploy the Cerber ransomware…
The ransomware that defined much of the phishing threat landscape in 2016 raged back into prominence on April 21, 2017 with multiple sets of phishing email messages. Harkening back to narratives used throughout 2016, these messages leveraged simple, easily-recognizable, but perennially-effective phishing lures to convince recipients to open the attached file.
It’s no secret that 90% of breaches start with a phishing attack. The question is: are you prepared to recognize phishing and respond to it? Many organizations are concerned with how much spam they receive and implement controls specific to spam. But you shouldn’t confuse preventing spam with responding to phishing attacks.
Threat actors using the Dridex botnet malware received a great deal of attention recently for their purported utilization of content exploiting a previously un-patched vulnerability in Microsoft Word. This exploit, which took advantage of unexpected behavior in the handling of certain document types, was reportedly used to deliver the Dridex botnet malware via documents attached to phishing emails. However, the bulk of Dridex campaigns leverage far more common delivery techniques that abuse the functionality that already exists in Microsoft Office and Adobe Reader rather than deploying some complex exploit content. This serves as a reminder that threat actors don’t always…
On April 5th, our Phishing Defense Center received a flurry of emails with subject line following a pattern of Lastname, firstname. Attached to each email was a password-protected .docx Word document with an embedded OLE package. In all cases the attachments were password protected to decrease the likelihood of detection by automated analysis tools. A password was provided to the victim in the body of the email which attempts to lure the victim into opening the malicious attachment and to increase the apparent legitimacy of the message.