PhishMe Blog

Malware Delivery OLE Packages Carve Out Market Share in 2017 Threat Landscape

BY phishme IN Malware Analysis, Phishing, Threat Intelligence

In the first quarter of 2017, PhishMe Intelligence has noted an increase in malware distributors utilizing OLE packages to deliver malware content to victims. This trend was first noted in December 2016 in close association with the delivery of the Ursnif botnet malware. The technique abuses Microsoft Office documents by prompting the victim to double-click an embedded icon to access some content. These objects are used to write a script application to disk that facilitates the download and execution of a malware payload. This method is yet another iteration of the techniques threat actors use to evade anti-analysis…

Dridex Threat Actors Reinvigorate Attacks with Sizable, Concurrent Campaigns

BY phishme IN Malware Analysis, Phishing, Threat Intelligence

One of the most historically effective techniques for gaining new infections for the powerful Dridex botnet malware has been sizable sets of widely distributed phishing emails. While these large campaigns have been intermittent for several months, the past week’s Dridex distributions have shown renewed vigor, with several larger campaigns being launched both concurrently and repeatedly. Many of these campaigns return to well-used and previously successful email templates and malware delivery tools that had seen earlier use in conjunction with both Dridex deliveries and the delivery of other malware tools. On March 30, 2017, three distinct sets of phishing emails were identified…

W-2 Fraud – Tax Season and All Year Long

BY phishme IN Phishing Defense Center

It’s the time of year when taxes are on everyone’s mind – especially phishers’! The stress of filing. The stress of gathering all the documents. The stress of reporting. The stress of the deadline. All of that on top of everything else you have to do this time of year makes tax time a favorite and highly successful annual event for phishing scams. However, once the filing is completed, it doesn’t mean the campaigns will stop. W-2 and CEO fraud are timeless phishing campaigns that run all year long.

Spam is Spam, Phishing is Phishing, but Phishing is not Spam

BY Aaron Higbee IN Internet Security Awareness, Phishing

Problems arise when we use the terms Spam and Phishing interchangeably. At the risk of sounding persnickety, I’m going to try to build the case of why we need to stop confusing Spam and Phishing.

Tales from the Trenches: Loki Bot Malware

BY PhishMe IN Phishing Defense Center

On March 15, 2017, our Phishing Defense Center observed several emails with the subject line “Request for quotation” pretending to award Shell Oil Company contracts – a very targeted subject tailored to the receiver. As with most phishing emails, there is a compelling call to action for the receiver, in this case a contract award from a well-known organization. As an added bonus unknown to the receiver, the emails also contained a malicious attachment designed to siphon data from its targets. Included is an example of one of these emails along with basic Triage header information. Each email analyzed contained instructions…

What is Actionable Intelligence?

BY PhishMe IN Internet Security Awareness, Threat Intelligence

Do you know what actionable intelligence is? Do you know the difference between threat intelligence and actionable intelligence? If not, read on. The term actionable intelligence has joined the ranks of threat intelligence, big data and other words that are used in well-meaning ways but are ultimately meaningless. Don’t get us wrong: like many other vendors, we use these phrases to describe what we do. However, because there are so many companies out there using these terms with their own meanings attached to them, we feel the need to write this blog post and hopefully do right by the technology and service…

Tax-time Phishing: A Global Problem

BY Brendan Griffin IN Phishing

I don’t think anyone likes to do taxes… unless you’re an accountant. Maybe. Collecting all the documents, knowing which ones are needed, completing them in time, and handing over payments is a headache for individuals and companies alike. Phishing threat actors know this and will try to take advantage. The United States Internal Revenue Service provides lots of resources about recent and relevant phishing attacks and scams targeting American taxpayers. Their international counterparts in the United Kingdom and Australia also provide extensive resources on recent attacks impacting their taxpayers. One important aspect of the material provided by these organizations is…

PhishMe Triage Integrates with Palo Alto Networks WildFire Cloud to Combat Phishing

BY phishme IN Phishing

Integration Pairs Efficient and Expedient Phishing Incident Response with Integrated Threat Analysis and Prevention

PhishMe® and Palo Alto Networks® technologies equip security teams with enhanced protection against phishing threats. Conditioning employees to detect and report suspicious email is a strategy security leaders have adopted to protect the business and empower employees to become a defensive asset. PhishMe Triage™ ingests employee-reported suspicious email – allowing security teams to quickly assess and respond to threats. PhishMe Triage now integrates with Palo Alto Networks WildFire™ cloud-based threat analysis and prevention capabilities to provide an even more formidable approach to identifying and preventing potentially…

Got Any Good Phishing TIPs?

BY PhishMe IN Internet Security Awareness, Phishing, Threat Intelligence

PhishMe Intelligence Integrates with Industry Leading Threat Intelligence Platforms (TIPs)

Swimming in a sea of threat intelligence indicators and services, security teams have been working towards effective ways to centralize, de-duplicate, and correlate massive amounts of threat data. The challenge, once this is done, is acting on what matters most. This requires intelligence, not just data. This is why PhishMe has completed technical integrations with TIP partners Anomali™ and ThreatConnect®. These integrations offer security teams the ability to ingest and correlate phishing-specific indicators with easy-to-act-on impact ratings and contextual reports to make confident security and business decisions. PhishMe Intelligence...

The Rise of RaaS: Satan

BY phishme IN Malware Analysis

RaaS, or Ransomware as a Service, gives threat actors who lack the skills to write their own malware the capacity to infect people’s computers with ransomware through a service, holding the victims’ files hostage for Bitcoin payments. One of the latest RaaS offerings is Satan, a ransomware variant that is easily accessible on a hidden website when browsing with the TOR browser. The website allows anyone to create a ransomware sample, and the service in turn takes a cut of the ransom proceeds from its victims’ payments.

Builder

The TOR hidden service website allows anyone to create a Satan loader sample…

Sage and Locky Ransomware Now Sharing Delivery Infrastructure in Phishing Attacks

BY PhishMe IN Internet Security Awareness, Phishing

BY BRENDAN GRIFFIN AND GARY WARNER

Threat actors have demonstrated that despite the past two years’ explosion in new ransomware varieties, ransomware developers still believe that the market has not reached the point of saturation. Examples of encryption ransomware like Sage have made notable appearances on the phishing threat landscape in the early days of 2017, continuing the ransomware trend from 2016.

Kovter Ad Fraud Trojan Now Shipping with Locky Ransomware

BY phishme IN Phishing

Over the past couple of months, the PhishMe Research Team has observed Locky ransomware being distributed alongside the Kovter ad fraud trojan. We have looked at this malware distribution channel in the past, and since then, the threat actors have evolved from using a fake file encryption threat to using a well-known and effective ransomware family: Locky. In this post we will examine the history of the Kovter actors’ experimentation with ransomware and walk through a sample campaign that our PhishMe Threat Intelligence Team captured.

Ransomware Evolution

The distributors behind Kovter have been experimenting with “ransomware” since as early as January 2016. We place the word…

With apologies to Led Zeppelin fans: The (BEC) Song (Still) Remains the Same

BY Heather McCalley IN Phishing

Almost three months have passed since I last updated you on the Business Email Compromise scam, also known as the CEO Fraud scam. Though the volume of these attacks remains high, the information security community has continued to collaborate well regarding this type of fraud, preempting the transfer of millions of dollars and identifying numerous mules in control of bank accounts around the world. Just last week, yet another phisher tried to phish PhishMe. Our CTO, Aaron Higbee, reported on early attempts in September 2015 when he also described the use of PhishMe Reporter to phish-back and collect details of the phisher’s…

Fortifying Defenses with Human-Verified Phishing Intelligence

BY Mike Saurbaugh IN Cyber Incident Response, Phishing, Threat Intelligence

Mining Phish in the IOCs

PhishMe® and Palo Alto Networks® are providing security teams with the ability to ingest human-verified phishing intelligence in a standard format that can be automatically enforced as new protections for the Palo Alto Networks Next-Generation Security Platform through the MineMeld application. Through this integration, PhishMe and Palo Alto Networks are providing a powerful approach to identifying and preventing potentially damaging phishing attacks.

The challenge of operationalizing threat intelligence

Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. Operationalizing threat intelligence, especially when it…

An Open Enrollment Reminder – Phishers Want Your HSA Money!

BY Gary Warner IN Internet Security Awareness, Phishing

As the end of the year approaches, many companies are communicating with their employees about benefits and Health Savings Accounts via email. Criminals realize this and have decided to get in on the action! More consumers than ever are using HSAs as a way to save pre-tax income for future medical expenses. A report released by Devenir Research shared that, as of August 2016, 18.2 million HSA accounts currently hold $34.7 billion in assets – a 22% growth over 2015 – and projects that by the end of 2018, more than $50 billion will be on deposit in HSA accounts. That’s…

A Warning on Christmas Delivery Scams

BY PhishMe IN Internet Security Awareness, Threat Intelligence

The time of year has once again arrived when post offices are busier than the freeway on a Friday evening. We buy gifts, online and in stores, and we send and expect packages to and from the far corners of the country, continent, and even the world. Yet behind this frenzy of merriment skulk a series of dangers. Although Christmas is still more than a month away, scammers of this kind have already been active in various areas across the US. For a number of years, security experts have grown to expect a hike in the number of internet scams being…

Beware: Encryption Ransomware Varieties Pack an Extra Malware Punch

BY Brendan Griffin IN Threat Intelligence

As the public becomes more and more aware of ransomware threats through journalistic outlets and the advice of security professionals, threat actors face more challenges in successfully monetizing the deployment of their tools. The longevity of ransomware as a viable criminal enterprise relies upon continued innovation that ensures threat actors can deliver and monetize infected machines. Much of the innovation seen in 2016 was focused on defying expectations for how ransomware is delivered, such as steganographic embedding of ransomware binaries, other forms of file obfuscation, and requirements for specific command-line arguments. These were all put forward as ways…

Unscrupulous Locky Threat Actors Impersonate US Office of Personnel Management to Deliver Ransomware

BY Brendan Griffin IN Threat Intelligence

Update 2016-11-11: It is important to PhishMe to avoid hyperbolic conclusions whenever possible. In the interest of clarifying some conclusions that have been drawn from this blog post, it is important to keep in mind the nature of Locky distribution and how this malware is delivered to victims. We consider it a serious responsibility to report on very real threats in a way that lends itself to our credibility as well as the credibility of all information security professionals. PhishMe has no reason to believe that this set of emails was delivered only to victims of the OPM incident, nor…

Viotto Keylogger: Freemium Keylogger for the Skids

BY phishme IN Phishing

The PhishMe Research team recently received a campaign escalated by one of our analysts. We’ll explore the campaign delivery, the malicious attachments and their analysis, and we’ll provide a simple method for extracting the credentials used for this keylogger family’s data exfiltration.

Campaign

The PhishMe Triage platform allows SOC analysts to identify, analyze, and respond to email threats that have targeted their organization. For this particular campaign, the suspicious email had an ARJ archive attachment, which contained a Windows PE32 executable. Although the Windows OS does not natively open archive files with the ARJ extension, a number of third-party applications…

The PhishMe Advantage – ROI

BY PhishMe IN Phishing

Return on Investment

Measuring the return on investment (ROI) from your PhishMe solution is simple and easy. The most obvious and significant impact is the dramatic reduction you will see in the overall risk of a phishing attack getting past both your perimeter protection and your skilled users, but there are other ways to measure your investment:

Monetary ROI

Customers can realize monetary ROI from PhishMe by reducing their overall risk from phishing and other security threats. Adversaries have successfully employed phishing tactics to steal intellectual property, personally identifiable information, and other sensitive information that can harm an organization’s competitive advantage…
