Cybercriminals use evasion techniques to extend the life of phishing campaigns. In this post we discuss active evasion, restricting non-targets by device.
PhishLabs is monitoring payload families reported in user inboxes. In this piece, we break down the top malware targeting enterprises in Q2.
Evasion techniques are methods attackers deploy to extend the life of phishing campaigns. In this post, we take a look at active evasion techniques restricting non-targets by location.
In Q1, nearly all detected phishing sites used either a Legacy gTLD (54.7%) or ccTLD (41.5%). New gTLDs were seen substantially less, identified in only 3.9% of attacks.
In Q1, PhishLabs analyzed hundreds of thousands of phishing attacks and found more than 62% abused legitimate no-cost tools or services.
In Q1, PhishLabs analyzed and mitigated hundreds of thousands of phishing attacks that targeted corporate users. In this post, we break down these attacks and shed light on the phishing emails that are making it into corporate inboxes.
Phishing is on the rise. PhishLabs identified 47% more phishing sites in Q1 of 2021 than there were in Q1 of 2020. This trend is continuing as Q2 attacks are also up significantly year-over-year.
Phishing attacks in Q1 have increased 47% compared to last year, according to PhishLabs' newly released Q1 2021 Threat Trends & Intelligence Report.
Threat actors routinely impersonate brands as part of their attacks. Brand abuse can occur anywhere online, and impersonating a reputable company automatically gives credibility to a threat.
Digital brand protection is defined as comprehensive intelligence sourcing and mitigation into external threats targeting your brand.
Access our Ransomware Playbook: Defense in Depth Strategies to Minimize Impact where we address actions that will minimize the impact of a ransomware attack.
PhishLabs is monitoring the increasing number of mobile applications targeted by the relatively new Alien Mobile Banking Trojan.
Malicious payloads delivered via email phishing continue to drive access to sensitive infrastructures and result in data compromise for enterprises.
Today, we are highlighting a recent O365 campaign, and breaking down the techniques used to enhance the threat actor's odds of success. This particular lure uses many of the tactics you will see in an O365 phish, and is a good example of what an end user will encounter if one bypasses enterprise security controls and makes it into their inbox.
PhishLabs recently analyzed more than 100,000 phishing sites to establish how many used compromised domains, free hosting, or maliciously-registered domains.
PhishLabs has observed a spike in malicious emails distributing ZLoader malware.
Investigating a social media threat actor and their account in its entirety is a time-consuming yet imperative task in the process of assessing risk.
While it remains to be seen whether or not Emotet's operations are permanently offline after its recent disruption, we are monitoring any increases in subsequent malware variants and corresponding ransomware attacks.
Recently, PhishLabs mitigated an attack using a fake social media page to steal the credentials of a credit union (CU) customer.
PhishLabs has analyzed these early stage loaders and observed a dramatic increase in ransomware droppers delivered via email.
Investigating true locations of threat actors can evidently turn a seemingly baseless low risk social media threat into something that may be actionable and worthy of escalation.
The activist group known as Distributed Denial of Secrets (DDoSecrets) has published almost one terabyte of data originally leaked to dark web sites by ransomware operators.
If we dissect the construction of a look-alike domain, each step in its creation represents a point where actions can be taken to mitigate the threat.
In 2020, cybercrime has seen a dramatic evolution in ransomware attacks. This threat type has adopted increasingly malevolent tactics and targeted some of the year's most vulnerable industries.
In this post, we show the frequency of common look-alike domain threats, the mechanics of an attack, and resources to minimize risk.
The novel coronavirus has dominated 2020, and in the cyber community, threat actors have capitalized on its impact from the beginning.
Highlights from the report include more than two hundred thousand unique phishing websites detected in August and September, SSL encryption for phishing sites overtaking SSL deployment for general websites, and a 10 percent increase in BEC attacks originating from free webmail accounts.
Impersonation is a highly effective tactic for threat actors because it piggybacks on the credibility of a brand to legitimize a malicious objective. As a result, it is one of the most common components of a cyber attack.
By definition, a look-alike domain is a nearly identical, slightly altered domain name, registered with intent to deceive. In this post, we'll describe how domains help us communicate on the Internet, the anatomy of a look-alike domain and why we fall for them, how attackers create them, and the best place to begin when facing this common threat.
New phishing technique discovered that abuses Microsoft Office 365's add-in feature. Threat actor then gains full control of everything, including files.
Digital evolution is leaving enterprises increasingly susceptible to attacks outside the network perimeter. In order to detect and respond to today's most relevant threats, security teams are investing in operational Digital Risk Protection (DRP) capabilities.
Data stolen in ransomware attacks is frequently becoming public even after the victim has paid.
As apps continue to be an integral part of how we conduct business and perform sensitive tasks, bad actors are using fake and unethical apps to engage with unassuming mobile users.
Malicious domains are attributed to a wide variety of cyber attacks capable of undermining a brand's credibility. A spoofed domain is easy and quick to create, and can act as the catalyst for malicious email campaigns and phishing sites. In order to detect and action domain threats targeting your organization, security teams need to implement mature and progressive processes for collection and curation.
Data leaks and ransomware - once considered two distinct threats - are overlapping into a hybrid ransomware tactic known as double extortion.
The life of a phishing site is brief, but impactful. A recent study found that by the time phishing URLs show up in blocklists, most damage is done.
$2.3M in election funds were recently stolen from the Wisconsin GOP by a BEC scam that altered vendor invoices.
As if the COVID-19 pandemic were not enough, the healthcare sector is now being actively targeted by threat actors using Ryuk ransomware. Yesterday, the FBI issued an increased and imminent cyber threat warning amid growing reports of healthcare providers falling victim to the campaign. The threat actors are using Trickbot (delivered via Emotet) to gain access to target systems and deploy Ryuk.
Widely-used URL tracking systems are often abused in phishing attacks. The domains used by these systems are commonly known and trusted, making them attractive carriers for phishing URLs. To illustrate how it works, this post breaks down a recently-observed phishing attack that uses Google Ads' tracking system to evade email filters.
PhishLabs is monitoring a threat actor group that has set up fraudulent hosting companies with leased IP space from a legitimate reseller. They are using this infrastructure for bulletproof hosting services as well as to carry out their own phishing attacks. The group, which is based in Indonesia, has been dubbed Planetary Reef.
There are many ways look-alike domains can be used by threat actors. This, in addition to diverse registrar requirements for removal, can make mitigation complex and often ineffective.
Today's enterprise attack surface is not limited to the corporate network. In fact, the network is just a small slice. When it comes to deciding how and where to attack an enterprise, threat actors have ample opportunity beyond the network perimeter. As a result, enterprises are investing in operational capabilities to detect and respond to external threats across the digital risk landscape. This is Digital Risk Protection (DRP).
Digital Risk Protection (DRP) continues to gain momentum and attention among CISOs and security professionals. DRP, an operational security function once classified under Threat Intelligence (TI), has been elevated by the Gartner Hype Cycle and other analyst research as an emerging security function that security teams rely on to address multiple external cyber threat use cases.
Threat actors increasingly use social media to attack brands, VIPs, and customers. The types of threats on these platforms are diverse and each social network has different policies in place for how they respond to reported attacks. As a result, mitigating threats on social media can be a frustrating and time-consuming process for security teams.
Social media is rapidly becoming the preferred online channel for threat actors. Almost four billion people use some form of social media, and organizations are increasingly reliant on company pages, executive presence, and positive customer interaction to build a strong brand. As a result, a malicious post or tweet can cause irreversible damage to an enterprise.
Key highlights of the report include a significant increase in wire transfer loss attributed to business email compromise (BEC) attacks from the first quarter and a 20% increase in BEC attacks targeting the social media sector.
PhishLabs is monitoring a multi-stage phishing campaign that impersonates government entities and telecoms to target financial institutions and their customers.
Social media is rapidly growing as a preferred channel for threat actors targeting enterprises with malicious campaigns. Half of the global population uses social media, and a post containing sensitive data or impersonating a high-level executive can be shared instantly, for 3.8 billion people to see.
The digital presence of today's enterprise looks very different than it did earlier in the year. The COVID-19 pandemic is forcing rapid change on how many businesses use technology. From transitioning to remote workforces to delivering new online services, digital transformation initiatives that would normally span years are happening in weeks and months. Under these conditions, the likelihood of experiencing a major incident due to data leakage is very high. So much so that a recent Gartner Emerging Technologies Report highlighted data leakage as a primary concern.
Demand for Digital Risk Protection has grown due to the need for better visibility and remediation of threats targeting enterprises' digital assets.
On Tuesday afternoon, dozens of high-profile Twitter accounts were hijacked. Threat actors took over the accounts of Elon Musk, Bill Gates, Barack Obama, Jeff Bezos, and many others. Corporate Twitter accounts were also hijacked. What does this mean for enterprises and their security teams?
Digital Risk Protection has emerged as a critical new capability for security teams according to Gartner.
Threat actors are increasingly registering new domains to launch malicious campaigns against enterprises. Identifying suspicious domains, as well as monitoring existing ones for changes, is an overwhelming and reactive task for many organizations. In order to minimize the risk spoofed domains pose, security teams must be able to efficiently detect abuse and understand what is required to mitigate threats.
Threat actors are masquerading as executives on social media for purposes of stealing credentials and damaging popular brands. Today, many VIPs have accounts on these platforms to network as well as post content promoting their companies.
Threat actors hit a new milestone in their abuse of HTTPS or SSL Certs: Nearly 3/4 of all phishing sites now use it.
The Federal Bureau of Investigation (FBI) published a public service announcement Wednesday warning the public of anticipated cyber attacks that exploit increased usage of mobile banking apps.
When the term data leak comes to mind, most enterprises think of the dark web. Although compromised information can damage an organization when distributed through gated and anonymous platforms, we are seeing social channels being used to allow for a more rapid and potentially destructive outcome.
Threat actors are using social media accounts to expose and sell data that has been compromised. While information found on many of these platforms has traditionally been disclosed by enterprises and individuals with intent, cyber criminals are taking information acquired by means of scams and data breaches and promoting their sale on various social mediums not always monitored by security teams.
With more than 2.95 billion people now estimated to use social media, an organization's online presence directly relates to the satisfaction of its customers, as well as its profits. False or misleading images or comments connected with a brand on online platforms can swiftly impact the reputation or even financials of an otherwise successful company.
Every industry and organization is targeted differently, but typically data sets group them all together. Here's a detailed look at one specific executive.
As enterprise workforces continue to transition to work from home environments, online file sharing and cloud storage tools are becoming a frequent, if not necessary means of collaboration. While abusing these types of platforms is nothing new to threat actors, the lures they use are now taking advantage of the novel coronavirus. The two examples below demonstrate how.
Cyber criminals are using COVID-19 to manipulate users on Twitter and steal funds through payment applications. Our latest example demonstrates how victims are being targeted with fake credential dumps.
Threat actors are using the novel coronavirus to add credibility in recent Business Email Compromise (BEC) attacks. Below are three examples of how they are doing it.
As job losses grow due to the coronavirus pandemic, cybercriminals are taking advantage of the situation to recruit individuals into money mule scams. Below are two examples that reference work-from-home opportunities.
Threat actors are using the novel coronavirus to impersonate accounts on social media. The example below targets members of a credit union.
Threat actors are using social media to engage in money-flipping scams abusing the novel coronavirus. The two examples below demonstrate how they are doing it.
In response to the financial difficulties resulting from COVID-19, many utilities have announced policy changes to suspend disconnects and provide relief to customers. As a result, many people are uncertain about what will happen should they be unable to pay their utility bills during the pandemic. As our latest example shows, this uncertainty is being exploited by threat actors.
With many U.S. citizens still waiting to receive their government-mandated stimulus, we are again seeing cyber criminals shift their tactics in accordance with the news cycle. Below is one example of a lure abusing access to an undeliverable stimulus payment.
Cyber criminals are using coronavirus-themed voicemail notifications in the latest efforts to act on pandemic fears and steal credentials. The example below shows how they are doing it.
In recent efforts to deliver attacks that abuse the novel coronavirus, threat actors are exploiting workplace concerns about outbreak prevention and shipment delays. Below are two examples sent with the intent of delivering malware.
In our continued effort to provide the most relevant cyber threat intelligence, we are launching two initiatives: a daily intel download and a web event.
Cyber criminals are using the stimulus bill and relief payments to exploit growing concerns about financial security. The examples below are impersonating financial institutions.
Threat actors are repurposing Nigerian Prince or 419 lures with novel coronavirus messaging to capitalize on the current pandemic. Today's examples demonstrate how they are doing it.
Threat actors are exploiting employee concerns about infected colleagues. Our latest example targets Office 365 accounts at a large Canadian company by falsely claiming a colleague has died from the virus.
The novel coronavirus is giving opportunistic threat actors new means of deploying malicious lures on unsuspecting targets. Today's example shows the attacker leveraging the pandemic by offering guidance on how to avoid coronavirus scams. Unfortunately, it's also a scam.
Threat actors continue using COVID-19 fears to exploit individuals on a variety of channels. Today we are taking a look at two new, related SMS lures.
As COVID-19 continues to spread, we are seeing an increase in threat actors impersonating public health organizations and luring victims in with fake links to government agencies. The four examples below impersonate the Center for Disease Control and Prevention (CDC) and the World Health Organization (WHO) using lures we have recently observed.
We continue to see a wide range of lures exploiting coronavirus fears. In this post, we take a look at three recently observed lure samples that use the possibility of a cure to entice victims.
As COVID-19 cases have further spread over the past few weeks, our team has come across new lures that target an individual's fear of coronavirus as it relates to their health insurance coverage. Both examples lead to malicious sites that attempt to steal Microsoft Office 365 login credentials.
A few weeks ago we noted some early examples of Coronavirus campaigns. Since then, the pandemic has spread and we've seen a dramatic uptick in COVID-19-themed malicious activity, with everything from domain registration to phishing emails and even malware campaigns. Going forward, we will be publishing more examples as we find additional methods cybercriminals are using to exploit the crisis.
As phishing attacks get more sophisticated on the social engineering front, so too does the technology and techniques behind keeping them online longer.
As the coronavirus becomes a global pandemic, threat actors have begun abusing the fear surrounding it. One lure we have spotted even mimics the CDC.
APWG's Q4 report shows ups and downs for 2019 phishing attacks, with SSL sites, web email, social media and BEC as the top trends.
Not all phish are designed to target everyone, especially not analysts. Here's how threat actors use geoblocking to ensure their targets see it first.
Heading to RSA? Spend some time with PhishLabs while you're there. We're hosting several events. Relax with a quality bourbon, get a break from the crowds, and catch up with friends.
Credential theft is a common goal for threat actors, but big losses come from romance scams, abuse of social brands, and even source code dumps.
Much like a threat actor can pose as an executive in BEC attacks, they can take over a social media account and abuse the inherent trust we have with it.
SMS-based two-factor authentication is accessible and improves security, but unfortunately, social engineering can allow threat actors to skip through it with SIM swapping.
Attend our upcoming webinar to learn about the latest techniques threat actors use to abuse social media for phishing attacks.
A unique mobile obfuscation technique has been discovered that helps threat actors keep their attacks alive longer.
Download our latest white paper to understand why BEC attacks are the most costly form of phishing.
Security awareness training programs often miss the mark about evaluating the success of the programs. Training leaders need to focus on long-term change.
For many organizations, branding is managed by marketing teams and possibly general counsel; however, some challenges are considered a cyber threat.
In a world where it only takes moments to create a profile on social media, there is a difference between parody and malicious attacks.
This active campaign combines a variety of techniques with a non-text-based email body in order to evade email security technologies.
We have observed an active TrickBot campaign targeting employees of multiple organizations. Unlike traditional BankBot attacks, it uses malicious links instead of attachments.
Want to protect your brands, employees, and customers from threats originating from social media? Your marketing team and their tools are not sufficient.
An ongoing phishing campaign has been observed targeting the administrative accounts that manage Microsoft Office 365. Here's what you need to know.
APWG's Q3 report shows phishing increasing, 68% of phishing sites use HTTPS.
At the height of social media adoption, users willingly shared everything from the lunch they just ate to the exact places they visited throughout the day. While some of this has been reduced as consumers learned how sharing private information could impact their privacy, many people still hide these kinds of updates behind basic security controls.
This year organizations are estimated to have spent more than $124 billion on security, yet phishing attacks continue to bypass email security technology. Is it possible to proactively stop threats that would otherwise make it past your infrastructure? If you attended our most recent webinar, you know the answer is yes.
It is important to remember that these scammers are in fact criminals and engaging with them is like catching a tiger by the tail.
Social media-based phishing attacks have taken off in a big way. According to some estimates, social media now accounts for as much as 5% of all phishing attacks globally. When you consider that phishing volume has grown consistently every year for more than a decade (up 40% last year alone), that 5% constitutes a lot of attacks.
A successful motivational and behavior change strategy requires thoughtful intervention designed for the way people learn.
However, not all phishing emails come from a fake email account that is trying to impersonate a company or a user.
Take a step back from your program to consider whether the organizational climate is ripe for its success.
Today we're kicking off National Cybersecurity Awareness Month (NCSAM).
The new spear phishing campaign is targeting Office 365 credentials of high-value targets.
APWG's Q2 report shows phishing increasing, SaaS industry prime target, and threat actors are after gift cards.
Threat actors can and will abuse the largest social media sites; but what about blogs, forums, and even gripe sites? Those too can be phishing risks.
For more than a decade the use of social media has grown, and along with it, so have the tactics used by threat actors to abuse each kind.
Users often catch the most frequently used phishing lures. Though elements from these attacks are helpful, simulations need to go well beyond them.
When it comes to impersonating employees for phishing attacks, CEOs and executives are most at risk.
Losing 75% of your training investment? Take a nano approach to a big problem.
Why do Invoice Scams, a form of phishing attack, constantly bypass email security technology? The lack of attachments and links.
When threat actors research their victims and use that intelligence, it makes their phishing attacks just that much more effective.
After our team worked with federal law enforcement officials, three Romanian threat actors have been sentenced for their role in SMiShing and Vishing campaigns.
BEC, or Business Email Compromise, attacks are some of the most effective and costly forms of phishing.
The majority of phishing sites are hosted on compromised sites, but in the past year, threat actors have doubled their use of free hosting.
For the fourth consecutive year, PhishLabs has been named a top company to work for in the state of South Carolina.
Verizon's annual Data Breach Investigations Report has just been released. What does it have to say about Phishing?
Threat actors are officially using sites with HTTPS or an SSL cert more times than they don't.
Today we are releasing an enhancement to the Email Incident Response Service. The upgrade will include the addition of SOAR and overall enhancements.
Phishing: Social engineering using digital methods for malicious purposes.
For years, Microsoft had a policy suggesting users to change their password every 45 days. That policy is no more and our team has a few thoughts to share.
PhishLabs' latest webinar will focus on the threats that make it past technology and into user inboxes.
Now that mobile web use is the primary source of traffic, threat actors have shifted their attention to the smaller screens.
The U.S. is once again the most targeted country by threat actors who use malicious social engineering.
These are the most targeted industries by phishing attacks, but that doesn't mean those who work in other areas are not at risk.
Phishing volume grew 40.9% in 2018.
Well trained users know that reporting suspicious content is important. Here's what we learned from more than 500,000 of those reported emails.
Today we are releasing the key findings from this year's annual Phishing Trends and Intelligence report.
Last month our Director of Product Management discussed why modern enterprise organizations need a digital risk protection plan in place. Here are a few tips to get you started.
Humans are creatures of patterns and routine. Because of this, we tend to simplify things that are familiar to our everyday life. Unfortunately, this is also how threat actors abuse us.
Three Romanian threat actors were taken down with the support of PhishLabs. All three have now pled guilty to causing more than $21 million in losses to their victims.
A single user can impact your network for better or worse. Training employees to detect and report phishing threats can offset some of even the most vicious attacks.
Sometimes, what you are seeing is in fact not true or accurate. Don't let symbols deter you from safe email best practices.
Social engineering isn't limited to information security; it's something we all experience, every day.
In the past, phishing threat actors did little to hide their tracks. Now that there is pushback on their attacks, they've evolved and started to use blocking techniques to avoid detection and shutdowns.
A strong security awareness training program that encourages users to report more suspicious content can drastically reduce the amount of cyber security incidents.
Mobile malware BankBot Anubis recently began using Chinese characters to encode C2 information and added Telegram as a method for distributing C2 communications. This post details these changes.
This month Collection #1 made the rounds for being the largest data dump of private user information. Fortunately, it's old data. Unfortunately, there is a larger story to tell.
When bad social media posts go viral, there is a good chance the press will pick up on it. However, how damaging is it to a brand? Let's look at some numbers.
A single word can have far more meaning than intended, and in the case of Secure appearing on Google's Chrome browser, it may be misleading users.
If users are going to fail, it's better in a simulation than against a real world phishing threat.
Since September 21, PhishLabs analysts have detected a number of phishing sites hosted on emoji domains. Here's what we've learned so far.
Is the dark web purely a place for malicious activity? Of course not. Let's dig into a few myths.
Each week our inboxes get at least a few phishing attacks that pass through our spam filters, but they often are easy to spot. A targeted phishing attack on the other hand is far more effective.
In the wake of the Associated Press coverage highlighting Google's location tracking fiasco, now is a good time for a refresher on why geolocation tracking is an issue.
BankBot Anubis continues to evolve and has now been spotted using Twitter to host its C2 URLs.
Unlike your common bulk phishing attacks that target anyone and everyone, spear phishing attacks are highly effective and personally crafted for their targets.
Social media isn't just likes and memes, it's a platform designed for communication. Unfortunately, that can pose threats to your brand.
Everybody knows that reported phishing emails are a valuable resource. But are you making maximum use of yours? This is how you can use reported phish to aid your threat hunting capability.
User errors are a huge cause of data breach... so why is most security awareness training so bad? Here's what you can do to really change security behaviors.
Social media is about more than likes and memes, the content on each platform can potentially threaten any brand, their employees, customers, or executives.
WannaCry and NotPetya stole the headlines, but what happened to the overall ransomware landscape in 2017?
User-reported phishing emails are a huge asset in the fight against phishing. Here are six steps you can take to maximize the value of every reported phish.
Following the formal indictment of nine Iranian threat actors on March 23, 'Silent Librarian' attacks against universities and other research organizations have continued unabated.
PhishLabs began compiling attacks, lures, and other information tied to Mabna Institute threat actor group Silent Librarian starting in December 2017.
BankBot Anubis takes mobile threats to the next level incorporating ransomware, keylogger abilities, remote access trojan functions, SMS interception, call forwarding, and lock screen functionality.
Reported phishing emails are the backbone of any anti-phishing program. But actually getting those emails? Not as easy as you'd think.
Reporting an email to your IT team is incredibly important, and it's because these 11 email types each have different impacts.
As more websites obtain SSL certificates, the number of potential HTTPS websites available for compromise increases.
Job scams represent only one of the many techniques deployed by criminals, who are growing increasingly creative and sophisticated in luring their victims.
Adwind Remote Access Trojan, a malware-as-a-service tool, has been observed sending spam emails containing a malicious JAR file.
Nigerian 419 scams are as old as the internet, and they're still going. Here's our #CyberAware take on this phishing classic.
In aid of national #CyberAware month, we take a close look at BEC phishing lures, how they work, and why they're so effective.
With all the attention given to more "exciting" attack vectors, phishing is often ignored. But when you look at the facts, that just doesn't make sense at all.
In the last few months, a new mobile threat has taken off: URL padding. Here's what we've learned about it, and what you can do to defend against it.
Find out how URL pattern analysis can dramatically reduce the time and energy required to produce actionable phishing intelligence.
The right hardware and software is essential to the long-term success of any SOC. In this post, we consider the most important components.
As cyber security becomes a top priority for businesses of all sizes, organizations are increasingly looking to set up their own security operations centers.
Holiday-themed phishing attacks can fool even the best trained users. But that doesn't mean you should just give up. Here are some tactics for dealing with them.
This PhishLabs blog post explores pharming and wildcard DNS attacks, provides examples of these methods, and describes in detail how phishers use them in their attacks.
A deep-dive malware analysis of the Qadars Banking Trojan and how it works.
From planning to post-game analysis, here are the best practices for managing an effective security awareness training program.
It's notoriously hard to evidence the need for investment in security awareness. But with a concrete ROI forecast, the task becomes much easier.
With so many variables and conflicting claims, calculating the cost of phishing can be difficult. Let us make it easy for you.
As cybercriminals evolve their attack methodologies, they have learned from their mistakes and BEC is an unfortunate example of how they are circumventing technology defenses and exploiting organizations' greatest vulnerability: employees.
If you've ever configured a spam filter, you know how frustrating it can be. Here's why some phishing emails always get through.
Phishing has become a huge concern in recent years, and it can be frustrating when users continue to fall for these attacks. Here's why it happens.
Compromised websites are an integral part of the cybercrime ecosystem. PhishLabs recommends these steps to help prevent this kind of exploit.
PhishLabs recently observed a new type of ransomware, called Alma Ransomware, being delivered via exploit kit. PhishLabs has written a decrypter / decryptor.
Hackers targeting bitcoin wallet users are leveraging Google's AdWords. PhishLabs has previously seen similar attacks over the past year.
PhishLabs' phishing research and analysis have shown that phishers are continually developing new methods to facilitate their malicious activities.
The number of organizations whose customers are targeted by the Android banking Trojan known as “Marcher” has increased considerably over the past period, but PhishLabs researchers said the latest samples they have analyzed don’t target the United States. Marcher, a threat offered on Russian underground forums since late 2013, currently retails for roughly $5,000. The […]
The ease of buying low cost, pre-built tools broadens the range of potential targets in BEC attacks. This blog discusses one of these tools - Olympic Keylogger.
Discussion of components to include in a business case when trying to obtain stakeholder sign-off on security awareness training with phishing simulations.
Baseline assessment, real-world simulation, ongoing management, and performance measurement are essential parts of successful security awareness training.
In December 2014, Vawtrak version 0x38 was released including significant code and configuration changes that indicate momentum and an intense focus on development of the crimeware kit.
PhishLabs has discovered an advanced fee scam with a twist - an elaborate but faux bank website.
Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source). Think community financial institutions aren’t in the crosshairs for account takeover? Think again. (PhishLabs) There is clear evidence that account takeover (ATO) is a big problem and growing worse. The Federal Reserve Bank of Atlanta […]
There is clear evidence that account takeover (ATO) is a big problem and growing worse. The Federal Reserve Bank of Atlanta sounded the alarm in a report delivered last year, estimating 69% growth in account takeover fraud and $69 billion in losses from 2011 to 2012.
Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).
Last week, researchers at Proofpoint reported an attack campaign, which was dubbed “Smash & Grab," targeting customers of JP Morgan Chase. Based on intelligence from the PhishLabs R.A.I.D. (Research, Analysis, and Intelligence Division), the “Smash & Grab" operations have been active since at least mid-June. The attacks use email messages to direct potential victims to a phishing page. Visitors to the phishing page are also exposed to an exploit kit that abuses software vulnerabilities to infect victims with malware.
The full source code of the Dendroid Android RAT was leaked late last week. Analyzing the code has revealed multiple vulnerabilities due to a lack of user input validation, including XSS, SQLi, and PHP code execution.
Phishing takedown services, anti-phishing services, phishing protection. What's best for stopping phishing attacks? Learn the key distinctions and how they make a big difference.
PhishLabs has observed new Man-in-the-Middle attacks using rogue DNS to take over accounts and evade fraud detection. Customers of 70+ financial institutions are being targeted.
PhishLabs has detected a new phishing attack targeting users of the Mt. Gox bitcoin exchange: While most phishing attacks use hacked legitimate web sites to host phishing pages, this particular attack is using a registered domain name of RAA.CN.COM. CN.COM isn’t a real top-level domain name, but CentralNic allows registrars to sell third-level domains within […]
Over the last year or so, I’ve frequently been involved in discussions about DDoS botnets and their activities. Many of the security practitioners I talk with have been under pressure to better protect against DDoS threats. And a common question I get is “What else should I be doing that will make a difference?” Which […]
Almost every day I speak with a bank somewhere about phishing. I ask them how much of a threat is it, what are they doing about it, and how does it affect their business. Surprisingly, the answers I get vary quite a bit from one organization to another. Most are concerned about the costs of […]
PhishLabs has discovered a new variant of a common phishing page that prompts users to upload a scanned copy of their driver’s license and telephone bill. The scam detected targets customers of a large US bank. Most likely the phisher is attempting to circumvent additional security measures by the bank such as telephone based authentication […]
PhishLabs has discovered a phishing site targeting Instagram users: It is not clear if the intention of the responsible miscreants is to steal photos, email credentials, or Facebook credentials. It is probably the latter given the phishing site redirects to Facebook after stealing an email address and password. However, it does seem clear that […]
PhishLabs has discovered a new malware campaign which appears to be an alert from NACHA regarding a failed ACH transaction. If a vulnerable user clicks the enclosed link, they will be infected with malware. Users receive an email message which appears as follows: From: [email protected] [mailto:[email protected]] Sent: Thursday, February 24, 2011 9:47 AM To: Denise […]
While investigating an instance of the Zeus Trojan that was using the Avalanche bulletproof hosting botnet, PhishLabs discovered many of the domain names referenced in the Zeus configuration file had not yet been registered including the following four: eitaepiephohthieleibesha.com llakjshbeyrv3421jbs88xc.com nmbnxcbjbh3hbhbdhjb3l4kjbn.com nzytgero34xbhsbc8484kk.com PhishLabs registered the domains and then pointed them to a server under our […]
Xfire “is a free tool that automatically keeps track of when and where gamers are playing PC games online and lets their friends join them easily.” PhishLabs recently discovered a phishing page targeting Xfire users that used a clever trick to warn potential victims. By using cascading style sheets (.css) files that are generated on […]
Almost since the beginning of phishing, attackers have created simple webpages that redirect users to another URL that contains the actual phishing form. They do this for several reasons. In case their phishing site is shut down, they can simply change the destination of the redirect to point to another phishing site. This means that everyone […]
For over a year, the Rock Phish Gang was using the Avalanche botnet to host their various phishing scams and malware distribution sites. Fortunately, the botnet was shut down last week – how long remains to be seen. Unfortunately, the Rock Phish Gang has not gone away. These criminals continue to distribute their Zeus trojans and […]
The Avalanche botnet, also known as “MS-Redirect”, has been responsible for hosting phishing pages and malware distribution attacks on over 35 organizations, including the IRS, Facebook, MySpace, most recently NACHA, and many more. Unfortunately, there’s a great deal of confusion over how this botnet works and how it’s related to other malware. Let’s clear it […]
Some security problems just never seem to go away. I’m not sure if it’s because there’s a steady stream of new web developers that have to learn things the hard way, if people forget, or they think that their open programs won’t be found by the bad guys. Unfortunately for those of us that fight […]
There are numerous sites on the Internet where aspiring cybercriminals can download free phishing kits. Despite it being relatively well known that most kits have backdoors in them that cause stolen information to be sent to the kit authors, they’re still used quite frequently. Interestingly, one such free phish kit distribution site added flag counter […]
Nearly a year ago I asserted in a Dark Reading interview that phishers were using Google and other search engines to find vulnerable web sites which they used to launch their scams. By a simple analysis of the web hosts and URLs used in phishing, I estimated that the vast majority of phishing web sites […]
You may have heard about a recently discovered 0-day vulnerability in Adobe Acrobat that has been used in targeted attacks. While this isn’t anything like a traditional phishing or malware attack, it could be considered a type of ‘spear’ phishing. In case you haven’t heard the details yet, there’s a vulnerability in Adobe Acrobat Reader […]
How do phishers choose their targets? Usually, it is relatively random. Occasionally, phishers will be able to hack into some online web application or ecommerce site and create a dump of the database along with victim email addresses and locations, but that’s not a common scenario. Most of the time, they use tools to extract […]
Over on the Symantec Security Response Online Fraud blog, Antonio Forzieri follows up on his previous post about reactive phishing defenses. In his post, Antonio discusses the merits and pitfalls of diluting phishing sites with different types of bogus data. The last case, where phishers automatically validate the data from within the phishing site itself […]