The PhishLabs Blog

Cyber Defense Magazine: New PhishLabs Research Details .ZIP Abuse

Fortra’s PhishLabs has identified two separate incidents of new Google top-level domain (TLD) .zip used in phishing attacks.

Dark Web Attacks on Credit Unions Exceed All Other Industries in Q2

According to Forta’s Phishlabs, credit unions became the top targeted industry on the dark web in Q2, surpassing banking institutions for the first time since we began reporting on this data in 2021.

Social Media Attacks Targeting Banks See Greatest Increase Since 2021

PhishLabs analyzes hundreds of thousands of social media attacks every quarter to identify the top threats targeting enterprises, their brands, and their employees. In this post, we take a look at the top confirmed threats detected on social media and industries most prone to attack.

QBot Operations Peak Pre-Takedown, O365 Attacks Increase in Q2

Cybercriminals doubled down on popular threat types and preferred malicious software in Q2, with O365 phish and QBot malware dominating inboxes by significant margins.

The Top Three Domain Protection Best Practices

Learn about domain impersonation and the best practices for domain protection to combat email spoofing and look-alike domains.

Original Research from Fortra Reveals Pervasiveness, Types of Look-Alike Domains Targeting Brands

Original research conducted by Fortra’s PhishLabs looks at the vast scale of look-alike domains during the first half of 2023 and how they were most used to target unsuspecting victims.

The Use of Natural Language Processing for Identifying and Mitigating Threats

In cyber threat intelligence, Natural Language Processing (NLP), which seeks to identify and analyse the motives and operations of threat actors, has emerged as a powerful tool for fighting back against cyber attacks.

Phishing Sites Impersonating Social Media Jump in Q2

In Q2, phishing attacks targeting social media platforms increased more than 23%, according to Fortra’s PhishLabs.

Social Media Security Awareness: What you Should Know

One area where many exploits take place is on social media platforms. It is essential to exercise caution while using social media platforms by observing security best practices such as using strong passwords, enabling two-factor authentication, and being vigilant about suspicious activities and messages.

Q2 Payload Report

QBot dominated as the top payload in Q2 with more than 95% of reported volume, according to Fortra’s PhishLabs.

The Science Behind the Scenes: How Machine Learning Combats Phishing Attacks and BEC

Over the last few years, cybercriminals have shifted their focus from sending “trusted” content to deceive a system to practicing identity deception to deceive a person into thinking an email message is trusted. Existing approaches focus largely on inspecting message content and assessing the reputation of the servers the message came from. Cybercriminals understand this paradigm and changed the primary vector of attack to use impersonation tactics to convince the recipient to take the requested action.

Common Social Media Scams and How to Avoid Them

Social media attacks and scams have become pervasive problems, with threat actors finding innovative new ways to deceive users and steal their information.

The Royal & BlackCat Ransomware: What you Need to Know

The US healthcare sector continues to be aggressively targeted by ransomware operators. Royal and BlackCat are two of the more recent – and highly sophisticated – ransomware threats. These two new flavors of ransomware pose serious potential impacts on the healthcare sector, but there are appropriate mitigation and defense strategies that organizations can take to protect against them.

DMARC Quarantine vs. DMARC Reject: Which Should You Implement?

After you've generated your DMARC record, the question thus becomes, which policy will you choose? Do you go immediately to p=reject, or do you dabble with p=quarantine? Which is truly the better option for your organization? Before making this lofty decision, you need to understand what happens when you implement either policy.

Understanding how Polymorphic and Metamorphic malware evades detection to infect systems

Polymorphic and metamorphic malware constantly changes itself in order to avoid detection and persistently remain on the system. This adaptive behavior is the main distinctive attribute of these types of malware, which is also why they are harder to detect; it is also why they pose a great threat to systems.

99% of User-Related Threats Are Email Impersonation Attempts

In the 2023 BEC Trends, Targets, and Changes in Techniques report, data from Fortra’s Agari and PhishLabs email security solutions illuminates current attack techniques and infrastructure used in email impersonation threats.

Dark Web Focus on Credit Unions Increases in Q1

In Q1, Credit Unions nearly surpassed Banking Institutions as the top targeted industry on the dark web.

Social Media Attacks Targeting Banks and Retail Climb in Q1

Social media attacks targeting businesses have jumped 12.2% in Q1 from the previous quarter, according to Fortra’s PhishLabs. Attacks on social channels are also trending higher than Q1 2022, with the average business experiencing more than 81 attacks per month.

Untrustworthy Email in Inboxes Reaches All-Time High

In Q1, the volume of emails classified as malicious or do not engage reached nearly a quarter of all reported emails.

Free Domain Abuse Plummets in Q1 as Staging Methods Shift

Free domain registrations used to stage phishing sites have experienced a significant drop in activity, contributing to just under 2% of phishing abuse in Q1.

Top Fraudulent Activity Targeting Retail on the Dark Web – Part Two

To effectively protect against abuse targeting your organization, security teams should prioritize dark web threat intelligence including understanding of the types dark web threats relevant to your brand and where they live.

Top Fraudulent Activity Targeting Retail on the Dark Web

In this piece, we highlight Promotions Fraud and Account Credentials targeting retail brands on the dark web.

Top Tactics of BEC Attacks in 2023

In this series, we look at the top email impersonation threats based on the reported volume in user inboxes through Fortra’s PhishLabs’ SEA solution. Below, we focus on Business Email Compromise (BEC), common tactics, and real attacks associated with the highest volume campaigns so far in 2023.

The Rise in Hybrid Vishing: How Spoofed Phone Numbers Are the Top Email Threat to Bypass SEGs

In this series, we look at the top email impersonation threats based on the reported volume in user inboxes through Fortra’s PhishLabs’ SEA solution.

Emotet Returns from Hiatus, Trails QBot in Q1 Volume

PhishLabs’ Suspicious Email Analysis solution continuously monitors payload families reported in corporate inboxes to help mitigate attacks targeting their businesses. Below are the top payload threats to enterprises in Q1.

The Fortra Identity Graph: Continuing to Combat Phishing and BEC with Fidelity

Instead of focusing on email content and infrastructure reputation, the Fortra Identity Graph utilizes advanced machine learning techniques to focus on people, known relationships, and predictable human behavior.

What to Know About Business Email Compromise (BEC) Scams

Business email compromise (BEC) is a dangerous type of email spoofing that targets businesses, aiming to damage them in some way.

What is the Relationship Between Ransomware and Phishing?

Ransomware operators are increasingly leveraging phishing tactics to deploy their malicious payloads, and the potential for compromise is exponentiating as a result.

DRP Solutions Market Guide

In this piece, we use insights from the Frost Radar Report to discuss why DRP platforms are becoming a priority for businesses and best practices to implementing a DRP strategy that all organizations can apply.

Stolen Credit Union Data on Dark Web Hits High in Q4

In this blog, we identify the most recent threats on the Dark Web and who they are targeting by analyzing a sample set of client data representative of the underground landscape.

Impersonation Represents the Top Social Media Threat in Q4

Social media attacks targeting organizations closed out 2022 nearly 19% higher than Q4 of 2021, according to Fortra’s PhishLabs. Social platforms continue to act as a hotbed for malicious activity, leaving organizations of all sizes vulnerable to brand and executive abuse.

Response-Based Email Attacks Reach Inboxes More Than Any Other Threat in Q4

In Q4, Response-Based phishing attacks were the top reported threat by end users, according to Fortra’s PhishLabs.

More than Half of All Phishing Sites Impersonate Financials in Q4

Phishing sites impersonating reputable organizations continue to represent the top online threat to businesses and their brands. In Q4, cybercriminals impersonated Financial Institutions on more than half of all phishing sites.

Digital Journal: Hackers Using Steganography Tactics for Malware Attacks

Read Digital Journal’s interview to learn why steganography is increasingly used in phishing campaigns and how security teams can protect against these attacks.

What is Whaling Phishing & How Does it Work?

“Whaling” phishing fraud attacks target the C-suite of a company which creates high risk of extremely sensitive, mission-critical data being stolen and exposed. Fortunately, protecting the organization from these attacks is possible.

Ransomware Attacks: Why Email Is Still THE Most Common Delivery Method

In this blog, we take a look at why phishing is the top delivery method of ransomware attacks and what your organization can do to defend your data and your brand.

What Is the Meaning of the SPF Email Standard and How Does It Work?

When it comes to being a domain owner, you need to know the meaning of SPF, or Sender Policy Framework, email standard for specifying your sending email servers. Learn how Fortra's Agari can automate this intricate process for you.

How to Gain Stakeholder Support for Email Security Investment

Investing in email protection beyond basic anti-spam is vital to protecting an organization. Persuading leadership and stakeholders of this can be complicated. We take a look at ways to obtain comprehensive email security buy-in.

What Is an Enterprise’s Secondary Line of Defense Against Phishing Emails?

Following a multi-layered approach to phishing defense is a good idea, but using what you have close to home is best when it comes to a sensible security posture. In practice, a robust security awareness training program is key to instruct employees on what to look for when trying to spot phishing emails that may have landed in their inboxes.

DKIM vs. SPF Email Standards: Do I Need Them Both?

When it comes to email authentication standards, should you use DKIM, SPF, or both? We’re going to cover these terms, when you should use them, what they do—and how best to protect your email domains.

What Is an Enterprise’s Primary Line of Defense Against Phishing Emails?

Managing email security is becoming untenable because too many threats are getting into inboxes. Fortra is your first defense against phishing emails.

QBot Campaigns Overwhelmingly Lead Reported Payloads in Q4

QBot was the most reported payload targeting employee inboxes in Q4, according to Fortra’s PhishLabs. This is the fourth consecutive month QBot has led malware activity as bad actors target organizations with a steady stream of high-volume attack campaigns.

DMARC Quarantine vs. DMARC Reject: Which Should You Implement?

You did it! You implemented DMARC and authenticated your email domains. This is no easy feat in itself and now, after DNS requests, third-party conference calls and writing internal policies, you are ready... It’s time for a stricter DMARC policy.

What to do with Suspicious Emails (Don’t Reply!)  

Sometimes when sending phishing simulations to our clients, we setup a reply-to address to see if people will reply to suspicious emails and many do.  Many people interpret our simulations as scams and articulate that in colorful language. Others provide information that would be dangerous in the hands of a threat actor, such as contact information for […]

DKIM Guide: How to Set Up the Email Standard Step by Step

In this DKIM setup guide, we’ll walk you through the steps on how to set up DKIM correctly, test it, avoid common pitfalls, and fix common mistakes.

What is a DMARC Policy?: The 3 Types & Which to Use

In this post, we’ll briefly explain what a DMARC policy is, how to set up your DMARC email record, what the three types of DMARC policies are and when to implement each one, and how to diagnose and fix any issues associated with it.

A Spotlight on Cybersecurity: 2022 Trends and 2023 Predictions

Looking ahead to 2023, Fortra’s security experts anticipate new cyber challenges will emerge. In return, organizations and authorities will work more closely together to better strengthen their security posture and response to threats. In this blog, we take a look at what our cybersecurity experts predict for 2023.

How to Recognize and Respond to Emerging Social Media Cybersecurity Threats

Whether you love or loathe social media, these platforms have become integral to how we communicate as individuals and businesses. Cybercriminals have also taken note, embracing these communication channels wholeheartedly to reach vast audiences quickly, anonymously, and cheaply, successfully defrauding targets of all stripes.

Holiday Season Triggers Rise in Counterfeit Activity

Criminals are capitalizing on the urgency behind gift-giving celebrations such as Black Friday, Cyber Monday, Christmas, and Hanukkah. Counterfeit activity has grown more than 50% from September through November, with a 27% increase over the course of November alone, according to Fortra’s PhishLabs.

Financials and Card Data Top Q3 Targets on the Dark Web

In Q3, Credit Unions nearly overtook National Banks as the top targeted industry on the Dark Web, according to recent data from Fortra’s PhishLabs.

Attacks Targeting Businesses on Social Media Jump 40% YoY

In Q3, the volume of social media attacks targeting the average business was 40.4% higher than the same time last year, according to the latest data from Fortra’s PhishLabs.

Emails Reported as Malicious Reach Four-Quarter High in Q3

The volume of malicious emails reported in corporate inboxes has reached a four-quarter high, according to the latest data from Fortra’s PhishLabs.

Financials See Increase in Phishing Attacks, Compromised Sites Lead Staging Methods in Q3

In Q3, nearly 80% of threat actors opted to compromise existing websites or abuse free tools when staging phishing sites, according to the latest data from Fortra’s PhishLabs.

Social Media Mitigation Best Practices for All Financial Institutions

The financial industry continues to experience the largest volume of abuse among all industries on social media.

RedLine Stealer Leads Payloads in Q3

In Q3, Redline Stealer represented nearly half of all malware attacks targeting corporate user inboxes. This is the first quarter Redline has led payload volume since PhishLabs began reporting on malware activity.

What is Email Spoofing?

Email spoofing is one of the most common forms of cybercriminal activity, specifically a form of identity deception that's widely used in phishing and spam attacks.

Crucial Tech Podcast with Agari: Hybrid Vishing Attacks

Listen as Agari’s John Wilson discusses the latest research from Agari and PhishLabs by Fortra.

How to Mitigate Online Counterfeit Threats

The broad scope of counterfeit campaigns and unclear boundaries of abuse make it challenging to successfully mitigate online threats targeting retail brands.

How to Collect Intelligence on Threats Targeting Retail Brands

Retail brands are increasingly targeted with fraudulent advertisements, fake social accounts, and falsely branded websites. These multipronged counterfeit campaigns redirect sales and compromise consumer data using brand recognition, the same component critical to driving sales within the retail industry.

Chat-Based Services, Finance, Heavily Abused on the Dark Web in Q2

Nearly half of stolen data on the Dark Web was marketed through Chat-Based Services in Q2 after a sharp increase in illegal transactions, according to the Agari and PhishLabs Quarterly Threat Trends & Intelligence Report.

Q2 Phishing Volume Up, Compromised Sites Lead Staging Methods

In Q2, four out of five phishing sites were staged using infrastructure that required no investment on the part of threat actors, including Compromised Sites and Free Tools and Services, according to the Agari & PhishLabs Quarterly Threat Trends & Intelligence Report.

Old Threats, New High: Response-Based Emails Increase in Q2

In Q2, Response-Based emails targeting corporate users reached the highest volume since 2020, according to Agari and PhishLabs Quarterly Threat Trends & Intelligence Report. Malicious and potentially damaging emails targeting corporate inboxes have climbed to a three-quarter high, and include Response-Based scams, Credential Theft, and Malware.

Fraud, Impersonation Fuel Q2 Increase in Social Media Attacks

In Q2, malicious attacks targeting organizations on social media have increased more than 20% over Q1, according to the latest Agari and PhishLabs’ Quarterly Threat Trends & Intelligence Report.

New Report Documents Highest Volume of Response-Based Email Threats Since 2020

In Q2, Response-Based attacks targeting corporate inboxes climbed to their highest volume since 2020, according to the latest Quarterly Threat Trends & Intelligence Report from Agari and PhishLabs.

Top 10 Ways To Recognize a Phishing Email

Attackers continue to find clever new ways to disguise phishing emails. Here are 10 different ways you can identify a phishing email.

The “I’s” Have It: How BEC Scammers Validate New Targets with Blank Emails

Have you ever received a blank email from someone you don’t know? If you have, it may have been from a cybercriminal making sure your email account is legitimate prior to a BEC attack.

Top 4 Threats to Retail Brands

Cyber attacks targeting retail brands have increased dramatically over the last year. Since Q3 2021, retail has experienced a nearly 500% increase in attacks on social media alone. Counterfeit websites and look-alike domains are also among the top threats to online retailers.

10,000 organisations targeted by phishing attack that bypasses multi-factor authentication

Microsoft has shared details of a widespread phishing campaign that not only attempted to steal the passwords of targeted organisations, but was also capable of circumventing multi-factor authentication (MFA) defences.

Interview: How Organizations Can Proactively Tackle Phishing Attacks

Billy Smith, Managing Director at PhishLabs by Fortra, and Mike Jones, Senior Director of Product Management at Agari by Fortra, discuss the evolution of social engineering attacks, and how organizations can proactively fight back against phishing.

Emotet Tops Payload Attack Volume in Q2

Emotet contributed to just over 47% of all attacks targeting corporate users in Q2, narrowly surpassing the former leader QBot.

What Is Email Spoofing and How Do You Protect Against It?

Email spoofing is one of the most common forms of cybercriminal activity, specifically a form of identity deception that’s widely used in phishing and spam attacks.

Customer Phishing Protection Couldn’t Be Easier with PhishLabs

Despite billions having been invested into perimeter and endpoint security since the onset of the pandemic and the birth of remote or hybrid work environments, phishing and business email compromise (BEC) scams have become primary attack vectors into organizations, often giving threat actors the toehold they need to wreak havoc on companies and their customers.

Building Cybersecurity Resilience in Financial Services

Despite paying significant attention to security, many organizations continue to be the targets of advanced persistent threats, fraud, sophisticated phishing campaigns, and other bold efforts to access the personally identifiable information (PII) and other sensitive IP they maintain.

Dark Web Disruptions in Q1 Trigger Shift in Illicit Exchanges

In Q1, the exchange of sensitive data on Carding Marketplaces and Forums increased as government seizure of multiple Dark Web sites prompted a shift in where actors conduct illegal activities, according to the Agari and PhishLabs Quarterly Threat Trends & Intelligence Report.

Q1 Phishing Volume Consistent, Up Over Q4

In Q1, more than 51% of phishing sites abused paid services, according to the Agari and PhishLabs Quarterly Threat Trends & Intelligence Report.

Hybrid Vishing Attacks Soar YoY, Achieve All-Time High In March

Vishing reports in Q1 2022 increased nearly 550% over Q1 2021, according to Agari and PhishLabs’ Quarterly Threat Trends & Intelligence Report.

Social Media Attacks Targeting Businesses Increase 105%

Social media attacks targeting enterprises have increased 105% from Q1 2021 to Q1 2022 according to Agari and PhishLabs’ latest Quarterly Threat Trends & Intelligence Report.

Dramatic Increase Detected in Impersonation Attacks on Social Media

Impersonations of brands and executives on social media have grown more than 300% and 250% year-over-year, respectively, according to the Agari and PhishLabs Quarterly Threat Trends & Intelligence Report.

Vishing Attacks Are at an All-Time High, Report Finds

Vishing attacks have increased almost 550 percent over the last twelve months, according to Agari and PhishLabs’ Quarterly Threat Trends & Intelligence Report.

Advanced Cyber Threat Intelligence

This guest blog by Dr. Edward Amoroso, TAG Cyber, provides a high-level overview of modern advances in cyber threat intelligence and how the Fortra cybersecurity portfolio supports this important method for reducing information risk in enterprise at various levels of the intelligence process starting with data security.

Why BitB Attacks are Concerning

PhishLabs has identified a Browser-in-the-Browser (BitB) campaign targeting financial institutions with a fake Office 365 (O365) authorization protocol.

Qbot Payloads Dominate Q1

Qbot payloads targeting enterprises contributed to almost three quarters of all email-based malware since the beginning of 2022.

Social Media as a Threat Channel

In this episode of the EM360 podcast, Head of Content Max Kurton talks to John LaCour, Founder & CTO of Phishlabs and Principal Strategist at parent company Fortra, about Social Media as a threat channel.

What is the Fortra Value Proposition for Cybersecurity?

In this guest blog, Dr Ed Amoroso, CEO, Tag Cyber, provides a high-level overview of the Fortra cybersecurity portfolio value proposition based on a mapping of its component solution offerings to the NIST Cybersecurity Framework (CSF) phases.

Cybercrime Cost U.S. $6.9 Billion in 2021

The FBI's annual look at phishing, scam, and personal data breach statistics is out.

Understanding the What, How, and Why of DMARC

What can you do to keep your email secure, ensure only authentic emails reach your contacts’ inboxes, and keep the bad guys out? Follow the lead of companies around the world and implement DMARC.

PhishLabs Q4 Report Documents Shifts in Dark Web Activity

In Q4, Carding Marketplaces experienced a dramatic increase in activity, representing 32.9% of criminal exchanges on the Dark Web and signaling a shift away from web forums.

Erratic Phishing Volume Increases 28% in 2021

Phishing site volume increased 28% over the course of 2021, according to PhishLabs Quarterly Threat Trends & Intelligence Report.

Average Organization Sees Two-Fold Increase in Social Media Attacks in 2021

Social Media attacks targeting enterprises increased 103% in 2021, according to PhishLabs Quarterly Threat Trends & Intelligence Report.

Vishing Volume Increases 554% in 2021

Hybrid Vishing attacks have increased 554% in volume, according to PhishLabs’ Quarterly Threat Trends & Intelligence Report.

Top Social Media Threats Targeting the Retail Industry

In this post, we take a look at impersonation and counterfeit ad campaigns targeting retail on social media.

Social Media Attacks Double in 2021 According to Latest PhishLabs Report

Social Media attacks targeting organizations increased 103% in 2021, according to PhishLabs’ Threat Trends & Intelligence Report.

Qbot, ZLoader Represent 89% of Payload Volume in Q4

Qbot and ZLoader payloads targeting enterprises contributed to almost 89% of email-based malware volume in Q4.

Stolen Card Data Leads Dark Web Threats

In Q3, more than 75% of threats observed on the Dark Web were related to stolen credit card and debit card data, according to PhishLabs’ Quarterly Threat Trends & Intelligence Report.

Social Media Attacks Increase 82%

Attacks targeting enterprises on Social Media have increased 82% since January, according to PhishLabs Quarterly Threat Trends & Intelligence Report.

Despite their Simplicity, New Emotet Attacks Forecast Threatening Future

PhishLabs has recently observed attacks targeting enterprises with Emotet payloads for the first time since January, when coordinated efforts by authorities to disrupt operations led this family of threat actors to halt activity.

Phishing Increases as Industries New and Old Face a Barrage of Threats

Phishing attacks targeting consumers during 2021 have increased nearly 32% from 2020, according to PhishLabs’ Quarterly Threat Trends & Intelligence Report.

Vishing Hybrid, Response-Based Attacks on the Rise

Vishing attacks targeting corporate users have more than doubled for the second consecutive quarter, according to PhishLabs’ Quarterly Threat Trends & Intelligence Report.

Initial Access Brokers: Selling Entry into Your Network

In this post, we take a look at Initial Access Brokers (IABs), popular ransomware affiliates that sell access to compromised networks.

New Quarterly Threat Trends & Intelligence Report Available

Vishing attacks have more than doubled for the second consecutive quarter, according to PhishLabs Quarterly Threat Trends & Intelligence Report.

Advanced Banking Trojan Sets New Standard for Android Malware

A new Android banking trojan is targeting financial institutions, crypto-wallets, and the retail industry.

Multi-Stage Vishing Attacks Skyrocket

Multi-stage vishing attacks have more than doubled since Q2, overtaking BEC attacks as the second most reported response-based threat.

BazaLoader Leads Payloads as Families Fluctuate, Players Broaden

As ransomware continues to improve its tactics and break records, PhishLabs is monitoring payload families reported in user inboxes that are used to facilitate these attacks.

Fake Mobile Apps Leave Users Vulnerable, Damage Brands

Cloned and spoofed mobile applications can damage a brand’s reputation and compromise user data.

Financial Services: The Top Tools and Tactics Used to Execute Phishing Attacks

In this post, we take a look at the tools and infrastructure used by threat actors to target financial services.

Free Tools and Services Fuel Phishing Increase

Phishing volume continues to outpace 2020 by 22%, according to PhishLabs’ Quarterly Threat Trends & Intelligence Report.

Top 10 TLDs Abused

In the latest PhishLabs Quarterly Threat Trends & Intelligence report, we break down how actors are abusing Legacy Generic (gTLD) and Country Code (ccTLD) Top-level domains, HTTPS, and free security certificates to target enterprises.

Social Media Attacks Increase 47%

Social media threats targeting enterprises have increased 47% since January 2021, according to PhishLabs Quarterly Threat Trends & Intelligence Report.

The Most Prevalent Threats to Corporate Inboxes

In this post, we discuss the top threat types reaching corporate inboxes, and what these attacks mean for security teams.

3 Strategies to Enhance Brand Threat Intelligence

In order to protect their organizations, security teams should prioritize efforts to proactively detect brand abuse.

New Quarterly Threat Trends & Intelligence Report Now Available

Phishing volume in 2021 continues to outpace last year by 22%, according to PhishLabs Quarterly Threat Trends & Intelligence Report.

OSINT: How Usernames Unlock Investigations

Usernames can hold meaning to the individual, and as a result provide useful information when expanding investigations to different social platforms.

Threat Evasion Techniques: Restricting by Interaction

Threat actors improve the resiliency of phishing campaigns by concealing malicious content from security teams. In this post we discuss active evasion, restricting by interaction.

Threat Evasion Techniques: Restricting By Device

Cybercriminals use evasion techniques to extend the life of phishing campaigns. In this post we discuss active evasion, restricting non-targets by device.

Qbot Leads Payload Volume in Q2

PhishLabs is monitoring payload families reported in user inboxes. In this piece, we break down the top malware targeting enterprises in Q2.

Threat Evasion Techniques: Restricting by Location

Evasion techniques are methods attackers deploy to extend the life of phishing campaigns. In this post, we take a look at active evasion techniques restricting non-targets by location.

Breaking Down Phishing Site TLDs and Certificate Abuse in Q1

In Q1, nearly all detected phishing sites used either a Legacy gTLD (54.7%) or ccTLD (41.5%). New gTLDs were seen substantially less, identified in only 3.9% of attacks. 

62% of Phishing Sites Abuse Free Tools or Services

In Q1, PhishLabs analyzed hundreds of thousands of phishing attacks and found more than 62% abused legitimate no-cost tools or services. 

Credential Theft, O365 Lures Dominate Corporate Inboxes in Q1

In Q1, PhishLabs analyzed and mitigated hundreds of thousands of phishing attacks that targeted corporate users. In this post, we break down these attacks and shed light on the phishing emails that are making it into corporate inboxes.

47% Phishing Increase in Q1

Phishing is on the rise. PhishLabs identified 47% more phishing sites in Q1 of 2021 than there were in Q1 of 2020. This trend is continuing as Q2 attacks are also up significantly year-over-year.

Q1 2021 Threat Trends & Intelligence Report

Phishing attacks in Q1 have increased 47% compared to last year, according to PhishLabs newly released Q1 2021 Threat Trends & Intelligence Report.

Top 4 Digital Brand Threats

Threat actors routinely impersonate brands as part of their attacks. Brand abuse can occur anywhere online, and impersonating a reputable company automatically gives credibility to a threat.

What is Digital Brand Protection?

Digital brand protection is defined as comprehensive intelligence sourcing and mitigation into external threats targeting your brand.

Ransomware Playbook: Defense in Depth Strategies to Minimize Impact

Access our Ransomware Playbook: Defense in Depth Strategies to Minimize Impact where we address actions that will minimize the impact of a ransomware attack.

Alien Mobile Malware Evades Detection, Increases Targets

PhishLabs is monitoring the increasing number of mobile applications targeted by the relatively new Alien Mobile Banking Trojan.

ZLoader Dominates Email Payloads in Q1

Malicious payloads delivered via email phishing continue to drive access to sensitive infrastructures and result in data compromise for enterprises.

Example of a Phishing Email: Breaking Down the Latest O365 Phishing Techniques

Today, we are highlighting a recent O365 campaign, and breaking down the techniques used to enhance the threat actor's odds of success. This particular lure uses many of the tactics you will see in an O365 phish, and is a good example of what an end user will encounter if one bypasses enterprise security controls and makes it into their inbox.

Most Phishing Attacks Use Compromised Domains and Free Hosting

PhishLabs recently analyzed more than 100,000 phishing sites to establish how many used compromised domains, free hosting, or maliciously-registered domains.

Surge in ZLoader Attacks Observed

PhishLabs has observed a spike in malicious emails distributing ZLoader malware.

OSINT: Mapping Threat Actor Social Media Accounts

Investigating a social media threat actor and their account in its entirety is a time-consuming yet imperative task in the process of assessing risk.

Emotet Dismantled, Trickbot, ZLoader, and BazarLoader Step In

While it remains to be seen whether or not Emotet's operations are permanently offline after its recent disruption, we are monitoring any increases in subsequent malware variants and corresponding ransomware attacks.

Threat Actor using Social Media to Scam Credit Union Members

Recently, PhishLabs mitigated an attack using a fake social media page to steal the credentials of a credit union (CU) customer.

Sharp Increase in Emotet, Ransomware Droppers

PhishLabs has analyzed these early stage loaders and observed a dramatic increase in ransomware droppers delivered via email.

Using Social Media OSINT to Determine Actor Locations

Investigating true locations of threat actors can evidently turn a seemingly baseless low risk social media threat into something that may be actionable and worthy of escalation.

Activists Leak Data Stolen in Ransomware Attacks

The activist group known as Distributed Denial of Secrets (DDoSecrets) has published almost one terabyte of data originally leaked to dark web sites by ransomware operators.

Look-alike Domain Mitigation: Breaking Down the Steps

If we dissect the construction of a look-alike domain, each step in its creation represents a point where actions can be taken to mitigate the threat.

Year In Review: Ransomware

In 2020, cybercrime has seen a dramatic evolution in ransomware attacks. This threat type has adopted increasingly malevolent tactics and targeted some of the year's most vulnerable industries.

The Anatomy of a Look-alike Domain Attack

In this post, we show the frequency of common look-alike domain threats, the mechanics of an attack, and resources to minimize risk.

The Year In Review: How COVID-19 Has Changed Cyber Security

The novel coronavirus has dominated 2020, and in the cyber community, threat actors have capitalized on its impact from the beginning.

APWG Q3 Report:Four Out of Five Criminals Prefer HTTPS

Highlights from the report include more than two hundred thousand unique phishing websites detected in August and September, SSL encryption for phishing sites overtaking SSL deployment for general websites, and a 10 percent increase in BEC attacks originating from free webmail accounts.

Easy to Deceive, Difficult to Detect, Impersonation Dominates Attacks

Impersonation is a highly effective tactic for threat actors because it piggybacks on the credibility of a brand to legitimize a malicious objective. As a result, it is one of the most common components of a cyber attack.

What is a Look-alike Domain?

By definition, a look-alike domain is a nearly identical, slightly altered domain name, registered with intent to deceive. In this post, we'll describe how domains help us communicate on the Internet, the anatomy of a look-alike domain and why we fall for them, how attackers create them, and the best place to begin when facing this common threat.

Phishing Campaign Uses Malicious Office 365 App

New phishing technique discovered that abuses Microsoft Office 365's add-in feature. Threat actor then gains full control of everything, including files.

Top 7 Use Cases for Digital Risk Protection

Digital evolution is leaving enterprises increasingly susceptible to attacks outside the network perimeter.In order to detect and respond to today's most relevant threats, security teams are investing in operational Digital Risk Protection (DRP) capabilities.

Ransomware Groups Break Promises, Leak Data Anyway

Data stolen in ransomware attacks is frequentlybecoming public even after the victim has paid.

As Screen Time Skyrockets, So Does Threat of Fake Apps

As apps continue to be an integral part of how we conduct business and perform sensitive tasks, bad actors are using fake and unethical appsto engage with unassuming mobile users.

How to Detect Look-alike Domain Registrations

Malicious domains are attributed to a wide variety of cyber attacks capable of undermining a brand's credibility. A spoofed domain is easy and quick to create, and can act as the catalyst for malicious email campaigns and phishing sites. In order to detect and action domain threats targeting your organization, security teams need to implement mature and progressive processes for collection and curation.

Encryption to Double Extortion: Ransomware’s Rapid Evolution

Data leaks and ransomware - once considered two distinct threats - are overlapping into a hybrid ransomware tactic known as double extortion.

Limited Impact of Phishing Site Blocklists and Browser Warnings

The life of a phishing site is brief, but impactful. A recent study found that by the time phishing URLs show up in blocklists, most damage is done.

$2.3M Stolen from Wisconsin GOP via BEC Attack

$2.3M in election funds were recently stolen from the Wisconsin GOP by a BEC scam that altered vendor invoices.

Ryuk Ransomware Targeting Healthcare

As if the COVID-19 pandemic were not enough, the healthcare sector is now being actively targeted by threat actors using Ryuk ransomware. Yesterday, the FBI issued an increased and imminent cyber threat warning amid growing reports of healthcare providers falling victim to the campaign. The threat actors are using Trickbot (delivered via Emotet) to gain access to target systems and deploy Ryuk.

How URL Tracking Systems are Abused for Phishing

Widely-used URL tracking systems are often abused in phishing attacks. The domains used by these systems are commonly known and trusted, making them attractive carriers for phishing URLs. To illustrate how it works, this post breaks down a recently-observed phishing attack that uses Google Ads' tracking system to evade email filters.

Planetary Reef: Cybercriminal Hosting and Phishing-as-a-Service Threat Actor

PhishLabs is monitoring a threat actor group that has set up fraudulent hosting companies with leased IP space from a legitimate reseller. They are using this infrastructure for bulletproof hosting services as well as to carry out their own phishing attacks. The group, which is based in Indonesia, has been dubbed Planetary Reef.

Eliminating the Threat of Look-alike Domains

There are many ways look-alike domains can be used by threat actors. This, in addition to diverse registrar requirements for removal, can make mitigation complex and often ineffective.

What is Digital Risk Protection?

Today's enterprise attack surface is not limited to the corporate network. In fact, the network is just a small slice. When it comes to deciding how and where to attack an enterprise, threat actors have ample opportunity beyond the network perimeter. As a result, enterprises are investing in operational capabilities to detect and respond to external threats across the digital risk landscape. This is Digital Risk Protection (DRP).

Digital Risk Protection vs. Threat Intelligence

Digital Risk Protection (DRP) continues to gain momentum and attention among CISOs and security professionals. DRP, an operational security function once classified under Threat Intelligence (TI), has been elevated by the Gartner Hype Cycle and other analyst research as an emerging security function that security teams rely on to address multiple external cyber threat use cases.

How to Take Down Social Media Threats

Threat actors increasingly use social media to attack brands, VIPs, and customers. The types of threats on these platforms are diverse and each social network has different policies in place for how they respond to reported attacks. As a result, mitigating threats on social media can be a frustrating and time-consuming process for security teams.

Social Media Intelligence: Cutting Through the Noise

Social media is rapidly becoming the preferred online channel for threat actors. Almost four billion people use some form of social media, and organizations are increasingly reliant on company pages, executive presence, and positive customer interaction to build a strong brand. As a result, a malicious post or tweet can cause irreversible damage to an enterprise.

APWG: SSL Certificates No Longer Indication of Safe Browsing

Key highlights of the report include a significant increase in wire transfer loss attributed to business email compromise (BEC) attacks from the first quarter and a 20% increase in BEC attacks targeting the social media sector.

Royal Ripper: Multi-Stage Phishing Attack Adapts to Victim Input

PhishLabs is monitoring a multi-stage phishing campaign that impersonates government entities and telecoms to target financial institutions and their customers.

Navigating Social Media Threats : A Digital Risk Protection Playbook

Social media is rapidly growing as a preferred channel for threat actors targeting enterprises with malicious campaigns. Half of the global population uses social media, and a post containing sensitive data or impersonating a high-level executive can be shared instantly, for 3.8 billion people to see.

Data Leaks in 2020: Accelerated Digital Transformation Exposes Enterprises

The digital presence of today's enterprise looks very different than it did earlier in the year. The COVID-19 pandemic is forcing rapid change on how many businesses use technology. From transitioning to remote workforces to delivering new online services, digital transformation initiatives that would normally span years are happening in weeks and months. Under these conditions, the likelihood of experiencing a major incident due to data leakage is very high. So much so that a recent Gartner Emerging Technologies Report highlighted data leakage as a primary concern.

Gartner Releases Emerging Tech Report: Critical Insights into Digital Risk Protection

Demand for Digital Risk Protection has grown due to the need for better visibility and remediation of threats targeting enterprises' digital assets.

Account Takeover Attacks Cause Chaos @ Twitter

On Tuesday afternoon, dozens of high-profile Twitter accounts were hijacked. Threat actors took over the accounts of Elon Musk, Bill Gates, Barack Obama, Jeff Bezos, and many others. Corporate Twitter accounts were also hijacked. What does this mean for enterprises and their security teams?

Gartner Releases 2020 Hype Cycle for Security Operations

Digital Risk Protection has emerged as a critical new capability for security teams according to Gartner.

Spoofed Domains Present Multifaceted, Growing Problems for Enterprises

Threat actors are increasingly registering new domains to launch malicious campaigns against enterprises. Identifying suspicious domains, as well as monitoring existing ones for changes, is an overwhelming and reactive task for many organizations. In order to minimize the risk spoofed domains pose, security teams must be able to efficiently detect abuse and understand what is required to mitigate threats.

Executive Impersonation Techniques on Social Media

Threat actors are masquerading as executives on social media for purposes of stealing credentials and damaging popular brands. Today, many VIP's have accounts on these platforms to network as well as post content promoting their companies.

Abuse of HTTPS on Nearly Three-Fourths of all Phishing Sites

Threat actors hit a new milestone in their abuse of HTTPS or SSL Certs: Nearly 3/4 of all phishing sites now use it.

FBI Warns of Growing Mobile Banking App Threats

The Federal Bureau of Investigation (FBI) published a public service announcement Wednesday warning the public of anticipated cyber attacks that exploit increased usage of mobile banking apps.

Data Leakage on Social Media: Credit Card Info, Confidential Docs

When the term data leak comes to mind, most enterprises think of the dark web. Although compromised information can damage an organization when distributed through gated and anonymous platforms, we are seeing social channels being used to allow for a more rapid and potentially destructive outcome.

Social Media Platforms Latest Channels used to Leak Sensitive Data

Threat actors are using social media accounts to expose and sell data that has been compromised. While information found on many of these platforms has traditionally been disclosed by enterprises and individuals with intent, cyber criminals are taking information acquired by means of scams and data breaches and promoting their sale on various social mediums not always monitored by security teams.

Threat Actors Impersonate Brands on Social Media for Malicious Purposes

With more than 2.95 billion people now estimated to use social media, an organization's online presence directly relates to the satisfaction of its customers, as well as its profits. False or misleading images or comments connected with a brand on online platforms can swiftly impact the reputation or even financials of an otherwise successful company.

Reporting Cyber Threats: Executives at Risk

Every industry and organization is targeted differently, but typically data sets group them all together. Here's a detailed look at one specific executive.

COVID-19 Phishing Update: File Sharing Services Abused to Steal Credentials

As enterprise workforces continue to transition to work from home environments, online file sharing and cloud storage tools are becoming a frequent, if not necessary means of collaboration. While abusing these types of platforms is nothing new to threat actors, the lures they use are now taking advantage of the novel coronavirus. The two examples below demonstrate how.

COVID-19 Phishing Update: Threat Actors on Twitter Want You to Pay for Your Stolen Passwords

Cyber criminals are using COVID-19 to manipulate users on Twitter and steal funds through payment applications. Our latest example demonstrates how victims are being targeted with fake credential dumps.

COVID-19 Phishing Update: BEC Lures use Pandemic to Enhance Attacks

Threat actors are using the novel coronavirus to add credibility in recent Business Email Compromise (BEC) attacks. Below are three examples of how they are doing it.

COVID-19 Phishing Update: Money Mule Scams Use Remote Opportunities to Entice Victims

As job losses grow due to the coronavirus pandemic, cybercriminals are taking advantage of the situation to recruit individuals into money mule scams. Below are two examples that reference work-from-home opportunities.

COVID-19 Phishing Update: Scammers Impersonating Financial Institutions on Instagram

Threat actors are using the novel coronavirus to impersonate accounts on social media. The example below targets members of a credit union.

COVID-19 Phishing Update: Money-Flipping Schemes Promise Coronavirus Cash

Threat actors are using social media to engage in money-flipping scams abusing the novel coronavirus. The two examples below demonstrate how they are doing it.

COVID-19 Phishing Update: Threat Actors Abusing Utility Concerns

In response to the financial difficulties resulting from COVID-19, many utilities have announced policy changes to suspend disconnects and provide relief to customers. As a result, many people are uncertain about what will happen should they be unable to pay their utility bills during the pandemic. As our latest example shows, this uncertainty is being exploited by threat actors.

COVID-19 Phishing Update: Bad Actors Use Stimulus Payment Delays to Capture Banking Credentials

With many U.S. citizens still waiting to receive their government-mandated stimulus, we are again seeing cyber criminals shift their tactics in accordance with the news cycle. Below is one example of a lure abusing access to an undeliverable stimulus payment.

COVID-19 Phishing Update: Voicemail Attacks Surface Targeting Office 365 Users

Cyber criminals are using coronavirus-themed voicemail notifications in the latest efforts to act on pandemic fears and steal credentials. The example below shows how they are doing it.

COVID-19 Phishing Update: Workplace Concerns Exploited to Distribute Malware

In recent efforts to deliver attacks that abuse the novel coronavirus, threat actors are exploiting workplace concerns about outbreak prevention and shipment delays. Below are two examples sent with the intent of delivering malware.

COVID-19: New Daily Intel Download and Webinar Next Week

In our continued effort to provide the most relevant cyber threat intelligence, we are launching two initiatives: a daily intel download and a web event.

COVID-19 Phishing Update: Promise of Payments Fuel Financial Fraud

Cyber criminals are using the stimulus bill and relief payments to exploit growing concerns about financial security. The examples below are impersonating financial institutions.

COVID-19 Phishing Update: Nigerian Prince Lures Evolve with Crisis

Threat actors are repurposing Nigerian Prince or 419 lures with novel coronavirus messaging to capitalize on the current pandemic. Today's examples demonstrate how they are doing it.

COVID-19 Phishing Update: Infected Coworker Email Targets Enterprise O365 Credentials

Threat actors are exploiting employee concerns about infected colleagues. Our latest example targets Office 365 accounts at a large Canadian company by falsely claiming a colleague has died from the virus.

COVID-19 Phishing Update: Email Posing as Scam Guidance Delivers Malware Instead

The novel coronavirus is giving opportunistic threat actors new means of deploying malicious lures on unsuspecting targets. Today's example shows the attacker leveraging the pandemic by offering guidance on how to avoid coronavirus scams. Unfortunately, it's also a scam.

COVID-19 Phishing Update: Your Bank is Not Texting You About Coronavirus

Threat actors continue using COVID-19 fears to exploit individuals on a variety of channels. Today we are taking a look at two new, related SMS lures.

COVID-19 Phishing Update: Threat Actors Impersonating CDC, WHO

As COVID-19 continues to spread, we are seeing an increase in threat actors impersonating public health organizations and luring victims in with fake links to government agencies. The four examples below impersonate the Center for Disease Control and Prevention (CDC) and the World Health Organization (WHO) using lures we have recently observed.

COVID-19 Phishing Update: Campaigns Exploiting Hope for a Cure

We continue to see a wide range of lures exploiting coronavirus fears. In this post, we take a look at three recently observed lure samples that use the possibility of a cure to entice victims.

COVID-19 Phishing Update: Insurance Coverage Lures

As COVID-19 cases have further spread over the past few weeks, our team has come across new lures that target an individual's fear of coronavirus as it relates to their health insurance coverage. Both examples lead to malicious sites that attempt to steal Microsoft Office 365 login credentials.

COVID Phishing Update – Coronavirus wants your Bonus, too

A few weeks ago we noted some early examples of Coronavirus campaigns. Since then, the pandemic has spread and we've seen a dramatic uptick in COVID-19-themed malicious activity, with everything from domain registration to phishing emails and even malware campaigns. Going forward, we will be publishing more examples as we find additional methods cybercriminals are using to exploit the crisis.

Evasion Techniques: User-Agent Blocking

As Phishing attacks get more sophisticated on the social engineering front, so to does the technology and techniques behind keeping them online longer.

How Threat Actors are Abusing Coronavirus Uncertainty

As the coronavirus becomes a global pandemic, threat actors have begun abusing the fear surrounding it. One lure we have spotted even mimics the CDC.

APWG Year-End Report: 2019 A Roller Coaster Ride for Phishing

APWG's Q4 report shows ups and downs for 2019 phishing attacks, with SSL sites, web email, social media and BEC as the top trends.

Evasion Techniques: Geoblocking by IP

Not all phish are designed to target everyone, especially not analysts. Here's how threat actors use geoblocking to ensure their targets see it first.

Breakfast, Lunch, and Bourbon at RSA Conference 2020

Heading to RSA? Spend some time with PhishLabs while you're there. We're hosting several events. Relax with a quality bourbon, get a break from the crowds, and catch up with friends.

Social Media Phishing: Beyond Credential Theft

Credential theft is a common goal for threat actors, but big losses come from romance scams, abuse of social brands, and even source code dumps.

Why You Should Take Social Media Account Takeover as Seriously as a BEC Attack

Much like a threat actor can pose as an executive in BEC attacks, they can take over a social media account and abuse the inherent trust we have with it.

SIM Swap Attacks are making SMS Two-Factor Authentication Obsolete

SMS-based two-factor authentification is accessible and improves security, but unfortunately, social engineering can allow threat actors to skip through through it with SIM swapping.

New Webinar: Inside the World of Social Media Phishing: Financial Scams

Attend our upcoming webinar to learn about the latest techniques threat actors use to abuse social media for phishing attacks.

Threat Actor Abuses Mobile Sensor to Evade Detection

A unique mobile obfuscation technique discovered to help threat actors keep their attacks alive longer.

New White Paper: BEC Attacks are the Most Costly Form of Phishing

Download our latest white paper to understand BEC attacks are the most costly form of phishing.

The Training Evaluation Conundrum

Security awareness training programs often miss the mark about evaluating the success of the programs. Training leaders need to focus on long-term change.

Beyond Marketing: Getting Ahead of Brand Protection Issues

For many organizations, branding is managed by marketing teams and possibly general council; however, some challenges are considered a cyber threat.

How to Handle Brand Impersonation on Social Media

In a world where it only takes moments to create a profile on social media, there is a difference between parody and malicious attacks.

Unique Countermeasures in Active Phishing Campaign Avoids Security Tools

This active campaign combines a variety of techniques with a non-text-based email body in order to evade email security technologies.

Active TrickBot Campaign Observed Abusing SendGrid and Google Docs

We have observed an active TrickBot campaign targeting employees of multiple organizations. Unlike traditional BankBot attacks, it uses malicious links instead of attachments.

Marketing Teams Are Not Equipped to Monitor Social Media Threats

Want to protect your brands, employees, and customers from threats originating from social media? Your marketing team and their tools are not sufficient.

Active Office 365 Credential Theft Phishing Campaign Targeting Admin Credentials

An ongoing phishing campaign has been observed targeting the administrative accounts that manage Microsoft Office 365. Here's what you need to know.

APWG: Two-Thirds of all Phishing Sites Used SSL protection in Q3

APWG's Q3 report shows phishing increasing, 68% of phishing sites use HTTPS.

Social Media Account Takeover is as Vicious as a BEC Attack

At the height of social media adoption, users willingly shared everything from the lunch they just ate to the exact places they visited throughout the day. While some of this has been reduced as consumers learned how sharing private information could impact their privacy, many people still hide these kinds of updates behind basic security controls.

Recap: How to Proactively Protect Users with Email Incident Response

This year organizations are estimated to have spent more than $124 billion on security, yet phishing attacks continue to bypass email security technology. Is it possible to proactively stop threats that would otherwise make it past your infrastructure? If you attended our most recent webinar, you know the answer is yes.

What to do with Suspicious Emails (Don’t Reply!)

It is important to remember that these scammers are in fact criminals and engaging with them is like catching a tiger by the tail.

Best Practices for Defanging Social Media Phishing Attacks

Social media-based phishing attacks have taken off in a big way. According to some estimates, social media now accounts for as much as 5% of all phishing attacks globally. When you consider that phishing volume has grown consistently every year for more than a decade (up 40% last year alone), that 5% constitutes a lot of attacks.

More Bees with Honey? Reinforcement vs. Punishment in a Security Training Program

A successful motivational and behavior change strategy requires thoughtful intervention designed for the way people learn.

Beware of Account Takeover

However, not all phishing emails come from a fake email account that is trying to impersonate a company or a user.

Grease the Skids: Improve Training Successes by Optimizing the Environment

Take a step back from your program to consider whether the organizational climate is ripe for its success.

Training Not Sinking In? Try a Programmatic Approach

Today we're kicking off National Cybersecurity Awareness Month (NCSAM).

New Spear Phishing Campaign Impersonates VCs and PE Firms

The new spear phishing campaign is targeting Office 365 credentials of high-value targets.

APWG: Phishing Continues to Rise, Threat Actors Love Gift Cards

APWG's Q2 report shows phishing increasing, SaaS industry prime target, and threat actors are after gift cards.

The Vast Social Media Landscape for Phishing Threats

Threat actors can and will abuse the largest social media sites; but what about blogs, forums, and even gripe sites? Those too can be phishing risks.

Why Social Media is Increasingly Abused for Phishing Attacks

For more than a decade the use of social media has grown, and along with it, so have the tactics used by threat actors to abuse each kind.

Phishing Simulations: Should they Reflect Real-World Attacks?

Users often catch the most frequently used phishing lures. Though elements from these attacks are helpful, simulations need to go well beyond them.

BEC Attacks: How CEOs and Executives are Put at Risk

When it comes to impersonating employees for phishing attacks, CEOs and executives are most at risk.

Low Appetite for Long Security Training? Use a Bite Sized Approach

Losing 75% of your training investment? Take a nano approach to a big problem.

BEC Attacks: A Closer Look at Invoice Scams

Why do Invoice Scams, a form of phishing attack, constantly bypass email security technology? The lack of attachments and links.

How Spear Phishing Makes BEC Attacks So Effective

When threat actors research their victims and use that intelligence, it makes their phishing attacks just that much more effective.

Romanian Cybercriminals Sentenced for Phishing Campaign

After our team worked with federal law enforcement officials, three Romanian threat actors have been sentenced for their role in SMiShing and Vishing campaigns.

How Business Email Compromise (BEC) Attacks Impact Everyone

BEC or Business Email Compromise Attacks are some of the most effective and costly forms of phishing.

Threat Actors are Increasing Their Use of Free Hosts

The majority of phishing sites are hosted on compromised sites, but in the past year, threat actors have doubled their use of free hosting.

We Are a Best Place to Work Four Years in a Row!

For the fourth consecutive year, PhishLabs has been named a top company to work for in the state of South Carolina.

Phishing Number One Cause of Data Breaches: Lessons from Verizon DBIR

Verizon's annual Data Breach Investigations Report has just been released. What does it have to say about Phishing?

More Than Half of Phishing Sites Now Use HTTPS

Threat actors are officially using sites with HTTPS or an SSL cert more times than they don't.

PhishLabs Enhances Email Incident Response Solution

Today we are releasing an enhancement to the Email Incident Response Service. The upgrade will include the addition of SOAR and overall enhancements.

The Definition of Phishing

Phishing: Social engineering using digital methods for malicious purposes.

Should User Passwords Expire? Microsoft Ends its Policy

For years, Microsoft had a policy suggesting users to change their password every 45 days. That policy is no more and our team has a few thoughts to share.

6/13 Webinar: Handling Threats That Land in User Inboxes

PhishLabs' latest webinar will focus on the threats that make it past technology and into user inboxes.

The Rise in Mobile Phishing Attacks

Now that mobile web use is the primary source of traffic, threat actors have shifted their attention to the smaller screens.

These Are the Top Most Targeted Countries by Phishing Attacks

The U.S. is once again the top most targeted country by threat actors who use malicious social engineering.

Beyond the Top 5 Industries Most Impacted by Social Engineering

These are the top most targeted industries by phishing attacks, but that doesn't mean those who work in other areas are not at risk.

Phishing Volume Continues to Rise

Phishing volume grew 40.9% in 2018.

The Most Common Types of Reported Emails

Well trained users know that reporting suspicious content is important. Here's what we learned from more than 500,000 of those reported emails.

2019 Phishing Trends & Intelligence Report: The Growing Social Engineering Threat

Today we are releasing the key findings from this year's annual Phishing Trends and Intelligence report.

5 Tips for Smarter Detection and Collection of Digital Risks

Last month our Director of Product Management discussed why modern enterprise organizations need a digital risk protection plan in place. Here are a few tips to get you started.

Brain-Hacking Part 2: Ain’t Nobody Got Time for That!

Humans are a creature of patterns and routine. Because of this, we tend to simplify things that are familiar to our every day life. Unfortunately, this is also how threat actors abuse us.

Romanian Vishing/SMiShing Threat Actors Plead Guilty

Three Romanian threat actors were taken down with the support of PhishLabs. All three have now pled guilty of creating more than $21 million in losses to their victims.

It Only Takes One to Detect or Infect

A single user can impact your network for better or worse. By training employees to detect and report phishing threats, it can offset some of even the most vicious attacks.

This message is from a trusted sender, or is it?

Sometimes, what you are seeing is in fact not true or accurate. Don't let symbols deter you from safe email best practices.

Brain-hacking: Why Social Engineering is so effective

Social engineering isn't limited to information security; it's something we all experience, every day.

Hiding in Plain Sight: How Phishing Attacks are Evolving

In the past, phishing threat actors did little to hide their tracks. Now that there is pushback on their attacks, they've evolved and started to use blocking techniques to avoid detection and shutdowns.

How to Cut Healthcare Cyber Incidents by 80 Percent

A strong security awareness training program that encourages users to report more suspicious content can drastically reduce the amount of cyber security incidents.

BankBot Anubis Switches to Chinese and Adds Telegram for C2

Mobile malware BankBot Anubis recently began using Chinese characters to encode C2 information and added Telegram as a method for distributing C2 communications. This post details these changes.

Less Than 3 Percent of ‘Collection #1′ Data Dump Passwords are Unique

This month Collection #1 made the rounds for being the largest data dump of private user information. Fortunately, it's old data. Unfortunately, there is a larger story to tell.

Social Risk Monitoring: All Press Good Press?

When bad social media posts go viral, there is a good chance the press will pick up on it. However, how damaging is it to a brand? Let's look at some numbers.

49 Percent of Phishing Sites Now Use HTTPS

A single word can have far more meaning than intended, and in the case of Secure appearing on Google's Chrome browser, it may be misleading users.

Users Failing Phishing Simulations? That’s ok

If users are going to fail, it's better in a simulation than against a real world phishing threat.

Threat Announcement: Phishing Sites Detected on Emoji Domains

Since September 21, PhishLabs analysts have detected a number of phishing sites hosted on emoji domains. Here's what we've learned so far.

The Light in the Dark: Myths and Truths about the Dark Web

Is the dark web purely a place for malicious activity? Of course not. Let's dig into a few myths.

Phishing 101: Targeted Phishing Attacks

Each week our inboxes get at least a few phishing attacks that pass through our spam filters, but they often are easy to spot. A targeted phishing attack on the other hand is far more effective.

Geolocation Tracking Poses Risks to Your Employees

In the wake of the Associated Press coverage highlighting Google's location tracking fiasco, now is a good time for a refresher on why geolocation tracking is an issue.

BankBot Anubis Still a Threat, Gets Upgrade

BankBot Anubis continues to evolve and has now been spotted using Twitter to host it's C2 URLs.

Understanding Why Spear Phish Are Highly Effective

Unlike your common bulk phishing attacks that target anyone and everyone, spear phishing attacks are highly effective and personally crafted for their targets.

How To Tackle the Hidden Threat of Social Media

Social media isn't just likes and memes, it's a platform designed for communication. Unfortunately, that can pose threats to your brand.

Using Reported Phish to Hunt Threats

Everybody knows that reported phishing emails are a valuable resource. But are you making maximum use of yours? This is how you can use reported phish to aid your threat hunting capability.

How To Change Security Behaviors: Information Security

User errors are a huge cause of data breach... so why is most security awareness training so bad? Here's what you can do to really change security behaviors.

How Social Media Threatens Personal and Corporate Security

Social media is about more than likes and memes, the content on each platform can potentially threaten any brand, their employees, customers, or executives.

WannaCry, NotPetya and the Rest: How Ransomware Evolved in 2017

WannaCry and NotPetya stole the headlines, but what happened to the overall ransomware landscape in 2017?

6 Steps to Quickly Defang Reported Phishing Emails

User-reported phishing emails are a huge asset in the fight against phishing. Here are six steps you can take to maximize the value of every reported phish.

Silent Librarian University Attacks Continue Unabated in Days Following Indictment

Following the formal indictment of nine Iranian threat actors on March 23, 'Silent Librarian' attacks against universities and other research organizations have continued unabated.

Silent Librarian: More to the Story of the IranianMabna Institute Indictment

PhishLabs began compiling attacks, lures, and other information tied to Mabna Institute threat actor group Silent Librarian starting in December 2017.

New Variant of BankBot Banking Trojan Ups Ante, Cashes Out on Android Users

BankBot Anubis takes mobile threats to the next level incorporating ransomware, keylogger abilities, remote access trojan functions, SMS interception, call forwarding, and lock screen functionality.

How To Make Reporting a Phish So Easy Even Your Busiest Execs Will Do It

Reported phishing emails are the backbone of any anti-phishing program. But actually getting those emails? Not as easy as you'd think.

The 11 Types of Reported Emails

Reporting an email to your IT team is incredibly important, and it's because these 11 email types each have different impacts.

A Quarter of Phishing Attacks are Now Hosted on HTTPS Domains: Why?

As more websites obtain SSL certificates, the number of potential HTTPS websites available for compromise increases.

Holiday Phishing Scams Target Job Seekers

Job scams represent only one of the many techniques deployed by criminals, who are growing increasingly creative and sophisticated in luring their victims.

Adwind Remote Access Trojan Still Going Strong

Adwind Remote Access Trojan, a malware-as-a-service tool, has been observed sending spam emails containing a malicious JAR file.

Nigerian 419 Scams: How to Spot a Phish

Nigerian 419 scams are as old as the internet, and they're still going. Here's our #CyberAware take on this phishing classic.

BEC Scams: How to Spot a Phish

In aid of national #CyberAware month, we take a close look at BEC phishing lures, how they work, and why they're so effective

The Impact of Phishing, and Why it Should be Your #1 Priority

With all the attention given to more "exciting" attack vectors, phishing is often ignored. But when you look at the facts, that just doesn't make sense at all.

The Mobile Phishing Threat You’ll See Very Soon: URL Padding

In the last few months, a new mobile threat has taken off: URL padding. Here's what we've learned about it, and what you can do to defend against it.

How to Use URL Pattern Analysis for Phishing Detection & Mitigation

Find out how URL pattern analysis can dramatically reduce the time and energy required to produce actionable phishing intelligence

How To Build a Powerful Security Operations Center, Part 2: Technical Requirements

The right hardware and software is essential to the long-term success of any SOC. In this post, we consider the most important components.

How To Build a Powerful Security Operations Center, Part 1: Motivation & Logistics

As cyber security becomes a top priority for businesses of all sizes, organizations are increasingly looking to set up their own security operations centers.

The Phishing Email that Fooled Thousands of Trained Users

Holiday themed phishing attacks can fool even the best trained users. But that doesn't mean you should just give up. Here are some tactics for dealing with them

Phishing with Wildcard DNS Attacks and Pharming

This PhishLabs blog post explores pharming and wildcard DNS attacks, provides examples of these method, and describes in detail how phishers use them in their attacks.

Dissecting the Qadars Banking Trojan

A deep-dive malware analysis of the Qadars Banking Trojan and how it works.

Security Awareness Training: A Recipe for Success

From planning to post-game analysis, here are the best practices for managing an effective security awareness training program.

How to Calculate ROI for Security Awareness Training

It's notoriously hard to evidence the need for investment in security awareness. But with a concrete ROI forecast, the task becomes must easier.

How and Why You Should Calculate Your Organization’s Cost of Phishing

With so many variables and conflicting claims calculating the cost of phishing can be difficult. Let us make it easy for you.

All Phish are Not Created Equal: The Evolving BEC Scam

As cybercriminals evolve their attack methodologies, they have learned from their mistakes and BEC is an unfortunate example of how they are circumventing technology defenses and exploiting organizations' greatest vulnerability: employees.

Why Some Phishing Emails Will Always Get Through Your Spam Filter

If you've ever configured a spam filter, you know how frustrating it can be. Here's why some phishing emails always get through.

Why Your Users Keep Falling for Phishing Scams

Phishing has become a huge concern in recent years, and it can be frustrating when users continue to fall for them. Here's why it happens.

When Good Websites Turn Evil: How Cybercriminals Exploit File Upload Features to Host Phishing Sites

Compromised websites are an integral part of the cybercrime ecosystem. PhishLabs recommends these steps to help prevent this kind of exploit.

Alma Ransomware: Analysis of a New Ransomware Threat (and a decrypter!)

PhishLabs recently observed a new type of ransomware, called Alma Ransomware, being delivered via exploit kit. PhishLabs has written a decrypter / decryptor.

Google AdWords Used in Bitcoin, Banking, and Online Gambling Phishing Campaigns

Hackers targeting bitcoin wallet users are leveraging Google's AdWords. Phishlabs has previously seen similar attacks over the past year.

Recent Phishing Campaign Uses Jabber to Exfiltrate Compromised Information

PhishLabs' phishing research and analysis have shown that phishers are continually developing new methods to facilitate their malicious activities.

Marcher Banking Trojan Targets Over 60 Organizations | Security Week Article

The number of organizations whose customers are targeted by the Android banking Trojan known as “Marcher” has increased considerably over the past period, but PhishLabs researchers said the latest samples they have analyzed don’t target the United States. Marcher, a threat offered on Russian underground forums since late 2013, currently retails for roughly $5,000. The […]

Olympic Vision Keylogger and BEC Scams

The ease of buying low cost, pre-built tools broadens the range of potential targets in BEC attacks. This blog discusses one of these tools - Olympic Keylogger.

Building a Business Case for Effective Security Awareness Training

Discussion of components to include in a business case when trying to obtain stakeholder sign off on security awareness training with phishing simulations

5 Tips for Evaluating Phishing Simulation Solutions

Baseline assessment, real-world-simulation, ongoing management, and performance measurement are essential parts of successful security awareness training.

The unrelenting evolution of Vawtrak

In December 2014, Vawtrak version 0x38 was released including significant code and configuration changes that indicate momentum and an intense focus on development of the crimeware kit.

Fraudsters take advanced fee scams to the next level

PhishLabs has discovered an advanced fee scam with a twist - an elaborate but faux bank website.

Cyberespionage Phishing Attack, Backoff Malware Spreads, Retail Breach and more | TWIC – October 24, 2014

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source). Think community financial institutions aren’t in the crosshairs for account takeover? Think again. (PhishLabs) There is clear evidence that account takeover (ATO) is a big problem and growing worse. The Federal Reserve Bank of Atlanta […]

Think Community Financial Institutions Aren’t in the Crosshairs for Account Takeover? Think Again

There is clear evidence that account takeover (ATO) is a big problem and growing worse. The Federal Reserve Bank of Atlanta sounded the alarm in a report delivered last year, estimating 69% growth in account takeover fraud and $69 billion in losses from 2011 to 2012.

Shellshock Phishing Attacks, Windows Zero-Day Vulnerability, Dropbox Hack and More | TWIC – October 17, 2014

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Dyre Banking Trojan, Tyupkin ATM Malware, iWorm Botnet and More | TWIC – October 10, 2014

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Smash & Grab cybercrime attacks have been active since mid-June

Last week, researchers at Proofpoint reported an attack campaign, which was dubbed “Smash & Grab," targeting customers of JP Morgan Chase. Based on intelligence from the Phishlabs R.A.I.D. (Research, Analysis, and Intelligence Division), the “Smash & Grab" operations have been active since at least mid-June. The attacks use email messages to direct potential victims to a phishing page. Visitors to the phishing page are also exposed to an exploit kit that abuses software vulnerabilities to infect victims with malware.

Vulnerabilities found in Dendroid mobile Trojan

The full source code of the Dendroid Android RAT was leaked late last week. Analyzing the code has revealed multiple vulnerabilities due to lack of user input including XSS, SQLi, and PHP Code Execution.

Phishing Takedown < Anti-Phishing < Phishing Protection

Phishing takedown services, anti-phishing services, phishing protection. What's best for stopping phishing attacks? Learn the key distinctions and how they make a big difference.

New Man-in-the-Middle attacks leveraging rogue DNS

PhishLabs has observed new Man-in-the-Middle attacks using rogue DNS to takeover accounts and evade fraud detection. Customers of 70+ financial institutions are being targeted.

Phishing for Bitcoins

PhishLabs has detected a new phishing attack targeting users of the Mt. Gox bitcoin exchange: While most phishing attacks used hacked legitimate web sites to host phishing pages, this particular attack is using a registered domain name of RAA.CN.COM. CN.COM isn’t a real top-level domain name, but CentralNic allows registrars to sell third-level domains within […]

What’s Next for DDoS Defense?

Over the last year or so, I’ve frequently been involved in discussions about DDoS botnets and their activities. Many of the security practitioners I talk with have been under pressure to better protect against DDoS threats. And a common question I get is “What else should I be doing that will make a difference?” Which […]

Why Phishing Matters

Almost every day I speak with a bank somewhere about phishing. I ask them how much of a threat is it, what are they doing about it, and how does it affect their business. Surprisingly, the answers I get vary quite a bit from one organization to another. Most are concerned about the costs of […]

Phishing Site Asks to Upload Image of Their Driver’s License and Phone Bill

PhishLabs has discovered a new variant of a common phishing page that prompts users to upload a scanned copy of their driver’s license and telephone bill. The scam detected targets customers of a large US bank. Most likely the phisher is attempting to circumvent additional security measures by the bank such as telephone based authentication […]

PhishLabs Discovers Instagram Phishing Site

PhishLabs has discovered a phishing site targeting Instagram users:   It is not clear if the intention of the responsible miscreants is to steal photos, email credentials, or Facebook credentials. It is probably the latter given the phishing site redirects to Facebook after stealing an email address and password. However, it does seem clear that […]

“Your ACH Transaction” Spam Leads to Malware

PhishLabs has discovered a new malware campaign which appears to be an alert from NACHA regarding a failed ACH transaction. If a vulnerable user clicks the enclosed link, they will be infected with malware. Users receive an email message which appears as follows: From: [email protected] [mailto:[email protected]] Sent: Thursday, February 24, 2011 9:47 AM To: Denise […]

Avalanche-Hosted Zeus Trojan Disrupted

While investigating an instance of the Zeus Trojan that was using the Avalanche bulletproof hosting botnet, PhishLabs discovered many of the domain names referenced in the Zeus configuration file had not yet been registered including the following four: eitaepiephohthieleibesha.com llakjshbeyrv3421jbs88xc.com nmbnxcbjbh3hbhbdhjb3l4kjbn.com nzytgero34xbhsbc8484kk.com PhishLabs registered the domains and then pointed them to a server under our […]

David Hasselhoff – Anti-Phishing Educator?

Xfire “is a free tool that automatically keeps track of when and where gamers are playing PC games online and lets their friends join them easily.” PhishLabs recently discovered a phishing page targeting Xfire users that used a clever trick to warn potential victims. By using cascading style sheets (.css) files that are generated on […]

Advancements in Phishing Redirector Scripts

Almost since the beginning of phishing, attackers have created simple webpages that redirect users to another URL that contains the actual phishing form. They do this for several reasons. In case their phishing site is shutdown, they can simply change the destination of the redirect to point to another phishing site. This means that everyone […]

Rock Moves to Email Attachments

For over a year, the Rock Phish Gang was using the Avalanche botnet to host their various phishing scams and malware distribution sites. Fortunately, the botnet was shutdown last week – how long remains to be seen. Unfortunately, the Rock Phish Gang have not gone away. These criminals continue to distribute their Zeus trojans and […]

Cleaning up from the Avalanche

The Avalanche botnet, also known as “MS-Redirect”, has been responsible for hosting phishing pages and malware distribution attacks on over 35 organizations, including the IRS, Facebook, MySpace, most recently NACHA, and many more. Unfortunately, there’s a great deal of confusion over how this botnet works and how it’s related to other malware. Let’s clear it […]

PDF Viewer Spoof

A recent Australian Tax Office phish is using an interesting technique to try to appear legitimate: it spoofs the controls for the Adobe Acrobat in-browser PDF viewer.   Would-be victims are seeing a web page form in the browser, but it almost looks like they’re viewing a PDF document that’s making use of javascript forms. […]

Open Formmailers Won’t Die

Some security problems just never seem to go away. I’m not sure if its because there’s a steady stream of new web developers that have to learn things the hard way, if people forget, or they think that their open programs won’t be found by the bad guys. Unfortunately for those of us that fight […]

Top 10 Free Phish Kit Users

There are numerous sites on the Internet where aspiring cybercriminals can download free phishing kits. Despite it being relatively well known that most kits have backdoors in them that cause stolen information to be sent to the kit authors, they’re still used quite frequently. Interestingly, one such free phish kit distribution site added flag counter […]

Evil Searching and Phishing

Nearly a year ago I asserted in a Dark Reading interview that phishers were using Google and other search engines to find vulnerable web sites which they used to launch their scams. By a simple analysis of the web hosts and URLs used in phishing, I estimated that the vast majority of phishing web sites […]

Acrobat 0-Day Used in Targeted Attacks

You may have heard about a recently discovered 0-day vulnerability in Adobe Acrobat that has been used in targeted attacks. While this isn’t anything like a traditional phishing or malware attack, it could be considered a type of ‘spear’ phishing. In case you haven’t heard the details yet, there’s a vulnerability in Adobe Acrobat Reader […]

Phisher Email Address Harvesting Tools

How do phishers choose their targets? Usually, it is relatively random. Occasionally, phishers will be able to hack into some online web application or ecommerce site and create a dump of the database along with victim email addresses and locations, but that’s not a common scenario. Most of the time, they use tools to extract […]

Phisher Tactics: “True Logins” Phishing Kits

Over on the Symantec Security Response Online Fraud blog, Antonio Forzieri, follows up to his previous post about reactive phishing defenses. In his post, Antonio discusses the merits and pitfalls of diluting phishing sites with different types of bogus data. The last case, where phishers automatically validate the data from within the phishing site itself […]