Blog

Blog

How To Build a Powerful Security Operations Center, Part 1: Motivation Logistics

There’s a certain mystique and excitement surrounding the idea of a security operations center. It puts your in mind of a mission control style room, possibly in an underground bunker, where people in uniforms shout orders and spend all their time responding to imminent threats. And in a world where cyber attacks have become a daily reality, and even midsize organizations are forced to designate...
Blog

The Phishing Email that Fooled Thousands of Trained Users

It’s a sobering moment. You work long and hard to prepare your users. You train them. You test them. And over time, you see amazing results. But then it happens. Just when you think your users are becoming rockstars at identifying phishing emails, threat actors throw a new tactic at you… and everybody falls for it. Of course, this isn’t a new story. Threat actors constantly update their tactics to...
Blog

Phishing with Wildcard DNS Attacks and Pharming

The cyclical relationship between threat actors and security professionals begins with the creation of a new attack technique, followed by the discovery of that technique by the security community, and then a refashioning of the manner of attack or creation of another novel approach by threat actors. Phishers are always seeking better ways to entice victims into providing their personal and/or...
Blog

Dissecting the Qadars Banking Trojan

Qadars is a sophisticated and dangerous trojan used for crimeware-related activities including banking fraud and credential theft. Qadars targets users through exploit kits and is installed using Powershell Scripts. We have observed Qadars targeting multiple well-known banks in UK and Canada and is capable of stealing infected users' two-factor authentication codes and banking credentials through...
Blog

Security Awareness Training: A Recipe for Success

In recent months we’ve written a lot about security awareness and phishing awareness training. It’s an involved topic, clearly, and if you’ve taken away anything we hope it will be this: If you want real, measurable improvements you must test your employees. And when it comes to email security, that means phishing your employees on a regular basis. In this post, we’ll take a deep dive into a...
Blog

How and Why You Should Calculate Your Organization's Cost of Phishing

Everybody knows phishing is costly to their organization. But how costly? Few organizations know for sure. Plenty of studies have claimed to calculate the cost of phishing, but the results are usually hard to swallow. For instance, does phishing cost your organization $1.6 million per incident ? Or $3.7 million per year ? Perhaps... but probably not. The issue with these figures is that they're...
Blog

Why Some Phishing Emails Will Always Get Through Your Spam Filter

Frustrating, isn’t it? It seems like no matter what you do, a few phishing emails always find their way into your users’inboxes. You’ve tweaked your spam filter, and you’re scanning every attachment… But nothing seems to work. Is it you? Are you making some glaring mistake? Probably not. We've discussed before why your users keep falling for phishing scams , and there's more to it. The fact is...
Blog

Why Your Users Keep Falling for Phishing Scams

We’ve all been there. That awful moment, when you realize it’s happened again. “Why do they never learn?” You ask yourself. “It really isn’t that hard!” Time and time again, your users click on malicious links and attachments in phishing emails, and it seems like no matter what you do to improve their awareness, it never gets any better. So why do they keep falling for phishing scams? Is it just...
Blog

When Good Websites Turn Evil: How Cybercriminals Exploit File Upload Features to Host Phishing Sites

Compromised websites are an integral part of the cybercrime ecosystem. They are used by cybercriminals to host a wide range of malicious content, including phishing sites, exploit kits, redirects to other malicious sites, and other tools needed to carry out attacks. Why? One reason is because there is an abundance of insecure websites around the world that can be easily compromised. Another reason...
Blog

Alma Ransomware: Analysis of a New Ransomware Threat (and a decrypter!)

With low overhead and risk of prosecution, ransomware attacks have outpaced banking Trojans in sheer number of incidents, if not profit. Ransomware’s rapidly growing popularity has spawned dozens of variants, subtypes, and families as threat actors seek to outmaneuver researchers and competitors. In this dynamic threat landscape, alongside monitoring the established ransomware families for any...
Blog

Google AdWords Used in Bitcoin, Banking, and Online Gambling Phishing Campaigns

Hackers targeting bitcoin wallet users are once again leveraging Google’s AdWords in their most recent campaigns. Phishlabs has previously seen similar attacks against banks and online gambling sites over the past year. Some of the most recent attacks have targeted Blockchain and Kraken and have been widely blogged and tweeted about over the past week. As seen in the screenshot below, a Google...
Blog

Olympic Vision Keylogger and BEC Scams

During a recent analysis of a business email compromise (BEC) scam, we observed a lure attempting to install the Olympic Vision Keylogger. Further research determined that this keylogger and the accompanying Olympic Vision Crypter were used in a larger campaign, targeting multiple organizations using a variety of different lures, including invoice lures and shipment confirmation lures. This...
Blog

Building a Business Case for Effective Security Awareness Training

Security education programs are sometimes mandated, always important, and often difficult to justify the investment. It is easy to get the powers that be to sign off on a once-per-year security awareness training program that will satisfy compliance requirements, but we all know by now that compliance does not equal security. The Information Security Forum (ISF) has defined information security...
Blog

The unrelenting evolution of Vawtrak

In a recent blog post, we wrote about Vawtrak expanding targets and gaining momentum. Fast forward a few months and the threat is anything but diminishing. Sophos just released a technical report on Vawtrak which discusses the significance of the threat and its Crimeware-as-a-Service model. In December 2014, Vawtrak version 0x38 was released including significant code and configuration changes...
Blog

Fraudsters Take Advanced Fee Scams to the Next Level

We've all seen them before. The late prince Abdul has left us millions in inheritance and we need only provide a minor convenience fee to receive the funds. Advanced fee scams are nothing new and have been circulating the Internet since its inception. Until now, scammers have relied on email correspondence and convincing legal jargon to con victims out of their hard-earned dollars. Recently...
Blog

Vulnerabilities found in Dendroid mobile Trojan

On Friday, the full source code of the Dendroid Remote Access Trojan (RAT) was leaked. Dendroid is a popular crimeware package that targets Android devices and is sold on underground forums for $300. Usually the source code for botnet control panels is encrypted, so it was surprising to find the full source code for the Dendroid control panel included in the leaked files. Analyzing the leaked code...
Blog

Phishing Takedown Anti-Phishing Phishing Protection

Phishing is a prevalent problem for businesses, particularly financial institutions. Over the years, many services have emerged to help organizations address phishing attacks that are targeting their customers' accounts. When seeking solutions, businesses find they have several options to choose from. These fall into three categories: Phishing takedown services Anti-phishing services Phishing...
Blog

New Man-in-the-Middle attacks leveraging rogue DNS

New MitM attacks impersonate banking sites without triggering alerts PhishLabs has observed a new wave of "Man-in-the-Middle" (MitM) attacks targeting users of online banking and social media. Customers of more than 70 different financial institutions are being targeted. In these attacks, hackers use spam to deliver malware that changes DNS settings and installs a rogue Certificate Authority (CA)...
Blog

“Your ACH Transaction” Spam Leads to Malware

PhishLabs has discovered a new malware campaign which appears to be an alert from NACHA regarding a failed ACH transaction. If a vulnerable user clicks the enclosed link, they will be infected with malware. Users receive an email message which appears as follows: From: [email protected] [mailto:[email protected]] Sent: Thursday, February 24, 2011 9:47 AM To: Denise Muns Subject: Your ACH transaction The...
Blog

Advancements in Phishing Redirector Scripts

Almost since the beginning of phishing, attackers have created simple webpages that redirect users to another URL that contains the actual phishing form. They do this for several reasons. In case their phishing site is shutdown, they can simply change the destination of the redirect to point to another phishing site. This means that everyone who receives an email with the redirector link and...