Blog

Blog

Top 4 Digital Brand Threats

Threat actors routinely impersonate brands as part of their attacks. Brand abuse can occur anywhere online, and impersonating a reputable company automatically gives credibility to a threat that might otherwise be instantly identified as suspicious. Because brand impersonation is so broadly used across the threat landscape, security teams need to have complete visibility into the top brand threats...
Blog

What is Digital Brand Protection?

Digital brand protection is defined as comprehensive intelligence sourcing and mitigation of external threats targeting your brand. Digital brand abuse can occur anywhere online. Therefore, it is necessary to have proactive and comprehensive detection capabilities across digital channels to prevent revenue loss and reputation damage. Efficient brand protection requires more than simply using tools...
Blog

Ransomware Playbook: Defense in Depth Strategies to Minimize Impact

In 2020, ransomware attacks in the U.S. increased 139% year-over-year . Attacks are more strategic, demands are higher, and new tactics have emerged that leave victims experiencing the pressure to pay. Organizations that are affected by ransomware believe they are left with one of two choices: Refuse to meet ransom demands and risk the loss of data or, pay the ransom and hazard it released anyway...
Blog

Alien Mobile Malware Evades Detection, Increases Targets

PhishLabs is monitoring the increasing number of mobile applications targeted by the relatively new Alien Mobile Banking Trojan. Alien, a fork of Cerberus, continues to evade Google's malware detection and is targeting a broad spectrum of both financial and non-financial apps. So far, Alien has been connected with 87 new brands previously not targeted by Cerberus. Cerberus versus Alien Brands...
Blog

ZLoader Dominates Email Payloads in Q1

Malicious payloads delivered via email phishing continue to drive access to sensitive infrastructures and result in data compromise for enterprises. In Q1 of 2021, attack methods including malware campaigns have contributed to a 564% increase in individuals affected by a data leak, as well as a 12% increase in publicly-reported compromise. As we continue to see leaks and widespread reports of...
Blog

Example of a Phishing Email: Breaking Down the Latest O365 Phishing Techniques

Microsoft Office 365 phish are some of the most common threats that reach end users inboxes. Over the course of a two-year period, PhishLabs has observed that O365 phish have accounted for more than half of all reported phish by enterprises - by a significant margin. Today, we are highlighting a recent O365 campaign, and breaking down the techniques used to enhance the threat actor's odds of...
Blog

Most Phishing Attacks Use Compromised Domains and Free Hosting

To stage a phishing site, cybercriminals have several options. They can use a legitimate domain that has been compromised, they can abuse free hosting services, or they can register their own domain. Understanding the prevalence of each scenario is fundamental to detecting and mitigating these threats as early in the attack process as possible (including before they've been launched). PhishLabs...
Blog

Surge in ZLoader Attacks Observed

PhishLabs has observed a spike in malicious emails distributing ZLoader malware. The spike is notably one of the greatest upticks for a single payload observed in a 24-hour period over the past year, and is the first significant sign that another botnet may be stepping up in the aftermath of the Emotet takedown . May 2020 - February 2021 ZLoader Activity Z Loader is one of the most frequently...
Blog

OSINT: Mapping Threat Actor Social Media Accounts

A threatening social media post targeting an executive, employee, brand, or any other asset often has merit to it, and investigating the online accounts associated with the threat actor is imperative in the process of assessing risk. By mapping social media accounts operated by the threat actor, as well as general social media risk monitoring , you can build a more comprehensive profile of the...
Blog

Emotet Dismantled, Trickbot, ZLoader, and BazarLoader Step In

Recently, we published a piece highlighting early stage loaders often used in ransomware attacks. One of the most prolific was Emotet, which has since been taken down via a coordinated, multi-national effort . How will this impact the threat landscape? In this post, we take a look at loader activity in the aftermath of the Emotet takedown. Predominant Payloads In 2020, Emotet, Trickbot, and...
Blog

Threat Actor using Social Media to Scam Credit Union Members

Recently, PhishLabs mitigated an attack using a fake social media page to steal the credentials of a credit union (CU) customer. Social media is increasingly used as a vehicle for attacks, and organizations should adopt social media protection measures to stay ahead of threats. The below demonstrates how the attack was executed. The Scam Initially, the threat actor sends the victim a text message...
Blog

Sharp Increase in Emotet, Ransomware Droppers

Ransomware continues to be one of the most impactful threats to enterprises. Aside from external vulnerabilities, its primary delivery method remains email phishing, with links or attachments containing early stage loaders. These loaders initiate attacks by compromising systems and installing additional malware. PhishLabs has analyzed these early stage loaders and observed a dramatic increase in...
Blog

Using Social Media OSINT to Determine Actor Locations

Obtaining the location of a social media threat actor can provide important information in the process of assessing risk. Verifying a geographical region of a user is vital in determining the credibility and risk level of the posted threatening content. Investigating true locations of threat actors can evidently turn a seemingly baseless low risk social media threat into something that may be...
Blog

Activists Leak Data Stolen in Ransomware Attacks

The activist group known as Distributed Denial of Secrets (DDoSecrets) has published almost one terabyte of data originally leaked to dark web sites by ransomware operators. In addition, they are privately making another 1.9 terabytes of stolen data available to journalists or academic researchers. The data is just a portion of the terabytes of stolen emails, documents, and photos that DDoSecrets...
Blog

Look-alike Domain Mitigation: Breaking Down the Steps

Look-alike domains remain some of the most consistent elements of cyber attacks targeting organizations. At a high-level, there are two ways to mitigate the threat of a look-alike domain : remove the threat completely by taking it offline, or block attacks on your users by implementing IT security controls. If we dissect the construction of a look-alike domain, we see where each step in its...
Blog

Year In Review: Ransomware

In 2020, cybercrime has seen a dramatic evolution in ransomware attacks. This threat type has adopted increasingly malevolent tactics and targeted some of the year's most vulnerable industries. Operators are linking up, franchising their attacks, extorting their victims, then expecting organizations to believe them trustworthy . By 2021, ransomware is anticipated to cause $20 billion in loss. In...
Blog

The Anatomy of a Look-alike Domain Attack

Cybercriminals register hundreds of thousands of look-alike domains every year to impersonate reputable brands and make a profit. These domains are used for a variety of attacks including phishing emails, fraudulent websites, web traffic diversion, and malware delivery. Look-alike domains are intentionally misleading to give customers the false impression that they're interacting with trusted...
Blog

The Year In Review: How COVID-19 Has Changed Cyber Security

The novel coronavirus has dominated 2020, and in the cyber community, threat actors have capitalized on its impact from the beginning. In early March we saw the first of what would be an onslaught of criminal activity using the pandemic to manipulate users, and over the course of the year these attacks have been modified to reflect local and global fallout. The coronavirus has not only been used...
Blog

APWG Q3 Report:Four Out of Five Criminals Prefer HTTPS

The Anti-Phishing Working Group (APWG), known for its collaborative analysis of phishing attacks and identify theft techniques, has released its Phishing Activity Trends Report for Q3 of 2020. Highlights from the report include more than two hundred thousand unique phishing websites detected in August and September, SSL encryption for phishing sites overtaking SSL deployment for general websites...
Blog

Easy to Deceive, Difficult to Detect, Impersonation Dominates Attacks

Impersonation enables threat actors to manipulate victims into disclosing sensitive information as well as enhance their ability to commit fraud. An organization's name, logo, or messaging can be incorporated into almost any threat type, making it an easy and versatile element of a cyber attack. Impersonation is an especially difficult technique to defend against because of its diverse range of...