One often overlooked but valuable clue in social media threat investigations is the threat actor’s username. While it may seem trivial at first glance, usernames can carry personal significance, hinting at patterns, affiliations, or behaviors that help expand an investigation across platforms.As we discussed in our previous OSINT post, mapping all known social media accounts to a single user is a...

Phishing attacks are becoming more elusive and more dangerous. To extend the life of their campaigns and increase success rates, threat actors employ evasion techniques designed to hide malicious content from security teams. By avoiding detection, attackers boost their chances of reaching more victims and profiting from compromised accounts or stolen data.One increasingly common approach is...

Cybercriminals use sophisticated evasion tactics to outsmart security scanners and human detection — prolonging the life of phishing campaigns. These techniques are often layered for maximum effect. In this post, we spotlight one such method: active evasion, where access is restricted based on device type to block non-targets and avoid exposure.Restricting by DeviceActive evasion refers to...

In Q2, ransomware made headlines with multiple high-profile attacks and tactics. The largest infrastructure shutdown in U.S. history brought the East Coast to a halt, operators doubled up on ransomware strains, and reported attacks are on track to beat 2020, with numbers already surpassing Q1 by 38%.As ransomware continues to drive data loss and fraud for enterprises and their brands, PhishLabs is...

Evasion techniques are methods attackers deploy to extend the life of phishing campaigns. The longer a threat is active, the more opportunity it has to claim victims.Attackers have two objectives when applying evasion techniques:Defeat automated scanning technologies designed to quickly shut down or prevent attacks from going live.Increase the time, cost, and complexity required for security...

Cybercriminals continue to heavily abuse domains to launch phishing attacks. PhishLabs’ analysis of Q1 phishing attacks has found that: 96% used Legacy Generic (gTLD) or Country Code (ccTLD) Top-level DomainsAlmost 83% abused HTTPSDomain Validated (DV) Certificates were used 94.5% of the time For this analysis, PhishLabs looked at three categories of TLDs: Legacy gTLDs, ccTLDs, and New gTLDs. In...

In Q1, PhishLabs analyzed hundreds of thousands of phishing attacks and found more than 62% abused legitimate no-cost tools or services. >> Access the Report In this post, we take a look at findings from our Q1 Threat Trends and Intelligence Report and review the free services that were most commonly abused to stage phishing sites. Methods of Staging Phishing Sites Free Domain...

In Q1, PhishLabs analyzed and mitigated hundreds of thousands of phishing attacks that targeted corporate users. In this post, we break down these attacks and shed light on the phishing emails that are making it into corporate inboxes. Threats Found in Corporate Inboxes Credential TheftCredential theft attacks continue to be the most prolific threats observed in corporate inboxes. In Q1, nearly...

Phishing is on the rise. PhishLabs identified 47% more phishing sites in Q1 of 2021 than there were in Q1 of 2020. This trend is continuing as Q2 attacks are also up significantly year-over-year. Last year, phishing spiked in late Q1 and Q2 as threat actors took advantage of pandemic-related fear and uncertainty. This year, we are seeing an even greater increase in attacks. Closer Look:Of the...

Phishing attacks in Q1 have increased 47% compared to last year, according to PhishLabs newly released Q1 2021 Threat Trends & Intelligence Report. The report uses data collected from hundreds of thousands of attacks analyzed and mitigated by PhishLabs in Q1 to identify top threats targeting enterprise brands, and determine emerging trends throughout the threat landscape. Key findings of the Q1...

Threat actors frequently impersonate trusted brands to lend credibility to their attacks. This tactic can surface anywhere online and often makes malicious content appear legitimate at first glance. Because brand abuse is so widespread, security teams must maintain full visibility into the top brand threats targeting their organization and have streamlined workflows to turn potential threats into...

Digital brand protection involves proactively identifying and mitigating external threats that target your brand across digital channels. Because brand abuse can surface anywhere online, effective protection demands broad visibility and precise detection to prevent revenue loss and reputational damage.True protection goes beyond basic brand mention monitoring. Security teams must prioritize the...

In 2020, ransomware attacks in the U.S. increased 139% year-over-year. Attacks are more strategic, demands are higher, and new tactics have emerged that leave victims experiencing the pressure to pay. Organizations that are affected by ransomware believe they are left with one of two choices: Refuse to meet ransom demands and risk the loss of data or, pay the ransom and hazard it released anyway. ...

PhishLabs is monitoring the increasing number of mobile applications targeted by the relatively new Alien Mobile Banking Trojan. Alien, a fork of Cerberus, continues to evade Google's malware detection and is targeting a broad spectrum of both financial and non-financial apps. So far, Alien has been connected with 87 new brands previously not targeted by Cerberus. Cerberus versus Alien Brands...

Malicious payloads delivered via email phishing continue to drive access to sensitive infrastructures and result in data compromise for enterprises. In Q1 of 2021, attack methods including malware campaigns have contributed to a 564% increase in individuals affected by a data leak, as well as a 12% increase in publicly-reported compromise. As we continue to see leaks and widespread reports of...

Microsoft Office 365 phish are some of the most common threats that reach end users inboxes. Over the course of a two-year period, PhishLabs has observed that O365 phish have accounted for more than half of all reported phish by enterprises - by a significant margin. Today, we are highlighting a recent O365 campaign, and breaking down the techniques used to enhance the threat actor's odds of...

To stage a phishing site, cybercriminals have several options. They can use a legitimate domain that has been compromised, they can abuse free hosting services, or they can register their own domain. Understanding the prevalence of each scenario is fundamental to detecting and mitigating these threats as early in the attack process as possible (including before they've been launched). PhishLabs...

PhishLabs has observed a spike in malicious emails distributing ZLoader malware. The spike is notably one of the greatest upticks for a single payload observed in a 24-hour period over the past year, and is the first significant sign that another botnet may be stepping up in the aftermath of the Emotet takedown. May 2020 - February 2021 ZLoader Activity ZLoader is one of the most frequently...

A threatening social media post targeting an executive, employee, brand, or any other asset often has merit to it, and investigating the online accounts associated with the threat actor is imperative in the process of assessing risk. By mapping social media accounts operated by the threat actor, as well as general social media risk monitoring, you can build a more comprehensive profile of the...

Recently, we published a piece highlighting early stage loaders often used in ransomware attacks. One of the most prolific was Emotet, which has since been taken down via a coordinated, multi-national effort. How will this impact the threat landscape? In this post, we take a look at loader activity in the aftermath of the Emotet takedown. Predominant PayloadsIn 2020, Emotet, Trickbot, and ZLoader...