Last Friday, Deputy Attorney General Rod Rosenstein announced the indictment of nine Iranians who worked for an organization named the Mabna Institute. According to prosecutors , the defendants stole more than 31 terabytes of data from universities, companies, and government agencies around the world. The cost to the universities alone reportedly amounted to approximately $3.4 billion. The...

A newly observed variant of BankBot has been discovered masquerading as Adobe Flash Player, Avito, and an HD Video Player. This variant, now detected by PhishLabs as BankBot Anubis, was first identified on March 5, 2018. BankBot Anubis takes mobile threats to the next level incorporating ransomware, keylogger abilities, remote access trojan functions, SMS interception, call forwarding, and lock...

You receive an email, you are unfamiliar with the sender's name or email address, and they are offering you a new service or deal on something. Is it malicious? Not necessarily. Perhaps you forgot about signing up for a newsletter a while back. Malicious Versus Benign According to Symantec , 55.5 percent of business emails are considered spam emails, with the average business account getting about...

A Java-based Adwind Remote Access Trojan campaign has been observed sending spam emails containing a malicious JAR file under the guise of “Request For Quotation,” “Transfer Import,” “Swift Copy,” “Proforma Invoice,” “DHL Delivery Notification” and many others. Adwind, also known as jRAT and JSocket, is a cross-platform remote access tool designed to run on Mac OS, Windows, Linux, and Android...

All through October, in aid of National Cyber Security Awareness Month (#CyberAware) we’re putting phishing under the microscope. In each post we’ll take a close look at one specific type of phishing, including the actors responsible, who it targets, and how/why it works. Today, we’re a true phishing classic: Nigerian 419 scams. We've put the 15 best practices for spotting and handling Nigerian...

All through October, in aid of National Cyber Security Awareness Month (#CyberAware) we’re putting phishing under the microscope. In each post we’ll take a close look at one specific type of phishing, including the actors responsible, who it targets, and how/why it works. Today, we’re exploring one of the most audacious phishing tactics: Business email compromise (BEC) also known as CEO scams. We...

In the last post, we took a look at the logistical and human issues surrounding the setup of a new security operations center (SOC). And while having a mission, the right people, and a physically secure location are all vital to the success of a new SOC, there are many more things to consider before you can jump in and get started. In this post, we’re going to take a closer look at the technical...

There’s a certain mystique and excitement surrounding the idea of a security operations center. It puts your in mind of a mission control style room, possibly in an underground bunker, where people in uniforms shout orders and spend all their time responding to imminent threats. And in a world where cyber attacks have become a daily reality, and even midsize organizations are forced to designate...

Compromised websites are an integral part of the cybercrime ecosystem. They are used by cybercriminals to host a wide range of malicious content, including phishing sites, exploit kits, redirects to other malicious sites, and other tools needed to carry out attacks. Why? One reason is because there is an abundance of insecure websites around the world that can be easily compromised. Another reason...

With low overhead and risk of prosecution, ransomware attacks have outpaced banking Trojans in sheer number of incidents, if not profit. Ransomware’s rapidly growing popularity has spawned dozens of variants, subtypes, and families as threat actors seek to outmaneuver researchers and competitors. In this dynamic threat landscape, alongside monitoring the established ransomware families for any...

During a recent analysis of a business email compromise (BEC) scam, we observed a lure attempting to install the Olympic Vision Keylogger. Further research determined that this keylogger and the accompanying Olympic Vision Crypter were used in a larger campaign, targeting multiple organizations using a variety of different lures, including invoice lures and shipment confirmation lures. This...

We've all seen them before. The late prince Abdul has left us millions in inheritance and we need only provide a minor convenience fee to receive the funds. Advanced fee scams are nothing new and have been circulating the Internet since its inception. Until now, scammers have relied on email correspondence and convincing legal jargon to con victims out of their hard-earned dollars. Recently...

On Friday, the full source code of the Dendroid Remote Access Trojan (RAT) was leaked. Dendroid is a popular crimeware package that targets Android devices and is sold on underground forums for $300. Usually the source code for botnet control panels is encrypted, so it was surprising to find the full source code for the Dendroid control panel included in the leaked files. Analyzing the leaked code...

Phishing is a prevalent problem for businesses, particularly financial institutions. Over the years, many services have emerged to help organizations address phishing attacks that are targeting their customers' accounts. When seeking solutions, businesses find they have several options to choose from. These fall into three categories: Phishing takedown services Anti-phishing services Phishing...

PhishLabs has discovered a new malware campaign which appears to be an alert from NACHA regarding a failed ACH transaction. If a vulnerable user clicks the enclosed link, they will be infected with malware. Users receive an email message which appears as follows: From: [email protected] [mailto:[email protected]] Sent: Thursday, February 24, 2011 9:47 AM To: Denise Muns Subject: Your ACH transaction The...

Almost since the beginning of phishing, attackers have created simple webpages that redirect users to another URL that contains the actual phishing form. They do this for several reasons. In case their phishing site is shutdown, they can simply change the destination of the redirect to point to another phishing site. This means that everyone who receives an email with the redirector link and...