Recent Posts

Recent Blog Posts

The PhishLabs Blog

A Quarter of Phishing Attacks are Now Hosted on HTTPS Domains: Why?

The push for more widespread adoption of HTTPS has been in full-force this year as a way to increase the number of websites that securely transmit information on the Internet. In January, both Chrome and Firefox browsers began alerting users whenever sensitive information, such as passwords or credit card information, was entered on a non-HTTPS web page. In October, Google took this a step further by displaying a “Not Secure” label in the URL bar whenever a user enters any text on an HTTP website.

Read More

Topics: Threat Intelligence, Phishing Trends and Intelligence Report,, Phish

The Targeted Approach to Anti-Phishing: Improving Core Skills

Posted by Dane Boyd on Dec 1, '17

Wouldn’t it be great if every one of your users could be turned into an anti-phishing specialist?

Like sleeper agents, they’d be ready at any moment to drop their day jobs and sniff out every last malicious email that makes it past your perimeter defenses.

It’s an enticing fantasy.

But is it reasonable to expect your users to become genuine anti-phishing experts? We think not.

Read More

Topics: Phishing, security awareness training

Banking Trojan Dropped Through Spoofed Korean CERT Bulletin

Cyber criminals continue to evolve tactics, sometimes going to great lengths to socially engineer people. In this recently observed sample, we find the long-standing and ever-evolving banking Trojan, Gozi using a Korean Cert to trick users into downloading malware. 

Gozi, which has traditionally infected users through macros and exploit kits has been found going after Korean language speakers through Hancom Word Processor (HWP) files. Hancom Office is extremely popular in Korea where it is used alongside, or instead of, Microsoft Office. HWP files have been used extensively by advanced persistent threat (APT) groups to target government, corporate, and academic targets throughout Korea. Given the comparatively esoteric nature of Hanword when compared to Microsoft Word, it is an uncommon delivery mechanism for banking Trojans like Gozi. The HWP file copies the text of a legitimate KrCERT Bulletin, but points to its own embedded file as the solution.[1] 

Read More

Topics: Banking Trojan, Gozi

Holiday Phishing Scams Target Job Seekers

Posted by Amanda Kline on Nov 21, '17

'Tis the season for shopping, time spent with friends and family, and preparations to celebrate the holidays. As most of us plan for the coming season, cyber criminals are looking for opportunities to catch victims off guard and steal valuable personal information. People looking to supplement their gift-giving budget with a seasonal holiday job should take a close look at job listings before pursuing offers found online or in their email inboxes. Job scams target those looking for part-time holiday work, specifically aiming to steal personally identifiable information that is often requested on applications for employment. We have observed mass spam email-based job scams using branding from well-known retailers such as Target and Walmart that commonly offer seasonal employment. 

Read More

Topics: Phishing, Holiday Scams

Office DDE feature exploited to deliver DNSMessenger payload in new targeted phishing campaign

Posted by Joshua Shilko on Nov 14, '17

The Research, Analysis, and Intelligence Division (R.A.I.D.) here at PhishLabs interacts with a multitude of malware samples in our day-to-day operations. Occasionally, we come across a campaign that stands out from the rest. One such instance occurred recently when one of our Phishing Threat Monitoring service clients was targeted with DNSMessenger, a sophisticated, memory-based infection technique, which has been previously associated with a financially-motivated Advanced Persistent Threat (APT) actor group. Also notable is the delivery method – the increasingly popular Dynamic Data Exchange (DDE) protocol Office document attack. This delivery method has recently been adopted by actors ranging from nation-state APTs to spammers peddling downloaders and ransomware. In this article, we will examine this delivery vector and dissect the initial DNSMessenger payload.

Read More

Topics: Spear Phishing, Office DDE Exploit

Have We Conditioned Web Users to be Phished?

Have the well-meaning recommendations of the security community made web users more vulnerable to cyber attacks? Have we conditioned people to be phished?

The HTTPS Paradox

You know that little green padlock symbol that appears in your browser’s URL bar every now and then? What do you think it means?

Read More

Topics: Phishing, Cyber Security Awareness Month

Adwind Remote Access Trojan Still Going Strong

Posted by Amanda Kline on Nov 1, '17

 A Java-based Adwind Remote Access Trojan campaign has been observed sending spam emails containing a malicious JAR file under the guise of “Request For Quotation,” “Transfer Import,” “Swift Copy,” “Proforma Invoice,” “DHL Delivery Notification” and many others.  Adwind, also known as jRAT and JSocket, is a cross-platform remote access tool designed to run on Mac OS, Windows, Linux, and Android systems to exfiltrate sensitive data from its victims. It has been known to, but is not limited to, log keystrokes, take pictures and record audio, steal cached data such as passwords and form fills, download/execute malware, amass system and user information, and modify registry entries.

Read More

Topics: Remote Acccess Trojan, Adwind

Final Review: How to Spot a Phish Video Series

Posted by Lindsey Havens on Oct 31, '17

In observance of National Cyber Security Awareness month, we released several videos to help employees and consumers spot a phish. In the final video, we take a look at a number of phish to apply what we have learned. To view all videos released in this series, visit this page:

Read More

Topics: Cyber Security Awareness Month, CyberAware

Enterprise Credential Theft: How to Spot a Phish

Today, we are going to look at a phish that takes advantage of the massive user base of Office 365 products. It’s safe to speculate that this phish is specifically targeting enterprise employees given most users of Office 365 products are using it for business purposes.

Read More

Topics: Phishing, Phish

URL Analysis: How to Spot a Phish Video

Posted by Nicole Garrigan on Oct 24, '17

In observance of National Cyber Security Awareness month, we are releasing several videos to help employees and consumers spot a phish. In the third video, we discuss hovering over a link in a email to analyze the URL before clicking. To view all videos released in this series, visit this page:

Read More

Topics: Cyber Security Awareness Month, CyberAware


What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Upcoming Events


Posts by Topic

see all