The Research, Analysis, and Intelligence Division (R.A.I.D.) here at PhishLabs interacts with a multitude of malware samples in our day-to-day operations. Occasionally, we come across a campaign that stands out from the rest. One such instance occurred recently when one of our Phishing Threat Monitoring service clients was targeted with DNSMessenger, a sophisticated, memory-based infection technique, which has been previously associated with a financially-motivated Advanced Persistent Threat (APT) actor group. Also notable is the delivery method – the increasingly popular Dynamic Data Exchange (DDE) protocol Office document attack. This delivery method has recently been adopted by actors ranging from nation-state APTs to spammers peddling downloaders and ransomware. In this article, we will examine this delivery vector and dissect the initial DNSMessenger payload.
Have the well-meaning recommendations of the security community made web users more vulnerable to cyber attacks? Have we conditioned people to be phished?
The HTTPS Paradox
You know that little green padlock symbol that appears in your browser’s URL bar every now and then? What do you think it means?
A Java-based Adwind Remote Access Trojan campaign has been observed sending spam emails containing a malicious JAR file under the guise of “Request For Quotation,” “Transfer Import,” “Swift Copy,” “Proforma Invoice,” “DHL Delivery Notification” and many others. Adwind, also known as jRAT and JSocket, is a cross-platform remote access tool designed to run on Mac OS, Windows, Linux, and Android systems to exfiltrate sensitive data from its victims. It has been known to, but is not limited to, log keystrokes, take pictures and record audio, steal cached data such as passwords and form fills, download/execute malware, amass system and user information, and modify registry entries.
In observance of National Cyber Security Awareness month, we released several videos to help employees and consumers spot a phish. In the final video, we take a look at a number of phish to apply what we have learned. To view all videos released in this series, visit this page: https://info.phishlabs.com/2017-cyber-security-awareness-month.
Today, we are going to look at a phish that takes advantage of the massive user base of Office 365 products. It’s safe to speculate that this phish is specifically targeting enterprise employees given most users of Office 365 products are using it for business purposes.
In observance of National Cyber Security Awareness month, we are releasing several videos to help employees and consumers spot a phish. In the third video, we discuss hovering over a link in an email to analyze the URL before clicking. To view all videos released in this series, visit this page: https://info.phishlabs.com/2017-cyber-security-awareness-month.
When people think about phishing, their mind often turns immediately to ransomware. And for good reason. After all, there have been dozens of high-profile ransomware attacks in recent months.
But you know what? An even greater proportion of phishing lures don’t contain ransomware. Instead of extorting money from you, they have an ulterior motive: they’re designed to steal your identity.
Well, OK. They’re designed to steal your login credentials… but in reality that isn’t far short of stealing your identity.
The Anti-Phishing Working Group (APWG) has released the Phishing Activity Trends Report for the first half of 2017. APWG utilizes reported phishing attacks from multiple data sources to track, analyze, and report on fraud resulting from phishing, crimeware, and email spoofing. The report reveals frequent targeting in Payment, Financial, and Webmail sectors, as well as a rise in phishing attacks that utilize website builders and free hosting providers.
Crane Hassold, Manager of Threat Intelligence at PhishLabs, noted in the report that hosting providers that offer free hosting and free website-building tools provide criminals with opportunities. “These free hosts are not only easy and cheap to use, but they also allow threat actors to create subdomains spoofing a targeted brand, resulting in a more legitimate-looking phishing site. Free hosts also afford phishers additional anonymity, because these services do not make registrant information easily available.”
In observance of National Cyber Security Awareness month, we are releasing several videos to help employees and consumers spot a phish. In the second video, we take a look at the sender's email address to help spot a potentially malicious email. To view all videos released in this series, visit this page: https://info.phishlabs.com/2017-cyber-security-awareness-month.
Originating in India around 2008, tech support scams are a simple and effective way of preying on individuals’ fear.
In its earliest form, the tech support scam involved a scammer cold-calling English-speaking countries and claiming to represent Microsoft Technical Support. The victim would be informed that their machine was infected with malware, and that the caller would help them remove it if granted access to the machine.
Naturally, once access was granted, the scammer would “fix” the problem and promptly demand payment.