The PhishLabs Blog

The Evolution of Mobile Banking Trojans… and What To Do About Them (Part II)

Posted by Joshua Shilko on Aug 15, '17

In the last article, we looked at why threat actors have flocked to the mobile space in droves, and which tools they’re using to ply their trade.

And naturally, no discussion of mobile threats would be complete without a detailed look at the most concerning current mobile threat: mobile banking trojans.

Since we’ve already covered the most common functionality, permissions, and distribution mechanisms, it only makes sense to take things a stage further and look at specific banking trojan families. To that end, in this article we’ll be looking at the two of the most widespread families: Marcher and BankBot.

Once we’re through with that, we’ll go over some of the things organizations and individuals can do to avoid falling prey to mobile banking trojans in the future.

Read More

Topics: Phishing, Android, Banking Trojan

Globe Imposter Ransomware Makes a New Run

Posted by Amanda Kline on Aug 10, '17

In the world of cyber security, there are some threats that seem to have been specifically designed to wreck your day.

Ransomware is one of those threats.

Even if you have secure backups, and they’re kept safely away from the rest of your network, the time it takes to restore from them and remove all traces of the offending trojan is sure to get your blood boiling.

So when a new ransomware threat arises, it pays to make sure your house is in order, and your users are on high alert.

Read More

Topics: Ransomware

The Evolution of Mobile Banking Trojans… and What To Do About Them (Part I)

Posted by Joshua Shilko on Aug 8, '17

Over the past few years the way people interact with the Internet has changed.

In the past, the vast majority of people (over 80 percent) accessed the Internet using Windows desktop and laptop machines, with similar OSX devices taking a distant second spot.

But by the end of 2016, everything had changed. Android mobile devices overtook Windows desktops as the most common means of accessing the Internet.

Naturally, this trend hasn’t gone unnoticed.

Read More

Topics: Phishing, Trojan, Vishing, Rogue Mobile Applications

Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis

Posted by Jason Davison, Threat Analyst on Aug 4, '17

 Sample Analyzed:
415a75cd01a4b00385c974b59bbbd3e5211a985bf2560d7639d464fd5a56e9e6

Smoke Loader, also known as Dofoil, has been advertised on dark web forums since at least mid 2011.[1] Since initial release, this modular loader has continued to evolve with the addition of more complex anti-analysis techniques. Modular loaders such as this work by communicating with the command and control infrastructures to receive secondary execution instructions and/or to download additional functional modules, providing multiple stages of infection. Currently, Smoke Loader’s primary delivery method is via exploit kits, primarily Rig EK. Smoke Loader is commonly used to load the Trickbot banking Trojan and Globe Imposter ransomware.

Read More

Topics: Malware, Smoke Loader

New Phishing-Based TrickBot Campaign Identified

Posted by Olivia Vining on Jul 20, '17

This week, PhishLabs analysts have detected a new TrickBot campaign that began at approximately 23:30 EST on July 17th, and continued through the evening of July 18th before ending later that night.

Thousands of lures were detected, the bulk of which were sent between 12:30 - 15:30 EST on July 18th.

But let’s back up a little.

In case you missed it first time around, TrickBot is a prominent example of a type of malware known as a Trojan.  Like the Trojan from which it was developed, Dyre, Trickbot is configured to steal banking credentials. 

Once a victim's machine is infected, Trickbot sends bank information to criminals through a complex series of events initiated by one click. Once initiated, TrickBot resides in the background, operating as unobtrusively as possible. As a result, many victims are unaware their machine has been infected.

Read More

Topics: Phishing, TrickBot

Marcher Android Banking Trojan - Threat Actor Shifts Technique to Evade Detection

Posted by Joshua Shilko on Jul 12, '17

PhishLabs has recently observed a technique change implemented by a threat actor tracked by our Research, Analysis, and Intelligence Division (R.A.I.DTM). This actor is utilizing a variant of the Marcher Android banking trojan to target clients of financial institutions, payment companies, auction sites, retailers, email providers, and social media companies, primarily located in North America.

Overview of Marcher

Marcher is a family of malicious Android applications that run in the background on an infected device and monitor its operation to detect the launch of specific applications or websites. When a targeted application or site is opened, Marcher overlays the screen with a customized phishing site which mimics the look and feel of the targeted institution. Marcher first appeared in 2013, and there are a number of variants in the wild with varying levels of functionality. Some samples contain only the web overlay and credential theft capability, while others extend functionality to include the ability to intercept and send SMS messages, lock the screen, steal system data, detect and hide anti-virus software, and even utilize the infected device as a SOCKS proxy.  

Read More

Not NotPetya (An analysis of Karo Ransomware)


While there was a lively running debate over whether it was Petya or NotPetya yesterday, we all can all agree that what locked up some of the world’s largest shipping companies, spread through the infamous SMB exploit, and may have been delivered as an infected update, was not Karo. However, this obscure ransomware family was launched into the spotlight due to early confusion over Petya's initial infection vector.

Read More

Topics: Ransomware

New Tech Support Scam Strikes Amazon, eBay, and Alibaba Customers

Posted by Amanda Kline on Jun 28, '17

In a world where new cyber threats seem to develop almost daily, it’s easy to forget that some tactics have stood the test of time.

Since mid-May, PhishLabs has been tracking an ongoing consumer-focused email phishing campaign.

And what tactic have they been using? The dreaded tech support scam.

No matter how much technology develops, threat actors will nearly always default to the simplest tactic that still works. And when it comes to consumer-focused phishing, there’s nothing simpler (and more effective) than a well constructed tech support scam.

Read More

Topics: Phishing

Healthcare Security Awareness Training: Don't Fear Failure, Learn From It

Posted by Dane Boyd on Jun 23, '17

The past few years has seen an explosion of cyber attack activity in the healthcare industry.

But that shouldn’t come as a surprise. Healthcare records are a goldmine for enterprising hackers, and with low security budgets across the industry it’s no wonder that healthcare organizations are considered a soft target.

A cursory glance at the industry’s security profile tells us everything we need to know. There are weaknesses everywhere, and hackers all over the world know it.

Incredibly, from a single successful healthcare breach, a hacker stands to earn anything from $285,000 to $1.7 million.

Read More

Topics: security awareness training, Healthcare

Why Your Security Awareness Training Isn't Working and What to Do Instead

Posted by Dane Boyd on Jun 22, '17

At this point, everybody knows phishing is a threat.

But then, it’s difficult to deny. As Verizon points out, over 90 percent of data breaches include a phishing or social engineering component, including many of the high profile breaches we all read about each week.

In fact, from a security perspective, phishing is the single greatest threat to most organizations, whether they’re tiny family owned businesses or huge multinational conglomerates.

So what are most organizations doing to defend against phishing?

Read More

Topics: security awareness training

   

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Upcoming Events

Calendar_Mock_

Posts by Topic

see all