The PhishLabs Blog

Chris Schraml, Threat Intelligence Analyst

Banking Trojan Dropped Through Spoofed Korean CERT Bulletin

Cyber criminals continue to evolve their tactics, sometimes going to great lengths to socially engineer people. In this recently observed sample, we find the long-standing and ever-evolving banking Trojan Gozi using a spoofed Korean CERT bulletin to trick users into downloading malware.

Gozi, which has traditionally infected users through macros and exploit kits, has been found going after Korean language speakers through Hancom Word Processor (HWP) files. Hancom Office is extremely popular in Korea, where it is used alongside, or instead of, Microsoft Office. HWP files have been used extensively by advanced persistent threat (APT) groups to target government, corporate, and academic targets throughout Korea. Given the comparatively esoteric nature of Hanword when compared to Microsoft Word, it is an uncommon delivery mechanism for banking Trojans like Gozi. The HWP file copies the text of a legitimate KrCERT bulletin, but points to its own embedded file as the solution.[1]

Topics: Banking Trojan, Gozi

Enterprise Credential Theft: How to Spot a Phish

Today, we are going to look at a phish that takes advantage of the massive user base of Office 365 products. It’s safe to speculate that this phish is specifically targeting enterprise employees given most users of Office 365 products are using it for business purposes.

Topics: Phishing, Phish

Ransomware: How to Spot a Phish

Phishing has no limits. Everyone who uses email to communicate will at some point be the recipient of a phishing email. In the Spot a Phish series we'll be taking a closer look at some phishing lures to help you mentally prepare for these attacks before they hit your inbox.

Content Clues

The first lure is representative of the vast majority of lures that we see. For starters, it capitalizes on the universal language of money. Because this is a mass-distributed phish, the threat actor needs to find a commonality among the recipients. For this reason, we see "invoice attachments" employed exhaustively. Lures in all languages use this tactic. One would think this practice would get old and at some point become ineffective, but it must be producing results for cybercriminals; otherwise, why would they keep it up?

Topics: Cyber Security Awareness Month, CyberAware

Locky, Three Ways

Locky, one of the first and most resilient ‘mass distribution’ ransomware families, has roared back after a brief break. Throughout August, Locky campaigns have filled our inboxes with fraudulent invoices that need paying, images that need opening, and voicemails that need listening to. These recent campaigns are notable not only for their volume, but for the multiple delivery methods within a single distribution run. On August 17, Locky arrived en masse with three different infection methods that all led to Locky’s Lukitus variant. While infection vectors frequently change from run to run, intra-campaign shuffling is extremely rare.

Topics: Ransomware

Not NotPetya (An analysis of Karo Ransomware)

While there was a lively running debate yesterday over whether it was Petya or NotPetya, we can all agree that what locked up some of the world’s largest shipping companies, spread through the infamous SMB exploit, and may have been delivered as an infected update, was not Karo. However, this obscure ransomware family was launched into the spotlight due to early confusion over Petya's initial infection vector.

Topics: Ransomware

From Macro To Mitigation: An Analysis of TrickBot's Lifecycle

Since the identification of TrickBot in late 2016, we have observed it targeting bank customers throughout the United States, United Kingdom, Germany, Australia, and Canada, following an attack pattern similar to that of Dyre, the Trojan from which it was developed. TrickBot enters a victim's machine and sends bank information to criminals through a complex series of events initiated by one click. Once initiated, TrickBot resides in the background, operating as unobtrusively as possible. While the process, from installation to credential theft, can happen in seconds, TrickBot follows discrete linear steps that provide opportunities for mitigation.

Topics: Threat Analysis, Threat Intelligence, Banking Trojan, TrickBot

Why Ransomware Works, Why it Doesn't, and What it Will Work on Next

Cybersecurity is a field defined by its dynamism, as is crime. When analyzing trends to assess the future of these two frequently overlapping spaces, the most efficient way to separate persistent threats from hype is to ask not just where the money is, but what the easiest way to get it is. While ransomware has had a lock on headlines all year, the most recent news stories all seem to emphasize increases in attacks targeting educational institutions, state and local governments, and healthcare organizations. Let's examine why this change from shotgun targeting to more focused targeting is happening.

Topics: Ransomware

Does the Yahoo Breach Have You Worried About Your Online Security?

The recent news of the Yahoo breach and the leak of hundreds of millions of passwords, names, dates of birth, and other personal information has led to headlines across the country. Understandably, given Yahoo’s popularity, people are worried, especially as a summer dominated by news of leaks, hacks, and foreign intelligence agencies with nefarious agendas comes to an end.

Given that reports suggest the initial breach of this data occurred in 2014, one of the primary concerns about this type of data dump is password reuse attacks, where cybercriminals take previously compromised credentials and use them to break into accounts on other platforms where the victim used the same username/password combination. It’s only a matter of time before criminals use the credentials leaked in the Yahoo breach to attempt to compromise other accounts, such as financial accounts or social media profiles.

Topics: Phishing, Data Breach

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.
