The PhishLabs Blog

Credential Theft: How To Spot a Phish

Posted by Amanda Kline on Oct 19, '17

When people think about phishing, their mind often turns immediately to ransomware. And for good reason. After all, there have been dozens of high-profile ransomware attacks in recent months.

But you know what? An even greater proportion of phishing lures don’t contain ransomware. Instead of extorting money from you, they have an ulterior motive: they’re designed to steal your identity.

Well, OK. They’re designed to steal your login credentials… but in reality that isn’t far short of stealing your identity.

Read More

Topics: Threat Analysis, Cyber Security Awareness Month

Tech Support Scams: How To Spot a Phish

Posted by Amanda Kline on Oct 17, '17

Originating in India around 2008, tech support scams are a simple and effective way of preying on individuals’ fear.

In its earliest form, the tech support scam involved a scammer cold-calling English-speaking countries and claiming to represent Microsoft Technical Support. The victim would be informed that their machine was infected with malware, and that the caller would help them remove it if granted access to the machine.

Naturally, once access was granted, the scammer would “fix” the problem and promptly demand payment.

Read More

Topics: Threat Analysis, Cyber Security Awareness Month

Nigerian 419 Scams: How to Spot a Phish

Posted by Amanda Kline on Oct 11, '17

All through October, in aid of National Cyber Security Awareness Month (#CyberAware) we’re putting phishing under the microscope. In each post we’ll take a close look at one specific type of phishing, including the actors responsible, who it targets, and how/why it works.

Today, we’re looking at a true phishing classic: Nigerian 419 scams.

Read More

Topics: Threat Analysis, Cyber Security Awareness Month

BEC Scams: How to Spot a Phish


All through October, in aid of National Cyber Security Awareness Month (#CyberAware) we’re putting phishing under the microscope. In each post we’ll take a close look at one specific type of phishing, including the actors responsible, who it targets, and how/why it works.

Read More

Topics: Threat Analysis, Cyber Security Awareness Month

From Macro To Mitigation: An Analysis of TrickBot's Lifecycle


Summary

Since the identification of TrickBot in late 2016, we have observed it targeting bank customers throughout the United States, United Kingdom, Germany, Australia, and Canada, following an attack pattern similar to the Trojan from which it was developed, Dyre. TrickBot enters a victim’s machine and sends bank information to criminals through a complex series of events initiated by one click. Once initiated, TrickBot resides in the background, operating as unobtrusively as possible. While the process, from installation to credential theft, can happen in seconds, TrickBot follows discrete linear steps that provide opportunities for mitigation.

Read More

Topics: Threat Analysis, Threat Intelligence, Banking Trojan, TrickBot

Dissecting the Qadars Banking Trojan

Posted by Raashid Bhat on Feb 22, '17

Qadars is a sophisticated and dangerous trojan used for crimeware-related activities including banking fraud and credential theft. Qadars targets users through exploit kits and is installed using PowerShell scripts. We have observed Qadars targeting multiple well-known banks in the UK and Canada; it is capable of stealing infected users’ two-factor authentication codes and banking credentials through the deployment of webinjects. While not as well known or widespread as other Trojans, the operators have shown commitment to the development of Qadars’ on-board evasion techniques and its advanced and adaptable privilege escalation module. This emphasis on persistence, alongside the frequent shifts in both industry and geographic targeting, indicates Qadars will remain a potent threat through 2017.

Read More

Topics: Threat Analysis, Threat Intelligence, Banking Trojan, Qadars

Vawtrak / Neverquest2 adopts new methods to increase persistence

Posted by King Salemno on Aug 5, '16

At the end of July, the PhishLabs Research, Analysis, and Intelligence Division (R.A.I.D.) found two major changes in the codebase of Vawtrak (a.k.a. Neverquest2) that significantly increased the banking Trojan’s persistence and the risk it poses for victims. We have discovered that the newest iteration of Vawtrak is now using a domain generation algorithm (DGA) to identify its command and control (C2) server. By using an algorithm instead of hardcoded domains, automated attempts at mitigation are rendered inadequate. Additionally, this new DGA implementation is bundled inside a codebase that appears smaller and more efficient, possibly because of compiler optimization. This optimization prevents malware researchers from using their pre-established Vawtrak analysis techniques during the reversing process to assist with the mitigation of the threat.

Read More

Topics: Threat Analysis, Threat Intelligence, Vawtrak, Banking Trojan, Neverquest2, Malware Analysis, R.A.I.D.

Olympic Vision Keylogger and BEC Scams

Posted by Eris Maelstrom on May 24, '16

During a recent analysis of a business email compromise (BEC) scam, we observed a lure attempting to install the Olympic Vision Keylogger. Further research determined that this keylogger and the accompanying Olympic Vision Crypter were used in a larger campaign targeting multiple organizations with a variety of different lures, including invoice lures and shipment confirmation lures. This campaign appears to originate out of South Africa, utilizing both maliciously registered free domains and compromised domains.

Read More

Topics: Malware, Threat Analysis, Threat Intelligence, BEC, business email compromise

How to make the most of reported phishing emails... Even if there are way too many

Posted by Joseph Opacki on May 19, '16

You’ve done it.

After months of nagging, security awareness training, and constant reminders, your employees have started reporting phishing emails. Take a moment to pat yourselves on the back, because this is no mean feat.

But… now what? What do you actually do with all these reported emails?

Read More

Topics: Phishing, Threat Analysis, Threat Intelligence, Spear Phishing

Examining a New Cybercrime OPSEC Technique (And How to Break It)

Posted by Jason Davison, Threat Analyst on May 17, '16

The techniques that cybercriminals use are becoming more advanced. They are going to greater lengths to commit fraud, compromise computers, and steal credentials. The time, money, and effort attackers spend crafting attacks make it important to them to protect their work from being stolen by others, and to give their operations a longer life by evading technical analysts and investigators.

Read More

Topics: Phishing, Threat Analysis, Strategy


What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.
