All through October, in aid of National Cyber Security Awareness Month (#CyberAware) we’re putting phishing under the microscope. In each post we’ll take a close look at one specific type of phishing, including the actors responsible, who it targets, and how/why it works. Today, we’re exploring one of the most audacious phishing tactics: Business email compromise (BEC) also known as CEO scams....

Nation states. Hacktivists. Cyber criminals. There are so many players in the modern threat landscape it can be hard to keep up. And the number of threats? Practically too many to count. By the time you’ve secured your organization against password reuse, DDoS, and crimeware attacks, your resources are likely so diminished there’s no point even thinking about what else could be out there. ...

The fact that hackers are increasingly targeting mobile devices isn’t exactly a secret. And really, it’s not surprising either. After all, most of us are practically glued to our smartphones throughout the day. An SMS arrived? Better read it straight away. New email? Let me at it. Somebody I don’t care about updated their Facebook status? Great, let’s see what they’re up to. The...

When you’re attempting to mitigate the risk of phishing, threat intelligence plays a vital role. After all, what better way to predict and intercept future phishing attacks than by analyzing past attacks for patterns and indicators? This post is the second in a series breaking down lessons learned from our recent consumer-focused phishing webinar. In the first post we covered the value of...

It’s a sobering moment. You work long and hard to prepare your users. You train them. You test them. And over time, you see amazing results. But then it happens. Just when you think your users are becoming rockstars at identifying phishing emails, threat actors throw a new tactic at you… and everybody falls for it. Of course, this isn’t a new story. Threat actors constantly update their...

In recent months we’ve written a lot about security awareness and phishing awareness training. It’s an involved topic, clearly, and if you’ve taken away anything we hope it will be this: If you want real, measurable improvements you must test your employees. And when it comes to email security, that means phishing your employees on a regular basis. In this post, we’ll take a deep dive into a...

Everybody knows phishing is costly to their organization. But how costly? Few organizations know for sure. Plenty of studies have claimed to calculate the cost of phishing, but the results are usually hard to swallow. For instance, does phishing cost your organization $1.6 million per incident? Or $3.7 million per year? Perhaps... but probably not. The issue with these figures is that they're...

Frustrating, isn’t it? It seems like no matter what you do, a few phishing emails always find their way into your users’inboxes. You’ve tweaked your spam filter, and you’re scanning every attachment… But nothing seems to work. Is it you? Are you making some glaring mistake? Probably not. We've discussed before why your users keep falling for phishing scams, and there's more to it. The...

We’ve all been there. That awful moment, when you realize it’s happened again. “Why do they never learn?” You ask yourself. “It really isn’t that hard!” Time and time again, your users click on malicious links and attachments in phishing emails, and it seems like no matter what you do to improve their awareness, it never gets any better. So why do they keep falling for phishing scams? Is it...

Compromised websites are an integral part of the cybercrime ecosystem. They are used by cybercriminals to host a wide range of malicious content, including phishing sites, exploit kits, redirects to other malicious sites, and other tools needed to carry out attacks. Why? One reason is because there is an abundance of insecure websites around the world that can be easily compromised. Another...

During a recent analysis of a business email compromise (BEC) scam, we observed a lure attempting to install the Olympic Vision Keylogger. Further research determined that this keylogger and the accompanying Olympic Vision Crypter were used in a larger campaign, targeting multiple organizations using a variety of different lures, including invoice lures and shipment confirmation lures. This...

Security education programs are sometimes mandated, always important, and often difficult to justify the investment. It is easy to get the powers that be to sign off on a once-per-year security awareness training program that will satisfy compliance requirements, but we all know by now that compliance does not equal security. The Information Security Forum (ISF) has defined information...

We've all seen them before. The late prince Abdul has left us millions in inheritance and we need only provide a minor convenience fee to receive the funds. Advanced fee scams are nothing new and have been circulating the Internet since its inception. Until now, scammers have relied on email correspondence and convincing legal jargon to con victims out of their hard-earned dollars. Recently,...

On Friday, the full source code of the Dendroid Remote Access Trojan (RAT) was leaked. Dendroid is a popular crimeware package that targets Android devices and is sold on underground forums for $300. Usually the source code for botnet control panels is encrypted, so it was surprising to find the full source code for the Dendroid control panel included in the leaked files. Analyzing the leaked...

Phishing is a prevalent problem for businesses, particularly financial institutions. Over the years, many services have emerged to help organizations address phishing attacks that are targeting their customers' accounts. When seeking solutions, businesses find they have several options to choose from. These fall into three categories: Phishing takedown services Anti-phishing services ...