Impersonation enables threat actors to manipulate victims into disclosing sensitive information as well as enhance their ability to commit fraud. An organization's name, logo, or messaging can be incorporated into almost any threat type, making it an easy and versatile element of a cyber attack. Impersonation is an especially difficult technique to defend against because of its diverse range of...

Most phishing campaigns use social engineering and brand impersonation to attempt to take over accounts and trick the victim into divulging their credentials. PhishLabs has uncovered a previously unseen tactic by attackers that uses a malicious Microsoft Office 365 App to gain access to a victim's account without requiring them to give up their credentials to the attackers. In this technique,...

App downloads fueled by COVID-19 lockdowns leapt to 37.5 billion in Q2 of this year, and collective global app usage is surging. Android users' screen time stands out significantly, with an increase of 25% above the weekly average from the previous year. As apps continue to be an integral part of how we conduct business and perform sensitive tasks, bad actors are using fake and unethical apps...

The life of a phishing site is brief, but impactful. A study published earlier this year found the average time span between the first and last victim of a phishing attack is just 21 hours. The same study observed the average phishing site shows up in industry blocklist feeds nearly 9 hours after the first victim visit. By that time, most of the damage is done. Blocklists are an important...

Widely-used URL tracking systems are often abused in phishing attacks. The domains used by these systems are commonly known and trusted, making them attractive carriers for phishing URLs. To illustrate how it works, this post breaks down a recently-observed phishing attack that uses Google Ads' tracking system to evade email filters. How it works Piggybacking on a domain is appealing to...

PhishLabs is monitoring a threat actor group that has set up fraudulent hosting companies with leased IP space from a legitimate reseller. They are using this infrastructure for bulletproof hosting services as well as to carry out their own phishing attacks. The group, which is based in Indonesia, has been dubbed Planetary Reef. Planetary Reef is most notable in how they host phishing...

Threat actors are using social media to engage in money-flipping scams abusing the novel coronavirus. The two examples below demonstrate how they are doing it. We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic. The...

Threat actors continue using COVID-19 fears to exploit individuals on a variety of channels. Today we are taking a look at two new, related SMS lures. We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic. The first...

Recently we highlighted one of the most common evasion techniques employed by threat actors in order to keep a phishing site online: geoblocking, or blocking by location. However, many other techniques exist, some that are more subtle and make it more difficult for unwanted visitors to view a site. One such method is used to thwart unintended parties - bots, analysts, hosting providers, etc. -...

Every day our teams analyze millions of phish across the web, detected through emails, social media, text messages, and most other common digital vectors. Many phishing sites are easy to review and analyze. However, some threat actors that we track take steps to hide their attacks from people other than their intended victims. This is a defense mechanism that makes it harder to analyze their...

PhishLabs' Email Incident Response analysts recently identified a phishing campaign leveraging novel tactics in the ongoing war between threat actors and security teams. In addition to presenting a unique twist on a popular lure theme, the campaign leverages a clever combination of tactics by attackers attempting to defeat email security technologies to great effectiveness. PhishLabs observed...

Every second, 5,787 tweets are published. Every minute, 300 hours of video are uploaded to YouTube. These are just two of the more popular social networks, and among these data points are the occasional references to a specific organization, its brands, and even customers or employees. For many, these brands have a marketing, communications, or even customer service team dedicated to...

Ambassadors of security training programs often struggle with the most effective way to drive success. The ultimate purpose of these programs is to change employee behavior and create a more secure organization. Put simply, behavior is influenced by either reinforcement (i.e., encouraging employees to perform behaviors that we like) or punishment (i.e., discouraging employees from performing...

You have carefully selected a training program. Employees are completing the courses. And yet, they are not reporting suspicious emails and their passwords are made up of favorite sports teams and graduation dates. What is missing? Research shows that implementing training alone, as good as it may be, is not enough. We have learned that the transfer of new knowledge and behaviors on-the-job is...

In honor of National Cybersecurity Awareness Month (CSAM), Dane Boyd, PhishLabs' Security Training Manager, and I will share a series of posts covering topics from cybersecurity to organizational learning and development. We are kicking off the series by covering a topic near and dear to my heart: taking a programmatic approach to implementing a security training program. A fatal flaw...

As the manager of a security awareness team, whose primary goal is to educate users on how to spot phishing attacks, I often get asked, “can you make the phishing simulations look like real-world phish?" This is when I show people what real-world phishing attacks look like. Because our SOC analyzes millions of phishing emails each year, we have a great data set to choose from. Outside of...

Although computer-based training has been on the scene for over two decades, it is only recently that learning professionals have begun to optimize it. Often these courses present hours of content in a single learning experience. While the flexibility of computer-based training offers convenience, learners are often overloaded and overwhelmed by the amount of information presented to them. ...

In the cyber security world, few research reports are more widely respected than Verizon's annual Data Breach Investigations Report (DBIR). The DBIR—which is based on data from publicly disclosed security incidents, Verizon's Threat Research Advisory Center, and dozens of industry contributors—is one of the most detailed and comprehensive reports available to the security community. So when...

The risk of a user receiving a phishing attack is higher than ever, and technological solutions often miss the most devastating of them. Though technology is both an important and required component in protecting the enterprise, security teams need to remain vigilant and educated on quickly identifying threats which make it past technology. This includes the latest social engineering...