We've recently noticed two significant changes in C2 tactics used by the threat actors behind BankBot Anubis, a mobile banking trojan. First is the use of Chinese characters to encode the C2 strings (in addition to base64 encoding). The second is the use of Telegram Messenger in addition to Twitter for communicating C2 URLs. Previously reported by PhishLabs, the criminals behind BankBot...

It happens on a daily basis, it's even likely that at some point it happened to you: social media account takeovers. A quick Google search shows a new batch of celebrities, politicians, companies, and other high profile users becoming the victim of account takeovers on a weekly basis. It's concerning, it can cause a ruckus, and depending on what happened after the fact it can even cause damage...

Since September 21, PhishLabs analysts have detected a number of phishing sites hosted on emoji domains. So far, all detected sites have a few things in common: They are hosted on the .WS Top Level Domain (TLD) They utilize domains with numerous subdomains (also emojis) They make use of redirects to avoid detection At the time of writing, PhishLabs analysts are investigating active...

Exposing your geolocation information publicly can lead to increased personal and business risk. This is particularly important to note in the wake of Google's location tracking, even if you explicitly told them not to. It is remarkable how freely we tell the world one of the most important things about ourselves: where we are. The everyday use of geotagging and geolocation data has enabled many...

In the Oscar-winning movie The Sting, Harry Gondorff (played by Paul Newman) explains to his apprentice Johnny Hooker (Robert Redford) that the con that they set up must be so convincing that their mark, Doyle Lonnegan (Robert Shaw) won't even realize that he's been taken. Today, Gondorff and Hooker might not have needed to use a past-posting scheme to con Lonnegan. Instead they might have...

As a marketer I am all too familiar with how social media can benefit or damage a brand. On the one hand, social media offers an easy and (sometimes) free way to communicate with customers, prospects, and partners that many brands have used to great advantage. But on the other hand, it's yet another source of potential threats to an organization's infrastructure and reputation. And for the...

Reported phishing emails are useful for plenty of reasons. They help you measure cyber risk, study common attack trends, and even provide inspiration for your own phishing simulations. One of the security functions that benefit most from reported phishing emails is threat hunting, the process of identifying threats quickly so they can be contained before any major damage is done. Reported...

Ransomware. The word strikes fear into the hearts of hospital administrators, local government officers, and small business owners everywhere. After exploding in 2016, ransomware has been covered extensively by media outlets and security experts, to the point where most organizations have started to take at least some action to mitigate their exposure. But have these efforts had any impact?...

On Friday, March 23, nine Iranian threat actors were indicted for stealing massive quantities of data from universities, businesses, and governments all over the world. If you've been following our blog (or the news), you already know the actors are associated with an organization called the Mabna Institute, and are responsible for stealing more than 31 terabytes of data over the past four and...

A newly observed variant of BankBot has been discovered masquerading as Adobe Flash Player, Avito, and an HD Video Player. This variant, now detected by PhishLabs as BankBot Anubis, was first identified on March 5, 2018. BankBot Anubis takes mobile threats to the next level incorporating ransomware, keylogger abilities, remote access trojan functions, SMS interception, call forwarding, and...

You receive an email, you are unfamiliar with the sender's name or email address, and they are offering you a new service or deal on something. Is it malicious? Not necessarily. Perhaps you forgot about signing up for a newsletter a while back. Malicious Versus Benign According to Symantec, 55.5 percent of business emails are considered spam emails, with the average business account getting...

A Java-based Adwind Remote Access Trojan campaign has been observed sending spam emails containing a malicious JAR file under the guise of “Request For Quotation,” “Transfer Import,” “Swift Copy,” “Proforma Invoice,” “DHL Delivery Notification” and many others. Adwind, also known as jRAT and JSocket, is a cross-platform remote access tool designed to run on Mac OS, Windows, Linux, and Android...

All through October, in aid of National Cyber Security Awareness Month (#CyberAware) we’re putting phishing under the microscope. In each post we’ll take a close look at one specific type of phishing, including the actors responsible, who it targets, and how/why it works. Today, we’re a true phishing classic: Nigerian 419 scams. We've put the 15 best practices for spotting and handling...

All through October, in aid of National Cyber Security Awareness Month (#CyberAware) we’re putting phishing under the microscope. In each post we’ll take a close look at one specific type of phishing, including the actors responsible, who it targets, and how/why it works. Today, we’re exploring one of the most audacious phishing tactics: Business email compromise (BEC) also known as CEO scams....

In the last post, we took a look at the logistical and human issues surrounding the setup of a new security operations center (SOC). And while having a mission, the right people, and a physically secure location are all vital to the success of a new SOC, there are many more things to consider before you can jump in and get started. In this post, we’re going to take a closer look at the...