Triage 1.26 Update: New Features for Enhanced Security

With this release, SOC teams can quickly identify and remediate reported emails that contain actionable intelligence from Cofense Intelligence, and new features increase security by closing down vulnerabilities attackers are known to exploit. In Cofense Triage 1.26, you can easily increase both efficiency and security.

Integration with Cofense Intelligence IOC Feed

Cofense Intelligence™ provides a timely, accurate, and actionable phishing IOC (Indicator of Compromise) threat feed, enabling quick detection of actual malicious emails found within enterprise environments. Intelligence classifies the impact of each indicator as major, moderate, or minor. This product integration pulls Major indicators from Cofense Intelligence into Cofense Triage and clearly tags them on active reports or clusters. This alerts your SOC analyst that this email contains actionable intelligence so they can immediately take action, remediate the threat, and overall increase their efficiency and reduce Mean Time to Detect (MTTD) and Mean Time to Response (MTTR).

Major Incident Tagged in Cofense Triage 

The most difficult part of working on any email investigation is the lack of context. With the integration of Cofense Intelligence and Cofense Triage, you can clearly see when a Major Incident is tagged by Cofense Intelligence. Our Cofense Intelligence network consists of several proprietary data sources that include the Cofense PDC and Cofense Reporter ecosystem and is based on actual malicious emails and zero-day threats found within enterprise environments. In other words, our PDC receives thousands of emails a day from enterprise and Fortune 500 organizations, analyzes and then shares the malicious ones with Cofense customers around the globe so they can be automatically removed from inboxes or remediated.

You can create a playbook to run a remediation plan for a reported email anytime that a Major Incident is found with Cofense Triage; no investigation is needed as it’s already been confirmed to be a threat by Cofense’s Intelligence Team. However, if you are curious about an IOC, you can easily navigate to Cofense Intelligence ThreatHQ to get more details on it.

Easily Navigate to ThreatHQ for more details on the Threat 

SOC teams are constantly overburdened with alerts and face difficulty assigning priority and triaging the most impactful threats first. With this release, we reduce the burden on SOC analysts and reduce MTTD/MTTR by quickly automating email investigations that contain actionable intelligence and, ultimately, save them time so they can focus on other priorities.

Streamlined process for applying operating system security updates

SOC Teams can now install security updates between releases of Cofense Triage without waiting for the next full release to drop. New options on the System Maintenance page enable you to check for security updates, configure Cofense Triage to install security updates automatically on a specific day and time, and configure Cofense Triage to automatically reboot after security updates are installed. Want a “set it and forget it” approach? This new feature helps SOC teams to strengthen their defenses and close down vulnerabilities threat actors are known to exploit.

What else is in this release?

We’ve included a few customer-requested UX updates that will make navigating and automating within Cofense Triage more seamless as well as incremental updates to previous features. You can learn more about these improvements in the release notes.

To learn more about Cofense Triage or to see these new capabilities in action, please request a demo at Cofense Customers can always reach out to their CX team for more information on upgrading.

*Please note: Customers must have Triage versions 1.25.0 or 1.25.1 in order to upgrade to 1.26.0

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.  

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.  

Cyber Threats and Industry Shifts: Our Experts Predict 2023 

In a time of economic uncertainty and geo-political instability, organizations must adopt a forward-thinking approach to cybersecurity to stay a step ahead and avoid costly breaches. According to IBM, the average cost of a breach in 2022 is $4.35 million. Email continues to be the primary attack vector and investment in email and endpoint security must remain a top priority.

Cofense’s intelligent email security solutions, powered by crowdsourced intelligence and machine learning, offer a unique perspective on current and emerging threats. Our research teams analyze millions of emails flagged by our global network of 35+ million human reporters. The data received shines a spotlight on the ever-evolving threat landscape and the specific threats targeting our customers’ environments. It is this insight that shapes the security solutions that keep our customers safe.

Looking ahead to 2023, here are our top threat and industry predictions to help inform your security decisions:

Rohyt Belani, Chief Executive Officer and Co-Founder

1. Cybersecurity will not be immune to the recession.
In 2023, we will see fewer resources and tighter security budgets in corporate settings thanks to economic uncertainty, resulting in subpar security posture across organizations. Because of this, threat actors will capitalize on this asymmetry and evolve faster, creating the perfect storm for an amplified number of breaches across all vectors in 2023, especially email attacks.

2. Email security and endpoint security will be at the top of the CISO’s wish list.
The CISO’s role is all about prioritization, especially as they face economic pressures and uncertainty. When looking at the threat landscape, more than 90% of an organization’s threats come in via email and end at a system’s endpoint. As CISOs plan for 2023, email and endpoint security will be on the top-3 list of priority security solutions they invest in and are areas that they are not willing to compromise on.

3. Cyber insurance providers will look at an organization’s bloodwork to underwrite policies.
Today, cyber insurance policies are developed very naively – looking at the organization’s number of employees and revenue alone to build premiums, but this does not provide an accurate view of a company’s security posture. As vendors and cyber insurance providers work together in 2023 to converge on the best way to underwrite a cyber insurance policy, they will begin to look at a “company’s bloodwork.” This will include meaningful metrics that are demonstrative of the maturity and resilience of the organization’s cybersecurity posture, much like what is done for an individual’s life insurance policy.

Tonia Dudley, Vice President, Chief Information Security Officer

4. The reliance on crowd-sourced threat intelligence will increase significantly.
As threat actors continue to share what works on their side in terms of attack vectors and tactics, security leaders and cybersecurity organizations will increase their communication with each other in 2023 on what is working best to defend against threat actors. This crowd-sourced threat intelligence will allow organizations to learn how to better defend themselves.

5. BEC will see a continued rise, especially employee impersonation fraud.
Attackers have made a clear list of what tactics work over the years and always defer back to what is successful for quick and easy money. Leveraging this strategy, attackers will place increased efforts on business email compromise (BEC) attacks like employee impersonation fraud. Many organizations lack security protocols for reviewing items, like invoices, that seemingly look like they are coming from a vendor. Not only are these tactics quick wins, but they are also often almost untraceable.

Josh Bartolomie, Vice President, Global Threat Services

6. There will be a mass consolidation across email security, leading to an increase in attacks.
There is a common 5-year pattern when it comes to the consolidation of tools that we see across the security market. This pattern is due to economic fluctuation, business shifts and simply because people’s memories are short when it comes to past major breaches. As economic uncertainty continues in 2023, the pattern will rise again. Organizations will decide that their email security tools are enough and forgo additional vendors, leading to an increase in attacks that do not get blocked.

7. Ransomware will see a new boom as tensions between Russia and Ukraine continue.
As the conflict between Russia and Ukraine continues, we will see Russian threat actors double down on ransomware efforts as physical, on-the-ground tactics see little return. To make an even greater impact, threat actors will target countries that support Ukraine to “punish” their allegiance to the country, targeting critical infrastructure like healthcare and energy.

Ronnie Tokazowski, Principal Threat Advisor

8. Romance scams and consumer fraud will run rampant in 2023 to secure big phish.
Threat actors will lean in on romance scams, where cyber criminals adopt a fake online identity to gain a victim’s affection and trust, and large-scale consumer fraud in order to reap massive profits in the new year. And while there won’t be a massive change in BEC attack tactics, which have run rampant in 2022, we’ll specifically see an increase in pig butchering scams, a form of romance scam that convinces victims to invest in cryptocurrency platforms.

For additional explanation of these predictions, watch our on-demand webinar, where Cofense CISO Tonia Dudley and VP of Global Threat Services Josh Bartolomie give their expert insights, and more.

5 Tips for Building a Positive Email Security Reporting Culture

By Dave Alison

Building a positive email security reporting culture is vital to the protection of any organization. Your employees are the first line of defense for any attacks that make it through your perimeter security, and by focusing on a positive program, rather than a punitive one, you can engage employees and make them part of the solution, not the problem.

The five focus areas for building that positive reporting culture are: Communication, Reporting, Realism, Reward, and Acknowledgement.

Here are five specific tips that can help you accomplish this:

1. Communication

Inform your employees of the importance of email security, and the role they play in protecting your organization from malicious actors.

Employees play a vital role in protecting the organization from malicious email phishing attacks. By reporting suspicious emails, they can help create a strong line of defense against cyberattacks. Make sure everyone in the organization understands the importance of email security. Regularly send out reminders and best practices and be sure to make yourself available to answer questions.

2. Reporting

Make it easy for your employees to report suspicious emails.

The first step in building a positive reporting culture is to make it easy to report suspicious emails. Provide employees with a simple way to forward suspicious emails to the IT or security team and make sure there are no repercussions for doing so. We recommend a reporting button embedded directly into your email client that routes the email to the security team with one click. Other forms of reporting can be used, but they are often less effective and less efficient.

3. Realism

Use active real phishing scenarios for your simulation program.

One way to encourage employees to report suspicious emails is to use active real phishing scenarios in your simulation program. By using real phishing attacks, employees will be more likely to report them if they fall for them and learn from that experience. This also ensures your employees are learning from the most current attack attempts as threat actors are always evolving their actions to circumvent the latest security protocols. Leveraging real threat scenarios will help you better protect your organization from cyberattacks.

4. Reward

Reward your employees for reporting suspicious emails.

Incentivizing employees is a great way to encourage them to participate in positive email security practices. One way to do this is by rewarding employees who report suspicious emails. This could be in the form of a bonus, gift card, or even just public recognition.

5. Acknowledgement

Celebrating the success of your email security program is a great way to show your employees their efforts are appreciated, and their contributions make a difference.

  • Make sure everyone in the organization knows about the successes of the email security program.
  • Publicly recognize employees who have contributed to the success of the program.
  • Hold a celebration event to mark the success of the email security program.
  • Give out awards and recognition to the employees who have made significant contributions to the email security program.

Creating a positive email security reporting culture doesn’t have to be difficult. By following these five tips, you can encourage your employees to be proactive in identifying and reporting suspicious activity. In doing so, you’ll create a strong line of defense through your well-conditioned employees and help protect your organization from costly cyberattacks.

Phishing Attack Targets Microsoft Users Via HTML Attachment

Email Gateways Bypassed:


By Amy Griffiths, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has analyzed a phishing campaign that aims to harvest an employee’s Microsoft credentials via a malicious HTML attachment. The attached file includes spliced code that, when executed, scrapes the employee’s credentials.

Figure 1: Email Body

As seen in Figure 1, the subject of the email, “Reminder for…”, gives the employee a sense of urgency, suggesting something they may have missed or overlooked previously. The message itself is perhaps not so urgent, but the body does contain an interesting object: an attached HTML file named “Secureproofpoint[.]html”.

The attachment name could refer to the trusted vendor Proofpoint Secure Share, a cloud-based solution that enables enterprise users to exchange large files securely and in compliance with enterprise policies.

Figure 2: Malicious code

The several lines of code seen in Figure 2 are found within the HTML file and run JavaScript that decodes strings and assembles a malicious URL. To summarize the code, the ‘encdStr’ string is the encoded subdomain ‘primeaco[.]com[.]br’, which is followed by the targeted user’s email address, stored in a string named ‘emma’. The call ‘atob(encdStr)’ is followed by a linked set of variables that sets the URL to “hxxp://SILENTCODERSLIMAHURUF[.]primeaco[.]com[.]br/<recipient name or identifiable information>”. Finally, the last line of code assigns the assembled URL to ‘window[.]location[.]href’. This property holds the whole URL of the current page, and writing a new value to it updates the browser’s location, so at this point the browser leaves the HTML file and loads the malicious URL.
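The pattern described above (a base64 string handed to atob(), the recipient address stored in a variable, and a window.location.href assignment) is something a SOC can scan HTML attachments for before anyone opens them. The following is an added example, not code from the original post or from Cofense: it pulls quoted string variables and atob() arguments out of an HTML file, base64-decodes them, checks for a location-redirect statement, and reports decoded hosts in defanged form. The sample attachment, the hosting.example host and the jane.doe@victim.example address are all constructed placeholders.

```python
import base64
import binascii
import re

# Constructed sample modelled on the attachment described above (not the real
# file): a base64-encoded host, the recipient address baked into a variable,
# and a window.location.href assignment that sends the browser to the result.
SAMPLE_HTML = """<html><body>
<script>
var encdStr = "aG9zdGluZy5leGFtcGxl";   // base64 of "hosting.example" (placeholder)
var emma = "jane.doe@victim.example";    // recipient address embedded in the file
var a = "http://"; var b = atob(encdStr); var c = "/";
window.location.href = a + b + c + emma;
</script>
</body></html>"""

# Quoted string assignments: var name = "value";
VAR_RE = re.compile(r"""(?:var|let|const)\s+(\w+)\s*=\s*(['"])(.*?)\2\s*;""")
# atob( "literal" ) or atob( variableName )
ATOB_RE = re.compile(r"""atob\(\s*(?:(['"])(.*?)\1|(\w+))\s*\)""")
# location.href = ..., window.location = ..., location.replace(...), location.assign(...)
REDIRECT_RE = re.compile(
    r"""(?:window\s*\.\s*)?location(?:\s*\.\s*href)?\s*=(?!=)"""
    r"""|location\s*\.\s*(?:replace|assign)\s*\("""
)
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")


def string_vars(html):
    """Map each quoted string variable in the script to its literal value."""
    return {m.group(1): m.group(3) for m in VAR_RE.finditer(html)}


def try_b64(value):
    """Strictly base64-decode a string; return None if it is not valid base64 ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def atob_payloads(html):
    """Decode every atob() argument, resolving variable names to their literals."""
    names = string_vars(html)
    decoded = []
    for m in ATOB_RE.finditer(html):
        literal = m.group(2) if m.group(2) is not None else names.get(m.group(3))
        if literal is None:
            continue
        text = try_b64(literal)
        if text:
            decoded.append(text)
    return decoded


def defang(text):
    """Render a URL or host so it cannot be clicked in a ticket or report."""
    return text.replace("http", "hxxp").replace(".", "[.]")


def analyze(html):
    """Return a triage summary: redirect present, decoded hosts, embedded addresses."""
    decoded = atob_payloads(html)
    redirect = REDIRECT_RE.search(html) is not None
    hosts = [d for d in decoded if HOST_RE.fullmatch(d)]
    emails = [v for v in string_vars(html).values() if EMAIL_RE.fullmatch(v)]
    # A decoded hostname feeding a client-side redirect is the signature of this lure.
    verdict = "suspicious" if redirect and hosts else "clean"
    return {
        "verdict": verdict,
        "redirect": redirect,
        "hosts": [defang(h) for h in hosts],
        "embedded_emails": emails,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_HTML))
```

The decoded host and the embedded address give the analyst two pivots (a URL to block and a targeted user to notify) without ever rendering the attachment.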

Figure 3: Pick an Account

Once the completed URL is loaded in the browser, the user is presented with the page seen in Figure 3. This gives the user a false sense of security by masquerading as a trusted brand, Microsoft. It fools the user into thinking they can pick the account; however, we know from analyzing the code that the user’s details are already set as a variable.

Figure 4: Phishing Page

Once the employee clicks on their user account, they are presented with the phishing page seen in Figure 4, where they are prompted to enter their credentials, which are then scraped by the threat actors.

IOC(s) Description
PM_Intel_CredPhish_283847 Cofense Triage YARA Rule
hxxp://silentcoderslimahuruf[.]primeaco[.]com[.]br/ Phishing URL
216[.]172[.]172[.]168 IP Address for shared hosting node

Cofense Wins 5 FISSEA Top Security Awareness Training Awards

by Beth Ohrnberger

We are thrilled to announce that Cofense’s security awareness content was recognized at this year’s FISSEA Fall Forum. This gave us an opportunity to showcase our innovative approach to security awareness training.

Awareness Website Award: Choose Your Phish – Comprehensive

Cofense’s adaptive HTML web-series—Choose Your Phish—provides relatable, personalized experiences for learners. In this adaptive education, the learner experiences a day in the life of a payroll administrator. Throughout the story, they are presented with a series of choices, and the story is tailored according to their choices. “Choose Your Phish – Comprehensive” includes the topics of credential phishing, BEC, VPNs, vishing, and smishing.

When the story concludes, the learner is presented with their score and personalized training based on the choices they made.

Choose Your Phish – Comprehensive is part of an ongoing “Choose Your Phish” series. Additional Choose Your Phish content is available for Cofense customers:

  • Choose Your Phish – 90 Days of BEC
  • Choose Your Phish – Behind the Phish
  • Choose Your Phish – Credential Phishing
  • Choose Your Phish – Government Contracting
  • Choose Your Phish – World Cup

Localized versions are also available.

The malicious emails in these exercises are real phish identified by Cofense Intelligence that Cofense leverages as the center of the lessons. The modules build resiliency by contextualizing real phish in a relatable and highly memorable learning experience.

Training Awareness Award: 3 Tips Animated Microlearnings

Our 3 Tips Animated Microlearning series educates learners on critical cyberthreats in under 1 minute. Each video concisely explains the threat or topic and provides 3 tips to remember.

All emails in this series are based on real phishing emails identified by Cofense Intelligence that have bypassed Secure Email Gateways. With upbeat music and memorable animations, this series was designed to engage learners and provide practical takeaways.

But wait, there’s more!

FISSEA is the premier organization for federal employees and vendors seeking information, community and insight into how to build and run the best cybersecurity training programs possible. This year’s Fall Forum was another great opportunity to meet (virtually) and exchange ideas, best practices, and hold discussions that foster innovation and improvement in the security awareness space. An exciting vehicle for this community dialogue was the FISSEA Awareness and Training Contest.

The contest was broken out into eight categories:

  1. Awareness Poster
  2. Awareness Website
  3. Awareness Newsletter
  4. Awareness Video
  5. Cybersecurity Blog
  6. Cybersecurity Podcast
  7. Training Awareness
  8. Innovative Solutions

The FISSEA Awareness and Training contest also had a “People’s Choice” category, and Cofense won three out of eight categories! This recognition helps to cement the position Cofense has at the top of the cybersecurity training-and-resiliency pyramid.

Choose Your Phish and the 3 Tips Animated Microlearnings are available to Cofense customers in PhishMe, SCORM, and the Cofense LMS. Cofense PhishMe simulations are based on the latest threats known to bypass secure email gateways (SEGs), empowering your users to become human threat detectors. With resilient users attuned to the latest phishing threats, you have the best organizational defense. With Cofense’s Learning Management System (LMS), you can easily zero in on the security and compliance issues that are important to your company. And LMS perfectly complements the behavioral conditioning and experiential learning of Cofense PhishMe.

We’re always available to answer your questions. Contact us at any time for a demo and more information.

Microsoft Customer Voice URLs Used In Latest Phishing Campaign

Found in Environments Protected By:
Microsoft, Proofpoint

By Brooke McLain, Cofense Phishing Defense Center

Analysts at the Cofense Phishing Defense Center (PDC) see all sorts of tactics being used by threat actors to make their phishing campaigns more effective. Recently the PDC has observed phishing campaigns abusing Microsoft Customer Voice URLs, similar to the campaign reported in August. While Microsoft Customer Voice is a customer engagement/survey service that is used for plenty of benign and useful reasons, threat actors are always trying to abuse such avenues. Figure 1 is an example of such an attempt.

Figure 1: Email Body 

As seen in Figure 1, the body of this email attempts to appear legitimate through the use of the Microsoft SharePoint logo and the simple formatting of the body, which convinces the recipient that this is an authentic document being delivered through SharePoint. In the message itself, the threat actor is trying to persuade the recipient to click “Go To Document >>,” leading to the first page of the phishing attack at a Microsoft Customer Voice URL. By using such a Microsoft URL, the user can be tricked into believing this is a legitimate email.

Figure 2: Phishing Page 

Once at the Microsoft Customer Voice page seen in Figure 2, the user is informed that they have to “preview” the document. This is an example of threat actors using stolen credentials to build a page that the recipient would not know exists and has no easy way to verify. Once the user opens the hyperlink nested in the “CLICK HERE TO PRINT | PREVIEW DOCUMENT” section of the page, they are redirected to the final phishing page.

Figure 3: Phishing Page 

The second malicious URL, hxxps://fghdfghdf-g0ej-5r90hngt-w9rnef-w9nejrf-9wenjf-efdewd[.]obs[.]ap-southeast-2[.]myhuaweicloud[.]com/sx-3rg-0o-j-hq-enjf-0whbnr-0fnjqe-0fcdhnwq-enc-0enf[.]htm, seen in Figure 3, takes the recipient to the landing page of the phish where they are prompted to enter their Microsoft login credentials. The appearance of the page closely resembles that of a legitimate Microsoft login page.

In the end, the abuse of Microsoft Customer Voice services in this campaign has given threat actors another way to get their phishing landing pages in front of users. Luckily for the client in this example, they had Cofense Vision, so any other instances of this specific campaign in their email environment can be quarantined. Couple that with the knowledge of the PDC analyst, and enterprises can enjoy adaptive and responsive protection. Contact us to learn more.

Indicators of Compromise IP

See Something, Say Something – The Importance of Employee Reporting in Cybersecurity

By Dave Alison, Senior Vice President of Products 

With an estimated 40% of ransomware attacks starting through email, and phishing attacks accounting for 80% of reported security incidents, it’s no secret that email security is a top concern for businesses these days. To take it a step further, RiskIQ reports that $17,700 is lost every minute due to phishing attacks – you read that right, every minute!  

So, what are you to do?  How do you keep up? How do you stop these threat actors whose sole reason for existence is to find new ways to penetrate even the best security systems?   

You train your employees. Groundbreaking, right? You’ve heard that before. But training your employees to spot suspicious or malicious emails is not enough; you need to take it a step further.

What’s needed is for humans to report the emails you’ve trained them to spot. Employees need to be empowered, encouraged, and even motivated to report suspicious activity. 

Why? Because they can be the force multiplier.  We know because we see it every day. 

According to Cofense Intelligence, for every one email reported by a user, an average of 20 additional malicious emails are removed from inboxes around the world.  Yes, one reported email is a 20X multiplier. 

Oh, and those 20 additional emails, they come from an average of four other companies in the Cofense Global Intelligence Network who would have been impacted. With over 35 million reporters worldwide, you can begin to see the impact your employees can have.  

It’s no longer “good enough” to just recognize questionable cybersecurity activity that may threaten the organization. If all we focus on is recognizing suspicious or malicious emails, we are basically setting up an ineffective neighborhood watch program. What’s the point of seeing something suspicious if you don’t report it?  As one of the most important lines of defense, employees must learn to not only identify but report questionable activity as it benefits their organization and all those around them. 

Sure, technology plays a role in helping organizations defend against cyberattacks like phishing, business email compromise (BEC), and ransomware. However, technology alone isn’t good enough, and anyone who says it is, well, is frankly short-sighted. It only takes one breach to damage a company’s financial status, brand reputation, and/or relationship with its employees and customers. “Good enough” is a risky strategy when it comes to cybersecurity.

The industry has made significant progress with all the work being done around artificial intelligence (AI) and machine learning (ML).  Both AI and ML are helping to create automation, lightening the load of security operations center analysts who are often overwhelmed by massive amounts of alerts, notifications, and investigations.  The reality is that technology can only take us so far because the threat actors are always evolving their techniques and finding new ways to penetrate these systems.   

As a matter of fact, we know that even today, on average almost 50% of URL attacks that are presented to the most respected secure email gateways (SEGs) in the industry are getting through that technology and reaching employees’ inboxes.  

That is why a strong employee reporting culture is critical to a successful security strategy.  There hasn’t been an AI system built to detect something strange, targeted at an employee, better than a trained human.   

Most awareness training, as well as pretty much every SEG vendor out there, claim people are the issue and many organizations are taking that cue and treating employees as risks to be mitigated, as opposed to assets to be trained and empowered.  Through positive reinforcement, real-life simulation, and by creating a culture where employees embrace their important role in defending the organization, employees can serve as a force multiplier in your battle against cyberattacks.   

It truly is a better-together story.  Technology isn’t as agile as humans, and humans aren’t as fast as technology in sharing.  We firmly believe that operationalizing human-discovered, crowdsourced intelligence and positively reinforcing a reporting employee culture is the only way to be successful in defending your organization against these criminal actors.  

Phishing Campaigns Abusing Web3 Platforms Increases 482% in 2022

The term “Web3” refers to a set of technologies intended to decentralize common internet and computing activity. Proponents of decentralization tout the ability to host content without the need for large technology companies. In short, anybody can publish any content, avoiding technical problems like server management as well as legal problems or censorship. Unfortunately, these features make the technologies attractive to threat actors seeking easy, robust hosting for malicious content. Analyzing credential phishing campaigns that reached inboxes during the first three quarters of 2022, we found massive growth in the abuse of Web3 platforms for phishing over that period. In this report, we explain the utility of Web3 platforms for phishing threat actors and analyze the growth and other trends in malicious Web3 usage.

Why Web3 Is Good for Phishing Threat Actors

Threat actors are regularly abusing several similar Web3 platforms. Each platform has two essential characteristics that make it useful to phishing threat actors:

  • Anyone can host content within the platforms simply by running the relevant software. No central servers are involved. Instead, content is collaboratively hosted by the platforms’ users. From a threat actor’s perspective, the users unwittingly provide free, anonymous, no-questions-asked hosting.
  • No company or governing organization moderates hosted content. While some measures are available to limit access to malicious content, it’s impossible to prevent it from being hosted within the platforms or to remove it once it has been hosted. The lack of oversight gives malicious content a longer lifespan, saving threat actors the trouble of finding new hosting.

Generally, the platforms are designed to make content hosting more available to individuals, evade censorship, and guarantee access to published content. But these features also make the platforms attractive for threat actors seeking to host malicious content.

Each platform is designed with different underlying technologies and use cases in mind, yielding differences in the ways threat actors can abuse them. For more details on the platforms and protocols involved, see Appendix A.

Malicious Use of Web3 Exploded in Q2, Still Increasing Steadily

Web3 platforms are an increasingly common method of hosting malicious content for phishing campaigns, as Figure 1 shows. Although a few malware campaigns have recently started to use Web3 platforms to host their payloads, credential phishing constitutes nearly all of the abuse so far. Our analysis in this report covers credential phishing emails found in users’ inboxes during Q1 to Q3 2022. Web3-hosted content was involved in 1.5% of credential phishing campaigns reaching inboxes in Q1. During Q2, that figure more than quintupled, accounting for an 8.0% share of campaigns reaching inboxes. In Q3, the share increased to 8.8%, with the number of campaigns abusing Web3 platforms being 482% of the number observed in Q1.

Figure 1: Emails found in commercial inboxes that included Web3-hosted malicious content. The graph shows each month’s share of the total number of emails from Q1 to Q3 of 2022.

Several services allow for easy use of Web3 technologies, including the generation of gateway URLs that can be accessed with a web browser. The URL’s domain reflects which service was used to create it. Fleek ( was the most popular service for threat actors, accounting for almost half of the URLs in the campaigns we analyzed.

Figure 2: Share of URLs from each Web3-related service in credential phishing emails, Q1 to Q3 of 2022.

The second most common service, Skynet Labs (, announced recently that it is shutting down, effective November 15, 2022. Skynet Labs URLs have not declined meaningfully in October, but the shutdown will almost certainly affect the distribution of Web3 URLs in November and beyond.

How Web3 URLs Are Used in Phishing Emails

As in our past analyses of domains used in credential phishing emails, we divide malicious URLs into two stages. Stage 1 URLs are embedded into the email itself, but rarely go directly to the credential phishing page. Stage 2 URLs include any that are involved after the user has opened the link embedded in the email.

Only 21% of Web3 URLs are used in Stage 1. Since Web3 platforms lack content censorship by design, organizations are more likely to block emails linking to them. Threat actors continue to prefer abusing well-known services like Adobe, Google, and Microsoft, which organizations are essentially unable to block.

Figure 3: A fax-themed email linking to a fraudulent page hosted on the Microsoft Customer Voice service. 

Figure 4: The fraudulent page linked in the email from Figure 3. It leads to a phishing page hosted on Skynet. 

By contrast, Web3-hosted content is well suited to threat actors’ needs in subsequent stages of the phishing campaign. Broadly speaking, content published on Web3 platforms is permanent. Moreover, Web3 publication removes the need for creating or stealing accounts, compromising websites, or registering new domains to host a credential phishing page. Threat actors can continuously publish new phishing pages to stay ahead of countermeasures.

Figure 5: The Skynet-hosted phishing page linked by the campaign in Figure 3.

Although Web3 platforms may be a good hosting solution for threat actors, they cannot perform data exfiltration on their own. None of the Web3 technologies can receive input from a user and send it to an exfiltration service. Instead, threat actors still rely on embedded forms or JavaScript code, so that the victim’s browser sends captured login credentials to endpoints under threat actor control.


Web3 technology offers little downside to threat actors at present. In the near future, there is no reason to doubt that Web3 abuse will continue to increase in both credential phishing and malware.

Over the longer term, if Web3 technology gains adoption in the everyday life of users and organizations, the opportunity for abuse will only grow. For example, most browsers currently need gateway services to create URLs for them to access decentralized content using the InterPlanetary File System (IPFS–see Appendix A for more details). Those services can disable a URL if it is reported as malicious. But if browsers receive native IPFS support in the future, then opening an IPFS link will be similar to opening a saved file from the user’s hard drive.

By design, decentralization technology puts all the responsibility for publishing and for consuming content on individual users. For network defenders, that prospect involves a significant amount of risk. Short of outright blocking all Web3 gateway services (for those companies that have no need for legitimate access to such services), keeping users educated and vigilant remains the best feasible preventive measure for the foreseeable future.

Appendix A: Description of Web3 Technologies Used for Phishing

Gateway URLs

Each of the Web3 technologies covered in this report creates a network of many different computers working together to host content or applications. They include protocols that allow users to access the content or applications, but in most cases, those protocols are not currently supported directly by web browsers. To make the services more usable, the protocols also include a way to create “gateway URLs,” which allow browsers to open Web3-hosted content or applications as though they were hosted on a traditional server. These are the services threat actors use to send links to the phishing pages they host using Web3 technologies.

Services that provide gateway URLs are operated by a mix of commercial and community organizations. Gateway services can help speed up the adoption of Web3 technology by making it more usable by current browsers. However, they also effectively centralize access to Web3-hosted content because they can choose to disable a gateway URL that points to malicious or illegal content. All the operators of gateways we found in our data have a way for users to report malicious content.

InterPlanetary File System (IPFS)

IPFS is a protocol for decentralized storage and serving of content. An IPFS user wishing to publish a piece of content can choose to make it available from their computer. Initially, other IPFS clients download the content from the original publisher’s computer. When they do, they also start to make the content available to more clients. This way, IPFS essentially serves as a content distribution network, ensuring that content remains available–and from one or more nearby hosts, which improves performance.

Protocol Labs, the organization responsible for IPFS development, operates a few gateway URL services for IPFS. Others are operated by commercial entities attempting to utilize and enhance IPFS for their customers.
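As an added example (not code from the report or from Cofense), the check below flags links in an email body that resolve through an IPFS gateway, assuming the two standard gateway URL shapes: the path gateway (`/ipfs/<CID>` or `/ipns/<name>`) and the subdomain gateway (`<CID>.ipfs.<host>`). It goes slightly beyond the description above by also covering IPNS names; the gateway hostnames and CIDs in the sample are constructed placeholders, not real indicators.

```python
"""Flag IPFS gateway URLs in an email body (added example, not Cofense code).

Assumes the two standard IPFS gateway URL shapes:
  path gateway:      https://<gateway>/ipfs/<CID>[/path]  or  /ipns/<name>[/path]
  subdomain gateway: https://<CID>.ipfs.<gateway>/[path]  or  <name>.ipns.<gateway>
Gateway hostnames and CIDs below are constructed placeholders, not real IoCs.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# CIDv0 is "Qm" plus 44 base58btc characters (alphabet excludes 0, O, I, l).
# CIDv1 in base32 carries the multibase prefix "b" followed by lowercase
# base32 (commonly "bafy..." / "bafk..."). These are shape checks only; a CID
# library would also validate the multihash.
_CIDV0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
_CIDV1 = r"b[a-z2-7]{20,}"
_CID = rf"(?:{_CIDV0}|{_CIDV1})"

_PATH_IPFS = re.compile(rf"^/ipfs/({_CID})(?=/|$)")
_PATH_IPNS = re.compile(r"^/ipns/([A-Za-z0-9.\-]+)(?=/|$)")
# Subdomain gateways use case-insensitive CIDv1 (base32), and
# urlparse().hostname is already lowercased, so CIDv0 is not expected here.
_SUBDOMAIN_IPFS = re.compile(rf"^({_CIDV1})\.ipfs\.(.+)$")
_SUBDOMAIN_IPNS = re.compile(r"^([a-z0-9\-]+)\.ipns\.(.+)$")

_URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def classify_url(url: str) -> Optional[Dict[str, str]]:
    """Return kind/identifier/gateway for an IPFS gateway URL, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    m = _SUBDOMAIN_IPFS.match(host)
    if m:
        return {"kind": "ipfs-subdomain", "identifier": m.group(1), "gateway": m.group(2)}
    m = _SUBDOMAIN_IPNS.match(host)
    if m:
        return {"kind": "ipns-subdomain", "identifier": m.group(1), "gateway": m.group(2)}
    m = _PATH_IPFS.match(parsed.path)
    if m:
        return {"kind": "ipfs-path", "identifier": m.group(1), "gateway": host}
    m = _PATH_IPNS.match(parsed.path)
    if m:
        return {"kind": "ipns-path", "identifier": m.group(1), "gateway": host}
    return None


def find_ipfs_links(text: str) -> List[Dict[str, str]]:
    """Extract every http(s) URL from text and keep those that resolve to IPFS content."""
    hits = []
    for url in _URL_RE.findall(text):
        info = classify_url(url)
        if info:
            hits.append({"url": url, **info})
    return hits


# Constructed sample: a fax-themed lure whose "document" links resolve through
# a gateway, alongside ordinary links that must not be flagged.
SAMPLE_CIDV0 = "Qm" + "Zz9" * 14 + "Zz"       # 46 chars, base58-shaped (constructed)
SAMPLE_CIDV1 = "bafybei" + "a2" * 26          # 59 chars, base32-shaped (constructed)
SAMPLE_EMAIL = f"""You have a new fax waiting for review.
Cover sheet: https://forms.example.com/fax/12345
Document: https://gateway.example/ipfs/{SAMPLE_CIDV0}/index.html
Backup copy: https://{SAMPLE_CIDV1}.ipfs.gateway.example/login.htm?id=1
Status: https://status.example/ipfs-is-not-a-gateway-path
"""

if __name__ == "__main__":
    for hit in find_ipfs_links(SAMPLE_EMAIL):
        print(f'{hit["kind"]:16} gateway={hit["gateway"]} id={hit["identifier"]}')
```

Pair the flagged gateway host with an organization-specific allow or block list; a match on content shape alone says the link resolves to IPFS-hosted content, not that the content is malicious.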

Sia / Skynet / Skynet Labs

Sia is a blockchain project that utilizes users’ empty disk space to act as part of a distributed file storage platform. It has its own cryptocurrency, Siacoin, which is used to “rent” disk space on computers running the Sia software. Skynet is a technology built on top of Sia intended to be used for web and application hosting. The organization behind it, Skynet Labs, operates a gateway service ( that has been popular with threat actors. That gateway service will be shut down in November 2022, but Skynet will still be accessible using other gateway services.

Internet Computer

The Internet Computer is a general-purpose blockchain designed to run apps, similar to the smart contracts of the Ethereum blockchain. Serving content directly to a web browser is a unique ability of apps running on the Internet Computer. Dfinity, the organization that developed the Internet Computer, operates the domain, serving a similar purpose as the gateway services mentioned above. Dfinity maintains a code of conduct specifying several prohibited categories of content. If an app is serving malicious content, Dfinity will disable the public URL on the domain, leaving the app inaccessible (even though it is still running).

This is what happens when you give scammers $500 worth of gift cards.

By: Ronnie Tokazowski

Executive Summary

Over the last few months, analysts at Cofense have been trying to gain more insights into the world’s most lucrative cybercrime, Business Email Compromise. In July, the team set out to see how many responses a scammer would engage with from a potential victim before making their ask.

This time, Cofense analysts purchased $500 worth of trackable gift cards to intentionally give to scammers in the hopes of discovering what happens once scammers receive these funds. With gift cards continuing to be one of the more difficult cash-out methods to track, due to the complexity and locality of the information, we had no idea what we would find.

Something that stood out through this research was how quickly these scammers move funds.

In all but one case, each gift card was stolen, re-sold, and used for purchases within 24 hours. And while scammers do have preferences for the brand of cards they target, they are willing to pivot depending on the cards available. Based on the research, scammers prefer to use in-store cards over credit card gift cards.

So, from counterfeit toys sold in Myanmar to digital greeting cards to companies that don’t appear to exist and purchases for energy companies, let’s dive into the report.


Business Email Compromise (BEC) continues to make headlines with arrests across the world and losses in the billions. The roots of BEC originated from Nigerian prince scams (419 scams), where attackers found new, creative, and innovative ways to target consumers each day. Attackers are constantly adding new types of fraud to their arsenal as security practitioners, law enforcement, and organizations change their defenses against these tactics. While many of these scammers operate in small groups, many are part of larger organized crime groups, international gangs, and criminal syndicates.

While the mechanics of the dozens of tactics and objectives of these attacks are well known, one of the biggest “unknown” aspects of BEC is a deeper understanding of how gift card fraud fully works.

Based on empirical evidence captured by defenders around the world, we know that once gift cards are stolen, they are sold locally or remotely via gift card exchanges. For gift cards sold remotely, many appear to be sold on cryptocurrency exchanges, where cards can be sold for Bitcoin, Ethereum, or other forms of digital payments. While many of the remotely sold gift cards are exchanged for 80-85% of the face value, cards can be purchased locally for around 50% of the face value, depending on the country. While a fuller picture of how gift card fraud works is limited to the organizations and institutions who manage this infrastructure, we do know current losses are in the hundreds of millions of dollars.

The concept of our research project was based on a simple premise. What gift cards can be purchased, tracked, and used to engage with these attackers to help identify how, where, and when they’re used? With these concepts in mind, we purchased $500 in gift cards and engaged with 54 live BEC attacks over the course of 5 weeks to evaluate what type of insight and usage patterns we could uncover.

In addition, we discovered that most cards were used on the same day they were stolen, making the mitigation of this type of attack extremely difficult. Many financial institutions have anti-money laundering (AML) controls in place so that money can be reversed and recovered under certain circumstances. This normally results in a 72-hour “safety window” of asset recovery; however, that window is closing, and scammers are aware of our inefficiencies. While it’s quick and easy to write the losses off, this does nothing to address the root cause and simply perpetuates the issue.

Going into this project, we didn’t know what to expect, and we ended up with more questions than answers. Let’s look at the fraud.

What Do BEC and Gift Cards Have to Do With Each Other?

Traditionally, Business Email Compromise (BEC) is straightforward. In these attacks, a scammer impersonates a C-level executive within the company to convince unsuspecting users to make urgent wire transfers to vendors, organizations, and other accounts that they control. As awareness of this tactic grew, organizations adapted and increased their diligence against these types of attacks. Attackers took notice and started to adjust their attack methods to include payroll diversion, invoice fraud, check fraud, and the topic of this research: gift cards.

Gift card scams play out like other types of BEC scams. Scammers ask unsuspecting employees to run tasks or errands under the guise of “helping out.” Within Cofense, we have seen dozens of different email lures such as holiday surprises for employees, rewards for employee performance, or gifts for the CEO’s family members. We have also seen templates including a forgotten birthday or one last gift card for a sick and dying relative. While many of these attacks stay within email, some scammers will ask for the phone number of the victim to converse with them while they are purchasing the cards or even start as SMS text messages.

Once the unsuspecting victim has taken the bait and responded to the scammer, they will be asked to go to a local store to purchase gift cards, often in $100 or $500 denominations. After the cards have been purchased, the scammers ask the victims to scratch off the back code and send them pictures of the cards. Once received, the scammers confirm receipt and push the victim to send more cards or money over time.

Engaging With Scammers to Get Information from Them

The key to having successful scammer engagement is to respond to the initial email as if you had no idea you were about to be scammed. The actual context is dependent on what type of scam they are attempting, and what angle they are playing to entice their victim.

Most gift card scams start out with the CEO or another person in authority asking for help running a “task,” however scammers withhold the task until their email is acknowledged. Once a response is received, the scammer divulges what the “task” is, why they are asking for help, and why they can’t do it themselves.

Based on the knowledge of how these scams work and the communication patterns that these attackers are used to seeing from actual victims, we can socially engineer the scammers in an unsuspecting manner. For example, if a scammer is expecting a response to the question “do you have spare time at the moment?” we would provide a simple answer like “Sure, how can I help?”

Image 1. Screenshot of BEC engagement 

And just like clockwork the scammers respond right back.

Image 2. Actor response 

Cards Scammers Want vs. Cards Scammers Get

In order to conduct our research, we used general branded credit cards which can be used as gift cards. As strange as it may sound, scammers were extremely hesitant to take these cards and would often push for store-specific cards, such as Apple, Steam, or Google Play cards. It took a surprising amount of work to make them pivot from their “normal” methods of gift card fraud. However, we were able to get a surprising number of them to accept our trackable gift cards.

In addition, we do not have full visibility into what happened to the gift cards after they were sent to the scammers. The gift card can take many routes after being sent, and here are a few possible scenarios.

  1. They are sold on gift card to cryptocurrency exchanges. Buyers could be legitimate persons looking to save a couple dollars on cards or criminal syndicates who are using cards as a way to launder stolen cryptocurrencies. Both have been publicly observed.
  2. Stolen cards could be sold locally for a smaller percentage, as many people don’t fully understand cryptocurrency. In one of our engagements, we know the card was sold locally.
  3. If scammers are part of larger groups, they may have ways to launder specific cards, thus turning larger profits.

While we focus on one small piece of gift card fraud, we acknowledge that there are many other areas of gift card fraud that are not fully understood. We know cryptocurrency theft, re-shipping scams, in-person purchases, and many other angles of gift card fraud exist. In addition, a fuller scope view of how gift card fraud works is held with card distributors and brokers, and more extensive collaboration is necessary in order to facilitate a better understanding of the gift card ecosystem.


First Engagement (GC1) 

For this engagement, the attacker assumed multiple identities throughout our correspondence with them. Initially, the actor assumed the identity of “Ian William” and later pivoted to the display name “Ian Foy.” This happens frequently with scammers as they engage with multiple targets during a specific engagement. Both accounts will be described as “Ian.”

In the initial phish, Ian asked if we could do something for them right away. Ian was in a meeting with limited connectivity and asked if we could purchase 5 gift cards for Steam, an online platform for purchasing video games, for a total of $1,000 (5x$200). To set up the bait, we told Ian that Visa cards were the only ones we could purchase and asked if we could use those instead of the requested Steam gift cards. Ian confirmed, and we provided a single $25 gift card. Ian kept asking if there was something wrong with the transaction, as they were expecting multiple cards; however, we only provided one gift card in this engagement. The total interaction and engagement lasted two days.

We do not have visibility into how the card was laundered; however, the gift card was later used at Amtrak, a railway company, on June 29, 2022. Since this card would have been considered “stolen” under normal circumstances, we provided Amtrak with the card details. No further information was provided by Amtrak as to what the purchase was for.

Image 3. Amtrak purchase from gift card 

Second Engagement (GC5) 

In this engagement, the BEC actor impersonated our CEO, Rohyt Belani, and attempted to steal funds from one of our senior researchers. The specific researcher targeted has spent the last 7 years raising awareness around how Business Email Compromise works and instantly knew it was a scam. Instead of letting the scam play out, Cofense used this as a chance to gain more information from the scammers and see if more information about the attacker could be found.

While the scammer initially tried to scam the researcher, they quickly turned the engagement back on the scammer and converted the scam attempt into an interview opportunity. After providing enough insights to the scammer that Cofense was well aware of how these scams worked, the scammer decided to open up and went off-script. We do acknowledge that it’s entirely possible that the attacker was still lying to us, however they did confirm that yes, they were in Nigeria. The scammer went into further detail about how he became a scammer, with one of the primary reasons being limited opportunities in Nigeria. Based on extensive research into Nigerian culture, economy, geopolitical status, and unemployment, this is an accurate sentiment shared by local sources. 

Prior to scamming, he was a tailor and did other odd jobs just to survive. As a tailor he made shirts, and for the shirts he made, he would profit around #500 Naira, or $1.20 USD for each shirt. He also mentioned that he was 50, did not have an easy life in Nigeria, and all of those things combined led him down the path of scamming. And while many choose the scamming life as a way to make quick or fast money, there is much more going on than an over-simplification of “bad people doing bad things.” 

We didn’t want to leave the scammer empty handed as he provided insights into the underlying ecosystem for us, so we provided them with a gift card for their efforts and purported honesty. He mentioned that he would be selling the card locally because he didn’t have access to any other exchanges, where he could have gotten a higher dollar amount.

After selling the card, it was used to purchase five instances of TikTok Live via the Google Play store. The information was passed over to TikTok in case the card was used as part of another fraud scheme, and no further information was provided to Cofense.

Image 4. TikTok Live purchases 

Third Engagement (GC7) 

In this engagement, the attacker assumed the identity of “Andrew Quinton.” Andrew requested 5 AMEX gift cards to the tune of $500 each and asked if we could leave for the store soon. Once it was verified that a Mastercard gift card could be purchased, a card was sent to Andrew. Andrew asked “What’s going on” when no more cards were sent; however, the attacker still successfully cashed out the card.

While researching the origins of the purchase on this card, we were quite surprised with what we uncovered. To get started, the retailer’s name for this gift card was “BKIDZ” in Sheridan, WY. A single $25 purchase emptied the balance of the card.

Image 5. Purchases to unknown retailer “BKIDZ” 

When researching the brand BKIDZ, we found limited information about the origins of the transactions in Sheridan, Wyoming, and no references online that led us to a solid company. However, during our research we did find branded children’s toys using the “BKIDZ” logo for the online marketplace KhitZay, an online store front that sells counterfeit toys in the currency of Myanmar Kyat.

Image 6. Logo used on the “KhitZay” store using the “BKIDZ” branding

One instance of counterfeit goods being sold directly under the BKIDZ brand was Marvel toys from Hasbro, with the item number E4353. While some of these counterfeit items are being sold on eBay and AliExpress, many of the counterfeit items are being resold on KhitZay.

Image 7. Logo used on the “KhitZay” store using the “BKIDZ” branding

Image 8. Unknown purchase at Constellation Energy in Chicago, IL 

Fifth Engagement (GC11) 

In this engagement, the attacker used the name “Amanda Johnson,” and the scammer wanted 10 Amazon gift cards for $200 each ($2,000 total). Initially, the scammer came from a sudenlink[.]net account; however, after the initial email the scammer switched to a Gmail account with the display name of “Mary Webre.” We are unsure as to why the scammers decided to change the display name mid-campaign.

After verifying that a Visa gift card could be used, one $25 card was provided to the scammers, with the scammer confirming the receipt with an “Alright.” When no further card was sent, the scammer bumped the thread multiple times, and the following day they responded in a formal manner asking for a follow-up on the gift card. This was the last response from the scammer.

On August 6th, 2022, this card was used at “PF GSHOP” in New York.  

Image 9. Purchase at OneUp Trader  

Sixth Engagement (GC14) 

In this engagement, scammer “David Johnson” asked if we had some spare time and we said of course, how could we help. David mentioned that a client needed iTunes gift cards of any denomination for a total of $1,000. David’s instructions were that once the cards were purchased, to gently scratch off the back of each card, to take a picture of the cards, and email a clear picture to the client at a different Gmail account, which we will refer to as “Lim.”  

At this point we had CC’d Lim on the email thread, and the scammer was now going under the name of Lim, different from the initial name of David. We tried to convince the scammer that all of the stores were sold out of iTunes cards, and they instructed us to instead purchase Amazon, iTunes, or Google Play gift cards. After telling them that four stores were sold out, David still insisted on purchasing iTunes gift cards online.  

Finally, after convincing the scammer that we were only in possession of cash, Lim “asked their superior” and was instructed that Visa cards would be acceptable. After we sent only $25, Lim asked if there were any bitcoin vendors in the area, as we only sent $25 of the $1,000 requested. Lim later bumped the thread asking if we could load the $25 card with $900, and this was the end of our contact with the scammer.

For the gift card in this transaction, unknown persons purchased $25 worth of products with GivingLi, a greetings and gift card company. While we do not have visibility into the product or good that was purchased, historically we have seen Yahoo Boys and other scammers sending cards and flowers to romance victims to keep them in the scheme for longer periods.  

Image 10. GivingLi transaction 

Seventh Engagement (GC15) 

In this engagement, the scammer assumed the fake persona of Jared Russel. Jared said that he trusts he can count on us to keep gift card purchases a surprise because he wanted to surprise the staff. Keeping this between us and Jared, he wanted to know how quickly we could purchase the cards and what local store could be used to make the purchase. Jared suggested Walmart Visa cards, American Express, or Vanilla Visa gift cards “since we can use them almost everywhere.” After conversing back and forth to confirm what should be purchased, Jared confirmed that four Visa prepaid gift cards at the value of $500 each ($2,000) should be purchased.

One of the interesting things we noticed is that we had purchased the gift cards prior to the engagement, and the scammer was quick to identify this discrepancy. However, we just said that the credit card machines were printing the incorrect dates on the receipts, and this was enough for the scammer to accept the difference.

For this credit card transaction, unknown persons purchased $25 worth of something from a company under the name “DEBEBTECH LLC.” At the time of writing, no information about DEBEBTECH exists, even on Google or Bing.

Image 11. DEBEBTECH LLC purchase 

Eighth Engagement (GC16) 

While most scammers assume one persona during an engagement, this scammer went through four different names for the entirety of the campaign. John Slattery, Jerry Williams, Roger Jenkins, and Stephen Timm all asked about gift cards in the same exact thread. This commonly happens when scammers get confused and use different display names during engagements, as they will sometimes engage with multiple companies per account. In addition, the scammer used six different subject lines during this engagement.  

In this campaign, Jer..Rog….the scammer asked us to head to the nearest store to find and purchase gift cards. The cards were for their presentation on data analysis and evaluation, and they wanted to know how quickly we could get this done. After confirming that we could run to the store and pick them up, the scammer asked if we could purchase Target or Google Play gift cards. There was a lapse of 30 minutes before our next response to the scammer, which led to the scammer asking if we were there, if we were talking to them, and what was up. They were extremely pushy, and after we said that we didn’t like being yelled at, Jerry came back and said that he wasn’t yelling, just that he didn’t have much time for the presentations.

Once a single card was provided back to the scammer, they continued being pushy, asking how many of the $25 cards we were able to purchase.

After the card was provided to the scammer, the card was used at a company called FLUZ AWAY. Fluz is an application that runs on your phone that allows you to receive points and cash back on products and services that you use. Money can be loaded into the app then used at these locations for purchasing products. 

Image 12. Fluz Away purchase 

While researching the retailer “FLUZ AWAY,” it appears that the company has many complaints with the Better Business Bureau (BBB) about gift cards of various values being purchased and funds being stolen. Based on comments on the BBB site, the complainants include victims of puppy scams, car rental scams, and check fraud.

Ninth Engagement (GC18) 

In our 9th and final engagement, the email came from CHIEF EXECUTIVE OFFICER (caps included), where the scammer asked if we had anything on our plate, as they had a task for us. They wanted us to “drop your phone number so I can concise you about it.” After telling the scammer that we didn’t have our phone with us, they asked if we could purchase an eBay gift card for a business prospect. After “running to the store,” we informed the scammer that they didn’t have any eBay gift cards, and the scammer asked if they had Steam or Apple gift cards. We denied their request, telling them that the store did not have these cards. The scammer asked for a Visa Vanilla gift card, and we provided a Vanilla Mastercard to the scammer. Eventually the scammer confirmed the receipt of the $25 gift card, and after we ignored a few more emails they lost connection.

And contrary to every other transaction previously discussed, the transaction on this gift card was the most normal. Unknown people purchased $25 worth of goods on Amazon. 

Image 13. Amazon purchase 

Other Findings and Conclusion 

When we decided to kick off this research, we had no idea what direction this was going to take. Using gift cards to purchase things on Amazon seemed like a normal expense, however stumbling onto counterfeit toys sold in Myanmar, digital greeting cards, companies that don’t appear to exist, and purchases for energy companies were not even considered. While we did find some very interesting things about what happens to gift cards once they’re stolen in BEC attacks, we ended up with many more questions than answers.  

And as counterintuitive as it may sound, it was especially difficult to convince scammers to take the gift cards that we had. They had pre-defined scripts in $100 denominations, and if something deviated from that, it really seemed to throw them for a loop. In addition, the timing of the receipts was another metric that scammers looked for, and if something was outside the normal time frame, scammers were very hesitant to use them.

For more insights on Business Email Compromise, including the first part of this study, view the resources below: 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.  

All names shown above have been changed to protect the privacy of the user. 

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.