Explore the latest news and trends  

Sign up for our weekly security newsletter

Be the first to receive important updates on security


Finance Departments getting Targeted by Phishing Emails with .Com Payloads

As per a recent analysis by Cofense IntelligenceTM, there has been a substantial increase in the number of phishing emails targeting financial service departments by using .com extensions.


Cofense Intelligence, an anti-phishing company, has analyzed 132 samples that are unique having .com extension in the month of October alone; whereas, the company had analyzed only 34 samples in the past nine months before that. Four malware families that are different were utilized.


The file extension .com is used for the text files having executable byte code. Microsoft NT kernel-based operating systems and Disk Operating System (DOS) both allow .com files to be executed because of the backward compatibility reasons. Within DOS stub, .com style byte code is similar across all the PE32 binaries (.dll, .exe, .scr, etc.).

The phishing emails contents as well as the subject lines suggest that the financial service departments are specifically getting targeted by the threat actors. The two very frequently used subject line by the hackers are 'purchase order' and 'payment' for tempting the recipients to click. The threat actors usually carry out these campaigns for targeting the employees having financial information saved on their local systems or machines, which explains use of the information-stealing malware as campaigns' payloads. The mentioning of .iso file attachment in email contents is actually an archive which contains a .com executable.


Out of the malware families which are being delivered, most were made up of Hawkeye, AZORult and Loki Bot. The analysis done by Cofense Intelligence reveals that the subject lines of the email are specific to malware payloads that they deliver. For example, if the email subject is 'payment' then it would deliver mostly AZORult information stealer, whereas if 'purchase order' is the email subject then it would deliver mostly the Hawkeye keylogger and the Loki Bot information stealer.


Generally, the .com payloads are attached directly to the phishing email without the intermediary delivery mechanism. Though, there are a few campaigns that include an attachment containing an intermediary dropper.


Aaron Riley, an Intelligence Analyst, writing on Cofense blog says that, "Cofense Intelligence estimates that we'll see an increased adoption of malware using the .com extension. Similar campaigns will likely expand to other industries that have monetizable data, like the healthcare and telecommunication sectors". Riley further said that, an increase use of .com extensions could be harmful to the enterprise networks in case the organizations are unprepared for it; and if they become prepared, then there will be surge in popularity of another file extension in a continuous effort to remain ahead of defense.

» SPAMfighter News - 11/27/2018

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page