Phishing emails with .com payloads target finance departments

There has been an increase in the use of .com extensions in phishing emails that target financial service departments, according to a new analysis.

In October alone, anti-phishing company Cofense Intelligence analyzed 132 unique samples with the .com extension, compared to only 34 samples analyzed in the nine months before. Four different malware families were utilized.

The subject lines and email contents of the phishing emails suggest that the threat actor is specifically targeting financial service departments. The two most popular subject line themes use the terms 'payment' and 'purchase order' to tempt recipients to click. The messages have an attached .iso file containing a .com executable.

Of the malware families that are being delivered, the majority are made up of Loki Bot, AZORult and Hawkeye. Some campaigns include an attachment containing such an intermediary dropper, and often the attachment was weaponized to exploit a CVE or a malicious macro, which would then deploy a .com payload onto the endpoint.

Intelligence analyst Aaron Riley, writing on the Cofense blog, says, "Cofense Intelligence estimates that we'll see an increased adoption of malware using the .com extension. Similar campaigns will likely expand to other industries that have monetizable data, like the healthcare and telecommunication sectors. An increased use of the .com extensions can be harmful to enterprise networks if organizations are not prepared for it, and once they are, another file extension will surge in popularity in a constant effort to stay ahead of the defense."

You can read more about the attacks and sign up for free threat alerts on the Cofense blog.

Photo credit: wk1003mike / Shutterstock