Dave
All right, team, look alive. Wheels up in two minutes. Lights are good. Crowd's hot. Sound checks are done. Let's lock it in. Dave, you're center stage. Selena, you're on the left mic. New guy, you'll be over here on mic three. New guy, new guy, over here. Where's the new guy?
Selena
Keith texted me be there in two, but that was, like, 10 minutes ago.
Keith
Doesn't answer the question. Is he in the building?
Selena
I thought he was in the bathroom.
Dave
All right, folks, we're out of time.
Keith
Let's just go.
New Guy
The crew can wrangle him if he appears.
Selena
Okay, showtime. We've done this before. We got this.
Dave
Starting in three, two. Selena, that's you. Go.
Selena
Welcome. Well, welcome to Only Malware in the Building, the podcast where three cyber security nerds try to. Hold on. Dave? Dave, can you fix this?
Keith
Yep, got it. Okay, good to go. One more time from the top.
Selena
Today we're talking about phishing scams. Specifically, we have heard some campaigns have been more targeted.
Keith Milarski
Hey, am I late? I got. I got stuck in the.
Dave
No, guy, you're here. You're on. Go now.
Selena
Once those attackers.
New Guy
Keith.
Keith Milarski
Well, okay, where are we? Are we live?
Selena
No. Totally. A dress rehearsal for an entire live audience.
Keith
Welcome to the show.
Selena
Keith, right?
Keith Milarski
Yes. Absolutely. Thrilled to be here. Did we already start?
Selena
Only three times.
Keith
Let's try for a fourth. Phishing scams. Today's episode is about. Turn off those cell phones.
Keith Milarski
I don't even own a third phone. Where is it coming from?
Selena
Okay, focus. Phishing. Phishing. We need to get this back on track. We keep getting distracted, and our audience deserves better than.
Keith
Whoever in the audience keeps coughing. Please remove yourself from the room. Have you no decency?
Selena
Okay, so today's episode is.
New Guy
Why is the music playing?
Keith
Guys, we've rehearsed this for days.
New Guy
What is going on?
Selena
Well, stick around. At some point, we might actually talk about phishing scams.
Keith Milarski
What if we just go to commercial?
New Guy
And now a word from our sponsor. Cyber threats are evolving fast. And if you're still relying on traditional antivirus or reactive tools, you're already a step behind. ThreatLocker takes a fundamentally different approach by putting you in control of exactly what's allowed to run in your environment. It's a proactive, zero-trust approach to security, where only the applications you've explicitly approved are allowed to execute. No chasing malware, no dependencies on post-attack threat detection. Just real control that stops threats before they ever get a chance to run. With ThreatLocker, you're not limiting productivity. You're empowering your team to work securely without compromise. It's smarter security that doesn't get in the way. Thousands of IT leaders trust ThreatLocker to protect their organizations from ransomware, zero-days and insider threats. Ready to see it in action? Visit threatlocker.com to book a personalized demo. And we thank ThreatLocker for sponsoring our show.
Selena
So today we are actually talking about phishing, specifically credential phishing and some new research that Proofpoint put out on a phish kit we actually call CoGUI. So this is a super interesting threat cluster of activity. It's a phish kit that targets largely Japan with millions of messages per each campaign. And these campaigns are happening multiple times per week. So we did actually find this really new, interesting phish kit. It is believed that Chinese-speaking threat actors are using this phish kit, are distributing this phish kit. And there was some interesting alignment with public reporting by Japan's Financial Services Agency. So happy to dive in, and also would love to talk about credential phishing in general and some of the stuff that you guys are seeing on the landscape beyond just this one particular case targeting Japan. But how are threat actors using MFA phishing? Is there anything that's crossed your desk recently that you're like, huh, this is super interesting cred phish?
Keith
Well, let me back you up, Selena. What are you guys calling this one?
Selena
All right, so this is a really fun thing where you only ever read words and then we say them out loud. Like, am I actually. Is this how it says it in my head? I'm calling it CoGUI.
Keith
So CoGUI.
Selena
CoGUI. Capital C, small O, big G-U-I. CoGUI.
Keith Milarski
Makes sense. Makes sense.
Keith
It reminds. It's like mowage.
Selena
Mo.
Keith Milarski
Oh, wow.
Selena
I'm gonna.
Keith
Oh, look at the. That puppy is so cute. And cousin, I'm gonna have to watch.
Selena
Princess Bride after this recording.
Keith
Okay. Yeah. I'm just gonna note here that as the person whose job it is to very often have to pronounce out loud words that people like you, Selena, and people like you, Keith, who've come up with clever names for things, written them down using leet speak and all that kind of stuff, never realizing the fact that someday someone, that someone being me, is going to have to actually say that word and that, you know, we.
Keith Milarski
Do that on purpose. Dave.
Keith
Well, I. I've come to believe that now. I mean, it's been so long that there's no way that people can't be aware that sooner or later somebody's going to have to say the word out loud.
Selena
So I have been advocating for a long time for someone on my team, the next malware that they discover to name it like Selena Stealer or something. You know, that's, that's very pronounceable. No one can mess that up.
Keith
Right? Right. That's funny. You could have a T-shirt made for your husband to wear.
Selena
I make my own little logo by paying a designer, not using AI.
Keith
Yeah, there you go.
New Guy
There you go.
Keith
All right, so let's dig into some of the details here. I mean, what called you and your colleagues' attention to this one in particular?
Selena
Yeah, so I have to give a shout out to all my colleagues who have been tracking this particular threat cluster. We actually, when we first saw it, were like, okay, yeah, phishing targeting Japan at super high volumes. This isn't something that is completely new on the threat landscape. So for example, a few years ago we published some research, and other shops have identified, you know, high volume phishing impersonating Amazon targeting Japan. So consumer brands. So we're like, oh yeah, like another gigantic cluster, like gigantic activity targeting Japan. But when we were really diving into it. So first of all, it was a kit that we hadn't seen before. And as you guys might know, the Chinese-speaking phishing kits targeting both mobile and email have increased. Right. I think we've even mentioned on the podcast some of these road toll scams, like the smishing, the sort of phishing triad, so to speak, that some really interesting research has been published on, that includes the Darcula phish kit, for example. So there was, you know, kind of taking a look at some of this phishing in general. And we saw, oh yeah, there's like a lot of similarities to some of these popular Chinese language kits that are, you know, expected to be rated by Chinese threat actors. And so we were looking at this and then we were looking at it and we thought, oh, okay, it's kind of interesting, they're impersonating consumer brands, but also like finance companies and securities companies, they seem to be very, very high volume, very active. They're customized and tailored for the, that they're impersonating. And while Amazon and, you know, the consumer brand is definitely one of the biggest that we've seen, we've also seen an increase in some of these sort of more financial focused and securities focused campaigns, which was pretty notable.
Keith
Yeah, I reported on one recently that was, it was a phishing campaign impersonating Zoom meeting invites. So you'd get a fake invite, you'd go to log into Zoom. And it looked exactly like Zoom, but it wasn't actually Zoom. And of course, you'd put in your login details and then they've got you. But it's interesting how. I guess what's interesting to me is how, as you say, how much more targeted these campaigns seem to be getting. Like, the threat actors are getting more and more focused and the kits are getting more and more sophisticated. I'm curious, like, historically, over the years, as you've been tracking these things, Keith, I mean, has that followed the trend that you've been tracking, like, the increased sophistication?
Keith Milarski
Well, yeah, I think once looking at this from the article that Proofpoint put out, there's a lot of interesting things in there that caught me right off the bat. First is the sophistication. A lot of times a lot of phish are just very crude and there's misspellings and things like that. But the sophistication in this, which I really love, the redirect, you know, that if you weren't the person that was getting targeted, you were taken, like, to the legitimate Amazon page, which is, you know, so that's really showing the sophistication. Also, you know, knowing about the kit's back end where, you know, this is sold as a service. So kind of software as a service on the back end, you got a really nice GUI. It's keeping track of, you know, your victims and all that. So what this is telling me is that this is a very sophisticated operation, you know, that's out there. So what I wanted to do was I wanted to kind of look at the dark web and kind of look at the Chinese underground economy and kind of see what they were saying about that out there. And I found some really interesting things just kind of from digging from Selena's research. So one is we just started pulling some of the domains, you know, that you look there, and looking at the registrant emails, which were these QQ.com emails, and, you know, so we just kind of looking at, you know, a couple of them were registered over 2000 domains apiece. So you can see it's, you know, so just thousands and thousands of, you know, domains that are being registered in that. And then we were just seeing on some Chinese Telegram channels that advertising, you know, these synchronous phishing kits is what they're calling. So I don't know whether they're CoGUI or not, but, you know, something very similar that's out there, you know, so they're talking about, you get a nice front end phishing page, a back end database panel. You could, you know, allow easy viewing of data and all of that.
So we've seen a lot of advertisements just last month, you know, in these Chinese Telegram channels. So it was really neat to kind of see what you were seeing on that front end there at Proofpoint from the, you know, from the email gateway, to kind of look now at what's being seen on that back end there in the cyber underground. So I find it very fascinating.
Keith
Keith, I'm curious, with your experience in law enforcement and the folks you've worked with over the course of your career, can you provide insight onto why a threat actor, a bad guy, would decide, would choose to be the provider of the kit that does the crime versus just doing the crime themselves? Are there practical considerations there or do they consider themselves to have less exposure to, you know, potentially being arrested if they're providing the kit and not doing the actual crime?
Keith Milarski
Yeah, I guess, potentially. But they're looking at it as a business model, you know, So, I mean, you think of it, they're kind of viewing themselves as a startup. Okay, hey, I'm gonna start up this business just like if you were gonna open, you know, a coffee shop and you know, hey, you're selling coffee every day or whatever. So in, in the underground, it is kind of the same thing. Hey, I'm developing a product for people to use and I'm gonna market it and sell it. So it's, it's a, it's a full business model from that. And you know, and sometimes these, these models, they take a cut. So when you think a lot of like the ransomware groups, they have affiliates and things out there. So it's really just that, that underground economy, that organized crime ecosystem, that's, that's, that's out there.
Keith
So it's potentially that being the provider of the tool is maybe more scalable than being the person out there doing the phishing scams.
Keith Milarski
Yeah, potentially. I mean, you know, when you're actually doing the phish, you know, as well, so you have to take that data and then you have to monetize it or sell it. You know, in this case, because I saw that they weren't really targeting MFA, that was kind of just telling me that they're probably turning around and selling that data very quickly. Just, you know, at first look at it.
Selena
Yeah, well, and I think it's interesting too, right? So much like how we operate in any business or as threat researchers, we all have our specialization, right? So I don't do malware reversing. So if I was running a criminal enterprise, I wouldn't be building malware. You know, I would be blogging our findings for our criminal customers. No, just kidding. But, you know, it's. So it's all kind of like a breakdown. So, like, building tooling and then using tooling are two separate skill sets. So I think that that is part of it as well, where you have these enterprises that are kind of run like businesses in many cases, in the case of the CoGUI phish kit, where we don't have great visibility into how that operation is structured. But we've seen, for example, like you mentioned, a lot of the ransomware affiliates we saw, for example, like in the Conti leaks or the Black Basta leaks, you have people who specialize in different things and are talking about how to use different tools at what time, how to get around detections, different types of bypasses. You know, Keith, you mentioned the circumvention and the geo filtering and different IP filtering techniques that are used in this case and also in other phishing operations. There's also malware delivery operations that we've seen. So, you know, there's a lot that kind of goes into that. And it's entirely possible, right, that, you know, the people that buy these phish kits, sometimes the level of skill needed to deploy phishing kits is quite low. If you have this sort of email sender infrastructure set up and some of the stuff that you need to actually spam, you don't really need to know the heavy lifting of the functionality of how the tool works, or you don't necessarily need to modify it yourself. It's very much plug and play.
Whereas some of the other more advanced threat actors you see doing the full operation, they have that ability to build the tool and they're probably not selling it, they're probably using it themselves to further their own sort of objectives. Obviously that's not every case, but it's kind of interesting. And if we're talking about sort of the, like, the goal or the objective, right? So again, we don't see that. We see the initial access, right, like the email. So you're providing all this interesting insight from the beforehand, like on the dark web, what they're doing and how they're advertising it, what they're selling. But we were able to actually look at a publication that Japan's Financial Services Agency published. It was so funny because we were like working on this research and then I was like, oh, hey, did you see this? And we're like, definitely not. So thank you to my Japanese-speaking colleagues for flagging this because of course all of this, you know, is Japanese language and we have a few native speakers. I of course do not speak Japanese. So I'm not monitoring the Financial Services Agency's press releases, but they did note that there's been a sharp increase in the number of cases of unauthorized access and unauthorized trading on Internet trading services using stolen credentials, stolen consumer information. So login IDs, passwords from fake websites disguised as the websites of real securities companies. So it does look like, you know, they might be selling some access, but they also might be using, you know, this access to conduct fraudulent transactions and to purchase stock in other companies that potentially align with their interests. So, yeah, pretty interesting.
Keith Milarski
What I thought was very fascinating too, you know. So you see the Chinese threat actors targeting Japan and that kind of makes it easy because they're both Sinogenic languages. Is that how you say it? Cyanogenic languages. So you were talking about pronunciations, Dave. Here we go.
Keith
I thought you were fluent in like half a dozen languages. Is that incorrect?
Keith Milarski
No, just Pittsburghese.
Keith
Dave just buried right Yin's get it right.
Keith Milarski
So kind of what that tells me is okay, that's an easy first place to target, but then I would expect to kind of see them targeting more US companies as well. So we're seeing kind of the emergence of the whole Chinese e-crime organizations and economic structures there. Because usually when we're thinking of China, we're thinking of APT threats, but now we're really seeing that move into e-crime and them getting more sophisticated. So normally we were just like what you were saying, Selena. We were seeing, you know, crude smishing, you know, the toll, you know, pay your toll smishing, you know, them setting up VPN services and things like that now. So we're kind of seeing that sophistication move now, which will be a little bit more worrisome because we're always thinking of e-crime actors of like Russia or maybe West African. But now here come the Chinese coming saying, hey, we want to play in that space too.
Selena
Stick around. We'll be right back.
Keith
Does the proliferation of these kits make it more challenging for attribution?
Selena
So that's a good question. I have some thoughts, Keith. I don't know if you have thoughts, but I would say for the proliferation of the kits? I wouldn't say so, no. So there's a lot of. There's so many phishing kits that exist. A lot of them have been around for a really long time. They've just gotten a lot better. In fact, a lot of the phishing kits that we see are actually MFA attacker-in-the-middle types of phishing kits. So, like Tycoon or socket pages, things like that. The thing is, right, so it's kind of like using a tool. So, for example, so the burglar used.
Keith
A Craftsman tool crowbar to break into the building.
Selena
Yeah. But they still left fingerprints. Yeah, so they're still leaving their fingerprints, but they're using a tool that they bought at the hardware store. So, you know, if they break into a building, maybe they put the crowbar at the top lock as opposed to the bottom lock. Or, you know, they went for a window instead of a door. And, you know, once they were inside, they were specifically looking for computers. And a different one might be looking for televisions. So, you know, you have a robber that has their own tricks and techniques and shoes that they wear and, you know, gloves that they wear and stuff that they're stealing. And maybe they eat your chips while they're in your kitchen.
New Guy
Not your dips.
Keith Milarski
Dips. No, no.
Keith
Oh, no. Oh, I don't know what I would do if my dips went missing.
Selena
Dave is specifically targeted by threat actors going after gourmet dips.
Keith Milarski
There you go.
Selena
That is their teacher.
Keith
Yeah.
Selena
But I would say. Yeah, so. So the kits themselves can be traced back to a kit provider. Right. And then you have the distribution. So there's a lot of stuff that you can kind of look at for, like, spam, how they're doing malspam, the different sender infrastructure that they're using, the actual URLs, the payload URLs, and some of the kubernetes, stuff that's within the full attack chain. And then, of course, the objective. So a lot of times we don't always see the objective, but sometimes we do. And there's actually some really interesting research that was published by Sophos back in April, where they were talking about how, for example, a phishing threat actor, which, again, you know, it's something I think that we have to kind of shift our mindset a little bit on, getting away from, like, only malware leads to malware, and phishing leads to, like, sort of identity theft. Because in this case, Sophos published this detail about a spear phishing campaign that impersonated ScreenConnect and tried to steal credentials for that tool. And so they were phishing for that tool and then ultimately it led to a ransomware infection. So, you know, you can use credentials for a lot of different things, whether it's, you know, fraudulently buying and selling stocks or, you know, gaining access to then distribute ransomware, or, you know, targeting identities to then pivot within an organization. So there's a lot of that interest there. And so it's really kind of about the full attack chain and not necessarily the tool that they're using when it comes to attribution. Mostly. Of course, there's like, you know, back in the days when it was just Poison Ivy used by China, like that was.
Keith Milarski
Yeah.
Selena
Speaking of China.
Keith Milarski
Yeah, yeah. I think, you know, the interesting thing here is, you know, I think that people should understand is, you know, what started out in Tokyo is not going to stay in Tokyo, so to speak. You know, what we're going to see is the evolution of these threat actors targeting U.S. companies. And I think that, you know, where people have always been focused on e-crime, again on that, you know, that Russian market and learning about those actors and those TTPs, you know, you're going to be seeing a whole totally different set of TTPs coming at you, potentially from Chinese actors. So you really got to, you know, understand your adversary, you know, and how that's going to pivot, move in the future. For sure.
Selena
Yeah. And I would say too, from the, like, China malware perspective. So obviously there's cred phish, but from the malware perspective there's. I always love when we're looking at data and we're looking at, oh, we suspect that this is, you know, potentially Chinese operators, or at least China. They're speaking Chinese, right. These operators are doing this work and then you see, oh, this is like a fun new malware and then it just ends up being like Gh0st RAT in a hat. Like Gh0st RATs have been around for like decades at this point. And it was, you know, again, originally used by China APT. And now it's just like all of these different things that are just like Gh0st RAT dressed up in a different outfit.
Keith
Yeah. First of all, I love Gh0st RAT in a hat. Like that should be a. There's another T-shirt for you or maybe a stuffed animal to give away at the rsu.
Keith Milarski
Don't like it in a box. Don't like it with a fox, Dave.
Keith
Yeah, yeah, but it all, I mean, reminds me of the, you know, when a company gets hit with ransomware or something. And of course, the first thing that comes out of PR is, you know, these were sophisticated threat actors. This was an international operation. There was no possible way we could have defended ourselves against something of this sophistication. And as fully funded as they were. And then every now and then, every now and then we find out, nope, it was a teenager in a basement. Just, it was just persistent, had nothing better to do that weekend and just banged away at them. And that's sometimes the way the pieces fall. Right.
Selena
There's more to come after the break.
Keith
All right, well, I'll tell you what, let's bring it home here and give our listeners some actionable advice here. I mean, when we're talking about protecting yourselves against this sort of thing, let's go to each of you and talk about recommendations. You want to lead us off here, Selena?
Selena
Sure, yeah. So when it comes to any type of credential phishing, certainly with CoGUI, but with other types as well, while most of the time we didn't necessarily see CoGUI being MFA-aware, awareness is very, very important to ensure that you do have MFA on everything. And if you can, preferably something like a FIDO token, right? So like a physical key that is responsible for verifying your identity. It is very like basically, you know, if it's just SMS, there's ways to get around it. You know, if it's a code that could be potentially socially engineered, or if it's MFA-aware, it can steal session cookies. So, you know, having that FIDO token as your reliable second factor, the physical key of some sort being a defense, is very, very useful also for organizations. I mean, I know like everyone talks about security training, but making sure that people are aware of what it looks like, right? Talking to your team, especially tailoring it for, like, what it's actually going to look like. Right. So, you know, the gas gift card would probably like. We don't really see that in phishing, but we see, you know, potentially that in training. But that's not, you know, that's not what your employees are probably going to be faced with. It's going to be something that looks like Amazon or looks like, you know, a different brand or company. So really tailoring a lot of that training and awareness around what's actually impacting your organization. And that's why when we kind of talk about, like, threat-informed defense, that's part of it. Right. So knowing what's targeting your organization, knowing what some of these threats are, and being able to both make sure your security teams are aware of it and educating them on best practices. Are we defended against this? Of course.
You know, from the network security perspective, making sure that you have various rules that are detecting a lot of this stuff and making sure that the endpoints are also, you know, well defended. For example, we threw in some Emerging Threats rules in the blog that detect some of these phish kits. But yeah, I mean, MFA everywhere, preferably not. Preferably a token, like.
Keith
So Selena didn't leave a whole lot of room for additional things there.
Keith Milarski
Keith, that's fine, but I will close it with this. We just have to expand our perception of e-crime. We can't throw in these silos of China equals APT, Russia equals e-crime, because that's going to start emerging and it's just really too simplistic and it's really missing the real point of everything. And for my law enforcement friends that may be listening here too, that have always focused on Russia, now you need to get your Mandarin up to speed. You need to start looking at the Chinese-speaking Telegram channels and things like that, where maybe they've been focusing on Russia, because we're going to see this and we're going to see it a lot more because it's evolving very quickly.
Selena
Dave, I feel like one day we should have the great debate of. Keith, you will disagree with me because I think law enforcement has a different view on this. But for most organizations, attribution doesn't matter.
Keith Milarski
This should be a big topic. I would love to talk about it because actually, a CISO just told me two weeks ago, he says, I don't care about attribution. I just want to stop it. And I was about ready to have a heart attack.
Keith
Future episode, friends. Future episode. Producer Liz, jot it down. Future episode. All right, we're going to leave it there before we come to blows over whether or not attribution is important. Selena, Keith, thank you so much. Great episode, as always. We'll see you guys back here next time.
Selena
Go save your dips, Dave.
Keith
I'm gonna go save my dips.
Selena
And that's Only Malware in the Building. Brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're on the trail, unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead of the ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes, mixing and sound design by Trey Hester, with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher.
Keith
I'm Dave Bittner.
Keith Milarski
I'm Keith Milarski.
Selena
And I'm Selena Larson. Thanks for listening.
Keith
And we thank ThreatLocker for sponsoring our show.
New Guy
ThreatLocker Application Allowlisting, Ringfencing, Network Control and EDR solutions enhance cybersecurity postures and streamline internal IT and security operations. Learn how at threatlocker.com.
Podcast Summary: "The Great CoGUI Caper" – Hacking Humans by N2K Networks
Release Date: June 3, 2025
Episode: The Great CoGUI Caper
Host/Author: N2K Networks
Description: Deception, influence, and social engineering in the world of cybercrime.
In this episode of Hacking Humans, the team from N2K Networks delves deep into the intricacies of modern phishing scams, focusing on a particularly sophisticated phishing kit known as CoGUI. Hosted by Dave, Keith Milarski, and Selena Larson, the discussion provides valuable insights into the evolving tactics of cybercriminals and offers actionable advice to safeguard against such threats.
The episode kicks off around [04:21] with Selena introducing the primary topic: credential phishing using the CoGUI phish kit. She highlights recent research by Proofpoint, which identifies CoGUI as a significant threat targeting Japan with millions of messages per campaign, occurring multiple times a week.
Selena [04:21]: "It's a super interesting threat cluster of activity. It's a phish kit that targets largely Japan with millions of messages per each campaign."
Keith and Selena elaborate on the sophistication of CoGUI, emphasizing its targeted approach and high customization. Unlike more generic phishing attempts, CoGUI impersonates both consumer and financial brands with remarkable accuracy, enhancing its credibility and effectiveness.
Keith Milarski [10:08]: "The sophistication in this, which I really love, the redirect, you know, that if you weren't the person that was getting targeted, you were taken, like, to the legitimate Amazon page."
Selena adds that CoGUI is particularly adept at mimicking financial institutions, making it a potent tool for attackers aiming to steal sensitive credentials.
A significant portion of the discussion revolves around the distribution channels and the underground economy supporting CoGUI. Keith delves into the backend operations, noting the use of platforms like Chinese Telegram channels where these phishing kits are advertised and sold as a service.
Keith Milarski [12:29]: "We're seeing a lot of advertisements just last month, you know, in these Chinese telegram channels."
This commercialization of phishing tools indicates a scalable and organized approach by cybercriminals, resembling legitimate business models.
The conversation shifts to the complexities of attributing such sophisticated phishing campaigns to specific threat actors. Selena argues that while the proliferation of phishing kits makes attribution challenging, each kit can still be traced back to its provider through various indicators like spam methods, sender infrastructure, and payload URLs.
Selena [20:14]: "So the kits themselves can be traced back to a kit provider. Right. And then you have the distribution."
Keith echoes this sentiment, highlighting the broader implications for attribution and the need for organizations to expand their understanding of cyber threats beyond traditional stereotypes.
Keith Milarski [28:02]: "We just have to expand our perception of E-crime. We can't throw in these silos of China equals APT. Russia equals E-crime because that's going to start emerging and it's just really too simplistic."
As the discussion progresses towards actionable advice, Selena emphasizes the importance of Multi-Factor Authentication (MFA) and tailored security training. She advocates for using physical tokens over SMS-based MFA to enhance security.
Selena [25:46]: "While most of the time we didn't necessarily see CoGUI being MFA, awareness is very, very important to ensure that you do have MFA on everything. And if you can, preferably something like a FIDO token."
Keith adds to the conversation by stressing the need for a holistic view of cyber threats, urging organizations to move beyond siloed defenses and adopt comprehensive security measures.
The episode concludes with the hosts reiterating the evolving nature of phishing threats and the necessity for organizations to stay informed and proactive. They stress that understanding the tactics, techniques, and procedures (TTPs) of cybercriminals is crucial in defending against sophisticated phishing campaigns like CoGUI.
Selena [29:32]: "Go save your dips."
Keith Milarski [29:35]: "And that's only malware in the building."
For those interested in staying ahead in the cyber security landscape, this episode provides a thorough analysis of modern phishing threats and practical strategies to counter them.