
Forcepoint Security Labs™ brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats.

Find out more about the work we do through our blogs, annual reports, conference presentations and podcasts.

In a similar fashion to the Jaff ransomware, Forcepoint Security Labs have observed another piece of ransomware called “Scarab” being pushed by the infamous Necurs botnet. The massive email campaign started at approximately 07:30 UTC and is active as of 13:30 today, totalling over 12.5 million emails captured so far.

The graph below shows the per-hour volume of Scarab/Necurs emails blocked by Forcepoint between 07:00 and 12:00 UTC:

Figure 1: Scarab/Necurs emails intercepted per hour

Based on our telemetry, the majority of the traffic is being sent to the .com top level domain (TLD). However...

Read more

As we round out what has been one of the most impactful years in cyber security we are pleased to announce the Forcepoint Security Labs’ cyber security predictions report for the forthcoming year.

Subject matter experts across our global Security Labs, Innovation Labs, CTO and CISO teams have pooled their collective insights to give you an accurate insight into the landscape of the future. We have dived into the current threat landscape, looked at business challenges on the horizon and surveyed enterprise leaders to arrive at what we think are key areas of risk that will present themselves in 2018 and beyond.

Read more

On 24 October 2017 Bad Rabbit – the third ‘major’ ransomware outbreak of the year – made headlines as it affected large numbers of machines, predominantly in Eastern Europe.

The malware bears many similarities to the Petya - AKA NotPetya, GoldenEye, ExPetr, Petrwrap - attack from June: the ransom messages are very similar in both content and style, the ransom demand is for a similar amount (USD $300 in June versus BTC 0.05 – approximately $280 at current prices), and it attempts to move laterally once inside a network....

Read more

Please note: This is an update to our original analysis posted earlier on Oct. 16, 2017.

The best advice is to not transmit or receive sensitive information over Wi-Fi without some additional form of encryption actively in place, and follow these best practices:

Use a corporate VPN client whenever you’re outside of your corporate networks. In conjunction, use HTTPS when browsing the web. Ensure that the padlock icon is active in your browser. Stop browsing if you get any pop-up errors about certificates or insecure communications. Apply vendor patches to all Wi-Fi...

Read more

Forcepoint Security Labs have encountered an ongoing Trickbot campaign that appears to target crypto-currencies. Trickbot is a banking Trojan that is traditionally known to target financial institutions. Recently, we have observed Trickbot targeting PayPal and expanding its list of target institutions to include those from Nordic countries.

Today’s campaign uses Canadian Imperial Bank of Commerce (CIBC) as a social engineering lure. Below is a screenshot of the email:

The attached document is disguised as a CIBC document. It contains a macro downloader that ultimately downloads and executes a...

Read more

This blog is part of a series! Read part one ‘Security, Performance, Obfuscation & Compression’ here and part two ‘Camouflage .NETting’ here.

Much attention is paid to the underground economy in the media with a huge focus on the availability of malware on underground and so-called ‘darknet’ forums. These underground services may make a more exciting story, but the recurring theme throughout the past two posts in this series has been the ready availability of commercial tools written without malicious intent which can nonetheless be turned to ill purposes.

Instead of relying on underground...

Read more

Click here for part one of this series: ‘Security, Performance, Obfuscation & Compression’.

Since its introduction the majority of malware authors have shunned .NET as a development platform, despite its relative popularity as a platform for developing legitimate Windows software. There are numerous potential reasons for this, but two in particular that likely have a significant influence on malware authors are .NET code’s reliance on external libraries (few people are likely to want to install a specific version of the .NET Framework in order to support someone trying to steal their banking details) and...

Read more

Recently, Forcepoint Security Labs have encountered a strain of scam emails that attempts to extort money out of users from Australia and France, among other countries. Cyber-extortion is a prevalent cybercrime tactic today wherein the digital assets of users and organizations are held hostage in order to extract money from the victims. Largely, this takes the form of ransomware, although data exposure threats - i.e. blackmail - continue to grow in popularity among cyber crooks.

In light of this trend, we have observed an email campaign that claims to have stolen sensitive information from recipients and demands 320 USD payment in...

Read more

Historically, the majority of traditional AV solutions have relied on static signatures to identify known malware. As a result, malware authors naturally started employing a range of tools to obfuscate the underlying code of their software in order to avoid such signature-based detection and to hinder (human) static analysis.

These obfuscation tools have proliferated in recent years, with numerous commercial offerings available as even legitimate software authors look to at least hinder the reverse-engineering of their products. While the methods and results vary, the ultimate intention is now usually to make the code...

Read more

In January 2016 Forcepoint Security Labs reported an email campaign delivering the Ursnif banking Trojan which used the ‘Range’ feature within its initial HTTP requests to avoid detection.

In July 2017 we discovered a malicious email sample delivering a new variant of Ursnif, attached within an encrypted Word document with the plaintext password within the email body. As recorded in several other Ursnif campaigns reported since April 2017, this Word document contains several obfuscated VBS files which load malicious DLLs through WMI.

However, these samples appear to exhibit new features including anti-sandboxing...

Read more