Security researchers say criminals have created new phishing campaigns designed to take advantage of the publicity around the Colonial Pipeline attack.
It is common for attackers to theme phishing emails after well-known events to trick people into clicking links and other suspicious content.
Customers of the cybersecurity firm INKY reported receiving emails that warned them about the ransomware attack against Colonial Pipeline. They were asked to download updates to prevent a similar scenario from happening to them.
The links were hosted on Namecheap-registered domains with convincing names such as ms-sysupdate.com and selectivepatch.com. The attackers used the same domains both to send the emails and to host the download links.
The attackers used the images and logos of the target company to make the fake websites look more convincing. Clicking the download button delivered a Cobalt Strike payload named “Ransomware_Update.exe” to the victim’s computer.
Cobalt Strike was the second most prevalent threat detected by Red Canary in 2021.
INKY says it started seeing this phishing attack about a month after the pipeline company paid the DarkSide group millions of dollars in ransom.
“In this environment, phishers tried to exploit people’s anxiety, offering them a software update that would ‘fix’ the problem via a highly targeted email that used design language that could plausibly be the recipient’s company’s own,” Alibe wrote. “All the recipient had to do was click the big blue button, and the malware would be injected.”
The attackers also made their emails look as if they had been sent by the user’s own company, which helped them capitalize on the fear around ransomware.
“If it looks as if it was sent by the company itself (e.g., from HR, IT or Finance), does it in fact originate from an email server under the company’s control? If it looks like the HR or IT Departments but deviates from the norm, that should be a flag,” the blog post said.
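The check described in that quote, written out as an added example (not INKY’s or the article’s code): it reads a plain-text email, flags an “HR/IT/Finance” display name on an outside domain, flags a company-domain sender that the gateway’s Authentication-Results header did not authenticate, and flags links hosted on the sender’s own non-company domain or pointing at an .exe. The company domain (example.com), the department keyword list and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed protected company domain (placeholder, not taken from the article).
COMPANY_DOMAIN = "example.com"
# Display-name words that make a sender look like an internal department.
INTERNAL_DEPT_RE = re.compile(r"\b(hr|it|finance|payroll|helpdesk|human resources)\b")

def authenticated_for(msg, domain):
    """True if the gateway's Authentication-Results shows an SPF or DKIM pass for `domain`."""
    ar = " ".join(msg.get_all("Authentication-Results", [])).lower()
    pat = r"(spf|dkim)=pass[^;]*[=@\s]%s(?=[\s;)]|$)" % re.escape(domain.lower())
    return re.search(pat, ar) is not None

def check_internal_impersonation(raw_email, company_domain=COMPANY_DOMAIN):
    """Return findings for a plain-text email that claims to come from the company itself."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    claims_internal = bool(INTERNAL_DEPT_RE.search(name.lower()))
    # 1. "IT Department" display name, but the address is on an outside domain.
    if claims_internal and sender_domain != company_domain:
        findings.append(f"internal-looking sender on external domain {sender_domain}")
    # 2. Company domain in From, but no SPF/DKIM pass for that domain.
    if sender_domain == company_domain and not authenticated_for(msg, company_domain):
        findings.append("company domain in From but mail did not authenticate for it")
    # 3. Links hosted on the sender's own non-company domain (the campaign reused
    #    one domain for sending and hosting), or pointing straight at an .exe.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = re.match(r"https?://([^/:?#]+)", url).group(1).lower()
        if sender_domain and sender_domain != company_domain and host.endswith(sender_domain):
            findings.append(f"link hosted on sender's own domain: {url}")
        if url.lower().endswith(".exe"):
            findings.append(f"link to executable download: {url}")
    return findings

# Constructed sample resembling the campaign described above (not a real message).
SAMPLE_PHISH = """From: "IT Department" <it-support@ms-sysupdate.com>
To: employee@example.com
Subject: Ransomware update - action required
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ms-sysupdate.com

After the Colonial Pipeline attack, please install this update today:
http://ms-sysupdate.com/update/Ransomware_Update.exe
"""
```

Running `check_internal_impersonation(SAMPLE_PHISH)` yields three findings (external “IT” sender, link on the sender’s own domain, link to an .exe); a message from the real company domain with a DKIM pass for that domain yields none.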
Alibe said IT teams should expect more attacks of this kind:
“We would not be surprised if we see attackers use the recent Nobelium-USAID phishing campaign as a lure,” Alibe said.