Promising exclusive information about important events is a long-standing way for criminals to get a victim's attention. Security company INKY, however, recently discovered an unusual variation of the pattern, in which messages about the massive ransomware attack on Colonial Pipeline are used to spread further threats.
As the company reported on its blog, some of its customers received messages promising details about the attack on the pipeline operator and advising them on how to protect themselves from it. The emails always carry links that look trustworthy, using addresses such as “ms-sysupdate.com” and “selectivepatch.com”, but that start a malware download when clicked.
To make the scam more convincing, the criminals even used Colonial Pipeline's visual identity in their messages. By downloading one of the offered files, victims install Cobalt Strike on their machines, a threat linked to 66% of the ransomware attacks reported in the fourth quarter of 2020.
According to Bukar Alibe, a data analyst at INKY, criminals exploit people's anxiety to push them into acting. When people see news about attacks on the pipeline operator's systems, they look for a way to protect themselves, which makes a link promising an immediate solution all the more tempting to click.
The company warns that, to avoid becoming a victim, it is necessary to pay attention to the characteristics of such emails: even if they appear to come from a legitimate source, the sending domains must be verified as genuine. Another necessary measure is to establish formal communication standards and reinforce them across companies, so that nothing is installed without the supervision of the IT department.
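The domain check the company recommends can be automated as a first-pass triage on incoming mail. The following Python script is an added example, not code from INKY or from the original article: it parses a raw message, extracts the sender's domain and every domain linked in the body, and flags anything that is not on a trusted list, that matches one of the two campaign domains named above, or that pairs a trusted-looking display name with an untrusted domain. The trusted domain `example-pipeline.com` is a placeholder (the article does not name the operator's real domain), and both sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Placeholder for the operator's genuine domain; the article does not name it.
TRUSTED_DOMAINS = {"example-pipeline.com"}
# The two sending/link domains the article reports the campaign using.
KNOWN_BAD_DOMAINS = {"ms-sysupdate.com", "selectivepatch.com"}
# Brand names whose appearance in a display name should only come with a trusted domain.
PROTECTED_BRANDS = ("colonial pipeline",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def sender_identity(raw_message: str) -> tuple[str, str]:
    """Return (display name, lowercase domain) from the From: header."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def link_domains(raw_message: str) -> set[str]:
    """Collect the hostnames of every http(s) URL in a single-part text body."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def assess(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    name, domain = sender_identity(raw_message)

    if domain in KNOWN_BAD_DOMAINS:
        findings.append(f"sender domain {domain} is a known campaign domain")
    elif domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {domain!r} is not on the trusted list")

    # Brand impersonation: the display name claims the brand but the domain does not back it.
    if any(brand in name.lower() for brand in PROTECTED_BRANDS) and domain not in TRUSTED_DOMAINS:
        findings.append(f"display name {name!r} impersonates a protected brand")

    for host in sorted(link_domains(raw_message)):
        if host in KNOWN_BAD_DOMAINS:
            findings.append(f"link points to known campaign domain {host}")
        elif host not in TRUSTED_DOMAINS:
            findings.append(f"link domain {host} does not match a trusted domain")
    return findings


# Constructed sample: shape of the lure described in the article (not a real captured email).
PHISH_SAMPLE = (
    "From: Colonial Pipeline Security <alerts@ms-sysupdate.com>\n"
    "Subject: Exclusive: how to protect yourself after the pipeline attack\n"
    "\n"
    "Details of the attack and a protection patch are here:\n"
    "http://selectivepatch.com/update\n"
)

# Constructed sample: a message from the placeholder trusted domain linking to itself.
LEGIT_SAMPLE = (
    "From: Colonial Pipeline <noreply@example-pipeline.com>\n"
    "Subject: Service update\n"
    "\n"
    "Read the statement at https://example-pipeline.com/news\n"
)

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, assess(sample) or ["no findings"])
```

An allowlist check like this is only a screening step: in a real mail pipeline it should sit alongside the SPF, DKIM and DMARC authentication results, which establish whether the sending domain actually authorised the message rather than merely whether its name looks familiar.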
The post Criminals spread malware in “exclusive news” about invaded pipeline appeared first on CmaTrends.