Cyberattackers are now using the notoriety of the Colonial Pipeline ransomware attack as a lure for further phishing attacks; using news events to get people to click malicious links is a common tactic. INKY said it has received multiple such emails from customers.
INKY customers reported receiving emails that discuss the ransomware attack on Colonial Pipeline and ask them to download “ransomware system updates” in order to protect their organization from a similar fate.
The malicious links take users to websites with convincing names, ms-sysupdate.com and selectivepatch.com, both of which are newly created and registered with NameCheap. The same domain that sent the emails also controlled the links, INKY explained in a blog post.
The people behind the attack were able to make the fake websites look even more convincing by designing them with the logo and images from the target company. A download button on the page downloads a “Cobalt Strike” file called “Ransomware_Update.exe” onto the user’s computer.
In addition to capitalizing on the fear around ransomware, the attackers made the emails and fake websites look like they came from the user’s own company, giving them an air of legitimacy.
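The traits described above (an outside sender posing as the user's own company, links hosted on the same domain that sent the mail, "ransomware update" wording, and an executable download) can be checked together at mail triage. The following is an added example, not code from INKY or from the original article; `ORG_DOMAINS`, `EXEC_EXT`, the sample message and the `.test` hosts are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAINS = {"example-corp.test"}   # assumption: the recipient organisation's own domains
LURE_WORDS = ("ransomware", "update") # wording of the lure as described in the article
EXEC_EXT = (".exe", ".scr", ".msi")   # assumption: extensions treated as executable downloads

# Constructed sample; sender and host are placeholders, not indicators from the campaign.
SAMPLE = '''From: "Example Corp Help Desk" <helpdesk@sysupdate-lure.test>
To: user@example-corp.test
Subject: Ransomware system update required

After the Colonial Pipeline attack, install the ransomware system update:
http://sysupdate-lure.test/example-corp/Ransomware_Update.exe
'''

def base_domain(host):
    """Last two labels only (simplification: ignores multi-part public suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw, org_domains=ORG_DOMAINS):
    """Return the list of phishing traits found in a plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = base_domain(addr.rpartition("@")[2])
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    urls = [urlparse(u) for u in re.findall(r"https?://[^\s<>\"']+", body)]
    external = bool(sender) and sender not in org_domains
    brands = {d.split(".")[0].replace("-", " ") for d in org_domains}
    findings = []
    if external and any(b in display.lower() for b in brands):
        findings.append("external sender displays the organisation's name")
    if external and any(base_domain(u.hostname or "") == sender for u in urls):
        findings.append("links point to the sending domain")
    if all(w in text for w in LURE_WORDS):
        findings.append("ransomware-update lure wording")
    if any(u.path.lower().endswith(EXEC_EXT) for u in urls):
        findings.append("link downloads an executable")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
```

Domain age, which the article also highlights, needs a WHOIS or registration-data lookup and is left out so the example runs offline.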