Threat actors often use popular news headlines to entice people to click on malicious links in email messages, and the recent Colonial Pipeline hack is a perfect opportunity for criminals. Threat researchers are seeing malicious emails that discuss the attack and ask victims to download a “ransomware system update” in order to protect their organization. The emails contain links to websites with convincing names. The threat actors behind the attacks created fake websites styled with the logos of the target companies to further convince victims that everything is legitimate. Threat researchers stated that the attackers were able to get past many phishing filters by using newly registered domains that had no reputation yet. The same technique will likely be used in conjunction with the recent JBS attack as well.
The best way to protect against phishing campaigns is training and awareness, combined with a good email threat filtering system to keep known threats from reaching employee inboxes. Teaching employees how to spot a phishing email is a strong second line of defense when automated filtering fails to identify a threat. Recognizing suspicious URLs or sender addresses, and knowing when an attachment may be malicious, can stop an attack that begins with a phishing email. Spelling and grammar errors are also common in phishing scams, as are suspicious links and mismatched domain names. If an email claims to be from a reputable company but was actually sent from a different domain, it is likely a scam.

More sophisticated, targeted attacks such as the campaign referencing Colonial Pipeline require extra vigilance on the part of employees and are best caught by endpoint monitoring that finds suspicious files which were downloaded and executed. Multi-factor authentication also provides a strong barrier against phishing attacks because it forces cyber criminals to overcome an extra step before they can act on employee passwords they have already compromised. Companies should also use a service such as Binary Defense’s Managed Detection and Response service to monitor endpoints for abnormal activity and identify attacks early, before they can cause damage.
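The display-name and domain mismatch checks described above, turned into a small triage script. This is an added example, not code from Binary Defense or from the campaign write-up; the sample message, the "Example Vendor" brand, its allow-listed domain and the lure phrases are all constructed placeholders that a real deployment would replace with its own allow-list and filter rules.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; domains and wording are placeholders, not real indicators.
SAMPLE = """From: "Example Vendor Security Team" <alerts@example-vendor-update.net>
To: staff@corp.example
Subject: Urgent: ransomware system update required
Content-Type: text/plain

Following the Colonial Pipeline incident, apply the ransomware system update here:
https://example-vendor-update.net/patch
"""

# Constructed clean message from the genuine (assumed) vendor domain, for contrast.
CLEAN = """From: "Example Vendor Security Team" <alerts@example-vendor.com>
To: staff@corp.example
Subject: Monthly advisory digest
Content-Type: text/plain

This month's advisories are listed at https://example-vendor.com/advisories
"""

# Assumed allow-list: brand keyword -> the one domain that brand really sends from.
TRUSTED = {"example vendor": "example-vendor.com"}
LURE_PHRASES = ("ransomware system update", "verify your account")

def sender_domain(from_header):
    """Domain of the real address in From:, ignoring whatever the display name claims."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower()

def registrable(host):
    """Crude eTLD+1 (last two labels); enough for comparing against the allow-list."""
    return ".".join(host.lower().split(".")[-2:])

def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, _ = parseaddr(msg["From"])
    dom = sender_domain(msg["From"])
    body = msg.get_content()
    findings = []
    for brand, real_domain in TRUSTED.items():
        if brand in name.lower() and dom != real_domain:   # brand in name, wrong domain
            findings.append(f"display name claims {brand!r} but sender domain is {dom}")
        if real_domain.split(".")[0] in dom and dom != real_domain:  # lookalike domain
            findings.append(f"lookalike sender domain {dom} mimics {real_domain}")
    for url in re.findall(r'https?://[^\s<>"]+', body):
        host = registrable(urlparse(url).hostname or "")
        if host not in TRUSTED.values():
            findings.append(f"link to untrusted domain {host}")
    text = (msg["Subject"] + " " + body).lower()
    findings += [f"lure phrase {p!r}" for p in LURE_PHRASES if p in text]
    return findings
```

Run `analyze(SAMPLE)` and `analyze(CLEAN)` side by side: the lure message trips all four checks (brand claim, lookalike domain, untrusted link, lure phrase) while the clean one returns nothing.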