Thursday, April 26, 2018

'Spearphishing' Attacks Aimed Specifically at the Freight Forwarding and Global Shipping Community

Latest Scam from Nigeria Has No Mention of Fake Generals or Illicit Bank Funds
Shipping News Feature
NIGERIA – WORLDWIDE – The Handy Shipping Guide Offices are bombarded daily by emails proffering fraud in every hue, from Tax rebates to threats to reveal our kindly old Editor's allegedly dubious internet history to the world. Now however one organisation, calling itself 'Gold Galleon' has been specifically targeting the global shipping industry and its freight forwarding customers for fraudulent activity. The group specialises in business email compromise (BEC) and business email spoofing (BES) fraud using a technique euphemistically known as 'spearphishing'.

It is somewhat unsurprising that this particular scam appears to originate in Nigeria (the fictitious Generals and Bank Executives all having presumably retired on the profits they had squirrelled away from the slew of emails they in turn used to send). Information on this latest scheme comes from researchers at Secureworks® Counter Threat Unit™ (CTU), who estimate that between June 2017 and January 2018, Gold Galleon, previously known as Gold Skyline, attempted to steal a minimum of $3.9 million from maritime shipping businesses and their customers. The CTU says that it has helped to interrupt multiple Gold Galleon fraud attempts, averting potential losses of more than $800,000.

BEC is a social engineering scheme where threat actors gain access to a business's email account. The actors typically use ‘spearphishing’ emails with malicious attachments to steal the email credentials of individuals responsible for handling business transactions. Once the threat actors have obtained these credentials, they can intercept emails between the two parties involved in a transaction and modify financial documents to direct funds to attacker-controlled bank accounts.

BEC and BES scams might seem unsophisticated, but they continue to account for significant losses globally, with the FBI reporting that such scams accounted for estimated losses of $5.3 billion between October 2013 and December 2016. Secureworks CTU has observed the group targeting firms in South Korea, Japan, Singapore, Philippines, Norway, US, Egypt, Saudi Arabia, and Colombia and encourages organisations to evaluate the BEC threat in the context of their own systems and consider the following steps to mitigate the risks associated with BEC:

  • Implement two-factor authentication (2FA) for corporate and personal email. Small and medium-sized enterprises (SMEs) are popular targets for BEC groups because SMEs typically have limited security budgets. Most BEC threat actors rely on remote access to a company's email via commodity webmail programs, so 2FA would deter all but the most sophisticated attackers.
  • Inspect the corporate email control panel for suspicious redirect rules. An unexplained redirect rule that sends incoming email from specific addresses to third-party systems could indicate a compromise and should trigger an organisation's incident response process.
  • Carefully review wire transfer information in suppliers' email requests to identify suspicious details.
  • Always confirm wire transfer instructions with designated suppliers using a previously established non-email mode of communication, such as a fax number or phone number. Establish this communication channel using a method other than email.
  • Require multiple approvals for wire transfers, and ensure this procedure is difficult for cybercriminals to discover.
  • Question any changes to typical business practices and designated wire transfer activity (e.g. a business contact suddenly asking to be contacted via their personal email address or a change to an organisation's designated bank account information).
  • Be suspicious of pressure to take action quickly and of promises to apply large price discounts on future orders if payment is made immediately.
  • Thoroughly check email addresses for accuracy and watch for small changes that mimic legitimate addresses, such as the addition, removal, substitution, or duplication of single characters in the address or hostname (e.g., versus username@
  • Create detection rules that flag emails with extensions that are similar to company email addresses (e.g., abc company versus abc-company).
  • Limit the information that employees post to social media and to the company website, especially information about job duties and descriptions, management hierarchy, and out-of-office details.
  • Consider adopting the Financial Industry Regulatory Authority (FINRA) standards to deter money laundering and fraudulent wire transfers.
  • Consider using the Secureworks' free pdfxpose tool that CTU researchers developed to help detect wire-wire fraud. CTU analysis of Gold Skyline activity revealed that the threat actors edited PDF invoice files by redacting the original payment details with a white opaque rectangle and then overlaying it with the money mule account information. This tool searches for sub-page-sized opaque rectangles with text overlays and adjusts the opacity and color to reveal potentially suspicious edits.
As we know to our industry’s cost there have been several huge cyber scams which penetrated the IT defences of some of the biggest names in the shipping business, and the gateway is often the unwary staff members email address. The utmost care has to be taken, and full training in how to identify this type of threat, in order to minimise the risks.

Photo: Cash to master (CTM) request from a South Korean ship management company. (Source: Secureworks)