It is noted that malicious mails are sent by using a Motor Vessel (MV) or Motor Tanker (MT) keywords to attract users in the shipping industry to open emails containing malicious attachements.
The two collaborators gathered ten weekly examples of malicious mails sent, as shown in the table below.
In the table above, we can see malicious actions using vessel names in efforts to spoof companies, with the majority of the emails attempting to deliver Windows trojan malware. Some of the new vessel names used this week include “MV COCO GYUN” and “MV SEA CHAMPION” again this week, among others.
In efforts to explain how a malicious email works, an example is presented; Specifically, analysts observed that an email sent contained the subject line “VSL: ABALONE, QUOTATION: ABL-S205044A, VENDOR: JONGHAP MARITIME INC.” The email was sent from a “sales” email belonging to Shenzhen Cloud Sailing Company out of China. Notably the reply-to email address was one different from the sender and in this case was a Gmail account ([email protected]).
The phishing email targeted a Dutch computing systems company, GICOM, with the company's email being publicly available on their "contact us" page. Yet, there is no clear connection between GICOM, and the vessel mentioned in the email – MV Abalone.
The malicious email attachment was an .xlsm file which is an Excel file with macros enabled. This is a common filetype sent by attackers. The filename appears to be the same as the requisition number mentioned in the email text. It contains Exploit:O97M/CVE-2017-11882.ARJ!MTB.
It is highlighted that in an other mail, the experts saw the generic greeting “Dear sirs,” which is commonly used by attackers as templates for other malicious email campaigns. Because there is nothing about a specific ship/company in the message body, it could easily be copied for use in other emails.