Maritime security intelligence firm Dryad Global and cyber partners RedSkyAlliance monitor attempted cyber attacks in the maritime sector, examining how email is used to deceive the recipient and potentially expose the target organizations. The following update regards the period from 25 April to 2 May.
The partners note that even if attackers can get only 10% of recipients to open their malicious attachments, they can send thousands of emails a day from similar templates, yielding hundreds of victims per day. They can also automate parts of this process for efficiency. It is therefore critical to train all employees to identify malicious emails and attachments.
Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
25 Apr-2 May: Key points
This week, partners observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Spar Canis” and “MV Grace Ocean” among others. There appears to be an ongoing campaign using the same subject line to target numerous recipients.
Analysts observed threat actors impersonating multiple companies to spread phishing malware while using the same subject line – “Shipping documents notice.”
While obfuscation of the sending address makes it harder to identify the true sender, analysts observed at least one sender address in its original form, which allowed them to identify one of the companies impersonated in this campaign. In one case the sending address appeared as “EBILLS<dpartin@singerlevick[.]com>”, indicating that the attacker is impersonating the law firm Singer & Levick, based in Dallas, TX, USA.
It appears that attackers are spoofing the sending email and are not using a compromised account.
However, the email address belonging to a lead attorney at the company is listed in the recent COMB (Combination of Many Breaches) breach data. By compromising legitimate business email credentials, attackers can log in to real accounts, appear more legitimate, and achieve a higher rate of success. The following obfuscated email addresses were used to send malware:
- “EBILLS” [email protected]
- “EBILLS” [email protected]
- “EBILLS” [email protected]
- “EBILLS” [email protected]
- “EBILLS” [email protected]
The attackers use the alias “EBILLS” to make the target think the email comes from a legitimate online billing service. Although the sending addresses are mostly obfuscated, the TLDs used indicate the attackers are impersonating senders from Japan, Brazil, China, and likely the United States. Because the message body is “[redacted]”, there is no additional information in the body to help identify the attackers.
There are more than 15 unique email addresses being targeted by these malicious emails. If any of the targets opened the malicious attachment, they would be prompted to input their password into a fake login screen created by the attackers.
After the target inputs their password (username is pre-filled by attackers), the attackers would steal this password for use in future cyber-attacks. All of the phishing links observed appear to spoof a login for SF Express Delivery, a common delivery tracking service.
Companies that use this delivery service should be aware of the threat and monitor incoming emails for these patterns.
These analytical results illustrate how a recipient could be fooled into opening an infected email.
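The indicators described in this update (MV/MT vessel names and the shared “Shipping documents notice” subject, the “EBILLS” display name on an unrelated sender domain, and links to a spoofed delivery-tracking login) can be turned into a simple mail-triage rule. The following is an added example, not code from Dryad Global or Red Sky Alliance; the sample messages, the alias allow-list and the legitimate delivery domain are constructed placeholders that a defender would replace with their own values.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators lifted from the report: vessel-name subject lines (MV/MT prefix),
# the shared "Shipping documents notice" subject and the "EBILLS" display name.
SUBJECT_RE = re.compile(r"\b(?:MV|MT)\s+\w|shipping documents notice", re.I)
LURE_ALIAS = "ebills"
# Assumption: the defender maintains the sender domains allowed to use that alias.
ALIAS_ALLOWED_DOMAINS = {"billing.example"}
# Assumption: the real delivery-tracking domain that the spoofed login imitates.
LEGIT_DELIVERY_DOMAINS = {"sf-express.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def message_indicators(raw: str) -> list[str]:
    """Return the report indicators matched by one RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("maritime-subject-lure")
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # The lure alias is only suspicious when it rides on an unexpected domain.
    if display.strip().lower() == LURE_ALIAS and domain not in ALIAS_ALLOWED_DOMAINS:
        hits.append("ebills-alias-domain-mismatch")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        looks_like_brand = "sfexpress" in host.replace("-", "").replace("_", "")
        is_legit = any(host == d or host.endswith("." + d) for d in LEGIT_DELIVERY_DOMAINS)
        if looks_like_brand and not is_legit:  # brand name on a look-alike host
            hits.append("spoofed-delivery-login-link")
            break
    return hits


def triage(messages: dict[str, str], threshold: int = 2) -> dict[str, list[str]]:
    """Return only the messages that match at least `threshold` indicators."""
    return {name: hits for name, raw in messages.items()
            if len(hits := message_indicators(raw)) >= threshold}


# Constructed samples modelled on the report; addresses and links are placeholders.
SAMPLES = {
    "phish": ("From: EBILLS <dpartin@lawfirm.example>\n"
              "Subject: Shipping documents notice - MV Spar Canis\n\n"
              "Please review: http://sf-express.tracking-login.example/login\n"),
    "benign": ("From: Ops Desk <ops@shipping.example>\n"
               "Subject: Crew change schedule\n\n"
               "See https://www.sf-express.com/ for the parcel status.\n"),
}
```

Requiring two indicators keeps a lone vessel name in a subject line (common in legitimate maritime traffic) from being flagged on its own.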
Recommendations
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures. Therefore, it is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our vessel impersonation information, and the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.