Red Sky Alliance performed another weekly query of its backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject lines of malicious emails.
Using Motor Vessel (MV) or Motor Tanker (MT) keywords in the subject line is a common lure to entice users in the maritime industry to open emails carrying malicious attachments.
Red Sky Alliance reports that malicious actors are using vessel names to spoof companies in the maritime supply chain. This week analysts observed a wide variety of maritime-related subject lines; new vessel names used this week included “MV Coral Emerald” and “MV Wilton,” among others.
Analysts also observed the malicious subject line “MAERSK LINE – World’s shipping leader…..” in use this week. This email leverages several techniques to get targeted users to open the malicious attachment.
The sender identifies herself as Marilyn Foster of the Shipping & Logistics Dept. of Maersk Line Asia. However, the sending address, docs[at]maersk[.]com, is not listed anywhere in open-source information. The email is generic enough to serve as a template sent to many recipients. Although the message is supposedly sent from a Maersk domain, its Reply-To address is jp.intl555[at]gmail[.]com, so any reply goes to the attacker rather than to Maersk. The same Gmail address was seen sending other malicious emails (with Korean subject lines) last October.
The message body has several features that help identify it as illegitimate. First, the “Dear Shipment Owner” greeting is generic enough to address thousands of companies in the maritime sector. Second, font sizes vary throughout the email, which is unusual for corporate correspondence. Last, the signature contains no contact information and shows an image of a Maersk ship that was most likely pulled from open sources.
The malicious attachment in this case is a disk image file titled “Maersk Original Doc 101.img.” A .img file is a byte-for-byte copy of a disk, CD, or DVD; current Windows versions mount such an image with a double-click, which lets the attacker deliver an executable past filters that block .exe attachments (and, on Windows builds before the late-2022 fix, files inside a mounted image did not inherit the Mark-of-the-Web, so SmartScreen warnings could be skipped). The image contains a malicious executable which, once the image is mounted and the file is run, installs spyware on the victim host to steal sensitive information. In this instance the image carries malware detected as HEUR:Trojan-PSW.MSIL.Agensla.gen, a heuristic detection name for a .NET password stealer of the Agent Tesla family. This malware steals credentials from the victim host, specifically targeting FTP and browser credentials.
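The red flags above (a Reply-To on a different domain than the From address, an MV/MT vessel-name subject, a generic greeting, and a disk-image attachment) can be turned into a simple mail-triage check. The following is an added example written for this page, not Red Sky Alliance's tooling; the message is a constructed sample that only imitates the lure described (the addresses are the report's defanged indicators, refanged so the parser can read them, and the attachment bytes are dummies), and the extension list, greeting list and vessel-prefix regex are assumptions chosen for the example.

```python
import email
import email.utils
import os
import re
from email import policy

# Constructed sample message resembling the lure described in the report. It is
# not the captured email; the addresses are the report's defanged indicators,
# refanged so the parser can read them, and the attachment body is dummy bytes.
SAMPLE_EML = """\
From: Marilyn Foster <docs@maersk.com>
Reply-To: jp.intl555@gmail.com
To: undisclosed-recipients:;
Subject: MAERSK LINE - World's shipping leader.....
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Shipment Owner,

Please find attached the original shipping documents for your cargo.

Shipping & Logistics Dept.
Maersk Line Asia
--b1
Content-Type: application/octet-stream; name="Maersk Original Doc 101.img"
Content-Disposition: attachment; filename="Maersk Original Doc 101.img"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Same constructed message with a vessel-name subject like the ones the
# report lists, to exercise the MV/MT keyword check.
VESSEL_SAMPLE = SAMPLE_EML.replace(
    "Subject: MAERSK LINE - World's shipping leader.....",
    "Subject: MV Coral Emerald - Original Shipping Docs",
)

# Heuristic lists are assumptions for this example, not the report's own rules.
DISK_IMAGE_EXTS = {".img", ".iso", ".vhd", ".vhdx"}
GENERIC_GREETINGS = ("dear shipment owner", "dear customer", "dear sir")
VESSEL_PREFIX = re.compile(r"\b(?:MV|MT|M/V|M/T)\s+[A-Z]")


def domain_of(header_value) -> str:
    """Lower-case domain from a header such as 'Name <user@host>' ('' if none)."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_eml: str) -> list:
    """Return (indicator, detail) pairs for the red flags the report describes."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []

    # 1. Reply-To on a different domain than From: replies bypass the spoofed brand.
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"{from_dom} -> {reply_dom}"))

    # 2. Vessel-name lure (MV/MT prefix) in the subject line.
    subject = str(msg.get("Subject", ""))
    if VESSEL_PREFIX.search(subject):
        findings.append(("vessel_lure_subject", subject))

    # 3. Generic greeting that could address any company in the sector.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    first = lines[0].strip().lower() if lines else ""
    if first.startswith(GENERIC_GREETINGS):
        findings.append(("generic_greeting", first))

    # 4. Disk-image attachment: mounts on double-click and carries an executable.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in DISK_IMAGE_EXTS:
            findings.append(("disk_image_attachment", name))

    return findings


if __name__ == "__main__":
    for label, sample in (("maersk", SAMPLE_EML), ("vessel", VESSEL_SAMPLE)):
        print(label)
        for indicator, detail in triage(sample):
            print(f"  {indicator}: {detail}")
```

Run on the Maersk-style sample it reports the Reply-To mismatch, the generic greeting and the .img attachment; the vessel-subject variant adds the MV hit. In practice these indicators are best treated as a score rather than a hard block, since legitimate ticketing and newsletter systems also set a Reply-To on a different domain, and the .img check belongs at the gateway alongside a policy of not allowing mountable image attachments at all.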
These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to target individual pieces of a company’s supply chain as a stepping stone to cyber-attacks on larger companies, Red Sky Alliance notes.
Opening such an attachment could turn the recipient into an infected member of the maritime supply chain and thus possibly spread additional malware to vessels, port facilities and/or shore companies in the marine, agricultural, and other industries.
Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry.
Preventative cyber protection offers a strong first line of defence by stopping deceptive messages before they reach staff inboxes, but malicious actors develop new techniques to evade current detection daily.
Recent studies also suggest that cyber-criminals research their targets and tailor emails to staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime figures in the hope that staff lower down the supply chain will drop their guard and follow the spoofed instructions obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.