Secureworks has recently discovered a threat actor whose business email compromise (BEC) campaigns focus solely on global maritime shipping companies and their customers.
Named GOLD GALLEON, the group is said to have attempted to steal at least $3.9 million from their intended victims between June 2017 and January 2018 alone. Overall, the group attempts to steal an average of $6.7 million per year, the security researchers say.
As part of the BEC social engineering scheme, actors usually employ spear-phishing emails to steal email credentials of individuals responsible for handling business transactions. This allows them to intercept emails between involved parties, modify financial documents, and redirect funds to attacker-controlled bank accounts.
Alongside business email spoofing (BES) fraud, BEC continues to cause significant losses globally, in the order of billions of dollars per year.
To gather email account credentials and launch attacks, GOLD GALLEON uses various commodity remote access tools featuring keylogging and password-stealing functionality. However, the attackers also test malware on their own systems and keep track of their tools’ detection rates, Secureworks reports.
Likely based in Nigeria, the group targets not only shipping organizations, but also companies that provide ship management services, port services, and cash to master services.
Typically located all around the world and operating in different time zones, companies involved in shipping industries often rely entirely on email for conducting business transactions, which makes some of these organizations highly susceptible to BEC fraud methods.
GOLD GALLEON consists of at least 20 criminals collectively carrying out BEC campaigns targeting firms in South Korea, Japan, Singapore, Philippines, Norway, U.S., Egypt, Saudi Arabia, and Colombia. They use tools, tactics, and procedures (TTPs) similar to those of other BEC/BES groups, including publicly available remote access Trojans (RATs), crypters, and email lures.
The organization has several senior individuals who coordinate and allocate tasks to other individuals, who often handle the purchase of new tools, and also coach inexperienced members. Each member is responsible for a different task, such as RAT obfuscation, victim email monitoring, and the like.
The group uses a proxy and privacy services to disguise its origin, but evidence strongly suggests the attackers operate out of Nigeria. They appear to be regularly connecting to the Internet via Nigeria-based infrastructure, and were observed using Nigerian Pidgin English in conversations carried out via instant messenger services.
While analyzing the group’s usernames, passwords, and other artifacts, Secureworks researchers concluded that members of GOLD GALLEON are strongly connected to a popular fraternity in Nigeria dubbed the Buccaneer Confraternity (originally established to support human rights and social justice, a subgroup of the fraternity is said to have engaged into criminal activities).
“The group follows a common operational pattern often relying on low-tier, free, or inexpensive tools. What it lacks in technical prowess is made up for in social engineering, agility, and persistence. Despite technical challenges and minimal investments in cybercrime tools, infrastructure, and automation, the group’s profit margins are orders of magnitude greater than its initial investment,” Secureworks says.
The group likely identifies target email addresses through reconnaissance of publicly available contact information, but it might also use commercially available marketing tools that scrape email addresses from company websites. The threat actors occasionally purchase email lists of target businesses, the researchers say.
After accessing a target’s inbox, the attackers use the free tool EmailPicky to extract contacts from the address book and all of the email addresses the target has had an exchange with. The tactic appears to have been extremely fruitful for the actors, as many of the harvested contacts are in the maritime shipping industry.
Spear-phishing emails carrying malicious attachments are delivered to the intended victims in an effort to deploy a RAT. The group uses tools such as the Predator Pain, PonyStealer, Agent Tesla, and HawkEye keyloggers. Next, the attackers monitor the victim’s email account to intercept business transactions and redirect funds by simply modifying the bank details in the seller’s invoice.
The group also purchased domains closely resembling the buyer’s or seller’s company name and also registered email accounts containing a variation of the target’s name, which allowed them to impersonate either party.
During their investigation, Secureworks researchers were able to interrupt dozens of BEC fraud attempts and notify victims to prevent transfers. They also reported the identified attacker-controlled accounts to banks, to stop fraudulent use. Overall, the researchers averted losses of more than $800,000.
“The monetary losses [caused by BEC] can be significant to the victims and the affected businesses. In some cases, the victims are unaware of what is happening until it is too late. Organizations in some industries (in this case shipping) may be exposed to heightened risk as threat actors focus their attempts toward industries that are more susceptible to these techniques,” Secureworks concludes.