Hackers are getting more and more precise with their shipping targets, using real vessel names and the coronavirus in recent subject lines of malicious emails tracked by Dryad Global’s cyber security partners, Red Sky Alliance.
Red Sky Alliance is providing a weekly list of ships where it is observed that the vessel is being impersonated, with associated malicious emails.
The identified emails attempt to deliver malware or phishing links to compromise the vessels and/or parent companies.
Among more novel attempts to hack into shipping companies, emails are emerging impersonating a coronavirus advisory from the World Health Organization warning of vessels with infected crew.
Another email was observed in the past week attempting to impersonate a ship called Ocean Hero using a subject line of “MV OCEAN HERO : CTM DELIVERY”. The message contains an attached Excel spreadsheet identified by Microsoft as the Trojan:Win32/AutoitInject.BH!MTB malware. The message body contains a Cash To Master request of $60,000 referencing an attached document for details. However, opening the attachment could activate the malware, likely delivering ransomware and credential stealing payloads.
Another email highlighted in the weekly report from Red Sky Alliance has the subject line “CORONA VIRUS / AFFECTED VESSEL TO AVOID” suggesting the message contains a list of vessels with infected crew. However, the message body provides guidelines and procedures for ships masters to avoid crew infection. There are also numerous calls to action in the message body enticing recipients to open, fill out, and return the attached forms by email. The attached document, an Excel spreadsheet named “”CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm” echoes the subject line in its promise to reveal affected (infected) crew and vessels.
“Typically, the use of language is a good indicator of a spoofed message. Errors in grammar and punctuation can indicate a non-native English speaker originated a message. This is especially indicative when the attacker is trying to impersonate a sender who is expected to fluently speak and write the language,” security consultants Dryad Global noted in an update to clients.
“Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles,” Dryad Global warned.
Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently.