SecureWorks recently discovered a different kind of Nigerian scam that may have cost enterprises millions of dollars...
According to a new SecureWorks report, a threat actor group out of Nigeria has been targeting the maritime shipping industry with a business email compromise campaign that involves fraudulent invoices and financial documents. The group, which SecureWorks called Gold Galleon, used a combination of malware and social engineering techniques to gain access to corporate email accounts and use them in an attempt to steal nearly $4 million via fake payment requests.
James Bettke, security researcher with SecureWorks' Counter Threat Unit (CTU) and co-author of the Gold Galleon report, said, at first, the research team couldn't figure out why the hacking group was targeting maritime shipping businesses. But once they looked closer, he said, the campaign started to make more sense.
"Doing international business of any kind lends itself to business email compromise attacks," Bettke said. "There are different time zones, language barriers and website domains -- all of the things we're supposed to notice with phishing attacks -- and these are absolutely common for the shipping industry."
In addition, several of the shipping organizations SecureWorks observed while tracking Gold Galleon were poorly protected. That allowed the threat actors to successfully infect employees with inexpensive, off-the-shelf malware, like remote-access Trojans and keyloggers. Once the threat actors steal credentials and gain access to email accounts, they can set up redirect rules, intercept invoices and payment requests, and change the bank and destination account for those payments.
SecureWorks said Gold Galleon attempted to steal at least $3.9 million in 2017. The vendor said it was able to avert approximately $800,000 in potential fraudulent payments and transfers, though Bettke said it's difficult to tell whether the remaining $3.1 million was successfully stolen by Gold Galleon, because SecureWorks doesn't have access to victims' financial records.
The CTU researchers were tracking another Nigerian hacker group specializing in business email compromise when they first discovered Gold Galleon. Bettke said the research team first caught on to the group because it observed the Gold Galleon hackers infecting their own systems with cheap malware in order to test it.
Bettke said the techniques Gold Galleon used are not sophisticated, but the business email compromise campaign the group built is very effective. "They're not really any different than other business email compromise groups," he said. "They invest very little in their tools, and they don't have a great understanding of the technology, but they know the payoff is huge."
The primary difference between Gold Galleon and other business email compromise groups, according to the report, is Gold Galleon specializes in a specific attack on a specific vertical industry.
"They're very good at social engineering," Bettke said. "They don't do anything else besides email compromise, and they don't try to access the corporate network once they successfully place their malware. They just study victims' inboxes and study the business and then use the email accounts."
In some cases, Gold Galleon hackers didn't obtain access to corporate email accounts, but they still succeeded by using cloned domains for email addresses that looked like legitimate corporate email domains and fake documents with the company's letterhead. The SecureWorks report detailed how a South Korean shipping company fell victim to these exact tactics.
Defending against business email compromise campaigns
Bettke said Gold Galleon was able to fly under the radar for some time because the threat actors didn't spam hundreds of email accounts with fake invoices and payment orders. Instead, the group kept the volume of compromised emails low, which made it harder for spam filters and email security products to pick up on its campaign.
SecureWorks' report recommended several steps to curb targeted business email compromise campaigns like Gold Galleon's, starting with implementing two-factor authentication for both corporate and personal email accounts. The report also encouraged security teams and network admins to inspect corporate email systems for any suspicious forwarding or redirect rules.
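The forwarding-rule check the report recommends can be scripted against an export of each mailbox's inbox rules. The script below is an added example, not SecureWorks' or the report's tooling; it assumes the rules have already been exported into a list of dictionaries with the field names shown (a constructed subset resembling what Exchange Online's Get-InboxRule returns), and the sample rules, addresses and domains are invented. It flags the three things an attacker's rule usually combines: forwarding or redirecting to an address outside the organisation's domains, matching finance keywords while hiding the message (delete, mark as read, or move to a folder the owner rarely opens), and a blank or one-character rule name.

```python
"""Flag mailbox inbox rules of the kind BEC actors plant after an account takeover.

Added example, not SecureWorks' tooling. It assumes the rules were exported
from the mail system into a list of dictionaries with the field names used
below (a constructed subset resembling Exchange Online's Get-InboxRule
output); the sample rules, addresses and domains are invented.
"""
import re

# Assumed: the organisation's own email domains; anything else is external.
INTERNAL_DOMAINS = {"example-shipping.test"}
FINANCE_WORDS = re.compile(r"\b(invoice|payment|wire|bank|swift|iban|remittance)\b", re.I)
# Folders attackers use to park intercepted mail where the owner rarely looks.
HIDE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Deleted Items", "Junk Email",
                "Archive", "Conversation History"}


def _domain(address):
    """Lower-cased domain part of an SMTP address such as '<ops@mail-backup.test>'."""
    return address.strip("<>").rsplit("@", 1)[-1].lower()


def audit_rule(rule):
    """Return a list of findings for one rule; an empty list means nothing suspicious."""
    if not rule.get("Enabled", True):
        return []                      # disabled rules do nothing; review them separately
    findings = []
    targets = []
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        targets.extend(rule.get(key) or [])
    external = sorted(t for t in targets if _domain(t) not in INTERNAL_DOMAINS)
    if external:
        findings.append("forwards or redirects to external address(es): " + ", ".join(external))
    words = " ".join((rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or []))
    finance = bool(FINANCE_WORDS.search(words))
    hides = bool(rule.get("DeleteMessage") or rule.get("MarkAsRead")
                 or rule.get("MoveToFolder") in HIDE_FOLDERS)
    if finance and hides:
        findings.append("matches finance keywords and hides the message from the mailbox owner")
    name = (rule.get("Name") or "").strip()
    if len(name) <= 1:
        findings.append(f"non-descriptive rule name {name!r}")
    return findings


def audit_mailbox(rules):
    """Map rule name -> findings for every rule that produced at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.get("Name", "")] = findings
    return report


# Constructed sample export: one benign rule, one attacker-style rule, one
# internal forward, and one disabled rule.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "From": ["news@vendor.test"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True,
     "SubjectContainsWords": ["invoice", "payment", "remittance"],
     "ForwardTo": ["ops.finance@mail-backup.test"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Cover while on leave", "Enabled": True,
     "ForwardTo": ["colleague@example-shipping.test"]},
    {"Name": "old test", "Enabled": False,
     "RedirectTo": ["someone@external-mail.test"]},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for finding in findings:
            print("  -", finding)
```

Run across every mailbox, the report is short enough to review by hand: legitimate rules forward to colleagues or sort newsletters, while a rule named "." that forwards invoice mail off-domain and parks it in RSS Feeds is the signature the article describes. Disabled rules are skipped here but are still worth a look, since an attacker can re-enable one later.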
Enterprises should also create rules in email security products that flag suspicious extensions that look like corporate email addresses, according to the report. SecureWorks also recommended using a free tool called Pdfxpose, which was developed by CTU researchers and searches for the small opaque rectangles that indicate text overlays and suspicious edits in PDF documents.
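The "small opaque rectangle" heuristic the article attributes to Pdfxpose can be illustrated with a simplified scanner. The code below is an added example written for this article, not the Pdfxpose tool itself or any code from CTU: it walks a PDF's content streams (decompressing Flate-encoded ones), records every rectangle path that is filled, and reports the line-sized ones, which is the shape a white box drawn over an account number or amount would have. The width and height thresholds are assumptions, and the PDF it scans is constructed inline for the demonstration.

```python
"""Find small filled rectangles in PDF content streams that may cover edited text.

Added example, not the Pdfxpose tool the article mentions: a simplified
heuristic in the same spirit. Thresholds are assumptions; the sample PDF is
constructed inline and is just valid enough to exercise the scanner.
"""
import re
import zlib

MAX_WIDTH = 400.0   # assumed: wider filled boxes are page backgrounds, not overlays
MAX_HEIGHT = 40.0   # assumed: taller boxes are tables or headers, not single text lines
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
STRING_RE = re.compile(rb"\((?:\\.|[^\\)])*\)")   # (...) string literals in a content stream
FILL_OPS = {b"f", b"f*", b"F", b"B", b"B*", b"b", b"b*"}   # operators that paint the fill
END_PATH_OPS = {b"n", b"S", b"s"}                          # end a path without filling


def _decode(stream):
    """Return the inflated stream if it is Flate-compressed, else the raw bytes."""
    try:
        return zlib.decompress(stream)
    except zlib.error:
        return stream


def _num(tok):
    try:
        return float(tok)
    except ValueError:
        return None


def filled_rectangles(content):
    """Return (x, y, w, h, fill_colour) for every `re` path that is filled.

    PDF operands precede their operator, so numbers are queued until the next
    operator is seen. String literals are blanked first so that text such as
    '(ref f 12)' cannot be mistaken for a fill operator.
    """
    operands, pending, fill, out = [], [], "default (black)", []
    for tok in STRING_RE.sub(b"()", content).split():
        n = _num(tok)
        if n is not None:
            operands.append(n)
            continue
        if tok == b"re" and len(operands) >= 4:
            pending.append(tuple(operands[-4:]))
        elif tok == b"g" and operands:                      # grey fill colour
            fill = f"gray {operands[-1]:g}"
        elif tok == b"rg" and len(operands) >= 3:           # RGB fill colour
            fill = "rgb " + " ".join(f"{v:g}" for v in operands[-3:])
        elif tok == b"k" and len(operands) >= 4:            # CMYK fill colour
            fill = "cmyk " + " ".join(f"{v:g}" for v in operands[-4:])
        elif tok in FILL_OPS:
            out.extend(rect + (fill,) for rect in pending)
            pending = []
        elif tok in END_PATH_OPS:
            pending = []
        operands = []
    return out


def suspicious_rectangles(pdf_bytes):
    """Scan every stream in the file and return the line-sized filled rectangles."""
    hits = []
    for idx, m in enumerate(STREAM_RE.finditer(pdf_bytes), 1):
        for x, y, w, h, fill in filled_rectangles(_decode(m.group(1))):
            if 0 < abs(w) <= MAX_WIDTH and 0 < abs(h) <= MAX_HEIGHT:
                hits.append({"stream": idx, "rect": (x, y, w, h), "fill": fill})
    return hits


def _build_pdf(streams):
    """Constructed minimal PDF body with the given (content, compress) streams."""
    parts = [b"%PDF-1.4\n"]
    for i, (raw, compress) in enumerate(streams, 1):
        body = zlib.compress(raw) if compress else raw
        filt = b"/Filter /FlateDecode " if compress else b""
        parts.append(b"%d 0 obj\n<< %s/Length %d >>\nstream\n%s\nendstream\nendobj\n"
                     % (i, filt, len(body), body))
    parts.append(b"%%EOF\n")
    return b"".join(parts)


# Constructed sample: stream 1 paints a full-page background and a stroked rule
# (both benign); stream 2, Flate-compressed, paints a white 160x13 pt box over
# the original IBAN line and writes a new one on top.
SAMPLE_PDF = _build_pdf([
    (b"0 0 612 792 re f\n0 G 72 400 468 0.5 re S\n"
     b"BT /F1 12 Tf 72 700 Td (Invoice 1042, ref f 12) Tj ET", False),
    (b"BT /F1 11 Tf 100 520 Td (IBAN: DE00 1234) Tj ET\n"
     b"1 g 100 516 160 13 re f\n"
     b"0 g BT /F1 11 Tf 100 520 Td (IBAN: GB00 9999) Tj ET", True),
])

if __name__ == "__main__":
    for hit in suspicious_rectangles(SAMPLE_PDF):
        print(hit)
```

The scanner only sees plain content streams; object streams, form XObjects and annotation appearance streams would need the same treatment after their own decoding, and a hit is a prompt to open the file and compare with the original invoice, not proof of tampering by itself. The full-page background in stream 1 is ignored because it exceeds the width threshold, the stroked line is ignored because it is never filled, and only the compressed white box in stream 2 is reported.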
Nadim Farah, product manager for GlobalSign's digital signing service, said fraud and data manipulation threats such as business email compromise could drive more interest in document signing with SSL certificates. The certificate vendor recently joined Adobe's Cloud Signature Partner Program, which handles much of Adobe's 6 billion document signatures a year.
"When companies proposed electronic document workflows," he said, "they have to have a way of verifying documents as authentic to prevent these kinds of attacks."
Document signing could help, Bettke said, but many smaller and medium-sized companies "can barely implement two-factor authentication." While SecureWorks has prevented some of Gold Galleon's fraud, he said the group is still active.
"I worry about more sophisticated groups doing this sort of thing," Bettke said. "Groups like Galleon can't code, and they're not very skilled. What happens when an APT [advanced persistent threat] in Europe starts doing this?"