A criminal gang in Nigeria targeting the global maritime industry has been running multiple “business email compromise” scams for hundreds of thousands of dollars. The group calling themselves “Gold Galleon” have been sending messages to infiltrate payments within shipping companies over the last year.
According to Secureworks researchers, unlike other BEC groups, Gold Galleon does not target a wide range of businesses but appears to focus solely on global maritime shipping businesses and their customers. CTU researchers estimate that between June 2017 and January 2018, these hackers attempted to steal at least $3.9 million from shipping businesses. The threat actors' theft attempts average $6.7 million per year.
As informed, the Gold Galleon uses similar tools, tactics and procedures (TTPs) to other Business Email Compromise groups, typically using publicly available malware like inexpensive remote access trojans (RATs), crypters and email lures. The group often targets smaller maritime companies, such as those who may provide ship management services, port services, and ‘cash to master’ facilities.
In its latest edition of Phish and Ships newsletter, Be Cyber Aware at Sea campaign explains their activity:
Gold Galleon appeared to identify target emails from looking at publicly available websites, and it also appeared to be using commercially available marketing tools to scrape email addresses – such as Email Extractor and BoxxerMail – as well as purchasing email address lists. Once they gained access to a target’s inbox, they extracted all the target’s contacts – plus every email address that the target ever had an exchange with, using a free tool called EmailPicky.
After this initial recon, members targeted high-worth individuals with spearphishing campaigns, usually with a topic related to shipping. Attachments would deploy a RAT with keylogging capabilities. They used Predator Pain, PonyStealer, Agent Tesla, and Hawkeye – all available to buy online, with a basic version of Agent Tesla running for as little as $12. Once they compromised an email, they would monitor inboxes for business transactions. They then inserted themselves into legitimate exchanges, submitting fraudulent invoices that would request payment to a mule account. The gang would also buy domains that resembled the legitimate buyer or seller company name – lookalikes that would help them impersonate either party.
Researchers estimate that Gold Galleon:
appears to have a loose organisational structure, with the activities coordinated by a few senior individuals, who occasionally coached the junior members in what appeared to be mentoring roles, as well as liaising with other external criminal partners like suppliers of mule bank accounts.
used proxy services to cloak their origin, but
many of their systems were regularly connecting to the internet via infrastructure based in Nigeria, according to CTU.
A South-Korean shipping company was among the victims: The group was able to steal credentials for eight accounts belonging to the company, including the accountant’s and they then targeted all of the clients. The attackers monitored the business transaction of the South Korean company and a cash-to-master service for a ship arriving in America and inserted themselves into the transaction with a fake Outlook email account. They submitted a fraudulent email asking the South Korean company to deposit the payment into a “subsidiary bank account” – a mule operated by the criminals.
A separate attack saw Gold Galleon targeting another of this South Korean company’s clients for $325,585, a large Japanese company that provides marine transportation of petroleum and chemicals with clients worldwide. The Japanese company, ultimately, had flagged the transaction as suspicious.
A third attempt against a separate multinational Japanese conglomerate for $243,838 was also derailed, with SecureWorks able to notify both parties and South Korean CERT – the incident response team in the country.