Researchers have uncovered a Nigerian hacking ring which targets maritime shipping firms in an attempt to steal millions of dollars every year.
On Wednesday, security experts from the Secureworks Counter Threat Unit (CTU) said that the previously unidentified "Gold Galleon" threat group specializes in business email compromise (BEC) and business email spoofing (BES) fraud to dupe their victims into parting with funds.
In a blog post, CTU said that instead of spamming and targeting companies en masse, Gold Galleon focuses on global maritime shipping businesses and their customers.
The researchers estimate that between June 2017 and January 2018, the hackers attempted to steal upwards of $3.9 million, and that the group's fraud attempts may average $6.7 million per year.
BEC and BES scams are more sophisticated than your average spam email. Spearphishing, in which messages are crafted to appear to come from legitimate employees, contacts, or other companies, is used to lull victims into a false sense of security.
By appearing legitimate, these kinds of scams will often attempt to persuade users to download malicious documents containing malware payloads or to visit malicious web pages which harvest credentials.
When these credentials are stolen, threat actors can then intercept genuine business email exchanges, alter orders or financial details, and quietly reap the rewards.
For example, a compromised email account belonging to a company executive could be used to send a fraudulent request for a wire transfer to the employee who handles such requests. The staff member may not immediately question this request, and then money is sent to an account controlled by the threat actor.
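The pattern just described, a spoofed or compromised account asking the finance contact for a transfer, lends itself to a simple mail-triage check. The Python below is an added example, not code from CTU or from the article; the staff directory, domains and the two messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of staff whose names a BEC actor might borrow as a
# display name (hypothetical values, not taken from the report).
KNOWN_SENDERS = {"jane doe": "jane.doe@example-shipping.com"}

# Wording typical of the payment requests the article describes (wire
# transfers, "crew wages", cash-to-master payments) plus bank-change phrasing.
PAYMENT_REQUEST = re.compile(
    r"wire transfer|crew wages|cash to master|new bank account|updated bank details",
    re.IGNORECASE,
)

# Constructed sample messages: one impersonation attempt, one routine email.
SPOOFED = (
    "From: Jane Doe <jane.doe@example-shipping-mail.com>\r\n"
    "Reply-To: Jane Doe <accounts@freemail.example>\r\n"
    "To: finance@example-shipping.com\r\nSubject: Urgent\r\n\r\n"
    "Please arrange a wire transfer of $50,000 for crew wages today.\r\n"
)
BENIGN = (
    "From: Jane Doe <jane.doe@example-shipping.com>\r\n"
    "To: ops@example-shipping.com\r\nSubject: ETA\r\n\r\nVessel arrives Thursday.\r\n"
)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_body(msg):
    # Collect text/plain parts; a non-multipart message is its own single part.
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain"
    )


def bec_indicators(raw_email):
    """Return the BEC warning signs present in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    expected = KNOWN_SENDERS.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name impersonation")  # known name, foreign address
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to redirect")  # replies are routed elsewhere
    if PAYMENT_REQUEST.search(_text_body(msg)):
        findings.append("payment request")
    return findings


def needs_out_of_band_verification(raw_email):
    # Any payment request is confirmed by phone or a known contact, whatever the
    # header checks say: a genuinely compromised mailbox shows no spoofing signs.
    return "payment request" in bec_indicators(raw_email)
```

The header checks catch spoofing, but the final rule deliberately triggers on the request alone, since the compromised-account case in the article produces perfectly authentic headers.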
Gold Galleon targets maritime companies, including those that provide ship and port management services. As many of these companies operate internationally and across different time zones, email is a crucial communication tool, and one that is ripe for exploitation.
The threat actors use a wide range of tools after they have compromised accounts belonging to these companies. These include remote access software, keyloggers, and password stealers, many of which are available online publicly and with little investment.
Gold Galleon's toolkit includes EmailPicky, used to harvest fresh victims from the contact lists of compromised email accounts, and the Predator Pain, PonyStealer, Agent Tesla, and HawkEye keyloggers.
Companies operating in South Korea, Japan, Singapore, the Philippines, Norway, the US, Egypt, Saudi Arabia, and Colombia have been targeted by the group, which the researchers believe is loosely made up of at least 20 participants.
Several figures at the top control the rest of the group and give them tasks including monitoring compromised email accounts, phishing for victims, and experimenting with new malware and tools.
CTU researchers say that the senior figures in Gold Galleon also mentor other less-experienced hackers and liaise with traders of malware.
In one case, CTU detected Gold Galleon attempting to exploit a shipping company based in South Korea. The group managed to steal the credentials for eight email accounts linked to the firm, including one belonging to the company's accountant.
These credentials were then used to send a fraudulent request for $50,000, ostensibly for "crew wages", to a "cash to master" (CTM) service partner. Thankfully, the would-be victim had emailed other partners for clarification and so recognized the fraud, and CTU was then able to unmask the full scheme.
Gold Galleon then repeated its attempt at fraud, this time against a Japanese company that was the South Korean firm's client. An attempt was made to steal $325,585, which also failed, as the earlier attempt had already raised red flags.
"In some cases, the victims are unaware of what is happening until it is too late," the researchers say. "Organizations in some industries (in this case shipping) may be exposed to heightened risk as threat actors focus their attempts toward industries that are more susceptible to these techniques."
Communications between the threat actors, and the phrases they use when talking online, have linked Gold Galleon to the Buccaneer Confraternity group, which was originally set up to support human rights in Nigeria.