Oil & Gas

Summary

Three (3) oil and gas (Energy) sector companies were the target of attempted phishing campaigns from a Malawi, Africa identified malicious domain.

Virus Total identified malicious domain:[1]
etcay.org domain information:

Description: Economic and Trade Cooperation of African Youth (ETCAY), Monrovia, Liberia; P.O Box 100 +231-777-270-104 · info@etcay.org ETCAY was formed by the delegates at the 3rd China-Africa Youth Festival representing 53 African countries.  Etcay.org site is currently down. 

Passive DNS replication (This domain has been seen to resolve to the following IP addresses.)

2019-02-04             50.116.98.247
2019-01-16             162.241.232.23
Domain Name:         ETCAY.ORG
Reg. Domain ID:      D402200000007927624-LROR
WHOIS Server:        http://api[.]fastdomain.com/cgi/whois
Registrar URL:         http://www[.]fastdomain.com
Updated Date:         2018-12-11T03:45:19Z
Creation Date:         2018-10-11T09:36:25Z
Reg. Expiry Date:     2019-10-11T09:36:25Z
Registrar:                FastDomain Inc.
Registrant Country: MW (Malawi)
Name Server:          NS1&2[.]NZATHU.NET
Reg. IANA ID: 1       154

These phishing attempts were detected in Wapack Labs Threat Recon malicious domain (URL) collections, and were used in phishing campaigns against Enbridge Inc. (Canada), Range Resources (US) and Targa Resources (US); all oil and gas sector companies.  The malicious domain “etcay.org” appears to have been originally a legitimate domain, then taken over by a malicious actor(s) in Malawi, Africa.  There was no specific malware detected with these phishing attempts and appear to be social engineering attempts.  These phishing campaigns demonstrate active targeting of energy sector companies by identified and known malicious sites. 

See link for Targets and Threat: TR-19-037_OilandGas_phishingFINAL.pdf

Our collection and analysis indicate the willingness of bad actors to corrupt domains in order to social engineer the oil and gas sector to obtain login and password credentials.  Oil and gas sector companies should train and caution employees to be aware of this continuous threat.  If these phishes are successful, the loss of vital proprietary information could be detrimental to the company.

[1] Virus Total's passive DNS only stores address records. The domain etcay.org has been seen to resolve to the following IP addresses: 50.116.98.247, and 162.241.232.23