A Bangladeshi based Cosco Shipping company email was detected in Wapack Labs malicious email used to pass malicious email targeting a publishing company in Australia/New Zealand. The email was most likely taken from a Cosco open source shipping schedule, utilizing a legitimate Cosco email. This demonstrates the use of a maritime sector company to target or be used as a conduit for malicious intent.
On 3 January 2019, Wapack Labs identified suspicious email activity from proprietary collection sources. The collection is focused on known maritime keys words used on phishing type attacks to spread various types of malicious malware.
In the sender’s field of one collected malicious email, it was observed:
\"NEW GOLDEN SEA SHIPPING PTE. LTD.\" <firstname.lastname@example.org>
New Golden Sea Shipping (NGSS) is a shipping company from Singapore that entered into a joint venture with Cosco Shipping International (Singapore) Co., Ltd, on 28 November 2018. The main activities of this joint venture are investment holding and provision of logistics, storage, forwarding and shipping services and other services.
Sender email: cosconbd.com is a Cosco Bangladesh subsidiary. Pallabee appears to be a real email name assigned to:
Dhaka Address, National Scout Bhaban (14th Floor), 70/1, Kakrail, Dhaka-1000, Bangladesh.
Tel: 880-2-9357804, 9357810. EXT-117
Subject Line: CONFIRM DETAILS OF BANK TRANSFER (which is a known lure in maritime shipping campaigns)
Target: nowtolove.com Now to Love is an online celebrity magazine for Australia and New Zealand.
Target recipient: email@example.com (may not be compromised)
VT Detections: 22/56 detections Mal/Generic-S - Sophos,Trojan-FQIO!7C688EB3A323 - McAfee, Backdoor.Win32.Shiz.KP@4og572 - Comodo, Trojan.Injector!1.AFE3 (CLOUD) - Rising,Trojan/Win32.Crypt - Antiy-AVL,Trojan.Agent.DLYT - MicroWorld-eScan,Trojan.PWS.Stealer.23680 - DrWeb,Trojan:Win32/Occa
Cosconbd.com uses the IP address 188.8.131.52 hosted by Endurance International Group, Inc in Provo, UT United States.
This information is derived from an official Cosco open source weekly shipping schedule. This collection and analysis confirms an escalated interest in targeting the maritime industry by malicious actors.
For questions or comments regarding this report, please contact the Lab directly by at 844-4-WAPACK (1-844-492-7225), or firstname.lastname@example.org