Shipping Company Spoof

Summary

A Bangladeshi based Cosco Shipping company email was detected in Wapack Labs malicious email used to pass malicious email targeting a publishing company in Australia/New Zealand.  The email was most likely taken from a Cosco open source shipping schedule, utilizing a legitimate Cosco email.   This demonstrates the use of a maritime sector company to target or be used as a conduit for malicious intent.     

Threat

On 3 January 2019, Wapack Labs identified suspicious email activity from proprietary collection sources.  The collection is focused on known maritime keys words used on phishing type attacks to spread various types of malicious malware.

In the sender’s field of one collected malicious email, it was observed:

\"NEW GOLDEN SEA SHIPPING PTE. LTD.\" <pallabee@cosconbd.com>   

New Golden Sea Shipping (NGSS) is a shipping company from Singapore that entered into a joint venture with Cosco Shipping International (Singapore) Co., Ltd, on 28 November 2018.[1]  The main activities of this joint venture are investment holding and provision of logistics, storage, forwarding and shipping services and other services.

Sender email: cosconbd.com is a Cosco Bangladesh subsidiary.  Pallabee appears to be a real email name assigned to:

Dhaka Address, National Scout Bhaban (14th Floor), 70/1, Kakrail, Dhaka-1000, Bangladesh.                                                            

Tel: 880-2-9357804, 9357810. EXT-117   

Fax: 880-2-8315286 

E-mail: pallabee@cosconbd.com

            shampa@cosconbd.com    

            imran@cosconbd.com       

Subject Line: CONFIRM DETAILS OF BANK TRANSFER (which is a known lure in maritime shipping campaigns)

Target: nowtolove.com   Now to Love is an online celebrity magazine for Australia and New Zealand.

Target recipient: 82a07acf1334c4ba9ddcf391cf27a944@nowtolove.com (may not be compromised)

VT Detections: 22/56 detections Mal/Generic-S - Sophos,Trojan-FQIO!7C688EB3A323 - McAfee, Backdoor.Win32.Shiz.KP@4og572 - Comodo, Trojan.Injector!1.AFE3 (CLOUD) - Rising,Trojan/Win32.Crypt - Antiy-AVL,Trojan.Agent.DLYT - MicroWorld-eScan,Trojan.PWS.Stealer.23680 - DrWeb,Trojan:Win32/Occa

Cosconbd.com uses the IP address 142.4.30.250 hosted by Endurance International Group, Inc in Provo, UT United States.

This information is derived from an official Cosco open source weekly shipping schedule.  This collection and analysis confirms an escalated interest in targeting  the maritime industry by malicious actors.     

For questions or comments regarding this report, please contact the Lab directly by at 844-4-WAPACK (1-844-492-7225), or feedback@wapacklabs.com

[1] https://www.bloomberg.com/research/stocks/private/snapshot.asp?privcapid=35671571

You need to be a member of Red Sky Alliance to add comments!