Transportation

Malicious actors are targeting the shipping industry, using “whaling[1],” a.k.a. business email compromise (BEC) attacks, to collect credentials and compromise critical transportation systems. 

Hackers are launching whaling attacks to target various types of employees with some serious online (and sometimes telephone-based) social-engineering BEC scams.  Scams against the shipping industry are on the rise.  Whaling is not a new attack method, but it continues to grow in popularity with hackers.  The shipping industry, known for its lax security measures, is at risk.  US federal authorities report that BEC scams in 2018 resulted in losses of more than USD $12.5 billion.  This is twice the losses in 2017, which were USD $5 billion.  In many cases, scammers use social engineering to imitate higher-level executives based on data collected via social media and other tools.  This tactic is used to trick unsuspecting victims into performing various activities, including opening malware-riddled attachments or transferring payments to suspicious accounts.

Social Engineering – Hackers begin by collecting an array of publicly-available information on targets.  That can include data from social-media pages, like personal facts (birthday, location, etc.) on Facebook and business information on LinkedIn (title, coworkers, business organizational structure – even how the business interacts with suppliers).[2] 

An example of these schemes is a victim posting a picture of themselves at a recent business conference.[3]  A bad actor may then send an email to that person and say they met at that conference.  If an online conversation ensues, more personal information could be obtained.  In a common attack scenario, an email arrives at a company’s accounts payable department, stating that a supplier’s bank details have changed.  The email looks legitimate, with correct logos, and the name of the individual making the request is correct and is one the accounting department recognizes.  Bank details are then innocently changed for the next supplier payment.  The problem is that it was a scam and the money has now disappeared.  Many times this is not discovered before much money is lost.  Sometimes the hackers are so brazen as to use the CEO’s or another high-ranking executive’s information to trick unsuspecting victims.

Often the bad actor waits until an executive posts that they are going on a vacation or will be on a long flight.  They then send an email that appears to come from inside the company to a financial department representative, asking them to make an urgent payment.  These requests have at times explained that the person’s job is on the line if the payment is not made.  Attempts to validate the request fail because the CEO is on a long flight or out of communication, so the finance employee is intimidated into making the payment.

Preventing these attacks can be hard, since they often use different data points to build convincing directions.  In high-value attacks, emails will be prefaced with a phone call to the victim employee to add to the authenticity of the intended financial transaction.  In a large organization, if the CEO rings you personally, you will act, especially as it is unlikely the victim will know exactly how the CEO sounds, as they may never have met them or spoken to them before.

Sending malware to a victim via email attachments is another effective way that the shipping industry has been compromised.  Emails are often crafted to appear as if they are being sent internally.  An easy method is for a hacker to create a similar-looking email address, often exploiting subtle differences between characters such as ‘1’, ‘l’ and ‘I’ to fool the reader into thinking it is a legitimate email.  A report published last year found that the global shipping industry is vulnerable to a range of attacks, including one that can send multimillion-dollar vessels on a literal collision course by manipulating navigation systems.  With the reported polar magnetic fields changing and causing GPS errors, there is a higher risk of this type of attack.  This is a concern for the transportation sector.
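A mail-filtering check for the similar-looking addresses described above, as an added example that is not part of the original article. The contact list, the sample addresses and the function names are constructed for illustration, and the 0/O pair is an added assumption beyond the ‘1’, ‘l’, ‘I’ characters named in the text.

```python
from __future__ import annotations
from email.utils import parseaddr

# Substitutions named in the text ('1', 'l', 'I'); the 0/O pair is an
# added assumption, not taken from the article.
CONFUSABLE = str.maketrans({"1": "l", "I": "l", "0": "o", "O": "o"})

def skeleton(addr: str) -> str:
    """Collapse visually similar characters so look-alikes compare equal."""
    return addr.translate(CONFUSABLE).lower()

def classify_sender(from_header: str, known_contacts: set[str]) -> tuple[str, str | None]:
    """Return (verdict, imitated_contact); verdict is known, lookalike or unknown."""
    _, raw = parseaddr(from_header)          # strip the display name
    raw = raw.strip()
    known = {c.lower() for c in known_contacts}
    if raw.lower() in known:                 # exact match, ignoring case
        return "known", None
    # Check the address both as displayed and lowercased: a capital 'I'
    # may be the trick itself or just ordinary capitalisation.
    candidates = {skeleton(raw), skeleton(raw.lower())}
    for contact in sorted(known):
        if skeleton(contact) in candidates:
            return "lookalike", contact      # same shape, different address
    return "unknown", None

# Constructed sample data (hypothetical company and supplier).
KNOWN = {
    "j.miller@harborline-shipping.example",
    "accounts@supplier-marine.example",
}
SAMPLES = [
    "Jane Miller <j.miller@harborline-shipping.example>",
    "Jane Miller <j.mi1ler@harborline-shipping.example>",   # digit 1 for l
    "Accounts <accounts@suppIier-marine.example>",          # capital I for l
    "Port Agent <agent@other-port.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header, KNOWN), header)
```

A "lookalike" verdict is a reason to hold the message and confirm the request through a separately known phone number before any bank details are changed or payment is sent.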

Researchers in April 2018 identified a hacking group behind several wide-scale BEC attacks that have taken the maritime shipping industry for millions of dollars since 2017.  Attackers in the campaign took advantage of the industry’s lax security and the use of outdated computers.  Training executives is “critical” to helping prevent these attacks, especially those in target areas such as finance and shipping.  It is important to remember that BEC “targets” are in most cases not going to be management; the emails will be sent to subordinates.  This is why these attacks are so successful.  No one challenges the boss.  Training and internal coordination are the key to sound cyber security.  It is important to have layers of approval in place before money is sent.

[1] Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles.

[2] https://threatpost.com/shipping-execs-whaling/140643/

[3] https://www.thewindowsclub.com/what-are-whaling-scams