Scammers target oil companies with sneaky attack

The affected companies are in Spain, Germany, U.K., Italy and Belgium, as well as China and Singapore.
The affected companies are in Spain, Germany, U.K., Italy and Belgium, as well as China and Singapore.

A threat actor is using a sneaky attack to steal usernames and passwords from oil companies in various parts of the world, and then appears to be using the credentials to obtain specific types of documentation for use in a scam, according to research from Panda Security.

The attack involves three parts: stealing credentials from employees at oil companies, accessing the networks of the companies, and attaining proof of product documentation, Luis Corrons, PandaLabs technical director, told SCMagazine.com in a Monday email correspondence.

The way the credentials are being obtained is particularly notable because it involves no malware, Corrons said.

In one instance, Panda Security observed an employee opening a seemingly innocuous PDF file attached to an email, which then led to a series of actions that ultimately resulted in credentials being uploaded to a FTP server, according to a report.

“[The attack] is based on a simple self extractor file that includes a few scripts and a few legal tools in order to perform all its malicious actions,” Corrons said. “It is a clever way to act to avoid antimalware solutions [that might] interfere in their [operation].”

The scam itself likely involves the threat actor arranging a sale of high quality oil, the report indicates.

The proof of product documentation – it could be a quality certificate, a certificate of origin, or a cargo manifest – would be used to get up to $100,000 in advance of the alleged exchange, after which the scammer vanishes and the victim is left with nothing.

Researchers were able to access the FTP server and identified 80,000 text files with credentials stolen from a variety of companies. After further analysis, the researchers determined that 860 files were unique, and belonged to ten companies in the oil and gas maritime transportation sector.

Corrons said that the affected companies are in Spain, Germany, U.K., Italy and Belgium, as well as China and Singapore. The report notes that Panda Security sought to inform law enforcement, but ran into some trouble initiating an investigation since none of the victims wanted to report the issue.

Further Panda Security investigating revealed that the threat actor may be Nigerian, the report notes.

“[Organizations] need to have control and visibility over their networks: being able to detect if vulnerable applications are being executed and ensuring that all endpoints and servers are only running safe applications are some of the approaches that companies need to take in order to be protected and prepared.”

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS