A threat actor called Gold Galleon, uncovered by Secureworks, is focused on nabbing millions from global maritime shipping companies, related services and their customers. The Gold Galleon group is likely based out of Nigeria and involves at least 20 criminals collectively engaging in business email compromise (BEC) and business email spoofing (BES) fraud.
Secureworks Counter Threat Unit (CTU) researchers discovered the previously unidentified Gold Galleon threat group while tracking Gold Skyline, a Nigerian threat group also involved in BEC and BES fraud.
The researchers say that Gold Galleon attempted to steal at least $3.9 million from its targets between June 2017 and January 2018, and that at that rate the group aims to steal around $6.7 million per year. Countries targeted include South Korea, Japan, Singapore, the Philippines, Norway, the U.S., Egypt, Saudi Arabia, and Colombia.
The group aims its efforts not just at shipping organizations, but also enterprises that offer ship management services, port services, and cash to master services.
It’s unusual that a threat group engaged in BEC focuses so exclusively on a single industry. As shipping firms operate in different global time zones, they tend to rely on email for conducting business transactions, making them an attractive target to hacker groups that employ BEC techniques.
As part of the BEC social engineering scheme, threat actors typically use spear-phishing emails with malicious attachments to steal the email credentials of individuals responsible for managing business transactions. With that access they monitor and intercept emails between the parties to a deal, then alter financial documents such as invoices so that funds are redirected to bank accounts controlled by the attackers. Although the methodology is unsophisticated, BEC and BES scams continue to cause significant losses to businesses globally.
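The invoice-tampering step described above is the point where a payment team can still catch the fraud. The following is an added example, not code from Secureworks or from the article: a small pre-payment check that parses an incoming invoice email and flags a sender domain that resembles a known vendor, a Reply-To that diverges from the From address, and bank details that differ from what is on file. The vendor master, the domains and the IBAN-style strings are all constructed for illustration; in practice the vendor record would come from the accounts-payable system.

```python
"""Added example: pre-payment checks for BEC invoice tampering.

Vendor records and sample messages below are constructed for illustration;
they are not real companies, domains or bank accounts.
"""
import difflib
import re
from email import message_from_string
from typing import Dict, List, Optional

# Hypothetical vendor master: the domain each vendor really mails from and
# the bank account on file. Constructed data, not from the article.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "oceanic-bunkers.example": {"iban": "NO9386011117947"},
}

# Loose IBAN shape: country code, two check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def _domain(addr: Optional[str]) -> str:
    """Lower-cased domain part of a header like 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def lookalike_of(domain: str, known: List[str]) -> Optional[str]:
    """Return the known vendor domain this one closely resembles but does
    not equal (e.g. a dropped letter or swapped character), else None."""
    for k in known:
        if domain != k and difflib.SequenceMatcher(None, domain, k).ratio() >= 0.85:
            return k
    return None


def check_invoice(raw: str) -> List[str]:
    """Return a list of human-readable findings; empty means no red flags."""
    msg = message_from_string(raw)
    findings: List[str] = []
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))

    # 1. Sender domain is not a known vendor but looks like one (spoofing).
    vendor_dom = from_dom if from_dom in VENDOR_MASTER else None
    if vendor_dom is None:
        similar = lookalike_of(from_dom, list(VENDOR_MASTER))
        if similar:
            findings.append(f"sender domain {from_dom} resembles vendor {similar}")
            vendor_dom = similar  # compare bank details against that vendor
        else:
            findings.append(f"sender domain {from_dom} is not a known vendor")

    # 2. Replies would go somewhere other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Bank details in the body differ from the account on file. This is
    #    the only check that fires when a genuine vendor mailbox has been
    #    taken over with stolen credentials, as the article describes.
    if vendor_dom is not None:
        on_file = VENDOR_MASTER[vendor_dom]["iban"]
        body = msg.get_payload() if isinstance(msg.get_payload(), str) else ""
        for iban in IBAN_RE.findall(body):
            if iban != on_file:
                findings.append(f"bank account {iban} differs from on-file {on_file}")
    return findings


# Constructed sample messages.
LEGIT_INVOICE = """From: accounts@oceanic-bunkers.example
To: ap@shipco.example
Subject: Invoice 4471 bunker delivery

Please remit to IBAN NO9386011117947 within 30 days.
"""

SPOOFED_INVOICE = """From: accounts@oceanic-bunker.example
Reply-To: accounts@oceanic-bunkers-invoicing.example
To: ap@shipco.example
Subject: Invoice 4471 bunker delivery - updated bank details

Please note our updated bank details: IBAN NO8330001234567
"""

COMPROMISED_INVOICE = """From: accounts@oceanic-bunkers.example
To: ap@shipco.example
Subject: RE: Invoice 4471 bunker delivery

Our bank has changed; please use IBAN NO8330001234567 from now on.
"""

if __name__ == "__main__":
    for name, sample in [("legit", LEGIT_INVOICE), ("spoofed", SPOOFED_INVOICE),
                         ("compromised", COMPROMISED_INVOICE)]:
        print(name, check_invoice(sample))
```

The third sample is the one that matters most for the scheme described here: once the attacker holds the vendor's real credentials, the domain and Reply-To checks pass, and only an out-of-band comparison of the bank account against the record on file (or a phone call to a known contact) catches the change.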
The Gold Galleon group uses tactics, techniques, and procedures (TTPs) similar to those of other BEC/BES groups, including email lures, crypters, and inexpensive commodity remote access Trojans (RATs) that are publicly available.
Secureworks says that the group “appears to have a loose organizational structure, with activities coordinated by several senior individuals”. Tasks are divided among members: for example, one member might be responsible for obscuring the group’s RATs with crypters, while another monitors targets’ email accounts for business transactions that are about to be invoiced. Secureworks said that senior members frequently handle the purchasing of malware, crypters, and infrastructure. Its researchers have also observed “senior members coaching and mentoring less-experienced group members and liaising with external providers of related criminal services (e.g., suppliers of mule accounts for transferring stolen funds and crypter sellers)”.
The group uses the “Hide My Ass!” (HMA) VPN proxy and other privacy services to disguise its origin. CTU researchers nonetheless believe that Gold Galleon is located in Nigeria, because many of its members regularly connect to the Internet via Nigeria-based infrastructure and frequently communicate with one another over instant messaging services in Nigerian Pidgin English.
Secureworks researchers are using an “offence-in-depth approach” to combat the rise of BEC/BES cyberattacks originating in Africa. The approach targets fraud on three fronts, one of which is working with law enforcement to identify and arrest the cybercriminals. Its main goal, however, is to waste the fraudsters’ time and reduce their financial rewards, for example by reporting “mule” bank accounts and asking for them to be frozen, Secureworks CTU researcher Joe Stewart told SC Media UK.
“The offense-in-depth approach involves disruption or stalling of scammers. So, the targets or defenders would aim to increase the attacker’s risk levels and effort, while reducing the corresponding reward,” Stewart stated.