Gold Galleon: Inside the Nigerian hacking group gouging the global maritime shipping industry

Security researchers have uncovered a new Nigerian hacking group dubbed Gold Galleon that uses business email compromise and business email spoofing attacks to pillage the global maritime shipping firms out of millions of dollars.

According to Dell Secureworks Counter Threat Unit, the outfit specifically targets maritime shipping organizations such as companies that offer ship management services, port services and cash to master services. These companies primarily rely on email to conduct business transactions, making them an attractive and susceptive target to BEC scams and fraud techniques.

Between June 2017 and January 2018, the group has attempted to steal a minimum $3.9 million from shipping businesses and their customers, with their average annual loot amounting to $6.7 million.Security researchers have uncovered a new Nigerian hacking group dubbed Gold Galleon that uses business email

Who are they?

According to Secureworks’ report released at the RSA Conference this week, Gold Galleon seems to be a group of at least 20 cybercriminals likely based in Nigeria. The group has collectively targeted companies in the US, Japan, Norway, South Korea, Singapore, Philippines, Saudi Arabia, Egypt and Colombia.

Researchers said the group uses similar TTPs as other BEC groups such as email lures, publicly available malware, inexpensive remote access Trojans and crypters. Featuring a lose organizational structure, the group is comprised of several senior members who allocate tasks to other members, coach and mentor inexperienced members and work with other criminal service-related suppliers.

“One group member may have responsibility for obfuscating the group's RATs with crypters, while others are tasked with monitoring victims' email for business transactions that are about to be invoiced,” researchers said. “Some senior members often handle the purchasing of malware, crypters, and infrastructure, and they frequently experiment with alternative tools.”

Members of the group typically use instant messaging services like Skype to communicate, primarily in Nigerian Pidgin English. Researchers have also found evidence suggesting the group is likely linked to the popular Nigerian fraternity called Buccaneer Confraternity. The fraternal organization was initially established to support human rights in Nigeria. However, reports suggest a small subset of the group may be engaging in criminal activities.

How do they operate?

Gold Galleon typically relies on lower-level, free or inexpensive tools and social engineering techniques to carry out attacks.

“Despite technical challenges and minimal investments in cybercrime tools, infrastructure, and automation, the group's profit margins are orders of magnitude greater than its initial investment,” researchers said.

The group typically identifies potential target email addresses by gathering publicly available contact information, such as the company’s website, or using marketing tools like Email Extractor or BoxxerMail to scrape email addresses.

Evidence further suggests that threat actors occasionally bought email lists of their target companies as well. Once a target’s inbox has been infiltrated, the attackers used a free tool called EmailPicky to extract the target’s contacts along with every email address that made contact with the compromised target.

“Many of the harvested contacts are in the maritime shipping industry, so this tactic can be extremely fruitful for the threat actors,” researchers note.

Gold Galleon used similar tools as other BEC threat groups including shipping-themed phishing emails with malicious attachments to deploy RATs with keylogging and password-stealing capabilities. Some of their frequently used tools include PonyStealer, Agent Tesla, HawkEye and Predator Paid keyloggers - all of which are readily available on underground markets.

Man-in-the-middle attacks

Once a targeted business email address has been compromised, the attackers scan through the inbox for any emails referring to an ongoing, high-value business transaction.

The transaction is then passively monitored until it is time for payment details or an invoice to be relayed between the buyer and seller. The threat actor intercepts the seller’s email, alters the invoice from genuine versions created by the seller and changes the payment details and destination bank account to the attacker’s money mule account. An unsuspecting buyer then wires the money over to the attacker-controlled bank account.

“In order to impersonate a buyer or seller in a particular transaction, GOLD GALLEON and other BEC groups have purchased domains that closely resemble the buyer or seller's company name, also known as ‘cloning,’” Secureworks said.

“In some cases, the victims are unaware of what is happening until it is too late,” researchers added. “Organizations in some industries (in this case shipping) may be exposed to heightened risk as threat actors focus their attempts toward industries that are more susceptible to these techniques.”

To mitigate BEC risks, businesses have been advised to implement two-factor authentication (2FA), inspect the corporate control panel for suspicious redirect rules and review wire transfer information for any red-flags.