Phish 'n' Ships Aims to Disrupt the Global Shipping Industry

Phish 'n' Ships Aims to Disrupt the Global Shipping Industry

Threat Type: - Phishing and Credential Theft
Exploited Vulnerabilities: - Human Error via Phishing Attacks
Malware Used: - None specified (primarily credential-harvesting techniques)
Threat Score: - Moderate to High (7.5/10) — The campaign targets the maritime sector, a critical infrastructure, with phishing designed to penetrate operational technology (OT) networks.
Last Threat Observation: - October 30, 2024, by maritime cybersecurity researchers


Overview

The "Phish 'n' Ships" campaign is a recent phishing attack wave directed at the maritime industry, specifically targeting the OT environments of shipping companies, ports, and logistics networks. These phishing attacks aim to harvest credentials and gain unauthorized access to sensitive maritime systems, potentially endangering global supply chains. This campaign has been observed exploiting maritime personnel's lack of cybersecurity awareness and deploying social engineering techniques to bypass security measures.

Key Details

  • Delivery Method: Phishing emails with links to fake login portals or credential harvesting sites.
  • Target: Maritime industry entities, including ship operators, port authorities, and logistics companies.
  • Functions:
    • Harvest credentials for shipping network access.
    • Exploit access to OT systems that control ship navigation and cargo operations.
    • Spread to internal networks, gaining access to financial and operational data.
    • Utilize email impersonation techniques to target specific personnel.
    • In some cases, attackers create spear-phishing emails using company-specific terminology.
  • Obfuscation: Use of spoofed email addresses and domain names mimicking legitimate maritime organizations.

Attack Vectors

The campaign primarily leverages email phishing attacks to penetrate maritime networks. These emails often appear to be from legitimate sources, such as shipping partners or regulatory authorities, with links that redirect users to credential-stealing sites. Attackers employ social engineering tactics to increase credibility, such as using maritime jargon or referencing industry regulations, making these phishing attempts highly convincing. This phishing effort has been tied to the goal of infiltrating OT systems and subsequently causing potential disruptions to vessel operations, risking both cybersecurity and physical safety.

Known Indicators of Compromise (IoCs)

IP Addresses:

209[.]74[.]110[.]182209[.]74[.]110[.]189
209[.]74[.]110[.]179209[.]74[.]110[.]187
209[.]74[.]110[.]180209[.]74[.]110[.]188
209[.]74[.]110[.]186209[.]74[.]110[.]181
209[.]74[.]110[.]212209[.]74[.]110[.]213
209[.]74[.]110[.]214209[.]74[.]110[.]211
209[.]74[.]107[.]131209[.]74[.]107[.]132
199[.]33[.]121[.]229199[.]33[.]127[.]244
199[.]33[.]121[.]230173[.]214[.]161[.]82
5[.]22[.]221[.]160104[.]128[.]239[.]68
45[.]76[.]173[.]44210[.]16[.]120[.]35

These IP addresses are defanged by replacing dots with "[.]" to prevent accidental navigation. They should be refanged before using them in any investigative processes or threat analysis tools.

Mitigation and Prevention

  • User Awareness: Provide training specific to maritime phishing schemes, teaching personnel to verify emails and avoid clicking on suspicious links.
  • Email Filtering: Implement advanced phishing detection filters that can flag spoofed maritime-related domains and impersonation attempts.
  • Antivirus Protection: Ensure that all IT and OT systems are covered by robust antivirus solutions to detect unauthorized access.
  • Two-Factor Authentication (2FA): Require 2FA for all personnel accessing maritime control and logistics systems.
  • Monitor Logs: Actively monitor login attempts and access patterns in OT networks to detect unusual activity.
  • Regular Updates: Conduct regular updates and security patches on all systems connected to both IT and OT networks.

Conclusion

The "Phish 'n' Ships" campaign underscores the importance of heightened cybersecurity awareness within the maritime industry. With the risk of unauthorized access to critical OT systems, this campaign could have far-reaching consequences for global logistics and the safety of maritime operations. Organizations are advised to implement proactive measures such as phishing awareness training and advanced email filters to protect against these persistent threats.


Sources

  1. AlienVault - Phish 'n' Ships Fakes Online Shops to Steal Money and Credit Card Information
  2. Human Security - Satori Threat Intelligence Alert: Phish ’n’ Ships Fakes Online Shops to Steal Money and Credit Card Information
  3. Bleeping Computer - Over a thousand online shops hacked to show fake product listings