Oil & Gas Firms Hit By Cyberattacks That Forgo Malware

New spin on the 'Nigerian scam' scams crude oil buyers out of money with a bait-and-switch.

An unusual type of targeted attack underway for two years uses legitimate Windows file functions and a few homemade scripts -- but no malware -- to infiltrate companies in the oil and gas maritime transportation industry.

Researchers at Panda Labs first discovered the attack campaign early last year; it had slipped past antivirus software and hit around 10 companies since its launch in August 2013. The attackers are stealing information from oil cargo organizations and then using that information to pose as legitimate firms in scams against oil brokers.

"This is an innovative targeted attack" but not an APT (advanced persistent threat) or cyberespionage, says Luis Corrons, technical director of Panda Labs. "They use no malware; I'm not sure if they're not using malware because they don't know how to … They were stealing credentials without malware."

The attack campaign, dubbed Phantom Menace by Panda, was first spotted by the security team at an oil and gas transportation company in the U.K. It began with a convincing-looking spearphishing email carrying a phony PDF file that, when opened by the victim, was empty. "It has a self-destructor file, and it creates a folder where it puts files inside. It runs one of the batch files and that's it. There are no malicious" code tools, he says.

Panda was able to root out the stolen files from an FTP server used by the attackers and drill down into the attack itself, which turns out to be a new spin on the Nigerian scam. It works like this: the scammer contacts an oil broker and offers them anywhere from 1 to 2 million barrels of Bonny Light Crude Oil (BLCO) -- at a bargain price -- from a town in Nigeria called Bonny that's well-known for oil with low sulfur content, which makes it a low-corrosive grade product.

"They have to show proof the product, quantity and quality of the oil, and they ask for $50-100,000 in payment to close the agreement," Corrons says. "They [the broker] goes there, and there is nothing," no oil or supplier, he says.

"Our guess here is that they were interested in [oil cargo transportation company] user credentials so they can steal and copy real certificates from those companies" that they can use in the scam to pose as legitimate oil firms, he says.

Most of the victim organizations were in Europe, including Spain, Germany, and Belgium. There also were victims in Asia, he says.

The initial infiltration of the victim system once the phony PDF is opened works like this: an executable file using an Adobe Acrobat Reader icon self-extracts, creates the folder, and moves six files into that folder. It runs a series of the files it planted, and ultimately uses a .bat file to modify the Windows registry so that each time the computer starts, it runs its .bat file to grab usernames and passwords from the mail client and browser, and then saves them in a text file.

There are additional steps to mask the folders, including disabling the Windows firewall. The last step is using FTP to upload the stolen files to the attackers' own FTP server.
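The chain described above (a .bat file registered to run at startup, the Windows firewall disabled, stolen credentials pushed out over FTP) is made of legitimate Windows tooling, so detection has to correlate behaviour rather than match a malware signature. The following is an added example, not code from Panda's report: it parses constructed registry and process telemetry in a simplified key=value format and flags any host showing at least two steps of the chain. The Run key location, the netsh firewall command and the scripted ftp.exe invocation are assumptions about how such steps would surface in logs, not indicators taken from the campaign.

```python
import re
from collections import defaultdict

# Constructed sample events (not data from the Panda report): a simplified
# key=value format standing in for Sysmon/EDR registry and process telemetry.
SAMPLE_EVENTS = [
    'type=registry host=ws01 key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    'value="Updater" data="C:\\Users\\bob\\AppData\\Roaming\\acro\\start.bat"',
    'type=process host=ws01 image="C:\\Windows\\System32\\netsh.exe" '
    'cmdline="netsh advfirewall set allprofiles state off"',
    'type=process host=ws01 image="C:\\Windows\\System32\\ftp.exe" '
    'cmdline="ftp -s:C:\\Users\\bob\\AppData\\Roaming\\acro\\upload.txt"',
    'type=process host=ws02 image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad notes.txt"',
    'type=registry host=ws02 key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    'value="OneDrive" data="C:\\Program Files\\OneDrive\\OneDrive.exe"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run$', re.IGNORECASE)  # assumed autorun location
FW_OFF_RE = re.compile(r'\b(off|disable)\b')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}

def indicators_for(ev):
    """Map a single event to the chain step it matches, or None if benign."""
    if ev.get("type") == "registry" and RUN_KEY_RE.search(ev.get("key", "")) \
            and ev.get("data", "").lower().endswith(".bat"):
        return "batch_autorun"          # a batch file registered to run at every start
    if ev.get("type") == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "").lower()
        if image.endswith("netsh.exe") and "firewall" in cmd and FW_OFF_RE.search(cmd):
            return "firewall_disabled"  # host firewall switched off from the command line
        if image.endswith("ftp.exe") and "-s:" in cmd:
            return "scripted_ftp"       # built-in ftp client driven by a script file
    return None

def triage(lines, min_hits=2):
    """Collect chain steps per host; return hosts showing at least min_hits distinct steps."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        tag = indicators_for(ev)
        if tag:
            hits[ev.get("host", "?")].add(tag)
    return {host: sorted(tags) for host, tags in hits.items() if len(tags) >= min_hits}
```

On the constructed sample, ws01 is flagged with all three steps while ws02, whose Run entry points at a signed .exe, is not.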

"Why would you bother to buy or build a Trojan," which could be detected, Corrons says. The legitimate files fly under the radar.

Corrons and his team found some 865 unique files of stolen information in the FTP server, all of which were from the oil and gas maritime transportation sector.

Unmasking An Attacker

The researchers also have been able to identify one of the likely attackers involved. But in the end, that may not matter: none of the victims will report the attack to law enforcement. Panda's theory is that's because they don't see it as a pure breach: none of the information and credentials stolen from the victims was actually used against them, but instead was used against other companies. They don't want to report that they were duped for fear of negative publicity, according to Panda. "They prefer to keep a low profile, change their credentials, and continue to operate just as if nothing had happened."

And if law enforcement has no official complaints filed, there's no investigation, Corrons notes. "The broker who lost the money was unofficially buying the oil … from the underground," he says.

"The guy [attacker] leaves free," he says.

Panda began tracking the attackers by following the FTP connection used to send the stolen credentials. That led them to a free FTP service where one of the attackers had registered. While his name and location information was fake, it appears the city was not -- the village of Ikeja in Nigeria, which is also known as "computer village" in the country due to its large concentration of technology vendors.

They also traced his address, and they were able to decipher his name: "We took the 9 characters that made up the email address and started combining them to see if we could form an alias, a first name, a last name or similar. And we got it," Panda says in a report on the campaign.

The suspected attacker is a Nigerian national, and they found his Twitter, Facebook and LinkedIn accounts as well. He's a resident of Ikeja who owns a goods transport company. "Too many coincidences. So, even though all the evidence seems to indicate that this is the person responsible for the attack, there is no way for us to prove it. It would require the police to launch an investigation and obtain information about the FTP connections, etc., in order to get the IP address of the person who signed up to the service and find the culprit," Panda said.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
