Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:55 PM
Connect Directly

Oil & Gas Firms Hit By Cyberattacks That Forgo Malware

New spin on the 'Nigerian scam' scams crude oil buyers out of money with bait-and-switch.

An unusual type of targeted attack underway for two years uses legitimate Windows file functions and a few homemade scripts -- but no malware -- to infiltrate companies in the oil and gas maritime transportation industry.

Researchers at Panda Labs first discovered the attack campaign early last year, which had slipped by antivirus software and hit around 10 companies since it launched in August of 2013. The attackers are stealing information from oil cargo organizations and then using that information to pose as legitimate firms in scams against oil brokers.

"This is an innovative targeted attack" but not an APT (advance persistent threat) or cyberespionage, says Luis Corrons, technical director of Panda Labs. "They use no malware; I'm not sure if they're not using malware because they don't know how to … They were stealing credentials without malware."

The attack campaign, dubbed Phantom Menace by Panda, was first spotted by the security team at an oil and gas transportation company in the U.K.  It began with a convincing-looking spearphishing email with a phony PDF file that when opened by the victim user, was empty. "It has a self-destructor file, and it creates a folder where it puts files inside. It runs one of the batch files and that's it. There are no malicious" code tools, he says.

Panda was able to root out the stolen files from an FTP server used by the attackers, and drill down into the attack itself, which turns out to be a new spin on the Nigerian scam. It works like this: the scammer contacts an oil broker and offers them anywhere from 1- 2 million barrels of Bonny Light Crude Oil (BLCO) -- at a bargain price -- from a town in Nigeria called Bonny that's well-known for oil with low sulfur content, which makes it a low-corrosive grade product.

"They have to show proof the product, quantity and quality of the oil, and they ask for $50- 100,000 in payment to close the agreement," Corrons says. "They [the broker] goes there, and there is nothing," no oil or supplier, he says.

"Our guess here is that they were interested in [oil cargo transportation company] user credentials so they can steal and copy real certificates from those companies" that they can use in the scam to pose as legitimate oil firms, he says.

Most of the victim organizations were in Europe, including Spain, Germany, and Belgium. There also were victims in Asia, he says.

The initial infiltration of the victim systems once the phony PDF is opened works like this: an executable file using an Adobe Acrobat Reader icon self-extracts, creates the folder, and moves six files into that folder. It runs a series of files it planted, and ultimately uses a .bat file to modify the Windows registry such that each time the computer starts, it runs its .bat file to grab usernames and passwords from the mail client and browser, and then save them in a text file.

There are additional steps to mask the folders, including disabling the Windows firewall. The last step is using FTP to upload the stolen files to the attackers' own FTP server.

"Why would you bother to buy or build a Trojan," which could be detected, Corrons says. The legit files fly under the radar.

Corrons and his team found some 865 unique files of stolen information in the FTP server, all of which were from the oil and gas maritime transportation sector.

Unmasking An Attacker

The researchers also have been able to identify one of the likely attackers involved. But in the end, that may not matter: none of the victims will report the attack to law enforcement. Panda's theory is that's because they don't see it as a pure breach: none of the information and credentials stolen from the victims was actually used against them, but instead was used against other companies. They don't want to report that they were duped for fear of negative publicity, according to Panda. "They prefer to keep a low profile, change their credentials, and continue to operate just as if nothing had happened."

And if law enforcement has no official complaints filed, there's no investigation, Corrons notes. "The broker who lost the money was unofficially buying the oil … from the underground," he says.

"The guy [attacker] leaves free," he says.

Panda began tracking the attackers by following the FTP connection used to send the stolen credentials. That took them to a free FTP service, where one of the attackers had registered for it. While his name and location information was fake, it appears the city was not -- the village of Ikeja in Nigeria, which is also known as "computer village" in the country, due to its large concentration of technology vendors.

They also traced his gmail.com address, and they were able to decipher his name: "We took the 9 characters that made up the email address and started combining them to see if we could form an alias, a first name, a last name or similar. And we got it," Panda says in a report on the campaign.

The suspected attacker is a Nigerian national, and they found his Twitter, Facebook and LinkedIn accounts as well. He's a resident of Ikeja who owns a goods transport company. "Too many coincidences. So, even though all the evidence seems to indicate that this is the person responsible for the attack, there is no way for us to prove it. It would require the police to launch an investigation and obtain information about the FTP connections, etc., in order to get the IP address of the person who signed up to the service and find the culprit," Panda said.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This gives a new meaning to blind leading the blind.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS A...
PUBLISHED: 2021-06-16
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
PUBLISHED: 2021-06-16
Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link vers...
PUBLISHED: 2021-06-16
Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field. ...
PUBLISHED: 2021-06-16
tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-5...