Oil & Gas Firms Hit By Cyberattacks That Forgo Malware

New spin on the 'Nigerian scam' scams crude oil buyers out of money with bait-and-switch.

An unusual type of targeted attack underway for two years uses legitimate Windows file functions and a few homemade scripts -- but no malware -- to infiltrate companies in the oil and gas maritime transportation industry.

Researchers at Panda Labs first discovered the attack campaign early last year; by then it had slipped past antivirus software and hit around 10 companies since it launched in August 2013. The attackers steal information from oil cargo organizations and then use that information to pose as legitimate firms in scams against oil brokers.

"This is an innovative targeted attack" but not an APT (advanced persistent threat) or cyberespionage, says Luis Corrons, technical director of Panda Labs. "They use no malware; I'm not sure if they're not using malware because they don't know how to … They were stealing credentials without malware."

The attack campaign, dubbed Phantom Menace by Panda, was first spotted by the security team at an oil and gas transportation company in the U.K. It began with a convincing-looking spearphishing email carrying a phony PDF file that, when opened by the victim, was empty. "It has a self-destructor file, and it creates a folder where it puts files inside. It runs one of the batch files and that's it. There are no malicious" code tools, he says.

Panda was able to recover the stolen files from an FTP server used by the attackers and drill down into the attack itself, which turns out to be a new spin on the Nigerian scam. It works like this: the scammer contacts an oil broker and offers anywhere from 1-2 million barrels of Bonny Light Crude Oil (BLCO) -- at a bargain price -- from Bonny, a town in Nigeria well known for oil with low sulfur content, which makes it a low-corrosive grade product.

"They have to show proof of the product, quantity and quality of the oil, and they ask for $50-100,000 in payment to close the agreement," Corrons says. "They [the broker] go there, and there is nothing," no oil or supplier, he says.

"Our guess here is that they were interested in [oil cargo transportation company] user credentials so they can steal and copy real certificates from those companies" that they can use in the scam to pose as legitimate oil firms, he says.

Most of the victim organizations were in Europe, including Spain, Germany, and Belgium. There also were victims in Asia, he says.

The initial infiltration of the victim system, once the phony PDF is opened, works like this: an executable file bearing an Adobe Acrobat Reader icon self-extracts, creates a folder, and drops six files into it. It runs a series of the planted files and ultimately uses a .bat file to modify the Windows registry so that each time the computer starts, the .bat file runs, grabs usernames and passwords from the mail client and browser, and saves them to a text file.

There are additional steps to mask the folders, including disabling the Windows firewall. The last step is using FTP to upload the stolen files to the attackers' own FTP server.
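The chain above leaves ordinary host telemetry rather than malware signatures, so a defender looks for the combination of events rather than any single one. The following added example (not from the Panda report or this article) scores constructed, Sysmon-style host events against three stages described here: a Run key pointing at a batch script, the firewall being switched off, and a scripted ftp.exe upload. The event schema and sample values are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample events (hypothetical simplified Sysmon-style schema, not real data).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\bob\AppData\Local\Temp\AcrobatTmp\start.bat"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\ftp.exe",
     "cmdline": "ftp -s:C:\\Users\\bob\\AppData\\Local\\Temp\\AcrobatTmp\\up.txt"},
    # Benign interactive ftp use on another host: should not trigger the chain.
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\ftp.exe",
     "cmdline": "ftp files.example.internal"},
]

# Stage 1: autorun entry that points at a script rather than a signed binary.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs)$", re.IGNORECASE)
# Stage 2: host firewall disabled from the command line (legacy and current netsh syntax).
FW_OFF = re.compile(r"netsh\s+(advfirewall|firewall)\s+set\s+.*\b(state\s+off|opmode\s+disable)",
                    re.IGNORECASE)
# Stage 3: ftp.exe driven by a script file (-s:), i.e. a non-interactive upload.
FTP_SCRIPT = re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.IGNORECASE)


def classify(event):
    """Return the chain stage one event matches, or None if it matches nothing."""
    if event["type"] == "registry" and RUN_KEY.search(event["key"]) \
            and SCRIPT_EXT.search(event["value"]):
        return "run_key_script"
    if event["type"] == "process":
        if FW_OFF.search(event["cmdline"]):
            return "firewall_off"
        if FTP_SCRIPT.search(event["cmdline"]):
            return "ftp_scripted_upload"
    return None


def detect_chain(events, min_stages=2):
    """Group matched stages per host; report hosts that hit at least min_stages."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, hits in detect_chain(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

Requiring two or more stages per host keeps a lone scripted ftp session or a single firewall change from paging anyone, while the full sequence on one host stands out.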

"Why would you bother to buy or build a Trojan," which could be detected, Corrons says. The legitimate files fly under the radar.

Corrons and his team found some 865 unique files of stolen information in the FTP server, all of which were from the oil and gas maritime transportation sector.

Unmasking An Attacker

The researchers also have been able to identify one of the likely attackers involved. But in the end, that may not matter: none of the victims will report the attack to law enforcement. Panda's theory is that's because they don't see it as a pure breach: none of the information and credentials stolen from the victims was actually used against them, but instead was used against other companies. They don't want to report that they were duped for fear of negative publicity, according to Panda. "They prefer to keep a low profile, change their credentials, and continue to operate just as if nothing had happened."

And if law enforcement has no official complaints filed, there's no investigation, Corrons notes. "The broker who lost the money was unofficially buying the oil … from the underground," he says.

"The guy [attacker] leaves free," he says.

Panda began tracking the attackers by following the FTP connection used to send the stolen credentials. That led them to a free FTP service where one of the attackers had registered an account. While his name and location information were fake, it appears the city was not -- the village of Ikeja in Nigeria, which is also known as "computer village" in the country due to its large concentration of technology vendors.

They also traced his gmail.com address, and they were able to decipher his name: "We took the 9 characters that made up the email address and started combining them to see if we could form an alias, a first name, a last name or similar. And we got it," Panda says in a report on the campaign.

The suspected attacker is a Nigerian national, and they found his Twitter, Facebook and LinkedIn accounts as well. He's a resident of Ikeja who owns a goods transport company. "Too many coincidences. So, even though all the evidence seems to indicate that this is the person responsible for the attack, there is no way for us to prove it. It would require the police to launch an investigation and obtain information about the FTP connections, etc., in order to get the IP address of the person who signed up to the service and find the culprit," Panda said.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
