Spear-phishing attacks are at the heart of many of the most serious, and expensive, data breaches we have seen in the maritime sector over the past year. What precautions can you take to help protect your ships and assets?
It’s fair to say that the year 2020 will go down in history. In the maritime industry, 2020 will also be remembered as the year when cyber incidents skyrocketed. As Government Tech put it: “The COVID-19 crisis brought a cyber pandemic.”
2021 has continued in the same vein; the number of cyberattacks on shipping has been increasing week on week. In particular, we have seen a marked escalation in spear-phishing.
What exactly is spear-phishing? What does a typical spear-phishing mail look like? And how do you protect against malware attacks like Emotet and Trickbot, which exploit human vulnerabilities and become trickier by the day?
Spear-phishing is a social engineering attack in which a perpetrator, posing as a trusted individual, persuades a specific target to open a link or attachment in a spoofed email. The goal is to get the recipient to take a desired action, typically one with a financial payoff: paying a fraudulent invoice, handing over credentials, or running the attacker’s malware.
Unlike phishing emails, which are mass-distributed to hundreds or thousands of recipients, spear-phishing is aimed at one specific individual or company. Attackers build credibility by pretending to know you, using personalised information gathered in advance.
Social engineering: The deliberate manipulation of people to gain unauthorised access to data, applications or systems. It typically involves tricking a person into divulging sensitive or confidential information, or providing access to IT or OT networks, and it usually takes place via a malicious hyperlink or attachment contained within an email. Common social engineering tactics involve subject lines that attempt to take advantage of emotions (urgent communications regarding a death or birth), responsibilities (reviewing and approving documents or contracts) and natural tendencies (e.g. generosity, pity).
Phishing: Sending emails to a large number of potential targets asking for particular pieces of sensitive or confidential information. Such an email may also request that a person visits a fake website using a hyperlink included in the email.
Spear-phishing: Like phishing, but the individuals are targeted with personal emails, often containing malicious software or links that automatically download malicious software.
Spear-phishing emails typically appear to come from a trusted source, usually a contact already in the recipient’s address book, which makes them harder to detect. A typical example: the Master on board receives a request for a payment that appears to come from the ship’s agent. The information behind these attacks is often gathered from social media, from public information on the Internet, and from previously compromised email accounts.
To make matters worse, spear-phishing emails are often copies of genuine messages sent in the past, e.g. from other shipping companies or maritime authorities, resent with a malicious attachment or link in place of the original. This increases the likelihood of the unsuspecting target clicking on it.
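Two of the characteristics just described, a sender that looks like a known contact and a message that is a copy of an earlier one, leave traces in the message headers that a mail gateway can check before a human ever sees the lure. The script below is an added example, not Dualog’s code; it runs a handful of header and attachment heuristics over two constructed messages (every name, domain and address in them is invented), one mimicking a payment request to the Master from the ship’s agent and one legitimate reply from the same agent.

```python
"""Header and attachment heuristics for spear-phishing triage.

Added example, not Dualog's code. The two messages below are constructed;
every name, domain and address in them is made up for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Attachment types commonly used by Emotet-era lures (macro documents,
# archives, scripts). An assumed list for this example, not a complete one.
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".js", ".vbs", ".exe")


def _addr_domain(header_value):
    """Lower-cased domain of the first address in a header value, '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def triage(raw):
    """Run the heuristics over one RFC 5322 message; return a list of findings.

    Findings are short tags in a fixed order. An empty list means nothing fired.
    """
    msg = message_from_string(raw)
    findings = []

    from_hdr = msg.get("From", "")
    from_name, _ = parseaddr(from_hdr)
    from_dom = _addr_domain(from_hdr)

    # 1. Display-name spoofing: the visible name carries an address whose
    #    domain differs from the real sender address. What the Master sees
    #    in a mail client is usually the name, not the address.
    m = re.search(r"@([A-Za-z0-9.-]+)", from_name)
    if m and m.group(1).lower() != from_dom:
        findings.append("display-name-spoof")

    # 2. Reply-To points at another domain, so replies (and money) go to
    #    the attacker rather than to the apparent sender.
    reply_dom = _addr_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")

    # 3. Envelope sender (Return-Path) does not match the From domain.
    rp_dom = _addr_domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append("return-path-mismatch")

    # 4. Replayed old thread: a "Re:" subject with no In-Reply-To/References,
    #    which is how a copied past message looks when it is sent afresh.
    subject = msg.get("Subject", "")
    if subject.lower().startswith("re:") and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append("fake-reply")

    # 5. Risky attachment types, judged by file name on every MIME part.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append("risky-attachment:" + name)

    return findings


# Constructed lure in the style described above: a payment request to the
# Master that appears to come from the ship's agent. The attachment body is
# a placeholder, not a real document.
SAMPLE_LURE = """\
Return-Path: <bounce@mail-relay.example>
From: "Port Agent agent@shipping-agent.example" <newsletter@marketing-hub.example>
Reply-To: agent.invoices@shipping-agent-portal.example
To: master@vessel.example
Subject: Re: Port disbursement account - please approve
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Captain, please review and approve the attached DA as discussed.

--sep
Content-Type: application/msword; name="DA_Approval.doc"
Content-Disposition: attachment; filename="DA_Approval.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAAAAA
--sep--
"""

# Constructed legitimate reply from the same agent, for comparison.
SAMPLE_BENIGN = """\
Return-Path: <agent@shipping-agent.example>
From: Port Agent <agent@shipping-agent.example>
To: master@vessel.example
Subject: Re: Berth confirmation
In-Reply-To: <20210301.1234@vessel.example>
Content-Type: text/plain

Berth confirmed for 0800 tomorrow.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw) or "clean")
```

Running the script prints the five findings for the lure and "clean" for the benign reply. Each heuristic on its own also fires on some legitimate mail (mailing lists, forwarding services and marketing platforms routinely produce Return-Path and Reply-To mismatches, and some clients drop threading headers), so in a gateway these tags are weighted together with SPF, DKIM and DMARC results and sender reputation rather than used as a block list on their own.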
What are some of the possible consequences if one of your onboard crew members takes the bait? They could reveal sensitive information, install malicious programs (malware) on the ship’s network, or execute the first stage of an advanced persistent threat (APT), in which an intruder establishes a long-term presence on a network in order to steal highly sensitive data.
The following Emotet example illustrates a spear-phishing attack’s progression and potential consequences:
As discussed in a previous blog article, firewalls are extremely limited in their capacity to stop phishing emails. To illustrate the point, here is a graph from the Dualog system showing which scanner was alone in catching a virus on each day over a period of x days in September 2020.
Viruses caught by a single scanner (viruses caught by multiple scanners are excluded from this graph). All viruses are Emotet.
Each scanner is represented with a colour. On the first day, the red-coloured scanner was the only one catching the virus, meaning it was the only scanner updated with the new signature. The next day, a different scanner (the green-coloured one) was the one able to detect the virus, and so on. Each time Emotet was detected, only one scanner could do it – none of the others.
This demonstrates that to stay protected, you need to have multiple virus scanners in place, and they need to be continually updated.
The targeted nature of spear-phishing emails makes them difficult to detect, and a firewall, which by design lets legitimate mail traffic through, offers no protection against them. Relying on one single endpoint protection measure will leave you highly vulnerable.
So what mitigation measures should you implement to safeguard your fleet from spear-phishing attacks such as Emotet and Trickbot?
You need to have multilayered protection. This is what optimal spear-phishing protection looks like:
A successful Emotet or Trickbot attack can expose sensitive information, interrupt your shipping operations and even damage your brand reputation. Downtime and recovery costs can be devastating.
Mitigation is possible, but you need more than endpoint protection. Traditional email filters use outdated methods to block threats, and most are ineffective in the fight against spear-phishing.
To secure your shipping company and vessels against spear-phishing, implement an enterprise-grade, maritime-optimised email security gateway.
Rune Larsen is Service Marketing Manager in Dualog, with responsibilities for user experience design, visual design and marketing of existing and new services. Educated in business strategy and marketing from the Arctic University of Norway, he has more than 25 years of experience from the creative industry, where he worked as a writer, consultant, designer and creative director in various advertising agencies and design studios. He's been orchestrating brand identity projects, design work and brand building campaigns for a wide range of organisations. He brings a passion for great design to the team, never compromising on the importance of the 'experience' part of UX. When not at the office, he enjoys hiking with his wife or is busy being a football coach for his youngest daughter. His fitness regime involves either running or cross-country skiing. Rune is an avid reader of business-related books, and he loves the occasional bottle of Barolo.