Published in cybersecurity, maritime email | 12 minutes reading time

What is spear-phishing, and how do you protect your fleet?

Stay up to date!

* By subscribing to the latest news from our blog, you consent to us storing your email address, and sending you monthly emails. You can, at any time, retract this consent.

Spear-phishing attacks are at the heart of many of the most serious, and expensive, data breaches we have seen in the maritime sector over the past year. What precautions can you take to help protect your ships and assets?

It’s fair to say that the year 2020 will go down in history. In the maritime industry, 2020 will also be remembered as the year when cyber incidents skyrocketed. As Government Tech puts it: The COVID-19 crisis brought a cyber pandemic

2021 has continued in the same vein; the number of cyberattacks on shipping has been increasing week on week. In particular, we have seen a marked escalation in spear-phishing. 

What exactly is spear-phishing? What does a typical spear-phishing mail look like? And how do you protect against malware attacks like Emotet and Trickbot, which exploit human vulnerabilities and become trickier by the day?

Spear-phishing vs. phishing

Spear-phishing is a social engineering attack in which a perpetrator, disguised as a trusted individual, tricks a target into clicking a link in a spoofed email. The purpose is to trick a recipient into completing a desired action – typically financial in nature. 

Unlike phishing emails, which are sent to hundreds, sometimes thousands, of recipients (mass distribution), spear-phishing is highly targeted and targets a specific individual or a company. Attackers do this by pretending to know you, using personalised information.

 

Social engineering: The deliberate manipulation of people to gain unauthorised access to data, applications or systems. It typically involves tricking a person into divulging sensitive or confidential information, or providing access to IT or OT networks, and it usually takes place via a malicious hyperlink or attachment contained within an email. Common social engineering tactics involve subject lines that attempt to take advantage of emotions (urgent communications regarding a death or birth), responsibilities (reviewing and approving documents or contracts) and natural tendencies (e.g. generosity, pity).


Phishing: Sending emails to a large number of potential targets asking for particular pieces of sensitive or confidential information. Such an email may also request that a person visits a fake website using a hyperlink included in the email.


Spear-phishing: Like phishing, but the individuals are targeted with personal emails, often containing malicious software or links that automatically download malicious software.


Source: BIMCO

 

Easy to take the bait

Spear-phishing emails typically appear to be from a trusted source, usually a contact from the recipient’s address book. This makes them more challenging to detect. For example, a request to a Master on board, apparently from the ship’s agent, requesting money. Often, the information for these attacks has been gathered from social media, public information on the Internet, and from compromised email accounts.

To make matters worse, spear-phishng emails are often duplicates of messages sent in the past, e.g. from other shipping companies or maritime authorities. This increases the likelihood of the unsuspecting target clicking on malicious attachments or links.

Ramifications

What are some of the possible consequences if one of your onboard crew members take the bait? He would reveal sensitive information, install malicious programs (malware) on the ship’s network or execute the first stage of an advanced persistent threat (where an intruder establishes a long-term presence on a network in order to steal highly sensitive data).

 

Spear-phishing example

The following Emotet example illustrates a spear-phishing attack’s progression and potential consequences:

  1. A spoofed email is sent to the Master from someone claiming to be the fleet management of a company called Nautical Department. 
  2. The email alleges that the Cyprus ‘Department of Merchant Shipping’ is being renamed into ‘Deputy Ministry of Shipping’, and that the Cyprus contact point for receiving the SSAS security alerts has been amended. The email goes on to say that as a consequence of this renaming, all Ship Security and Alert systems on board all vessels have to be reprogrammed. 
  3. The email invites the Master to open an enclosed attachment containing a circulation.

 

phishing email example

 

  1. Once the Master clicks on the attachment, Emotet begins downloading to his computer. 
  2. Emotet will then harvest his emails to create new legitimate-looking phishing campaigns out of these. It will also start spreading internally by exploiting unpatched vulnerabilities found in the network. 

 

Virus scanners struggle to catch up

As discussed in a previous blog article, firewalls are extremely limited in their capacity to prevent phishing email attacks. To illustrate our point, here’s a graph from the Dualog system showing which scanners were alone in catching a virus over a period of x days in September 2020. 

 

Viruses caught by a single scanner

Viruses caught by a single scanner (viruses caught by multiple scanners are excluded from this graph). All viruses are Emotet.

 

Each scanner is represented with a colour. On the first day, the red-coloured scanner was the only one catching the virus, meaning it was the only scanner updated with the new signature. The next day, a different scanner (the green-coloured one) was the one able to detect the virus, and so on. Each time Emotet was detected, only one scanner could do it – none of the others. 

This demonstrates that to stay protected, you need to have multiple virus scanners in place, and they need to be continually updated.

 

How to mitigate against spear-phishing?

The targeted nature of spear-phishing emails makes them difficult to detect, and firewalls are easily bypassed. Relying on one single endpoint protection measure will leave you highly vulnerable.

So what mitigation measures should you implement to safeguard your fleet from spear-phishing attacks such as Emotet and Trickbot?

You need to have multilayered protection. This is what optimal spear-phishing protection looks like: 

  • First and foremost, train your crew to be very careful with macro-enabled documents, even if it is a Microsoft update, or you receive a message saying your licence needs to be updated. As a rule of thumb, never enable macros.

  • Be careful with links, even in old documents. They are changed, and might point to a malware site. 

  • Use a multilayered email gateway with multiple top-of-the-line virus scanners. An enterprise-grade maritime email defence system should have multiple scanners, and they need to be updated frequently – at least every half hour – to get the latest and greatest signature base. As seen in the example above, a virus such as Emotet will, in many cases, be caught by only one of the scanners. 

  • Use a maritime DNS filter that blocks access to C2 and malware sites. A maritime-optimised DNS blocker will stop for instance Anchor DNS (command-and-control). It might even stop the infection if you click on the link, or if you open the attachment and the macro is enabled to run. Read more: What are command-and-control (C2) callbacks?

  • Block all emails with macro-enabled documents. If you really need some of these documents to enter the vessel, you can whitelist those senders. Do not accept macros from anyone. 

  • Block all emails with password-protected archives from unknown senders. Emotet has been very successful with password protected archives. People think they are secure with such a document, but they are not. Only allow password-protected archives from whitelisted senders.

  • Utilise SPF/DKIM/DMARC to protect against your domain being forged in an email attack. To make sure you’re not being used in an attack, or if you see some fraudulent email claiming to be for instance Inmarsat, look at the DMARC record. Having SPF/DKIM/DMARC implemented will safeguard your own domain from being used in such attacks, and you will also see if someone else is faking a domain. 

  • Put your printers on either a USB cable or behind a separate DMZ zone in your firewall. Emotet will try to hide in your printers, so don’t have your printers on the network, or if you have it on the network, put it behind a separate DMZ zone in your firewall. Don’t put it on the same network as the business or crew network. Put it on a separate network behind your firewall, so it cannot do any harm if it gets infected. 

  • Use hard-to-guess passwords, preferably with two-factor authentication on as many services as possible. Emotet and Trickbot have employed brute force attacks, using a huge list of passwords in an attempt to spread across your internal network. 

  • Do not store passwords in the browser. It’s convenient but very unsafe. Almost any virus will read all those passwords, and they will have access to whatever you have access to. Use a separate password manager. 

  • Update all software and applications regularly. As we have seen, Trickbot and Emotet use worm-spreading technology, and they will exploit whichever vulnerable software system they find. So if you have an outdated server sitting there, or an outdated printer or IoT device, these will be infected. 

  • Use an online endpoint protection that updates its signatures frequently. That is really important with zero-day viruses. 

  • Disable administrative shares. This is the number one spreading technique used by Emotet.  

Read more: The current Emotet malware threat: How can you protect your fleet?

Summary: Implement DNS protection and email protection

A successful Emotet or Trickbot attack can expose sensitive information, interrupt your shipping operations and even damage your brand reputation. Downtime and recovery costs can be devastating.

Mitigation is possible, but you need more than endpoint protection. Traditional email filters use outdated methods to block threats, and most are ineffective in the fight against spear-phishing. 

To secure your shipping company and vessels against spear-phishing, implement an enterprise-grade, maritime-optimised email security gateway.

New call-to-action

What is spear-phishing, and how do you protect your fleet?
Written by Rune Larsen, Service Marketing Manager

Rune Larsen is Service Marketing Manager in Dualog, with responsibilities for user experience design, visual design and marketing of existing and new services. Educated in business strategy and marketing from the Arctic University of Norway, he has more than 25 years of experience from the creative industry, where he worked as a writer, consultant, designer and creative director in various advertising agencies and design studios. He's been orchestrating brand identity projects, design work and brand building campaigns for a wide range of organisations. He brings a passion for great design to the team, never compromising on the importance of the 'experience' part of UX. When not at the office, he enjoys hiking with his wife or is busy being a football coach for his youngest daughter. His fitness regime involves either running or cross-country skiing. Rune is an avid reader of business-related books, and he loves the occasional bottle of Barolo.

Related blog posts