Victims Ahoy! Gold Galleon Crew Sets Course for Shipping Execs

Researchers from the Secureworks Counter Threat Unit (CTU) have recently uncovered a threat group known as Gold Galleon, who have been targeting victims via Business Email Compromise (BEC).

BEC is a targeted phishing technique where criminals attempt to gain access to business email accounts, typically those of Financial Directors or finance/account executives, which enables them to intercept the emails and transactions between two companies. At an appropriate time, they then modify the financial details of transactions to direct funds to their own accounts. What makes the Gold Galleon crew unique amongst other BEC groups is that they appear to be focussing their attacks solely on global maritime shipping businesses and their customers.

CTU researchers have observed Gold Galleon targeting firms across the globe including in South Korea, Japan, Singapore, Norway, US, Egypt and Saudi Arabia. As described above, their attacks start with a spear phishing email containing a malicious attachment intended to compromise the victim. If the malware is successfully deployed, the group then monitor existing business transactions and, when the time comes for the exchange of payment details, they intervene and change the destination bank account on the invoice to one controlled by themselves.

To help mitigate the threat of BEC, companies are encouraged to raise awareness to help prevent employees from clicking on spear phishing emails. Staff involved in invoice payments should be particularly vigilant and should also confirm any suspicious payment instructions via a previously established non-email mode of communication (e.g by phone). We also recommend that users thoroughly check email addresses for accuracy or any subtle changes of single characters as the use of spoof accounts which have made minor changes to trusted email addresses is also a common technique. Whilst some of these measures do undoubtedly add more time to the payment and verification process, it does provide a greater level of assurance and may help prevent such attacks from occurring in the future.

Our Parent company PGI offer a Phishing Vulnerability Assessment. We will send a series of mock malicious e-mails to your staff to gauge their vulnerability to compromised links, followed by training for your staff.

For more information on the exclusive services Halcyon Super Yacht Security provide click here