Phishing emails impersonating Maersk, one of the largest container shipping companies, have targeted more than 18,000 people since the beginning of 2022. The sender address imitated the company's legitimate email address, and the links led to a phishing page designed to look like the login page of Maersk's shipping portal. The campaign peaked in March, endangering the supply chains of the millions of businesses that depend on the carrier.
WhoisXML API researchers combed through the Domain Name System (DNS) and other intelligence sources to see how Maersk and other shipping companies are being impersonated via look-alike domain names. Among our findings are:
We discovered 600+ domains and 500+ subdomains added between 1 March and 15 June 2022. While this sample may not be as large as the 13,000+ e-commerce domains we uncovered in an earlier study, it is still a cause for concern. After all, it could take only a few malicious domains to steal user credentials or convince key personnel to transfer funds to a supplier or CEO impersonator.
A sample of the additional artifacts obtained from our analysis is available for download from our website.
This study focused on 10 of the largest container shipping and logistics companies. They are listed in the table below, along with the search strings we used on Domains & Subdomains Discovery. The strings were chosen to remove as many false positives as possible.
| Company Name | Search Strings Used |
|---|---|
| Maersk | “maersk” |
| CMA-CGM | “cma + cgm” |
| COSCO | “cosco” |
| Hapag-Lloyd | “hapag + lloyd” |
| YangMing Marine Transport | “yangming” |
| Matson | “matson” |
| Unifeeder | “unifeeder” |
| Wanhai Lines | “wanhai” |
| Ocean Network Express (ONE) | “oneline” and “one-line,” excluding “phone,” “loneliness,” and “zone” |
| Arkas Container Transport | “arkasline” and “arkas” |
Only two domains could be publicly attributed to the legitimate shipping companies. These domains shared the same registrant email address as the official domain of one of the organizations in this study.
Several domains were either parked or returned 404 errors or default index pages. Others hosted content suggesting businesses unrelated to container shipping or logistics. These may belong to legitimate organizations whose names happen to resemble those of the shipping companies.
However, we found more than 40 properties that hosted suspicious login pages. Below are some examples of Maersk and CMA-CGM look-alike login pages.
Other login pages were hosted on Zendesk, while some pointed to Webmail and cPanel login pages hosted on Duck DNS and Sleck Express. A few examples are shown below.
While legitimate companies could have created these subdomains and hosted content, it is also possible for threat actors to be behind them.
As of 15 June 2022, seven cybersquatting properties have been reported as malicious by various malware engines. Five were newly registered domains (NRDs), while two were subdomains.
One of the malicious subdomains, accessoneline33[.]duckdns[.]org (which contains the ONE search string “oneline”), follows the same naming pattern as more than a dozen other Duck DNS subdomains bearing the strings “access,” “online,” and a series of numbers. Some of these subdomains hosted Webmail and cPanel login pages, including those provided as examples above.
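To make the table's search strings and the Duck DNS naming pattern concrete, here is a triage script added to this post; it is not WhoisXML API's Domains & Subdomains Discovery tooling. It applies the table's strings and exclusions to a constructed list of hostnames, refangs defanged indicators before matching, and flags names that fit the access/online/digits cluster under duckdns.org. Reading the “+” in “cma + cgm” as “both terms must appear” is an assumption, as is every hostname in the sample except accessoneline33[.]duckdns[.]org, which the post names.

```python
"""Triage of look-alike hostnames for the shipping brands in this post.

Example code added to this post; it is not WhoisXML API's Domains & Subdomains
Discovery tooling. The search strings come from the table above; the "+" in
"cma + cgm" is read here as "both terms must appear" (an assumption). Every
hostname in SAMPLE_NAMES is constructed for illustration except
accessoneline33[.]duckdns[.]org, which the post names.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SearchRule:
    company: str
    terms: tuple            # every term must occur in the hostname
    exclude: tuple = ()     # a hit containing any of these is discarded


# "arkasline" is already matched by "arkas", so one rule covers both strings.
ONE_EXCLUDE = ("phone", "loneliness", "zone")
RULES = (
    SearchRule("Maersk", ("maersk",)),
    SearchRule("CMA-CGM", ("cma", "cgm")),
    SearchRule("COSCO", ("cosco",)),
    SearchRule("Hapag-Lloyd", ("hapag", "lloyd")),
    SearchRule("YangMing Marine Transport", ("yangming",)),
    SearchRule("Matson", ("matson",)),
    SearchRule("Unifeeder", ("unifeeder",)),
    SearchRule("Wanhai Lines", ("wanhai",)),
    SearchRule("Ocean Network Express (ONE)", ("oneline",), ONE_EXCLUDE),
    SearchRule("Ocean Network Express (ONE)", ("one-line",), ONE_EXCLUDE),
    SearchRule("Arkas Container Transport", ("arkas",)),
)

# The Duck DNS cluster described in the post: "access", then "online" (the
# post's wording) or "oneline" (as in its own example), then a run of digits.
DUCKDNS_CLUSTER = re.compile(r"^access(?:online|oneline|one-line)\d+\.duckdns\.org$")


def refang(name: str) -> str:
    """Normalise a possibly defanged indicator (example[.]com) to a lowercase hostname."""
    return name.strip().lower().replace("[.]", ".").replace("(.)", ".")


def matched_rule(name: str):
    """Return the first SearchRule the hostname satisfies, or None.

    Exclusions are plain substrings, exactly as in the table, so they also
    drop true positives: any hostname under the .zone TLD is excluded.
    """
    host = refang(name)
    for rule in RULES:
        if all(t in host for t in rule.terms) and not any(x in host for x in rule.exclude):
            return rule
    return None


def triage(names):
    """Map each hostname that hits a brand rule or the Duck DNS cluster to
    (company or None, in_duckdns_cluster). Names hitting neither are dropped."""
    result = {}
    for raw in names:
        host = refang(raw)
        rule = matched_rule(host)
        in_cluster = DUCKDNS_CLUSTER.match(host) is not None
        if rule is None and not in_cluster:
            continue
        result[host] = (rule.company if rule else None, in_cluster)
    return result


# Constructed sample list (only the accessoneline33 entry appears in the post).
SAMPLE_NAMES = [
    "maersk-shipping-portal.com",
    "CMACGM-tracking.net",
    "hapaglloyd-login.com",
    "accessoneline33[.]duckdns[.]org",
    "accessonline12.duckdns.org",
    "phoneline.com",            # contains "oneline" but is excluded by "phone"
    "loneliness-blog.org",      # contains "oneline" but is excluded by "loneliness"
    "oneline-portal.zone",      # a true positive dropped by the "zone" exclusion
    "example.com",
]

if __name__ == "__main__":
    for host, (company, cluster) in triage(SAMPLE_NAMES).items():
        print(f"{host:35} {company or '-':30} duckdns_cluster={cluster}")
```

The exclusion terms show why the table needed them: “phone” and “loneliness” both contain the substring “oneline”. They also show the cost of substring exclusions, since a genuine look-alike under the .zone TLD is discarded along with the noise; anyone reusing these strings for monitoring should review what the exclusions drop, not only what the inclusions keep.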
Businesses rely heavily on their supply chains for day-to-day activities. A cyber attack on a shipping company carrying their products, accessories, or parts could cripple their operations, much like the disruption Toyota suffered early in 2022, when an attack on a supplier halted its production.
Monitoring cybersquatting domains and subdomains that could serve as vehicles for such attacks can help protect businesses.
If you wish to perform a similar investigation or research, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.