Phishing emails impersonating Maersk, one of the largest container shipping companies, targeted more than 18,000 people since the beginning of the year. The email address imitated the legitimate company’s email address but led to a phishing page designed to look like Maersk’s shipping portal login page. The campaign peaked in March, endangering the supply chain of millions of businesses worldwide.

WhoisXML API researchers combed through the Domain Name System (DNS) and other intelligence sources to see how Maersk and other shipping companies are being impersonated via look-alike domain names. Among our findings are:

• 1,100+ domains and subdomains added since 1 March 2022 containing the names of 10 of the largest shipping companies
• Only two of these properties could be publicly attributed to legitimate shipping companies
• 980+ cybersquatting resources resolved to 1,000+ unique IP addresses
• Dozens of domains hosted suspicious login pages that mimicked legitimate sites

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Analysis of Shipping-Related Properties

Who Owns the Cyber Resources?

We discovered 600+ domains and 500+ subdomains added between 1 March and 15 June 2022. While this sample may not be as large as the 13,000+ e-commerce domains we uncovered, they are still a cause for concern. After all, it could only take a few malicious domains to steal user credentials or convince key personnel to transfer funds to a supplier or CEO impersonator.

This study focused on 10 of the largest container shipping and logistics companies. They are listed in the table below, along with the search strings we used on Domains & Subdomains Discovery. The strings were chosen to remove as many false positives as possible.

Only two domains could be publicly attributed to the legitimate shipping companies. These domains shared the same registrant email address as the official domain of one of the organizations in this study.

What Content Do the Resolving Properties Host?

Several domains were either parked or hosted 404 or index pages. Others hosted content that suggests businesses unrelated to container shipping or logistics. These may belong to legitimate organizations bearing similar names as the shipping companies.

However, we found more than 40 properties that hosted suspicious login pages. Below are some examples of Maersk and CMA-CGM look-alike login pages.

Other login pages were hosted on Zendesk, while some pointed to Webmail and cPanel login pages hosted on Duck DNS and Sleck Express. A few examples are shown below.

While legitimate companies could have created these subdomains and hosted content, it is also possible for threat actors to be behind them.

Have Any of the Resources Been Used Maliciously?

As of 15 June 2022, seven cybersquatting properties have been reported as malicious by various malware engines. Five were newly registered domains (NRDs), while two were subdomains.

One of the malicious subdomains—accessoneline33[.]duckdns[.]org—is similar to more than a dozen Duck DNS subdomains bearing the strings “access,” “online,” and a series of numbers. Some of these subdomains hosted Webmail and cPanel login pages, including those provided as examples above.

Businesses heavily rely on their supply chains for day-to-day activities. A cyber attack on a shipping company carrying products or accessories and parts could cripple their operations, similar to the supply chain attack Toyota suffered early this year.

Monitoring cybersquatting domains and subdomains that could serve as vehicles for such attacks can help protect businesses.

If you wish to perform a similar investigation or research, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.