Hackers to use tools to breach freighters, steal shipments

The network that moves goods to us is vast. Most people order things like food, beverages, snacks and the like and have no idea how it gets to their door.

Some may have apps like Parcel App delivery tracking or Parcel Tracker, which offer web and email interfaces for incoming shipments so you can track them through an app or website.

Your favorite delivery service, like UPS in the United States, may have its own app where you can monitor inbound and outbound shipments through its network.

The other two linked herein I’ve used and demoed on the podcast, and they’re both good for what they are. Both may have subscription or low cost options and both are accessible.

This is one way to keep track of your shipments.

But this article and the stealing of freight go well beyond your typical shipping company, as shippers probably use other partners like airlines and trucking companies to move the goods across the country, if not the world.

The opening set of paragraphs states some very interesting info, including what RMM stands for, the number of emails that are sent at any given time, and maybe other things that could be of value.

Threat actors are targeting freight brokers and trucking carriers with malicious links and emails to deploy remote monitoring and management tools (RMMs) that enable them to hijack cargo and steal physical goods.

Researchers tracked the activity to June, but they found evidence of these types of campaigns delivering NetSupport and ScreenConnect since January.

According to email security firm Proofpoint, these attacks are becoming more popular, with nearly two dozen campaigns recorded since August, each of them sending up to a thousand messages.

What interested me the most was the fact that at least 1,000 emails were being sent at any given time. This is absolutely crazy. What isn’t talked about in the article is whether they use other domains to lure people in, although it does state that social engineering is part of the MO.

While North American entities are targeted, one paragraph says that it isn’t just coming from that part of the world.

The targets are primarily North American entities; however, Proofpoint has also observed similar activity in Brazil, Mexico, India, Germany, Chile, and South Africa.

As discussed, the whole goal here is to intercept the shipments while in transit. This is what is discussed next. The paragraph states:

Cargo theft involves stealing commercial shipments by hijacking trucks or trailers in transit, by re-routing them, or by impersonating legitimate carriers. The goods are then redirected to fraudulent pickup points.

How the actor or actors are doing this is discussed within the article, and it seems like something I’d recognize from the beginning.

One thing they do is either get you to install a remote monitoring and management tool, or take advantage of one you already have installed. Then, as we learn from the article, the actors use their own devices to communicate directly with people who think they are talking to the dispatch center.

Did you know that losses may be estimated in the billions?

The National Insurance Crime Bureau (NICB) estimates cargo theft losses in the U.S. at $35 billion annually.

How could these companies not know they have been pilfered, especially if they don’t use these tools to begin with? I could see it if they used these tools, but if not, social engineering is the telltale sign, and at least I’d know not to install things I know I’m not using in my environment.

What we also need is an example of how the company is contacted, what might be said to get these tools installed, and then what is used for communication between the attackers and dispatch so they could impersonate that center.

As discussed, the attacker(s) are trying to get at various things.

The attackers’ primary goal is to install RMMs like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve on the target companies’ systems, which give them full remote control, reconnaissance, and credential harvesting capabilities.

How they do this is probably straightforward, yet not much is said about how, i.e., email, SMS or other methods.

All the article says is the following:

To achieve this goal, they use compromised accounts for load boards to post fraudulent freight listings, or breach broker and dispatcher email accounts, and then hijack email threads to lead victims to a malicious URL.

Email response sent to victims hooked by the lure

Picture Smart says:

The image is a screenshot of an email from Marathon Transport Inc. with the subject “Posted Load Details.” The email provides shipment details including pickup and drop-off times (8:00 AM to 6:00 PM), weight of 20,000 lbs, commodity as dry merchandise (palletized), and instructions for a tarp if flatbed or stepdeck is used. The sender, Patrick Flores from the Operations Department, also includes a link for the online setup packet and contact information at 1310 Northwest 197th Street, Miami, Florida.

This could be one example of such an email. Maybe your candy, my cookies, or your delivery of alcohol or other drinks won’t be targeted, but then again, they could be if they are part of a larger delivery on its way to a distribution center to get sorted and sent on to you.

The article continues:

According to the researchers, the threat actor achieves their goal by sending emails directly to asset-based carriers, freight brokerage firms, and integrated supply-chain providers, but this occurred mostly for larger entities.

Direct email sent to larger firms

Picture Smart says:

The image shows an email titled “Requested Signed Paperwork” sent from “Re-Admin Eder” to the same address. The email body apologizes for a delay and mentions an attached signed Bill of Lading (BOL) for reference. Below the message is a large blue icon indicating a PDF attachment named “ilove-pdf.net.” The email interface includes options like Reply, Reply All, Forward, Archive, Junk, Delete, and More, with a timestamp of 13:11.

Here’s where the social engineering part comes in.

At this stage, social engineering plays a key role, where the attackers tailor their messages for urgent load negotiations and exploit trust in load packets, showing knowledge of how the freight industry operates.

The external pages are well crafted and appear legitimate by placing convincing carrier branding, and lead to downloading executables or installer MSI files that install an RMM tool.

By means of these tools, which are legitimate software, the attacker can control the compromised machine and can modify bookings, block dispatcher notifications, add their own devices to dispatcher phone extensions, and book loads under the compromised carrier’s identity.

“These RMMs are often used in tandem; for example, PDQ Connect has been observed downloading and installing both ScreenConnect and SimpleHelp,” Proofpoint explains.

“Once initial access is established, the threat actor conducts system and network reconnaissance and deploys credential harvesting tools such as WebBrowserPassView,” the researchers say.

Reconnaissance and credential harvesting indicate a wider attack purpose that includes pivoting deeper in the compromised environments.
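As an added illustration (not code from the article or from Proofpoint), here is a small Python triage that applies the author’s point that a tool you never deployed should never be running, and that also flags one RMM installing another, the PDQ Connect to ScreenConnect/SimpleHelp chaining quoted above. The event fields, product-name matching and approved-tool list are assumptions; the events themselves are constructed.

```python
"""Triage installer events for the RMM abuse pattern the article describes.

Added example, not code from the article or from Proofpoint. Event fields,
product-name matching and the approved list are assumptions for illustration.
"""
from dataclasses import dataclass

# RMM products named in the article; matched case-insensitively on product name.
KNOWN_RMM = ("ScreenConnect", "SimpleHelp", "PDQ Connect", "Fleetdeck",
             "N-able", "LogMeIn Resolve", "NetSupport")
# Credential-harvesting utility named in the article.
CRED_TOOLS = ("WebBrowserPassView",)
# Assumption: the only RMM this hypothetical carrier's helpdesk actually uses.
APPROVED_RMM = {"N-able"}


@dataclass
class InstallEvent:
    host: str
    product: str       # product name as recorded by the installer / inventory
    installed_by: str  # process or product that launched the install


def rmm_name(text):
    """Return the known RMM product mentioned in text, or None."""
    lowered = text.lower()
    return next((n for n in KNOWN_RMM if n.lower() in lowered), None)


def triage(events, approved_rmm):
    """Return (host, finding, detail) tuples for suspicious install events."""
    findings = []
    for ev in events:
        rmm, parent = rmm_name(ev.product), rmm_name(ev.installed_by)
        if rmm and rmm not in approved_rmm:
            findings.append((ev.host, "unapproved_rmm", rmm))
        if rmm and parent:  # one RMM pulling down another, as the article notes
            findings.append((ev.host, "rmm_chained_install", f"{parent}->{rmm}"))
        if any(t.lower() in ev.product.lower() for t in CRED_TOOLS):
            findings.append((ev.host, "credential_harvesting_tool", ev.product))
    return findings


# Constructed sample: one dispatcher workstation hit by the chain, one clean host.
SAMPLE_EVENTS = [
    InstallEvent("DISPATCH-01", "N-able Agent", "SYSTEM"),
    InstallEvent("DISPATCH-01", "PDQ Connect Agent", "msiexec.exe load-packet.msi"),
    InstallEvent("DISPATCH-01", "ScreenConnect Client", "PDQ Connect Agent"),
    InstallEvent("DISPATCH-01", "SimpleHelp Remote Access", "PDQ Connect Agent"),
    InstallEvent("DISPATCH-01", "WebBrowserPassView", "ScreenConnect Client"),
    InstallEvent("DISPATCH-02", "Microsoft Edge", "SYSTEM"),
]

if __name__ == "__main__":
    for host, finding, detail in triage(SAMPLE_EVENTS, APPROVED_RMM):
        print(f"{host}: {finding} ({detail})")
```

Running it on the sample lists the two unapproved agents, the two chained installs and the password-recovery tool, while the approved N-able agent and the clean host produce nothing.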

Overview of the attack

Picture Smart says:

The image is a flowchart illustrating a cyberattack on a cargo shipping system. It starts with a threat actor compromising a broker load board account. Then, the threat actor posts a fake load. Malicious replies with links are sent to responding carriers. These links lead to Remote Monitoring and Management (RMM) tools that hijack carrier accounts. The compromised carrier accounts are used to bid on real loads, ultimately attempting cargo theft by exploiting the real shipping process.

There’s a lot more, including the fact that these tools are legitimate tools. I could pick apart the entire article, but this should be enough to give you an idea of what is happening here.

To read the entire thing, see Hackers use RMM tools to breach freighters and steal cargo shipments, and pass this along to your people who may be in this industry. They need to know what’s happening.


Discover more from The Technology blog and podcast
