What looked to be an ordinary malware attack on a computer at an oil-trading firm turns out to have been part of a targeted attack on the industry at large, according to a report from Panda Security. It began, as it so often does, with someone on their work computer opening an email attachment they shouldn’t have. This attachment, instead of dropping one of the many trojans, worms or viruses already watched for by antivirus programs, merely unpacked a handful of legitimate scripts and tools that Windows itself relies on, so signature-based antivirus had nothing to match. These scripts harvest credentials from various places on the computer, send what they find home over a plain File Transfer Protocol connection, then rename themselves to stay ahead of any investigation. And that FTP server was full of data from other oil companies that had been targeted.
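The chain described above (an Office document spawning a built-in script host, which then pushes data out over unencrypted FTP) is something a defender can look for in endpoint telemetry even when no file is flagged as malicious. The script below is an added example, not code from the article or from Panda Security's report: it runs a toy detection rule over a few constructed process-creation and network-connection events. The log format, field names and IP address are assumptions made for the illustration, not any vendor's schema or an indicator from the real incident.

```python
"""Added example: flag a script host that talks to an FTP server (port 21)
while it has an Office application somewhere in its parent-process chain.
The events below are constructed for illustration; the line format
'<ts> <type> pid=<n> ppid=<n> image=<path> [dst=<ip>:<port>]' is assumed."""
import re

# Constructed sample telemetry. The first chain is the suspicious one:
# WINWORD.EXE -> cmd.exe -> wscript.exe -> outbound FTP. The explorer.exe
# connection at the end is a benign control case (no script host, no Office parent).
SAMPLE_LOG = r"""
10:01:02 ProcessCreate pid=4100 ppid=900 image=C:\Program Files\Microsoft Office\WINWORD.EXE
10:01:09 ProcessCreate pid=4200 ppid=4100 image=C:\Windows\System32\cmd.exe
10:01:10 ProcessCreate pid=4210 ppid=4200 image=C:\Windows\System32\wscript.exe
10:01:15 NetworkConnect pid=4210 ppid=4200 image=C:\Windows\System32\wscript.exe dst=203.0.113.7:21
10:02:00 ProcessCreate pid=5000 ppid=900 image=C:\Windows\explorer.exe
10:02:05 NetworkConnect pid=5000 ppid=900 image=C:\Windows\explorer.exe dst=203.0.113.7:21
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
FTP_PORT = 21

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<type>\w+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"image=(?P<image>.+?)(?: dst=(?P<dst>[\d.]+):(?P<port>\d+))?$"
)


def parse(log):
    """Turn the assumed text format into a list of event dicts (bad lines skipped)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        ev["ppid"] = int(ev["ppid"])
        ev["port"] = int(ev["port"]) if ev["port"] else None
        ev["name"] = ev["image"].rsplit("\\", 1)[-1].lower()  # image basename
        events.append(ev)
    return events


def ancestors(pid, parent, name, limit=8):
    """Walk up the parent chain from pid, returning image names (self first).
    The limit guards against pid reuse or a self-parented entry looping forever."""
    chain = []
    while pid in name and len(chain) < limit:
        chain.append(name[pid])
        pid = parent[pid]
    return chain


def detect_ftp_exfil(log):
    """Return (timestamp, process, destination, ancestry) for each script host
    that opens an FTP connection while descended from an Office application."""
    parent, name, alerts = {}, {}, []
    for ev in parse(log):
        # Every event type carries pid/ppid/image, so all of them extend the tree.
        parent[ev["pid"]] = ev["ppid"]
        name[ev["pid"]] = ev["name"]
        if ev["type"] != "NetworkConnect" or ev["port"] != FTP_PORT:
            continue
        if ev["name"] not in SCRIPT_HOSTS:
            continue  # a real FTP client or browser is not this pattern
        chain = ancestors(ev["pid"], parent, name)
        if any(n in OFFICE_APPS for n in chain):
            alerts.append((ev["ts"], ev["name"], ev["dst"], " <- ".join(chain)))
    return alerts


if __name__ == "__main__":
    for ts, proc, dst, chain in detect_ftp_exfil(SAMPLE_LOG):
        print(f"{ts} ALERT {proc} -> {dst}:{FTP_PORT} via {chain}")
```

The rule deliberately keys on the combination (Office ancestor, script host, cleartext FTP) rather than on any one element, because each element alone is common on a business desktop; the explorer.exe connection in the sample shows the benign case passing through silently. In a real deployment the same logic would run over Sysmon event IDs 1 and 3 or an EDR's process and network streams, and the destination list would be cross-checked against known-good transfer endpoints.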
A diagram from Panda Security illustrating how they tracked down the perpetrator of the hack through credentials used for a free service and a scrambled email address.
Panda Security found an associated account registered by someone in Ikeja — a suburb of Lagos, the most populous city in Nigeria. And Nigeria, of course, is practically synonymous with email fraud, usually someone claiming to need your money to access millions from corrupt banks or free a royal family member. Panda’s theory is that these oil industry credentials would be used in a version of that scam, offering oil for sale at enticing prices and using legitimate-looking contacts and documents. But we’ll never know for sure — the companies targeted have opted not to report the attack, perhaps wary of looking vulnerable to such simple (but clever) cyberattacks. “If our theory is correct, the information stolen from these companies has not been used against them, but to defraud other people, oil buyers,” the Panda Security report said. “It is for that reason that the companies which have had their credentials compromised prefer not to report the attack for fear of having their name in the spotlight.”
You can read the full story of the hack Panda has dubbed “The Phantom Menace” at the company’s website.
First published May 18 2015, 11:54 AM