Clearsky Security regularly monitors and tracks phishing and fraud campaigns by looking for impersonating domain names. Recently we detected multiple domains impersonating shipping and logistics companies being registered. We suspect that these companies have become the target of Business Email Compromise scams (aka BEC or “CEO fraud”)
Targeted organisations include Singaporean Executive Ship Management, VersaCold (Canada’s largest supply chain company), and Tollgroup (the/ leading provider of express road-freight within Australia) and more.
In the case of VersaCold, the malicious domain registered is versacoldl[.]com, impersonating versacold.com. In the case of Executive Ship Management, the malicious domain is executiveshlp[.]com which impersonates executiveship.com (l instead of i). And for Toll Group, tollgroup-as[.]com was registered instead of tollgroup.com.
This campaign targets companies in other industries as well, for example IKEA group, Amdocs, and Russian Standard (the biggest Russian Vodka brand).
The registrant name used in of all these domains is “Ian Stingly”, with email address ian.gold@millindrinks.com. By conducting Reverse Whois search using domaintools.com, we can see other impersonating domains registered with these details (shipping and logistics companies are marked in red):
This kind of malicious activity serves to create infrastructure for Business Email Compromise scams. These scams usually start with an email from the “CEO” to employees from a domain name similar to the real one. Between October 2013 and February 2016, the FBI received reports from 17,642 companies that lost $2.3 billion in BEC fraud.
Companies can mitigate this threat by :
- Monitoring for new domains that may impersonate the organization and block them as soon as possible.
- Increasing employee awareness, in various ways, including periodical training sessions and publishing advisories about the threat.