
Gold Galleon BEC Attacks


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

The group behind a widespread international business email compromise (BEC) campaign have been identified. The Gold Galleon group have been primarily targeting maritime industries in Europe and the USA but have also attacked organisations in the government, finance, health and engineering sectors.

Affected platforms

The following platforms are known to be affected:

Threat details

A BEC attack is an advanced form of spear phishing attack targeted at an organisation's finance department or executives. Targeted organisations are typically smaller and would be expected to conduct business overseas.

Gold Galleon collects a wide variety of open-source information on its targets, including operational hours and employee lists. The group also uses marketing tools to extract email addresses from organisations' websites and to build recipient lists. Once sufficient information has been collated, highly specific emails are constructed and sent to an individual or department. These emails carry a malicious attachment that delivers one or more tools, including Agent Tesla, Pony and HawkEye. Gold Galleon uses these tools to monitor email traffic about financial transactions, then intercepts those messages and alters the invoice and banking details so that the money is paid into accounts controlled by the group.


Remediation steps

  • Implement two factor authentication to limit the ability of attackers to use stolen credentials.
  • Corporate email control panels should be monitored for suspicious redirect rules.
  • Auto-forwarding emails should be blocked from going outside an organisation.
  • Ensure users have sufficient training and are aware of the techniques and risks of BEC attacks.
  • Implement robust policies around invoicing and the transfer of funds, especially for international transfers.
  • Digital signatures should be used to ensure non-repudiation and verification of a message's originator.
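The two mailbox-rule steps above (monitoring control panels for suspicious redirect rules and blocking outbound auto-forwarding) can be checked against an export of inbox rules. The script below is an added example, not NHS Digital's or the alert's own tooling: it assumes a simplified rule schema modelled on Exchange inbox-rule properties (ForwardTo/RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords), a constructed internal domain, and constructed sample rules; adapt the field names to whatever your mail platform exports.

```python
from dataclasses import dataclass, field

# Constructed sample tenant domain(s); anything else is treated as external.
INTERNAL_DOMAINS = {"example-shipping.test"}
# Subject keywords that typically mark the invoice/payment traffic BEC actors watch.
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance"}
# Folders attackers use to park intercepted mail where the victim will not look.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive"}

@dataclass
class InboxRule:                 # assumed schema, loosely after Get-InboxRule output
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)     # ForwardTo / RedirectTo
    delete_message: bool = False                       # DeleteMessage
    move_to_folder: str = ""                           # MoveToFolder
    subject_words: list = field(default_factory=list)  # SubjectContainsWords

def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains

def audit_rule(rule: InboxRule) -> list:
    """Return the reasons a rule looks like BEC tradecraft (empty list = clean)."""
    reasons = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        reasons.append("forwards/redirects outside the organisation: " + ", ".join(external))
    if rule.delete_message or rule.move_to_folder.lower() in HIDE_FOLDERS:
        reasons.append("hides matching mail (delete / move to an unwatched folder)")
    hits = {w.lower() for w in rule.subject_words} & FINANCE_KEYWORDS
    if hits:
        reasons.append("matches finance keywords: " + ", ".join(sorted(hits)))
    return reasons

def audit_rules(rules) -> dict:
    """Map mailbox -> [(rule name, reasons)] for every rule that raises a reason."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings.setdefault(rule.mailbox, []).append((rule.name, reasons))
    return findings

# Constructed sample export: one benign rule and two that should be flagged.
SAMPLE_RULES = [
    InboxRule("ceo@example-shipping.test", "Newsletter filter", move_to_folder="Newsletters", subject_words=["newsletter"]),
    InboxRule("ap@example-shipping.test", ".", forward_to=["collector@mail-drop.example"], delete_message=True, subject_words=["invoice", "payment"]),
    InboxRule("ap@example-shipping.test", "Claims", move_to_folder="RSS Feeds", subject_words=["wire"]),
]
```

Run `audit_rules(SAMPLE_RULES)` against a real export on a schedule; any mailbox that appears in the findings is a candidate for the credential and mailbox checks in the steps above.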

Last edited: 17 February 2020 12:43 pm