
Protecting oil and gas industry from email threats: part two

Published by , Editorial Assistant
Oilfield Technology,



The Phantom Menace: fraud

Targeted attacks impacting oil and gas organisations usually focus on the big-ticket transactions inherent to the industry, and seek to capitalise on their efforts by deluding the victims into sending them large deposits for oil orders. Panda Security, a leading computer software company in Spain, investigated a targeted attack that used a fake .pdf containing compressed files, encryption instructions, and files designed to affect the registry of the device each time the system restarted (Operation Oil Tanker, 2015). The file, later referred to as the Phantom Menace, was a self-extracting executable file capable of bypassing the latest malware behaviour filters and leaking sensitive personnel information and corporate resources in a text file back to the original sender. This attack was very troubling because of its ability to remove traces of its actions from the registry, allowing it to do the damage and leave little to no clues. With the sensitive information and resources in hand, hackers were easily able to pose as legitimate oil producers who were offering extremely competitive oil prices, prices that seemed especially attractive given Saudi Arabia’s dominance of the market at that time. The Phantom Menace hackers used the order forms and business insights to craft an illusion that they were, in fact, a legitimate oil producer. The oil brokers were then prompted to pay an 'advance fee' in order to finalise their crude and refined orders. However, once the advance fee or deposit was sent, neither their oil nor their contact at the oil producer could ever be found.

Even if oil brokers, producers, and distributors use antivirus, anti-malware, and the necessary endpoint protections, they are still vulnerable to socially engineered attacks via email. The human component of receiving and opening a seemingly harmless email can leave an entire organisation’s resources and strategies open to prying eyes. Those at Panda Security said that for those in the oil and gas industry:

The most concerning fact to the antivirus research community and those at Panda Security was not only that the Phantom Menace was able to avoid detection, but also that it was able to extract all the information it needed without utilising any malware. The only point of prevention hinged on the ability of the user to somehow know that the senders were impostors. However, there are few security solutions available to comprehensively protect against a socially engineered attack like the Phantom Menace.

Email protection solutions

Phishing attacks against oil and gas can have various motives, from committing espionage and fraud to causing critical infrastructure and supply chain disruptions. Though there may not be a single silver-bullet solution to secure an organisation’s network from all of these potential motives, protecting the organisation from targeted attacks is not impossible, and it doesn’t have to cost a fortune.

Investing in advanced security architecture now may save a corporation from targeted attacks in the future. As the risks associated with not investing in one can lead to losses in revenue, market share, and reputation, the costs of recovery far outweigh the initial investment in preventative measures.

In order to combat the growing challenges of protecting against orchestrated email scams, oil and gas professionals should look for email security systems that use advanced threat detection and prevention, and are equipped to detect spear phishing scams. Traditional email security products are typically not designed to detect and block spear phishing attacks, and most spam filtering products rely on prior detection and blacklists in order to flag an email as spam. Also, many spear phishing attacks make use of unknown threats or zero-day vulnerabilities that not all anti-malware engines will be able to detect. Organisations can improve their email threat protection by taking the following precautions:

Use multiple anti-malware engines:

Multi-scanning leverages the power of the different detection algorithms and heuristics of multiple engines, therefore increasing detection of both known and unknown threats, as well as protecting against attacks designed to circumvent particular antivirus engines. In addition, since anti-malware vendors address different threats at different times, using multiple scan engines will help detect new outbreaks much faster. It is important to distinguish between multi-scanning and simply using multiple antivirus engines. When using multi-scanning technology, performance is greatly enhanced and potential conflicts between different engines are avoided.

Sanitise email attachments:

Many spear phishing emails include malicious Word or PDF attachments, so as a precautionary measure it is highly recommended to sanitise incoming email attachments in order to remove any embedded threats that may go undetected by antivirus engines.

Set attachment limits:

By blocking potentially dangerous email attachment types such as .exe files and scripts, it is more difficult for malware to spread. It is also important to verify the actual file type from the attachment's content, not just its name, so that .exe files that are renamed as .txt files do not get through the company’s filters.
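As an added example (not code from the original article or from OPSWAT), the following attachment gate combines the two checks above: an extension blocklist, and a magic-byte check that catches an executable renamed to .txt and flags attachments whose content does not match their declared type. The signature table, blocklist and sample attachments are constructed for illustration and are not exhaustive.

```python
# Extension blocklist in the spirit of the article's advice (constructed, not exhaustive).
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "com", "js", "vbs", "ps1", "bat", "cmd"}

# Leading-byte signatures for common attachment types (constructed, not exhaustive).
SIGNATURES = [
    (b"MZ", "exe"),                                   # DOS/PE executable header
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),     # legacy .doc/.xls OLE2 container
    (b"PK\x03\x04", "zip"),                           # ZIP; also .docx/.xlsx containers
]

# Which sniffed content types are acceptable for a given declared extension.
EXPECTED_TYPES = {"pdf": {"pdf"}, "doc": {"ole"}, "xls": {"ole"},
                  "docx": {"zip"}, "xlsx": {"zip"}, "zip": {"zip"}, "txt": {"text"}}


def sniff_type(data: bytes) -> str:
    """Identify content by its leading bytes; fall back to a printable-ASCII check for text."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    sample = data[:512]
    if sample and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in sample):
        return "text"
    return "unknown"


def evaluate_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason) where verdict is 'block', 'quarantine' or 'allow'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is on the blocklist"
    if actual == "exe":
        # The renamed-.exe case from the text: the name says .txt, the header says PE.
        return "block", f"executable header found despite .{ext} extension"
    if ext in EXPECTED_TYPES and actual not in EXPECTED_TYPES[ext]:
        return "quarantine", f"declared .{ext} but content looks like {actual}"
    return "allow", f"content type {actual} is consistent with .{ext}"


if __name__ == "__main__":
    # Constructed sample attachments, not real files.
    samples = {
        "invoice.txt": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,  # renamed executable
        "order.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "notes.txt": b"Crude order 4500 bbl, delivery Q1\n",
    }
    for name, blob in samples.items():
        print(name, *evaluate_attachment(name, blob))
```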

Enforce an email content policy:

With user-based email content policies, such as keyword and attachment filtering, organisations can ensure that no confidential content or intellectual property is sent out through email.

Implement an SFT server:

A secure file transfer server allows an organisation to easily send and receive large and confidential files ensuring trackable, instant, and secure delivery. By encrypting files and implementing user authentication, the interception of potentially valuable information can be prevented.

Utilise advanced threat detection and prevention:

Ultimately, organisations need to make sure their email security system is backed by powerful anti-malware engines, as the performance of the email security program will hinge on the engine’s ability to detect, prevent, sanitise, or quarantine the suspicious email or attachment.

Scan running processes on endpoints:

If email-borne threats have already entered your network, scanning running processes and DLLs on both in-network and remote endpoints helps to identify malware before it spreads.

By having these added layers of security incorporated into the organisation’s email security infrastructure, those in the oil and gas industry can better protect themselves from targeted email attacks, and not risk losing millions to fraud, or having to conduct costly image campaigns.


Adapted from an OPSWAT article by Louise Mulhall

Read the article online at: https://www.oilfieldtechnology.com/digital-oilfield/27112015/protecting-oil-and-gas-industry-from-email-threats-part-two/
