Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Hackers Are Targeting the Shipping Industry (bbc.com)

Posted by msmash on from the need-upgrade dept.

An anonymous reader shares a report: When staff at CyberKeel investigated email activity at a medium-sized shipping firm, they made a shocking discovery. "Someone had hacked into the systems of the company and planted a small virus," explains co-founder Lars Jensen. "They would then monitor all emails to and from people in the finance department." Whenever one of the firm's fuel suppliers would send an email asking for payment, the virus simply changed the text of the message before it was read, adding a different bank account number. "Several million dollars," says Mr Jensen, were transferred to the hackers before the company cottoned on. After the NotPetya cyber-attack in June, major firms including shipping giant Maersk were badly affected. In fact, Maersk revealed this week that the incident could cost it as much as $300 million in profits. But Mr Jensen has long believed that that the shipping industry needs to protect itself better against hackers -- the fraud case dealt with by CyberKeel was just another example. The firm was launched more than three years ago after Mr Jensen teamed up with business partner Morten Schenk, a former lieutenant in the Danish military who Jensen describes as "one of those guys who could hack almost anything." They wanted to offer penetration testing -- investigative tests of security -- to shipping companies. The initial response they got, however, was far from rosy.

1 of 48 comments (clear)

  1. Never trust email 100% by ErichTheRed · · Score: 4, Informative

    Large companies often have this problem. At the end of all the financial safeguards, double and triple checks, and hidebound processes for moving money around, the actual way it's done is very dependent on a human recognizing a message is from a trusted source. Billion-dollar companies have a bunch of payroll people literally emailing or EDI-ing unencrypted Excel files to their payroll processor showing who to pay what amount, and the only security on that process is that "I'm the payroll clerk, so I know what's going on." Same goes for invoices -- if something looks legit, and it looks like it came from a vendor, it gets paid.

    If a company wants to keep these manual processes in place, they need to ensure the channels these messages run over are totally secure. At least train people to pick up a phone and call if they see something out of the ordinary.