The Coast Guard Cyber Command Intelligence Department alerted maritime stakeholders last week that typosquatting campaigns operated by cyber criminals continue to target the Marine Transportation System.
Typosquatting targets people who, as the name indicates, make a mistake when typing a URL into a web browser. Users may then be directed to a malicious website that incorporates the common misspelling into its URL yet presents itself as a legitimate website. Once at the fake website, the user may be fooled into revealing sensitive information.
Maritime Cyber Alert 01-22, issued by U.S. Coast Guard Cyber Command in March, reported “a recent uptick in malicious actors using spoofed business websites to target the Marine Transportation System (MTS).”
“Multiple MTS partners have discovered well-constructed, fake websites masquerading as their legitimate business websites. These sites are created presumably to steal information from or install malware on customers’ devices interacting with the sites,” the alert said. “These spoofed websites are not designed to impact the maritime organization directly but resemble watering-hole style attacks where the intended targets are individuals and entities visiting the site. The spoofed websites are professional in appearance and quite sophisticated, some of which are presenting as .com domains. This level of detail can make it difficult to discern a real site from a fraudulent one.”
USCG said last Friday that the attacks are ongoing as “malicious cyber actors continue to spoof U.S. port facility domains using typosquatting techniques in attempts to re-direct users to malicious websites that have similar domain names.”
Misspellings of several U.S. port facility domains “have recently been registered, likely for malicious purposes,” USCG Cyber Command Intelligence Department reported, and “these events have been analyzed and investigated.”
One way to deter typosquatting is for a maritime organization to claim the common misspellings before malicious actors do.
“Organizations may intentionally register similar domains to their own to deter adversaries from creating typosquatting domains,” USCG said. “Other facets of this technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.”
USCG also recommended that maritime organizations consider using services such as WHOIS databases that can help track newly acquired domains. “In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary,” the alert noted. “Consider monitoring for domains created with a similar structure to your own, including under a different TLD.”
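One way to act on the monitoring advice above, as an added example that is not part of the alert or of any USCG tooling: compare a list of newly registered domains against your own and flag near-misspellings and same-name registrations under a different TLD. The feed, the function names, and every domain shown are constructed placeholders, and the script assumes the feed contains registrable domains with a single-label TLD.

```python
# Added example: flag newly registered domains that resemble your own.
# All domains below are constructed placeholders on reserved TLDs.

def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute, or swapping two
    adjacent characters each cost 1 (covers common typing mistakes)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]

def split_domain(domain: str):
    """Split 'name.tld' into (name, tld). Assumes a single-label TLD."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def classify(candidate: str, own: str, max_dist: int = 1):
    """Return why candidate resembles own, or None if it does not."""
    c_name, c_tld = split_domain(candidate)
    o_name, o_tld = split_domain(own)
    if (c_name, c_tld) == (o_name, o_tld):
        return None  # this is our own domain
    if c_name == o_name:
        return "same name, different TLD"
    dist = osa_distance(c_name, o_name)
    return f"misspelling (distance {dist})" if dist <= max_dist else None

def review_feed(feed, own):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {d: r for d in feed if (r := classify(d, own))}

OWN = "portofsample.example"   # constructed: the organization's real domain
FEED = ["portofsampel.example", "portofsample.test", "portofsmple.example",
        "unrelatedshipping.example", "portofsample.example"]  # constructed feed

if __name__ == "__main__":
    for domain, reason in review_feed(FEED, OWN).items():
        print(f"{domain}: {reason}")
```

Raising `max_dist` catches more variants at the cost of more false positives, so flagged names are candidates for review, not confirmed malicious registrations.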
USCG also recommended maritime entities be mindful of cyber hygiene, including avoiding clicks on links from third parties. “Treat all traffic transiting your network – especially third-party traffic – as untrusted until it is validated as being legitimate,” USCG said.
Cyber events can be reported to a local Coast Guard Captain of the Port or the Coast Guard Cyber Command 24×7 watch at 202-372-2904 or [email protected].
“Your willingness to comply and report in a timely manner helps the U.S. respond quickly and effectively and makes the maritime critical infrastructure more secure,” USCG said.