
A security firm has identified a new malware-free scam that an attacker is using to steal credentials from oil brokers and swindle customers based in Germany, Spain, and across Asia.

According to a report published by Panda Security, the attack campaign, which the firm has dubbed ‘Phantom Menace’, was first spotted by a security team located at a UK-based oil and gas transportation company.

The scam works by contacting a targeted oil broker and offering between 1 and 2 million barrels of BLCO (Bonny Light Crude Oil), with a payment of $50,000 to $100,000 demanded up front to close the deal.

“They have to show proof of the product, quantity and quality of the oil, and they ask for $50,000 to $100,000 in payment to close the agreement,” explains Luis Corrons, technical director of PandaLabs.

“[The broker] goes there, and there is nothing,” no oil or supplier, he says.

Each phishing email carries a PDF attachment that, when opened, displays nothing but runs an executable file in the background. That executable extracts itself, creates a folder, and sends six files containing the broker’s credentials to a remote server.

Armed with legitimate credentials, the scammer can then pose as the broker and make fraudulent oil offers to buyers.

“This is an innovative targeted attack” but not an APT (advanced persistent threat) or cyberespionage, says Corrons.

The attack campaign first attracted the attention of Panda Security when researchers found that none of the antivirus engines available to them detected it.

Further analysis revealed that Phantom Menace uses legitimate tools and applications and runs different scripts to perform the actions described above, thereby evading most AV software.
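Because the campaign leans on legitimate tools rather than a recognisable malicious binary, signature matching is the wrong place to look. The attachment described above, a "PDF" that shows nothing and runs an executable, can still be caught by checks on the file's name and bytes. The following triage script is an added example, not code from Panda Security or from the report; it assumes the attachment uses one of the usual mechanisms for this trick (an executable disguised with a .pdf.exe name or PDF icon, or a genuine PDF carrying an open-time action such as /OpenAction or /Launch), since the article does not say which. The sample files are constructed, not captured from the campaign.

```python
"""Triage an e-mail attachment that claims to be a PDF without relying on AV signatures.

Added example, not the vendor's code. Assumed mechanisms for "a PDF that runs
an executable": (a) an executable masquerading as a PDF, (b) a real PDF with
an action that fires on open. Samples below are constructed.
"""
from __future__ import annotations

import re

PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"
# DOS stub string present in almost every PE file; cheap sign of an embedded executable.
DOS_STUB = b"This program cannot be run in DOS mode"

# Extensions Windows will execute directly when the file is double-clicked.
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "ps1", "hta"}

# PDF name objects that can run code or launch a file when the document opens.
# The lookahead keeps "/JS" from matching inside a longer name such as "/JSFoo".
SUSPICIOUS_PDF_NAMES = re.compile(
    rb"/(Launch|OpenAction|AA|JavaScript|JS|EmbeddedFile)(?![A-Za-z0-9])"
)


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings for one attachment; an empty list means nothing looked wrong."""
    findings: list[str] = []
    exts = filename.lower().split(".")[1:]

    # 1. Name-based checks: "Proof.pdf.exe" shows a PDF-looking name but runs as a program.
    if len(exts) >= 2 and exts[-1] in EXEC_EXTENSIONS:
        findings.append(f"double extension, final extension is executable: .{exts[-1]}")
    claims_pdf = bool(exts) and exts[-1] == "pdf"

    # 2. Content-based checks: trust the bytes, not the name.
    if data.startswith(MZ_MAGIC):
        findings.append("content is a Windows executable (MZ header)")
    elif claims_pdf and not data.startswith(PDF_MAGIC):
        findings.append("named .pdf but does not start with %PDF-")

    # 3. For a genuine PDF, flag actions that fire on open or launch an external file.
    if data.startswith(PDF_MAGIC):
        for name in sorted({m.group(1).decode() for m in SUSPICIOUS_PDF_NAMES.finditer(data)}):
            findings.append(f"PDF contains /{name}")
        if DOS_STUB in data:
            findings.append("PDF carries an uncompressed PE executable (DOS stub string)")
    return findings


# Constructed samples (assumptions for illustration, not files from the campaign).
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
LAUNCH_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /Launch /F (proof_of_product.exe) >> endobj\n"
    b"%%EOF\n"
)
FAKE_PDF_EXE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\x00" * 16

SAMPLES = {
    "Proof_of_Product.pdf": BENIGN_PDF,
    "Proof_of_Product_BLCO.pdf": LAUNCH_PDF,
    "Proof_of_Product.pdf.exe": FAKE_PDF_EXE,
}


def run_samples() -> dict[str, list[str]]:
    """Triage every constructed sample and return the findings per file name."""
    return {name: triage_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {'SUSPICIOUS' if findings else 'clean'}")
        for finding in findings:
            print(f"    - {finding}")
```

The checks are deliberately structural: a double extension, an MZ header behind a .pdf name, or an /OpenAction that points at a /Launch action are properties of how the lure is built, so they hold even when every binary involved is a legitimate, unsigned-as-malicious tool. Compressed PDF streams can hide the name objects from the regex, so treat a clean result as "nothing obvious", not as proof of safety.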

Panda Security reasons that the campaign avoids custom malware either to frustrate signature-based detection or because the individual behind the scam lacked the skills to write malicious code of their own.

Allegedly, researchers at Panda Security were able to trace the identity of the attacker and have notified the Spanish Civil Guard of their whereabouts.