Campaign snapshot - September 24th, 2024
The profile of a cybercriminal differs from one group or individual to the next, with the list of motives varying from actor to actor. But one of the most common driving factors is financial gain, with cybercriminals constantly finding novel methods and tactics to exploit businesses for money.
While it may not be your typical headline-grabbing attack on a household name, freight and transportation organizations have been taking a sizable hit due to their prominent role in the global supply chain. Cloudforce One has been actively monitoring impersonation attempts in which a threat actor poses as a transport company and tricks victims into handing over the details of a shipment (the load), enabling the actor to intercept or disrupt the transaction. This is known as Double Brokering – a man-in-the-middle scheme in which a threat actor targets freight and transportation companies with fraudulent transactions.
These scams have been rising rapidly in the last few years, with one freight solution provider having seen a 400% increase in complaints since 2022. In another recent example, Cloudforce One tracked and blocked about 10 of these incidents per month for a Fortune 500 food and beverage company since the start of 2024.
With double brokering, the attacker first impersonates a freight broker — the intermediary that matches shippers who have goods to move with the carriers that haul them. The actor then inserts themselves as a middleman between the sending and receiving companies. This type of scam has become prevalent in part because so many transportation companies exist to move the goods we depend on, which gives the actor a plethora of names to impersonate. Additionally, many of these legitimate companies do not operate a website of their own. As a result, a threat actor can impersonate a brokering company simply by registering a domain in its name and conducting fraudulent transactions from it.
The scam often starts with a fraudulent email. An example double-brokering phishing message is shown in the image below. The actor, using an impersonated transportation company domain, inquires about a load that needs to be delivered. They include the motor carrier number of a legitimate transport company and request full information about the load.
If the target believes that the email is legitimate, they might then reply with the load information, including where it needs to be picked up, the destination, the quantity, and the weight. The actor then bids on the load by offering a discounted price that may entice the target to accept it. Once the offer is accepted, the actor contacts a legitimate cargo carrier and offers that load at a lower price. If they succeed, the actor pockets the difference.
These scams can result in more than just monetary loss. For example, if the threat actor gives the load to a cargo carrier with poor reliability or safety ratings, it might be delayed, damaged, or lost during shipment. That could result in reputational harm and additional financial losses, especially if the shipment is not properly insured. The actor might also accept payment from a shipper but then fail to pay a carrier.
It is vital for freight and transportation companies to do their due diligence when conducting these types of transactions. Since double brokering scams are often initiated through email, some of the same best practices used for avoiding phishing scams are applicable. For example, recipients should verify the legitimacy of the sender by analyzing the sending domain.
Threat actors often create a fraudulent domain by adding “LLC” or “INC” at the end of a legitimate company name. For example, xyzshipping[.]com is the legitimate domain, while xyzshippingllc[.]com is fraudulent.
Email security tools designed to block and isolate phishing threats can also significantly reduce the risk of these double brokering scams. The right tools can detect impersonated or compromised accounts using machine learning analysis. These same tools can simultaneously protect against other types of email threats, including phishing scams that attempt to steal credentials or implant malware.
With freight being a critical component of the global supply chain, double brokering scams will continue to flourish unless they are actively countered. Cloudflare has been mitigating double brokering scams since January 2024. We have been vigilantly observing these cases and taking action when needed to ensure the safety of our clients.
Cloudflare Email Security uses advanced machine learning and artificial intelligence (AI) technology to uncover new phishing and business email compromise (BEC) schemes, as well as new tactics used by actors to bypass legacy solutions in real time. Our detections leverage WHOIS data to determine the age of the domain and when it was created. Additionally, our Social Graph model matches the newly created domain with historically known vendors of our client to determine the likelihood of a potential lookalike domain. In combination, this allows Cloudflare to make near real-time determinations on the legitimacy of the emails.
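The two signals described above (a lookalike domain that appends "LLC" or "INC" to a known vendor's name, and a recently registered domain) can be combined into a simple scoring routine. The following is an added example written for this page, not Cloudflare's detection code: the vendor list, the registration dates, the token list beyond "llc"/"inc", and the thresholds are all constructed for illustration, and a real deployment would obtain the creation date from WHOIS rather than take it as a parameter. It also goes slightly beyond the page's example by catching other near-matches such as an inserted hyphen.

```python
"""Score a sender domain for double-brokering lookalike risk.

Added example, not Cloudflare's code. Known vendors, creation dates and
thresholds are constructed/assumed; a real system would pull creation
dates from WHOIS and vendor domains from the customer's mail history.
"""
from dataclasses import dataclass, field
from datetime import date
from difflib import SequenceMatcher

# Tokens fraudsters append to a real company name. "llc" and "inc" are the
# page's own examples; "corp", "ltd" and "co" are assumptions for illustration.
APPENDED_TOKENS = ("llc", "inc", "corp", "ltd", "co")

SIMILARITY_THRESHOLD = 0.85   # assumed; tune against real traffic
YOUNG_DOMAIN_DAYS = 90        # assumed; "recently registered" cutoff


def normalize_domain(domain: str) -> str:
    """Lowercase, trim, and undo the [.] defanging used in write-ups."""
    return domain.strip().lower().replace("[.]", ".")


def company_label(domain: str) -> str:
    """Second-level label ('xyzshipping' for xyzshipping.com).

    Assumes a single-label public suffix; co.uk-style suffixes would
    need a public-suffix list.
    """
    parts = normalize_domain(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def strip_appended_token(label: str):
    """'xyzshippingllc' -> ('xyzshipping', 'llc'); (label, None) if no token."""
    for token in APPENDED_TOKENS:
        if label.endswith(token) and len(label) > len(token):
            return label[: -len(token)], token
    return label, None


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


@dataclass
class Verdict:
    action: str                      # "allow", "review" or "block"
    reasons: list = field(default_factory=list)


def score_sender(sender_domain: str, known_vendors, created_on: str, today: str) -> Verdict:
    """Combine lookalike matching against known vendors with domain age.

    created_on / today are ISO dates ("2024-08-30"); created_on stands in
    for the WHOIS creation date the page says the detection uses.
    """
    sender = normalize_domain(sender_domain)
    vendors = {normalize_domain(v) for v in known_vendors}
    if sender in vendors:
        return Verdict("allow", ["sender is a known vendor domain"])

    reasons = []
    label = company_label(sender)
    base, token = strip_appended_token(label)
    lookalike = False
    for vendor in sorted(vendors):
        vlabel = company_label(vendor)
        if token and base == vlabel:
            reasons.append(f"'{token}' appended to known vendor {vendor}")
            lookalike = True
        elif similarity(label, vlabel) >= SIMILARITY_THRESHOLD:
            reasons.append(f"lookalike of known vendor {vendor}")
            lookalike = True

    age_days = (date.fromisoformat(today) - date.fromisoformat(created_on)).days
    young = age_days < YOUNG_DOMAIN_DAYS
    if young:
        reasons.append(f"domain registered {age_days} days ago")

    if lookalike and young:
        action = "block"
    elif lookalike or young:
        action = "review"
    else:
        action = "allow"
    return Verdict(action, reasons)


if __name__ == "__main__":
    # Constructed sample: the page's xyzshipping example plus a hyphen variant.
    known = ["xyzshipping.com", "acmefreight.com"]
    for sender, created in [("xyzshippingllc[.]com", "2024-08-30"),
                            ("xyz-shipping.com", "2024-09-01"),
                            ("unrelatedbroker.com", "2015-01-01")]:
        v = score_sender(sender, known, created, "2024-09-24")
        print(sender, v.action, v.reasons)
```

The "known vendor" set plays the role of the Social Graph described above: a new domain only becomes suspicious when it resembles a party the recipient has actually done business with, which is what keeps a generic string-similarity check from flagging every unfamiliar broker.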
Because Cloudflare observes these types of BEC consistently, the aggregated data feeds back into stronger prevention and detection methods. By further fine-tuning these methods through human analysis by our PhishGuard Team, we aim to make the Internet a better and safer place.
See more recent trends and recommendations for preventing successful phishing attacks in the 2023 Phishing Threats Report. To see Cloudflare Email Security in action, get a free phishing risk assessment.
About Cloudforce One
Cloudflare’s mission is to help build a better Internet. And a better Internet can only exist with forces of good that detect, disrupt and degrade threat actors who seek to erode trust and bend the Internet for personal or political gain. Enter Cloudforce One – Cloudflare’s dedicated team of world-renowned threat researchers, tasked with publishing threat intelligence to arm security teams with the necessary context to make fast, confident decisions. We identify and defend against attacks with unique insight that no one else has.
The foundation of our visibility is Cloudflare’s global network – one of the largest in the world – which encompasses about 20% of the Internet. Our services are adopted by millions of users across every corner of the Internet, giving us unparalleled visibility into global events – including the most interesting attacks on the Internet. This vantage point allows Cloudforce One to execute real-time reconnaissance, disrupt attacks from the point of launch, and turn intelligence into tactical success.