Storage Spoofing (part 4) - Practical tools for pro-active prevention
We have already published four articles in the FERM series on Storage Spoofing, which shed light on this form of cybercrime in order to raise awareness among entrepreneurs in the port area. The main objective of this series is pro-active prevention.
‘Storage spoofing’ is an umbrella term that we came up with to describe all varieties of the sale of non-existent storage capacities and stocks of resources and materials at terminals in Rotterdam’s port area. The ‘marks’ for this type of fraud are Dutch and foreign companies that either operate or are looking for storage facilities in the port area, as well as all potential buyers of the goods stored at these terminals. These goods are offered under false pretences, but turn out to be non-existent.
After a general introduction to this phenomenon (article 1), we discussed concrete examples with one of the entrepreneurs in the port (2) and pulled up a chair with the Public Prosecutor (3) to see it from the perspective of the judicial authorities. In this instalment, we will be talking with Michael Noorlander in his capacity as Information Security Manager at the international tank storage firm Vopak, as Noorlander has some experience with this issue.
You don’t have to remind Michael Noorlander of what a hot topic storage spoofing has become, or the serious threat posed by this type of fraud – particularly to international traders. In the periodic Port ISAC, a highly confidential cybersecurity platform for parties in the port area, Noorlander has more or less taken on the role of ambassador for this theme, after producing a tool that allows users to keep up to date on developments in this field. More about this tool later on.
“Just like dodgy mechanics are a big concern for sector organisations like BOVAG, the port area can also be affected by repeated storage spoofing incidents,” says Noorlander. And there are enough examples to choose from. From defrauded clients of our clients, who transfer EUR 10,000 to set a sale in motion – or some other ‘419-type scam’ – to cases where an existing company’s name and data are used to set up a fraudulent deal.
And the latter problem is more or less why we contacted Vopak for the latest article in this series. Over the past few years, Noorlander and his colleagues have seen quite a few documents come by in which criminals appropriated and abused the storage company’s name. Reviewing the archived materials, it becomes clear that the fraud can get quite extensive. We find entire correspondences between potential buyers and intermediaries who claim to be employees or business relations of Vopak. When asked, they confirm that the deal involves existing storage capacity or products. But after that it becomes next to impossible to contact them, or they simply vanish into thin air: ‘I am out of office, so I cannot assist you’ or ‘Due to my hectic schedule, I may not respond so fast’…
One of the forged documents bears the URL vopakterminal.com. Another includes the website address vopakterminaleuropoort.nl. Just like the companies referred to in a previous article of this series, Vopak was affected by a copy of its website. After filing a report, Vopak was able to get the fake website taken down.
While Noorlander is satisfied with the support offered by the office of the Public Prosecutor, he is less enthusiastic about our limited options to do something about these fake websites in practice. It makes sense that this is difficult in an international setting. But it should be possible to deal more effectively with Dutch domain names. “It’s very easy to register a domain name, but taking it offline is a very complicated matter. And when your name or identity is being misused, incident response actually does not extend beyond your national borders. Apparently, the police and other authorities have very few means to take on criminals operating sites from other countries. Which can be frustrating.”
“When it becomes clear that parties are misusing a company name, an organisation like SIDN (a top-level domain registrar) should be able to take action via a fast-track objection procedure. Right now, criminals still have weeks of time to abuse a fake website after the objection has been filed.”
There’s no need to fence off the internet. But stricter regulations for setting up domain names wouldn’t be a bad idea. While this can hardly be considered a restriction of our online freedom, it would create an opportunity for an extra check – to determine whether the party launching the domain name is the company in question. While hardly an iron-clad solution, it does raise the threshold for spoofing a website and makes the free internet a lot safer.
FERM urges affected parties to file a report – for reasons also set out in our previous article. Nevertheless, in a general cost-benefit analysis, we admit that there’s still room for improvement. The entire process of removing a website – with the faint hope that it doesn’t immediately pop up somewhere else – costs a lot of time and money.
Earlier on, we mentioned a tool that Noorlander has developed to act more quickly and effectively on new incidents of spoofing. “After encountering these fake sites, we decided to pro-actively check domain names against a series of relevant terms. There are the more obvious search terms like ‘Vopak’ and ‘Terminal’, but you can also include product names or groups like LNG and Chemical and terminal names like Botlek and Europoort. This little tool checks new international domain database registrations against different combinations based on our list of words.”
Noorlander shows us the results of such a ‘scan’. A simple search using the term ‘vopak’ yields a whole list of results, including the sites’ DNS details and country of origin. We come across everything from fopak.com and vipak.com to voapk.com and ovpak.com. “The latter two are registered in Romania, even though we aren’t active in that country – at which point you know something’s up.”
“Internally, we can take all sorts of measures in response – including blocking those addresses in our firewall and proxy, as well as all our email filters. What’s more, in practice, there tend to be months between the registration of a domain name and the launch of an actual website. This means that you can see them coming from miles away, so that you can take action in advance.”
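The kind of check described above, as an added sketch that is not Vopak's tool or code from the article: it flags newly registered domains that contain the brand together with the listed terms, or that sit one edit (substitution, insertion, deletion or swapped adjacent letters) away from the brand. The allowlist entry, the function names and the two `.example` entries in the sample feed are assumptions constructed for illustration; the other sample domains are the ones named in the article.

```python
import re

BRAND = "vopak"
# Product groups and terminal names the article suggests combining with the brand.
CONTEXT_TERMS = ["terminal", "lng", "chemical", "botlek", "europoort"]
ALLOWLIST = {"vopak.com"}  # assumption: the organisation's own domain(s)

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped letters
    return d[-1][-1]

def classify(domain):
    """Return a reason string if the domain looks like brand abuse, else None."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST:
        return None
    label = domain.split(".")[0]  # feed entries are assumed to be registrable domains
    if BRAND in label:
        terms = [t for t in CONTEXT_TERMS if t in label]
        return "brand+" + ",".join(terms) if terms else "brand"
    tokens = set(re.split(r"[^a-z]+", label)) | {label}
    if any(osa_distance(t, BRAND) == 1 for t in tokens):
        return "lookalike"
    return None

def scan(feed):
    """Return sorted (domain, reason) pairs for every flagged registration."""
    hits = [(d.lower(), classify(d)) for d in feed]
    return sorted(h for h in hits if h[1])

# Constructed sample feed of new registrations (last three should not be flagged).
SAMPLE_FEED = ["fopak.com", "vipak.com", "voapk.com", "ovpak.com",
               "vopakterminal.com", "vopakterminaleuropoort.nl",
               "kodak.example", "lng-shipping.example", "vopak.com"]

if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_FEED):
        print(f"{domain}\t{reason}")
```

The flagged domains are the list that would be fed to the firewall, proxy and email filters mentioned in the quote.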
“While this is a start, ultimately, all it does is protect Vopak itself. From a practical standpoint, it’s a good idea to share this tool with all the other FERM members, so that we can all benefit from it.”
In concrete terms, we could consider setting up a feed on the FERM website that shares information as it comes in. This would allow the connected companies to update their security with details that bar unreliable websites within a far wider network.
As a starting point, we drew up a blacklist of all known suspicious websites, as a complement to the Facts & Figures brochure published by the Port Authority. Users can refer to this brochure, which lists details on all existing companies and terminals in the port, to check whether a website is legitimate.
“Enough ideas to set to work on developing FERM into the platform for collaboration we intend it to become. A kick-off session for this tool project, during which we can share information and hold a broad discussion about our collaboration, could be a good starting point.”
Basically, the key issue is indeed sharing relevant information. There’s a huge difference between different companies in the port area – which range from leading multinationals to small local players. But smaller firms should also acknowledge that they are at risk. So we’d like to take this opportunity to issue a call: if you have come across elements of this form of cybercrime and have valuable information that hasn’t been reflected in this series, don’t hesitate to contact us. The solution lies in raising awareness within the chain, and setting up new initiatives for an effective response.
This leaves one key question unanswered: how can we reach international trading firms – the potential victims? They are the ones most affected by this fraud. While companies like Vopak do not suffer any direct financial losses due to the abuse of their name, they want to do their utmost to protect the clients of our clients. At the end of the day, these international businesses are the ones that need to know what’s going on. With the FERM initiative, we have taken a step in the right direction, and we will work to raise awareness beyond our own community.