Current Cyber Threats

Phishing Campaign Targets Freight and Logistics Orgs in the US, Europe

Summary:
The "Diesel Vortex" operation, active from late 2025 through February 2026, represents a highly industrialized approach to logistics-themed cybercrime. This Russian-speaking group utilized a Phishing-as-a-Service (PhaaS) architecture to deploy over 50 distinct phishing domains, resulting in the theft of 3,474 credential pairs from more than 1,600 unique victims. The group’s technical infrastructure was remarkably disciplined, employing advanced "cloaking" techniques to hide their phishing pages from security researchers and automated scanners. This included IP blacklisting of known security vendors, User-Agent filtering to block search engine crawlers, and the use of Cyrillic homoglyphs in email headers to bypass traditional spam filters. Beyond simple credential harvesting, the group specifically targeted financial instruments unique to the trucking industry, such as Electronic Funds Source (EFS) fuel cards, and even integrated a dedicated module for check fraud. Their operations were managed via a sophisticated Telegram-based console, where operators used a series of bots—such as "TesterAlarm" and "BlankAllert"—to interact with victims in real time, allowing them to solicit one-time passwords (OTPs) and bypass multi-factor authentication seamlessly.


Security Officer Comments:
The Diesel Vortex campaign highlights a significant maturation in the threat landscape targeting the freight and logistics sectors. The group's "GlobalProfit" internal blueprint reveals they were not merely hackers, but a structured criminal enterprise with a business model focused on "rate confirmation fraud" and cargo redirection. This poses a severe risk to our members because the threat actors demonstrate a deep understanding of the trust-based relationships between brokers, carriers, and shippers. By compromising platforms like DAT Truckstop and RMIS, these actors can impersonate legitimate carriers to "double-broker" loads, effectively disappearing with the cargo while the legitimate parties are left with the legal and financial fallout. Furthermore, their use of "live" phishing operators means that even employees who have received standard MFA training may be deceived by the high-pressure, real-time nature of the attack. For an industry that relies on rapid, high-volume transactions to keep supply chains moving, the friction introduced by such targeted fraud can result in significant operational delays and loss of brand reputation.


Suggested Corrections:
  • Implement Hardware-Based MFA: Transition from SMS and push-based notifications to FIDO2/WebAuthn-compliant security keys (like YubiKeys). Diesel Vortex uses "live" phishing to intercept one-time codes in real time; hardware keys are inherently resistant to this type of interception.
  • Deploy Homograph Detection: Configure email gateways to flag or block emails containing Cyrillic Unicode homoglyphs. This prevents the group’s "eMаnаgеr" and "TIMOCOM" spoofing tactics from reaching employee inboxes.
  • Enforce Out-of-Band (OOB) Verification: Establish a mandatory policy where any request to change payment instructions, fuel card (EFS) settings, or delivery locations must be verified via a pre-established, trusted phone number, never through email or chat links.
  • Aggressive Domain Monitoring: Use brand protection tools to monitor for typosquatted or lookalike domains. Diesel Vortex relies on these "squatted" domains to build trust with victims.
  • IP and User-Agent Filtering: While the attackers use cloaking, defenders can flip the script by monitoring for unusual User-Agent strings and traffic originating from known VPS providers frequently used by the group to host their "GlobalProfit" panels.
  • Session Management: Shorten the Session Time-to-Live (TTL) for critical logistics and brokerage portals. This reduces the window of opportunity for an attacker to use a captured session token before it expires.
  • Telegram Community Awareness: Educate drivers and dispatchers specifically about the risks of phishing links within industry Telegram groups. Diesel Vortex uses these communities as their primary "hunting grounds" for new victims.
  • DNS Filtering: Implement a protective DNS service to block resolutions to the known "lpanel" infrastructure and other domain clusters identified in the research.
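The homograph detection recommended above can be prototyped as a simple header check. The following is an added example, not code from the article or from any vendor product: it flags words in email headers that mix Latin and Cyrillic letters, and all-Cyrillic words that turn into a protected brand name (here "emanager" and "timocom", as named in the article) once look-alike letters are mapped back to Latin. The confusables table and the sample headers are constructed for the demonstration and are not exhaustive.

```python
import re
import unicodedata
from typing import Dict, List, Optional, Tuple

# Cyrillic letters that render like Latin letters (constructed table, not exhaustive).
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0406": "I", "\u0408": "J", "\u0405": "S",
}

# Brand names the article says were spoofed; extend with your own partners and platforms.
PROTECTED_BRANDS = {"emanager", "timocom"}

# Constructed sample headers: a mixed-script display name and domain, plus an all-Cyrillic brand.
SAMPLE_HEADERS = {
    "From": "eM\u0430n\u0430g\u0435r Support <support@em\u0430nager.example>",
    "Subject": "Rate confirmation - load 48213",
    "Reply-To": "ops@\u0422\u0406\u041c\u041e\u0421\u041e\u041c.example",
}

def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]

def skeleton(token: str) -> str:
    """Replace confusable Cyrillic letters with their Latin look-alikes, lowercased."""
    return "".join(CONFUSABLES.get(c, c) for c in token).lower()

def classify_token(token: str) -> Optional[str]:
    scripts = {script_of(c) for c in token if c.isalpha()}
    if {"LATIN", "CYRILLIC"} <= scripts:
        return "mixed-script"       # Latin and Cyrillic inside one word is never a legitimate name
    if scripts == {"CYRILLIC"} and skeleton(token) in PROTECTED_BRANDS:
        return "homoglyph-brand"    # reads as a protected brand once look-alikes are mapped back
    return None                     # genuine all-Cyrillic words are deliberately left alone

def scan_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, token, reason) for every suspicious word in display names or domains."""
    findings = []
    for name, value in headers.items():
        for token in re.split(r"[\s<>\"'()\[\]@.,:;]+", value):
            reason = classify_token(token) if token else None
            if reason:
                findings.append((name, token, reason))
    return findings

if __name__ == "__main__":
    for finding in scan_headers(SAMPLE_HEADERS):
        print(finding)
```

A gateway rule built on this should quarantine rather than silently drop, so that a genuine partner whose name happens to contain Cyrillic can be released after review.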
Link(s):
https://www.bleepingcomputer.com/ne...-freight-and-logistics-orgs-in-the-us-europe/