Red Team Insights

Cargo Theft Attack Chain

In the shadows where cybercrime meets organized theft, a new breed of criminal has emerged. They don't wear masks or carry weapons. They wield keyboards and exploit trust. Between August and November 2025, nearly two dozen coordinated campaigns weaponized legitimate remote access tools to infiltrate trucking carriers and freight brokers. Their target: billion-dollar cargo shipments moving across America's highways. Using phishing emails disguised as rate confirmations, these threat actors installed remote monitoring software, harvested credentials, and accessed dispatch systems in real-time. They tracked high-value loads, hijacked bookings, and coordinated with crime rings to intercept trucks carrying everything from energy drinks to copper worth millions. Average loss per incident: $356,787. This is the convergence of digital intrusion and physical crime. This is cyber-enabled cargo theft.

Cyber-Enabled Cargo Theft: Attack Chain

Understanding how threat actors progress from initial access to physical theft

Stage 1
✉️
Initial Access
Load board compromise, email hijack, or phishing
Minutes to Hours
  • Phishing emails targeting logistics staff
  • Compromised load board credentials
  • Business email compromise (BEC)
  • Social engineering attacks
Stage 2
🔗
Malicious Link
Rate confirmation or carrier packet with .exe/.msi link
Minutes to Hours
  • Fake rate confirmation documents
  • Malicious carrier packets
  • Links to credential harvesting sites
  • Example domain: Rateconfirm1.net
Stage 3
⬇️
RMM Installation
Legitimate tools: SimpleHelp, ScreenConnect, AnyDesk
Minutes to Hours
  • Remote monitoring and management tools
  • SimpleHelp, ScreenConnect, AnyDesk
  • Signed software bypasses antivirus
  • Persistent remote access established
Stage 4
🔓
Access Gained
Full remote system control established
Minutes to Hours
  • Complete system access achieved
  • Appears as legitimate IT support
  • Can monitor user activity in real-time
  • Access to all files and applications
Stage 5
🔑
Credential Harvesting
Steal TMS, load board, email credentials
Hours to Days
  • TMS (Transportation Management System) credentials
  • Load board login information
  • Email account passwords
  • Tools: WebBrowser PassView, credential stealers
Stage 6
🔍
Operational Intelligence
Access dispatch systems, routes, high-value loads
Hours to Days
  • Monitor dispatch operations in real-time
  • Identify high-value cargo shipments
  • Access route and delivery schedules
  • Gather carrier and driver information
Stage 7
🚚
Physical Theft
Book loads, hijack shipments, coordinate with crime rings
Days to Weeks
  • Book loads using stolen credentials
  • Hijack legitimate shipments in transit
  • Coordinate with organized crime networks
  • Average loss: $356,787 per incident
Attack Prevented
Critical Window: Stopping attack in stages 1-3 prevents all downstream damage.
Nearly 24 campaigns since August, 2025
STOP THE CHAIN: Verify before clicking | Enable MFA | Report suspicious activity
November 20, 2025

Watch for These Red Flags

🚩

Suspicious Emails About Loads

Red Flag #1
Watch for emails containing load 'rate confirmations,' or 'broker agreements'—especially if they contain download links to .exe or .msi files. Legitimate documents should be PDFs, not executable software.
Click to see more details ▼
  • Unexpected attachments with .exe, .msi, or .zip extensions
  • Requests to download software to view documents
  • Emails from addresses that look almost right but have subtle differences
  • Urgent language pressuring immediate action
🚩

Domains That Look Almost Right

Red Flag #2
Attackers use domains like rateconfirm-dot-net instead of your normal broker's site, centraldispaCH-dot-net (note the missing 'T' in dispatch), or iIove-pdf-dot-net. If it looks slightly off—trust your instincts.
Click to see more details ▼
  • Look for typos or character substitutions (e.g., 'rn' instead of 'm')
  • Check for extra hyphens or unusual domain extensions
  • Verify the sender's domain matches previous legitimate emails
  • Hover over links before clicking to preview the actual URL
🚩

Unexpected Software Installation Requests

Red Flag #3
No legitimate freight transaction requires you to install remote access software to view a rate sheet or load details. If someone asks you to install SimpleHelp, ScreenConnect, TeamViewer, or any remote tool to 'view documents,' stop immediately.
Click to see more details ▼
  • Never install software requested via email or chat
  • Legitimate IT support will use approved company channels
  • Remote access tools give complete control of your computer
  • Contact your IT team if you're unsure about any software request
🚩

Urgent or Pressure Tactics

Red Flag #4
Criminals exploit the time-sensitive nature of freight. Beware of unusual urgency to book loads or install software to 'not miss out' on opportunities.
Click to see more details ▼
  • Pressure to act immediately without verification
  • Threats of losing the load if you don't respond quickly
  • Requests to bypass normal company procedures
  • Take a breath and verify—legitimate opportunities will wait
🚩

Load Board Accounts Behaving Oddly

Red Flag #5
If your load board credentials stop working, you see loads you didn't post, or you receive password reset emails you didn't request—your account may be compromised.
Click to see more details ▼
  • Unexpected password reset notifications
  • Loads posted or accepted that you don't recognize
  • Unable to log in with correct credentials
  • Change passwords immediately and contact the load board provider
🚩

System Anomalies

Red Flag #6
Watch for missing bookings from your TMS, unauthorized changes to dispatcher phone extensions, new devices added to your systems, or blocked notifications that normally go through.
Click to see more details ▼
  • Missing or altered records in your TMS
  • Phone system changes you didn't authorize
  • Unknown devices connected to your network
  • Report any anomalies to IT immediately
November 20, 2025

Action Items Checklist

1

Implement multi-factor authentication on ALL load board and email accounts—no exceptions.

Enable MFA immediately across all systems to prevent unauthorized access even if credentials are compromised.

2

Block the installation of unauthorized remote access tools on company computers. Your IT team can configure this.

Prevent RMM tools like SimpleHelp, ScreenConnect, and AnyDesk from being installed without IT approval.

3

Train your entire team to identify these tactics. Forward this alert to dispatchers, owner-operators, and anyone who handles load communications.

Share threat intelligence and train all staff on phishing recognition and social engineering tactics.

4

If you receive a suspicious email, don't click—verify. Call the sender using a phone number you find independently, never one provided in the email.

Always verify requests through a separate communication channel before clicking links or downloading files.

5

Report incidents immediately. Contact the FBI at 1-800-CALL-FBI, your local field office, or file a report at IC3.gov.

Rapid reporting helps law enforcement track campaigns and protect other companies in the industry.

November 20, 2025

Built by OT penetration pioneers who've broken into hundreds of critical infrastructure organizations worldwide. We deliver actionable intelligence on the attack chains that matter, the controls that fail, and the defenses that work.

Need help with your cybersecurity?

info@phishcloud.com
📄 Read the Full Bulletin
November 20, 2025
Scroll to Top