Oil Storage Scammers at Port of Rotterdam

Scammers "selling" oil they do not have! Read Russian Oil Scam and Scam Websites
User avatar
Caped Crusader
Site Admin
Posts: 3634
Joined: Tue Feb 23, 2016 12:14 pm

Oil Storage Scammers at Port of Rotterdam


Unread post by Caped Crusader » Wed Dec 27, 2017 9:07 pm

Caution: Storage Spoofing at Port of Rotterdam (English version)
FERM - 30 November 2017

At FERM we regularly take a closer look at a topical subject that relates to cybersecurity in the port of Rotterdam – both at our periodic get-togethers and on our website ferm-rotterdam.nl.

You can visit the FERM website to read about phishing and other digital threats for SMEs, for example, or about CEO fraud: a perennial favourite among cybercriminals (articles in Dutch only, for now). In our latest series of articles, we will be paying attention to the concept of ‘storage spoofing’. We kick off the series with an interview with Ronald Backers, who works as a Business Intelligence Adviser for the Port of Rotterdam Authority.


Let’s start by giving a definition of ‘storage spoofing’ itself. We came up with this umbrella term to describe all varieties of the sale of non-existent storage capacities and stocks of resources and materials at the terminals in Rotterdam’s port area. The ‘marks’ for this type of fraud are national and multinational companies that either operate or are looking for storage facilities in the port area, as well as all potential buyers of the goods stored at these terminals. These goods are offered under false pretences but turn out to be non-existent.

At FERM, we study the development of this type of fraud and trends within this variant, with a specific focus on prevention. Among other things, we do this by approaching the issue from a number of different perspectives. This includes targeted companies (and firms that have already been affected), the Public Prosecutor’s office and the Seaport Police, and by sharing concrete tips and recommendations.


Storage spoofing isn’t a new phenomenon. “It has been going on for five or six years by now,” says Ronald Backers. “A fake order is posted online – by a supplier of JP54, for example, who claims to have 1 or 2 million barrels in store.” JP54 is a specific type of kerosene that is used as an aviation fuel. “The ‘seller’ then purposely steers towards some form of advance payment, with the intent of misleading the victim. After that, the perpetrators usually disappear without a trace.” When the client arrives in the port to collect the order, it turns out the terminal doesn’t store the product in question. In some cases, the storage facility itself doesn’t even exist.

“These transactions are often accompanied by all sorts of documents, which involve a variety of forged stamps and certificates. The criminals also set up fake versions of the terminals’ websites to draw the victims into a sale.” These fake company websites often vanish as quickly as they appear: the criminals tend to shut them down after a few attempts or a successful transaction so that they can try the same scam somewhere else, under a new name.


In practice, it proves difficult to root out storage spoofing entirely. A lot of companies – particularly internationally – are insufficiently familiar with the business community in the port area, which makes it easier for criminals to seduce them with an ‘attractive’ but fraudulent offer.

“It’s a persistent problem – it keeps rearing its head,” says Backers. At the same time, we aren’t powerless when it comes to fighting it. “For example, the Port of Rotterdam Authority’s Facts & Figures brochure includes a listing of all companies and terminals set up in the port. This helps you to check whether an offer’s legitimate.” While this is a start, it isn’t fail-safe, with all the copies and fake versions of company names and websites going round. The scammers often make use of the very same listing to establish credentials for their fictional enterprise. That's why we will be posting a list of all companies and their official websites shortly. In the meantime, please find our blacklist of known fake websites at ferm-rotterdam.nl/blacklist.


Do previous attempts have any distinguishing aspects that we can use as teaching material? “We can definitely see a number of recurring details,” says Backers. “To start, the offer usually concerns 1 or 2 million barrels: often JP54, but also D2, for example – a type of diesel fuel. In addition, many cases have a Russian connection.” This could be a Russia-based sender, for example, or .ru in the domain name of the website or email.

Backers also regularly finds emails of this kind in his own inbox. They’re often sent via Gmail and other channels that diverge from those commonly used for official corporate communications. The sender claims to have a quantity of product X in store and makes an attractive business proposal. “While I do file them for reference, I generally don’t respond to them. Unless they mention an existing terminal of course, in which case I get in touch with the terminal in question to inform them.” He also receives emails asking him whether he knows of anyone selling JP54. Or the sender claims to be looking for a facility to store this product. This could indicate that the scammers are fishing for companies that trade in this product, so that they can take on their name when they contact their unsuspecting marks.

The emails also show that storage spoofing is alive and kicking. This means that in the period ahead, we will need to increase our focus on this particular problem, in the hope of developing new tips and guidelines for companies in order to reduce their risk of falling prey to this type of fraud. We will shortly be publishing the next article in this series on ferm-rotterdam.nl, so stay tuned. And if you have any information or experiences you would like to share, please find us at contact@ferm-rotterdam.nl.


Caution: Storage Spoofing (part 2) - Too good to be true
- 7 December 2017

We kicked off our series on storage spoofing with an interview with Ronald Backers, who works as a Business Intelligence Adviser for the Port of Rotterdam Authority. In this installment, we look into various similarities between different attempts at storage spoofing, based on case studies provided by the founder and CEO of a trading company in the port area who served as a source on the subject.

In our previous article we wrote, among other things, about ‘suppliers’ who offer non-existent stocks for sale at attractive rates and about the specific products that these fraudsters claim to own. However, according to our source, the clearest sign that you are actually dealing with an attempted fraud is the kind of deal that you are offered, and the specifics of how the ‘seller’ handles the transaction.

A concrete example: an email comes in from a company in Russia. They offer to sell a product like JP54, D2 or D6 – already stored at a facility in Rotterdam – at an attractive price level. “The purported ‘seller’ then makes the offer a bit more specific. Sure the product is for sale, but it has to be transferred to different storage tanks – at short notice. And all of a sudden, ‘a friend of his’ pops up, who has some spare storage capacity ‘for 3-5 days’…”

“The seller presents hard proof like websites, invoices and all sorts of forged documents. And then you get the invoice, which naturally needs to be paid immediately. They charge amounts of USD 100,000 to 450,000 for this kind of storage facilitation. The banks used for the transaction are obscure establishments based in some other country. And that’s where you see the spoof: the buyers think they have scored a huge bargain. They think that with a modest investment, they have landed a new volume that can be put on the market. However, the physical product is nowhere to be found.”

“When I offer a car for sale online, I tell the prospective buyer ‘Listen, it’s sitting in a car park in the city center – you’re welcome to come and check it out.’ This emphatically isn’t the case with these attempts at storage spoofing. The companies may offer more or less official-looking documents, but as soon as you start asking questions about the company, the location or the origin of the products, it all becomes very vague or they stop responding to your queries. Suddenly they can no longer be reached for a few days. Or they send you the tank coordinates, a link to a website they have made themselves or forged documents.”

“We have a DD department (DD for ‘due diligence’, which involves checking transactions with the appropriate care), which extensively checks everything that comes in. Oil trading is mainly based on bank compliance – unless your name’s Shell or Exxon, that is. Everything complies very clearly with current regulations and legislation and is conducted via the official channels. What we often see in storage spoofing is Gmail and Yahoo addresses, which are a pretty clear sign that something fishy is going on. That’s your first red flag right there. And the same applies to the documents they send. What’s more: we have a Port Intelligence department that we can use to track everything that goes in and out. A simple check is often all you need to blow a story out of the water.”

“As it is, the stories are always about Russian owners and Russian tank farms. You don’t even find those here!” But if you aren’t aware of that kind of context, it becomes a lot harder to navigate the wide range of deals offered in the port area. And if you don’t know ‘how it’s done’ or how parties relate to one another or which parties there are, you run a far larger risk of becoming the victim of a scam. And this makes storage spoofing a particularly high risk at the international level: you have companies that aren’t familiar with the ins and outs of the port area. Which is one reason why we are also offering these articles in English. Because that’s the second threat posed by storage spoofing as a phenomenon: the danger of it becoming a negative business case for the port area. “You may get a situation where people think ‘Gosh, Rotterdam is full of crooks’.”

“You know: the other thing with storage spoofing,” he continues, “is that greed plays a role. When something’s ‘too good to be true’ it generally is.” We see the same thing going on in attempts to scam people via phishing or, for example, CEO fraud (linked articles in Dutch only). You know the feeling: everything seems to be in order, but something feels ‘off’ - starting with the unusual pricing in the deal on offer.

That is why you should always check the so-called ‘red flags’ – by which you can also recognise a phishing email, incidentally: a strange email address, an excessively positive tone, lots of language errors or weird translation choices, a curious looking URL behind a link or an unusual, impersonal salutation. And remember: ‘too good to be true’ is often indeed too good to be true.

“Just last week we had an example of someone who listened to his gut feeling on this.” The offer in question involved the fuel type JP54 – the same product that plays a key role in countless other storage spoofing attempts, according to Ronald Backers. And that doesn’t even exist, incidentally. Another car analogy (“everyone understands those”): “Imagine someone’s offering a Mercedes Z30. You and I know there’s no such thing, but someone who isn’t knowledgeable about BMW or Mercedes models is an easy target – blinded by the prospect of a really good bargain.”

“Another example: Ferrari produces around 300 cars per month – by hand. So if someone is suddenly offering 3,000 vehicles in one go, something’s very fishy indeed. Of course, we are traders: it’s not the first time we meet someone who thinks they have the golden goose. But there are enough warning signs that should have you wary at the very least. And on top of that, they do everything in barrels, while over here, we use tonnes or cubic metres.” Or, to stick to car analogies: “When someone offers a brand-new Ferrari for 50,000 euro, you can be sure something strange is going on...”

Read our introduction to storage spoofing here and check out the current blacklist of fake websites.


Storage Spoofing (part 3) - Public Prosecution Service
- 14 December 2017

FERM has set out on an information campaign regarding storage spoofing and the various ‘suppliers’ who offer non-existent stocks in the port of Rotterdam. In Part I we introduced the subject with Ronald Backers, Business Intelligence Adviser for the Port of Rotterdam Authority, and in Part II we looked into several real-life examples of attempted fraud.

The third and present article was written in collaboration with Public Prosecutor Jacqueline Bonnes (Cybercrime and Digital Evidence) about experiences and recommendations of the Public Prosecution Service.

The police are responsible for the practical side of criminal investigations. They collect evidence, interview witnesses and victims, and arrest suspects. And they are required to keep a complete record of the case in the form of an official report. However, the Public Prosecution Service has ultimate responsibility for investigations. The police have to render account for their actions to one of the officers of the Public Prosecution service, known as the public prosecutor.


“Over the past two years, we have seen five or six companies reporting that they were victimised by this form of cybercrime,” says Bonnes. Except these companies weren’t defrauded buyers, but entrepreneurs whose website was copied in order to dupe potential ‘marks’. “These incidents are difficult to resolve, because as soon as one of these websites is taken offline, another one pops up somewhere else.”

“What’s more: identifying the perpetrators is very complicated, since it’s often very difficult to retrace their digital tracks due to VPNs or Tor. Besides, in itself, copying a website isn’t illegal. However, we can support companies that are affected by this issue via legal procedures, by taking the websites offline or having them destroyed.”

For example, in the case of one of the victimised companies, the General Manager’s name had been abused to lend credence to the attempted scam. At that point, the Public Prosecutor’s office is allowed to intervene: abuse of someone’s personal details has been a punishable offence since 2014.


The office of the Public Prosecutor does not have any concrete examples of victims who actually paid for non-existent storage or products. “Even though there’s still a lot we can do immediately after someone has filed a report. Particularly when money’s involved – via Europol, we can retrieve a payment far more often than you may think.” But presumably the affected companies aren’t based in the Netherlands, meaning that the Dutch Public Prosecutor isn’t their point of contact. “That is why our main focus is on prevention and intervention to minimise reputation damage: a legal interest that needs to be protected.” In other words, prevent the port from gaining a bad name because storage spoofing and other forms of cybercrime disrupt day-to-day trading.

If criminals nevertheless manage to pull off a successful storage spoofing scam, the main thing for the affected company – and by extension the police – is to collect as much information as possible. Websites, contact information, telephone numbers, IP addresses – you name it. And similar to many cases of cybercrime, an attempt to defraud is already a perfectly legitimate reason to notify the authorities. Both the police and the companies themselves can use the collected data to map out the current situation. “That’s why we are very glad that FERM and the Port Authority are paying attention to this issue. Because information is a very important part of prevention.”


Something already hinted at in previous articles in this series is that information awareness plays a key role. “Besides offering information and support, we also call on entrepreneurs to shoulder their own responsibility, since this can nip a lot of these problems in the bud.” Entrepreneurs will need to be more than simply ‘be aware of the issue’. We can show them where the threats lay, how to recognise an attempted scam and how to handle it. But you also need to arm yourself pro-actively as an organisation.

By asking questions like ‘Why aren’t all our communications encrypted?’ for example. Or ‘Why don’t we consistently check the https connection?’ ‘What kind of chain security measures have we taken; what kinds of barriers – physical and digital – have we raised to keep out cybercriminals?’ Bonnes: “Through intelligent collaboration, consultation and sharing all relevant information, we can actually devise new barriers against this fraud. Indeed, that’s what makes the Port ISAC such an important initiative. We hope to build a community that actively encourages prevention.”


What’s more: we can also learn a lot by looking at what the other side’s up to. Because regardless of what we do to keep them out, malicious parties/hackers/criminals will always find a new ‘loophole’.

Which isn’t to say that all smart people are working for the ‘baddies’, emphasises Bonnes. “Because we’re not sitting still either. Just consider the results achieved by Rotterdam’s Seaport Police, or the National Police Force’s Team High Tech Crime.” Or the work put into nomoreransom.org. “Make no mistake, we’re in the majority here on the right side of cybersecurity – but we have to work together.”


And finally, we’d like to mention another interesting development: VeiligheidsAlliantie regio Rotterdam (Rotterdam Region Security Alliance, or VAR). This partnership between 32 municipal administrations, the police and the Public Prosecutor’s office in the Rotterdam region also pays a lot of attention to cybercrime.

Within the region, VAR serves as a platform for sharing knowledge and experiences. In addition, VAR contributes to regional collaboration between partners by actively identifying issues, putting them on the agenda, launching new initiatives and connecting different parties. And VAR has a keen eye for the diverse nature of security issues in the region. Ultimately, these issues are best handled via local, tailor-made solutions.

The VAR initiative was born from a wish on the part of various regional mayors to play a key role for SMEs in this context – just like FERM. Indeed, the two platforms communicate the same basic message.

Bonnes: “Get out there and help each other, work together. The SME sector has insufficient protection in place.” Checking out the website – and specifically the cybercrime section (available in Dutch only) – is definitely worth your while. Here, you can find figures and background stories, documentation about data security and information about the role citizens and entrepreneurs can play in increasing awareness and prevention.


Read our first article here, the second article here and check out the current blacklist of fake websites. Tips, advice or information on current cases? Please find us at contact@ferm-rotterdam.nl.

Post Reply
Stop 419 Scams and Scammers : Disclaimer