Proofpoint: RMM-enabled phishing campaigns hijack logistics systems to reroute cargo

CyberSecureFox 🦊

Threat researchers at Proofpoint are tracking a wave of targeted phishing operations against transportation and logistics providers that convert cyber intrusions into physical cargo theft. Industry estimates regularly cite annual losses above $30 billion, and the scale of these attacks is beginning to affect supply chain resilience.

Attack vector: load board account takeover and social engineering

The initial entry point is the compromise of accounts on freight broker platforms and load boards—marketplaces where shippers and carriers match loads. With legitimate credentials in hand, adversaries post fraudulent tenders and initiate email outreach to carriers. Reply messages embed malicious links disguised as routine resources or attachments.

Abusing legitimate RMM for stealthy, persistent access

Clicks lead to the installation of legitimate remote monitoring and management (RMM) tools such as Fleetdeck, LogMeIn Resolve, N-able, PDQ Connect, ScreenConnect, and SimpleHelp. Because RMM software is widely used for IT support, its activity often blends into normal operations, extending attacker dwell time. As Proofpoint notes, RMM use enables longer undetected access compared to traditional malware.

Scale and tradecraft: from phishing to thread hijacking

The campaigns are opportunistic: adversaries target any carrier that responds to a fake request. Beyond bulk email, attackers insert links into existing business conversations by abusing compromised mailboxes (thread hijacking). Researchers have observed nearly two dozen such operations in recent months.

Credential theft and lateral movement into dispatch systems

After the foothold, operators perform network reconnaissance, deploy credential extractors such as WebBrowserPassView, and expand access to additional accounts. This increases the likelihood of seizing key systems—from trip planning and TMS portals to dispatch dashboards—where route and load data can be modified.

From IT breach to physical theft: rerouting real shipments

With administrative control, attackers book loads in the victim’s name, coordinate logistics, and alter planning or dispatch entries to redirect high‑value freight to accomplices. Stolen goods are monetized via online resale or overseas export, turning a low‑cost phishing email into a high‑margin physical theft.

Geography and links to organized crime

Proofpoint reports global activity with concentrations in Brazil, Chile, Germany, India, Mexico, South Africa, and the United States. The campaigns likely involve organized criminal groups, reflected in their familiarity with sector workflows, terminology, and IT services unique to logistics.

Timeline and related activity clusters

The current wave has been observed since June 2025, with attacker infrastructure active since at least January. A potentially related cluster operated from 2024 through March 2025, focusing on ground transport and using information‑stealing malware—including DanaBot, Lumma Stealer, NetSupport, and StealC. Regardless of payload, the objective is consistent: stealthy remote access and data theft leading to operational manipulation.

Defensive guidance for carriers, brokers, and 3PLs

Strengthen authentication: Enforce MFA on load boards, email, and TMS/dispatch systems; rotate passwords and prohibit reuse. Where available, adopt phishing‑resistant MFA (FIDO2/WebAuthn) for admin accounts.

RMM governance: Maintain an allowlist of approved RMM tools mapped to named administrators; restrict use by time, network, and device; log every RMM session and alert the SOC on it; block unknown RMM binaries and installers in EDR/XDR; monitor for lateral movement via RMM.
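The RMM governance controls above translate directly into detection logic. The following is an added example (not Proofpoint's or any vendor's code) that checks RMM session events against a hypothetical allowlist of tool-to-administrator mappings, an approved time window, an admin network range and a managed-device inventory; the process names, user and host names, addresses and events are all constructed placeholders.

```python
"""Flag RMM sessions that violate a governance policy: an allowlist of approved
tools mapped to named administrators, approved hours, an admin network and a
managed-device inventory. Added example; the events, process names, user and
host names and network ranges below are all constructed placeholders."""
import ipaddress
import json
from datetime import datetime, time

# Placeholder executable names for RMM tools the article names. In production,
# take these from your EDR's RMM detection category or from file hashes.
KNOWN_RMM_PROCESSES = {
    "sc_agent.exe": "ScreenConnect",
    "simplehelp_remote.exe": "SimpleHelp",
    "fleetdeck_agent.exe": "Fleetdeck",
}
# Approved tools -> named administrators permitted to run them (hypothetical).
APPROVED_RMM = {"ScreenConnect": {"svc-helpdesk", "admin.jlee"}}
ADMIN_NET = ipaddress.ip_network("10.20.0.0/16")   # hypothetical IT admin network
MANAGED_HOSTS = {"IT-ADMIN-01", "DISPATCH-PC-01"}   # hypothetical device inventory
APPROVED_HOURS = (time(8, 0), time(18, 0))          # local time window for RMM use

# Constructed RMM session events (JSON lines, as an EDR or RMM console might export).
SAMPLE_EVENTS = """\
{"id": 1, "ts": "2025-07-14T10:15:00", "host": "IT-ADMIN-01", "user": "admin.jlee", "process": "sc_agent.exe", "src_ip": "10.20.5.7"}
{"id": 2, "ts": "2025-07-14T22:40:00", "host": "DISPATCH-PC-01", "user": "dispatcher.m", "process": "simplehelp_remote.exe", "src_ip": "203.0.113.40"}
{"id": 3, "ts": "2025-07-14T14:00:00", "host": "DISPATCH-PC-01", "user": "dispatcher.m", "process": "sc_agent.exe", "src_ip": "10.20.5.9"}
{"id": 4, "ts": "2025-07-14T14:05:00", "host": "DISPATCH-PC-01", "user": "dispatcher.m", "process": "excel.exe", "src_ip": "10.20.5.9"}
{"id": 5, "ts": "2025-07-15T09:00:00", "host": "BYOD-LAPTOP-7", "user": "admin.jlee", "process": "sc_agent.exe", "src_ip": "10.20.9.1"}
"""


def evaluate(event):
    """Return the policy violations for one event; [] means compliant or not RMM."""
    tool = KNOWN_RMM_PROCESSES.get(event["process"].lower())
    if tool is None:
        return []                      # not an RMM binary; out of scope here
    findings = []
    admins = APPROVED_RMM.get(tool)
    if admins is None:
        findings.append(f"unapproved RMM tool: {tool}")
    elif event["user"] not in admins:
        findings.append(f"{tool} run by non-designated user {event['user']}")
    started = datetime.fromisoformat(event["ts"]).time()
    if not APPROVED_HOURS[0] <= started < APPROVED_HOURS[1]:
        findings.append("session outside approved hours")
    if ipaddress.ip_address(event["src_ip"]) not in ADMIN_NET:
        findings.append(f"source {event['src_ip']} outside admin network")
    if event["host"] not in MANAGED_HOSTS:
        findings.append(f"unmanaged device {event['host']}")
    return findings


def triage(jsonl):
    """Map event id -> findings for every RMM session that violates the policy.
    Compliant RMM sessions produce no alert but should still be logged to the SOC."""
    alerts = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = evaluate(event)
        if findings:
            alerts[event["id"]] = findings
    return alerts


if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: " + "; ".join(reasons))
```

Event 1 is a designated administrator using an approved tool from the admin network during business hours and raises nothing; event 2 is an unapproved tool started after hours from an external address and is the pattern the article describes, where a carrier employee clicked a link in a reply to a fraudulent tender.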

Email security and brand protection: Implement SPF, DKIM, and DMARC with reject policies; disable auto‑forwarding; rewrite and sandbox inbound links, and detect thread‑hijack anomalies (replies that introduce links into an existing business conversation); train users to validate load requests and attachments; monitor for lookalike domains and impersonation attempts.
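"With reject policies" is the part most often left unfinished: many domains publish DMARC with `p=none` or a partial `pct=`, which only reports spoofing without stopping it. The following added example (not from Proofpoint or the article) parses SPF and DMARC TXT records and reports the settings that fall short of a hard-fail/reject baseline; the records are constructed for placeholder domains. It does not perform DNS lookups itself: feed it the TXT record for your domain and for `_dmarc.<domain>`.

```python
"""Evaluate SPF and DMARC TXT records against a reject-policy baseline.
Added example; the records below are constructed for placeholder domains."""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records: a weak pair a broker might publish, and a hardened pair.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return a list of weaknesses; an empty list means the record enforces reject."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy != "reject":
        findings.append(f"p={policy} does not reject spoofed mail")
    sub = tags.get("sp")                      # subdomain policy; inherits p= when absent
    if sub is not None and sub != "reject":
        findings.append(f"sp={sub} leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on spoofing are never received")
    return findings


def evaluate_spf(record):
    """Return SPF weaknesses: soft or permissive 'all', or too many lookup terms.
    Only top-level terms are counted; nested include: records are not expanded."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    qualifier = None
    lookups = 0
    for term in terms[1:]:
        q, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            qualifier = q
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders receive a neutral result")
    elif qualifier == "+":
        findings.append("+all authorizes every sender on the internet")
    elif qualifier in "~?":
        findings.append(f"{qualifier}all does not hard-fail unauthorized senders")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    for label, rec, fn in (("DMARC", WEAK_DMARC, evaluate_dmarc), ("SPF", WEAK_SPF, evaluate_spf)):
        print(f"{label}: {rec!r}")
        for finding in fn(rec):
            print("  -", finding)
```

A `~all` SPF record combined with `p=none` means a spoofed tender or invoice from your domain is delivered and merely tagged; moving to `-all` and `p=reject` is what makes the receiving side drop it.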

Operational controls: Require independent, out‑of‑band verification for changes to routes, pickup/drop‑off locations, and payment instructions; conduct access reviews in planning and dispatch platforms; segment networks and enforce least privilege; centralize logging to detect unusual bookings or rapid account changes.
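Out-of-band verification and centralized logging become useful when the audit trail is actually reviewed for the patterns above. The following added example (not from the article or any TMS vendor) runs three checks over a constructed TMS audit stream: a sensitive change (route, pickup/drop-off location, payment instructions) with no recorded verification ticket is held; one account making several sensitive changes in a short window is flagged as a rapid-change burst; and, as an additional heuristic assumed here rather than taken from the page, a change to an account's contact details shortly before load changes is flagged, since rerouted notifications hide the subsequent changes from the real user. Field names, ticket identifiers and thresholds are assumptions.

```python
"""Review TMS/dispatch audit events for changes that require out-of-band
verification and for rapid account activity. Added example with constructed
events; field names, verification tickets and thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_FIELDS = {"pickup_location", "delivery_location", "route", "payment_instructions"}
CONTACT_FIELDS = {"notification_email", "contact_phone"}
BURST_LIMIT = 3                          # sensitive changes by one account ...
BURST_WINDOW = timedelta(minutes=15)     # ... within this window trigger a flag
CONTACT_WINDOW = timedelta(minutes=30)   # contact change followed by load changes

# Constructed audit events (JSON lines), sorted on load; "verification" is the
# hypothetical callback/ticket reference recorded when a dispatcher confirmed the change.
SAMPLE_AUDIT = """\
{"ts": "2025-07-14T09:00:00", "actor": "broker.kim", "load_id": "L-1001", "field": "delivery_location", "verification": "CALLBACK-2291"}
{"ts": "2025-07-14T09:05:00", "actor": "carrier.acme", "load_id": null, "field": "notification_email", "verification": null}
{"ts": "2025-07-14T09:10:00", "actor": "carrier.acme", "load_id": "L-2001", "field": "pickup_location", "verification": null}
{"ts": "2025-07-14T09:12:00", "actor": "carrier.acme", "load_id": "L-2002", "field": "pickup_location", "verification": null}
{"ts": "2025-07-14T09:14:00", "actor": "carrier.acme", "load_id": "L-2003", "field": "route", "verification": "CALLBACK-2302"}
{"ts": "2025-07-14T10:30:00", "actor": "broker.kim", "load_id": "L-1001", "field": "payment_instructions", "verification": null}
{"ts": "2025-07-14T10:35:00", "actor": "broker.kim", "load_id": "L-1001", "field": "notes", "verification": null}
"""


def parse_events(jsonl):
    """Parse JSON lines into dicts with datetime timestamps, oldest first."""
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def review_changes(jsonl):
    """Return (load_id, actor, reason) findings for the audit stream."""
    findings = []
    recent = defaultdict(list)   # actor -> timestamps of recent sensitive changes
    contact_changed = {}         # actor -> time of last contact-detail change
    flagged_contact = set()      # actors already flagged for the contact heuristic
    for event in parse_events(jsonl):
        actor, field, ts = event["actor"], event["field"], event["ts"]
        if field in CONTACT_FIELDS:
            contact_changed[actor] = ts
            continue
        if field not in SENSITIVE_FIELDS:
            continue                 # notes and similar fields need no verification
        if not event.get("verification"):
            findings.append((event["load_id"], actor, "hold: no out-of-band verification recorded"))
        if (actor in contact_changed and ts - contact_changed[actor] <= CONTACT_WINDOW
                and actor not in flagged_contact):
            findings.append((event["load_id"], actor, "contact details changed shortly before load changes"))
            flagged_contact.add(actor)
        window = [t for t in recent[actor] if ts - t <= BURST_WINDOW] + [ts]
        recent[actor] = window
        if len(window) == BURST_LIMIT:   # fires once when the burst threshold is reached
            minutes = int(BURST_WINDOW.total_seconds() // 60)
            findings.append((event["load_id"], actor, f"{BURST_LIMIT} sensitive changes within {minutes} minutes"))
    return findings


if __name__ == "__main__":
    for load_id, actor, reason in review_changes(SAMPLE_AUDIT):
        print(f"{load_id or '-'} {actor}: {reason}")
```

In the sample, `broker.kim`'s first change carries a callback reference and passes, while the later payment-instruction change without one is held; `carrier.acme` triggers all three checks, which is the combination a dispatcher should treat as a likely compromised account rather than a busy one.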

Cybercriminals are increasingly turning digital access into physical losses by abusing legitimate RMM tools and infostealers to persist inside carrier environments. Accelerating MFA adoption, tightening RMM policies, hardening email defenses, and instituting out‑of‑band validation for logistics changes will materially reduce the risk of load board compromise and help detect shipment redirection before cargo goes missing.
