Malicious Emails Target BP Pulse Customers
Electric Vehicle Charging Firm Investigating Criminal Campaign
Criminals have been targeting customers of British electric vehicle charging infrastructure provider BP Pulse with malicious emails. Recipients say the emails appear to have originated from legitimate BP email accounts.
BP Pulse says it's carrying out "a detailed investigation" into the attacks.
Owned by the oil giant BP and based in Milton Keynes, England, BP Pulse is one of the U.K.'s largest electric vehicle charging companies, operating an electric vehicle charging network with more than 7,000 EV charging points across the country as well as supplying electric vehicle charging infrastructure for home, business and public use.
Until December 2020, BP Pulse was known as BP Chargemaster; BP acquired Chargemaster in 2018.
In recent days, BP customers report receiving what appear to be authentic emails from BP Chargemaster. At least some of the emails have a malicious Excel spreadsheet attached, which, if executed, appears to attempt to install additional code on the system.
"We are aware that a number of people have received emails that appear to have come from BP Chargemaster email addresses. These have not been sent by us," a spokesman for BP tells me. "We are urgently carrying out a detailed investigation and, as a precaution and to minimize any risk, we have notified all those who could potentially be impacted by the incident. However, we believe only a small number of those notified may have received these emails."
BP declined to specify how many customers might have been targeted or fallen victim to these attacks.
"We have asked [customers] to be cautious of any email addresses received from @bpchargemaster.com, as this is no longer actively used," the company's statement says. "We take the protection of data very seriously and are sorry for any concern this may cause. We will provide further information as appropriate."
Alert: Disregard All 'BP Chargemaster' Communications
The email alert from "firstname.lastname@example.org" recently sent to customers - a copy of which was shared with me by a customer - advises customers to beware of the BP Chargemaster emails. "Please treat any emails you may receive from this domain as suspicious and be vigilant," it states, advising customers to avoid clicking any links or opening any attachments the emails might contain.
Header information for the malicious emails - a copy of one was shared by a BP Pulse customer - reveals that the messages originated from BP's Rackspace-hosted email accounts, according to the Sender Policy Framework authentication result recorded in the email headers. SPF lets a domain owner publish in DNS which mail servers are authorized to send email for that domain, so that receiving mail servers and spam filters can reject or flag spoofed messages. A message sent from a legitimate, authorized account therefore passes SPF even when that account has been compromised.
One BP Pulse customer shared a copy of the Microsoft Excel spreadsheet attached to the email they'd received, which, when run through a malware-analysis tool, appears to be designed to run macros that contact servers in Russia and Belarus to download additional executable files.
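As an added illustration (not code from the article, BP or any named vendor), the following Python sketches a defender-side triage rule that follows the advice in the article: it records the SPF verdict but does not use it to clear a message, and flags mail from the retired @bpchargemaster.com domain or mail carrying a macro-capable Office attachment. The sample message, the mx.example.net host and the 192.0.2.10 address are constructed; the extension list is an assumption.

```python
from email import message_from_string
from email.message import Message

# Domain BP told customers is "no longer actively used" (from the article).
RETIRED_DOMAINS = {"bpchargemaster.com"}
# Office extensions that can carry VBA macros (assumption: short, illustrative list).
MACRO_EXTENSIONS = (".xlsm", ".xls", ".docm", ".doc")

# Constructed sample: the receiving server recorded an SPF "pass" because the
# message really did leave an authorised sending host, as the article describes.
SAMPLE = """\
Received-SPF: pass (mx.example.net: 192.0.2.10 is permitted for bpchargemaster.com)
From: "Account Manager" <account.manager@bpchargemaster.com>
To: customer@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def spf_result(msg: Message) -> str:
    # First token of Received-SPF is the verdict (pass, fail, softfail, ...).
    header = msg.get("Received-SPF", "")
    return header.split()[0].lower() if header else "none"

def sender_domain(msg: Message) -> str:
    addr = msg.get("From", "")
    return addr.rsplit("@", 1)[-1].strip("<> ").lower() if "@" in addr else ""

def macro_attachments(msg: Message) -> list:
    names = [p.get_filename() or "" for p in msg.walk()]
    return [n for n in names if n.lower().endswith(MACRO_EXTENSIONS)]

def assess(raw: str) -> dict:
    # SPF is recorded, never used to clear: compromised-account mail passes SPF.
    msg = message_from_string(raw)
    reasons = []
    if sender_domain(msg) in RETIRED_DOMAINS:
        reasons.append("sender domain retired")
    if macro_attachments(msg):
        reasons.append("macro-capable Office attachment")
    return {"spf": spf_result(msg), "suspicious": bool(reasons), "reasons": reasons}
```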
The location of those servers is no smoking gun as to the location of whoever might have crafted this attack.
But such files are designed to work as "droppers" that install and execute additional malware on a victim's system. While it's not clear what types of malware this particular attack might have attempted to install, common types of malicious executables include ransomware, cryptocurrency miners, keystroke loggers and banking Trojans.
BP Pulse customers have reported via social media posts that the malicious emails appear to have been sent from BP Chargemaster email accounts with usernames of individuals with whom they'd previously interacted.
In other words, it appears that attackers gained remote access - either by getting admin-level access or by phishing individual employees or brute-forcing accounts - to email infrastructure used by BP, accessed contact lists tied to those BP email accounts and then sent malicious emails to individuals previously contacted via the email account.
BP declined to comment beyond the statement that it provided, which notes that its investigation is continuing.
GDPR: Data Minimization Requirement
In its notification to customers, BP says it's reported the incident to Britain's Information Commissioner's Office.
The ICO says breach notifications should only be filed if Europeans' private information may have been exposed or if a breach traces to suspected security shortcomings inside an organization.
Attackers gaining access to systems that are no longer used but remain active is a common occurrence.
One famous case involves London-based telecommunication firm TalkTalk, which in 2015 suffered a breach that resulted in the theft of customer data. It discovered a hack of outdated and unpatched systems that it had acquired from Italian telecommunications firm Tiscali in 2009 and failed to keep updated. In 2016, the ICO hit TalkTalk with a then-record fine of 400,000 pounds (worth $555,000 today).
One of the core principles of the EU's General Data Protection Regulation, which came into full effect in May 2018, is data minimization.
"GDPR requires you to be clear about the purposes for which you collect personal data, to only collect the minimum amount of personal data you need for those purposes and to only store that data for the minimum amount of time you need it for," the ICO states.
One open question about the email attacks against BP Pulse customers is whether they trace to data, infrastructure or other systems which - no longer being "actively used" by BP - should have already been retired.