Threat actors are conducting targeted phishing and social engineering campaigns against freight brokers, carriers, and logistics providers, using malicious links to deploy remote monitoring and management (RMM) tools. Once installed, these tools give attackers full control of victims’ systems, enabling them to hijack cargo shipments, impersonate carriers, and reroute physical goods.
The activity has been ongoing since at least January 2025, with campaigns increasing sharply since August, according to Proofpoint. Nearly two dozen separate operations have been observed — each distributing up to a thousand emails — primarily targeting North American logistics firms, though related attacks were also detected in Brazil, Mexico, India, Germany, Chile, and South Africa.
[Figure: Email response sent to carriers hooked by the load-board lure. Source: Proofpoint]
Digitized Cargo Theft
Cargo theft — traditionally the physical hijacking or rerouting of trucks and trailers — has evolved into a cyber-physical hybrid crime. Attackers exploit the digital supply-chain layer, using compromised accounts and fake freight listings to deceive carriers and gain remote access to dispatch systems.
Once RMMs like ScreenConnect, PDQ Connect, Fleetdeck, N-able, SimpleHelp, and LogMeIn Resolve are installed, attackers can:
- Control dispatcher systems remotely
- Modify or cancel legitimate bookings
- Block notifications or emails
- Add rogue devices to dispatcher phone extensions
- Book and reroute shipments under the victim carrier’s identity
 
These manipulations allow attackers to intercept or redirect valuable cargo, such as food, beverages, and electronics, to fraudulent destinations for resale or export.
The National Insurance Crime Bureau (NICB) estimates cargo theft losses in the U.S. exceed $35 billion annually.
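Because the intrusion depends on an RMM agent landing on a dispatcher workstation, one defensive check is to compare each host's installed software against the RMM products IT has approved for it. The sketch below is an added example, not Proofpoint's tooling: the product list comes from the article, while the hosts, users, display names and approval policy are constructed for illustration.

```python
import csv
import io
import re

# RMM product names taken from the article's list.
RMM_PRODUCTS = ["ScreenConnect", "PDQ Connect", "Fleetdeck", "N-able",
                "SimpleHelp", "LogMeIn Resolve"]

def _pattern(product):
    # Allow space, hyphen or underscore between name parts ("PDQ-Connect"),
    # and require word boundaries so "Enable" does not match "N-able".
    parts = [re.escape(p) for p in re.split(r"[\s\-]+", product)]
    return re.compile(r"\b" + r"[\s\-_]*".join(parts) + r"\b", re.IGNORECASE)

RMM_PATTERNS = {p: _pattern(p) for p in RMM_PRODUCTS}

# Constructed policy (hypothetical): RMM products approved per host.
APPROVED = {"DISPATCH-01": {"N-able"}, "DISPATCH-02": {"N-able"}}

# Constructed software-inventory export (hypothetical hosts, users, names).
SAMPLE_INVENTORY = """host,display_name,installed_by,install_date
DISPATCH-01,N-able Take Control Agent,it-admin,2025-03-02
DISPATCH-01,ScreenConnect Client (a1b2c3),jdoe,2025-09-14
DISPATCH-02,Fleetdeck Agent,msmith,2025-09-20
DISPATCH-02,N-able Take Control Agent,it-admin,2025-03-02
ACCT-07,PDQ-Connect Agent,akhan,2025-10-01
ACCT-07,Enable Logistics Toolkit,it-admin,2024-11-11
"""

def find_unapproved_rmm(inventory_csv, approved):
    """Return (host, product, installed_by, install_date) for each RMM
    product found on a host where it is not on that host's approved list."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        allowed = approved.get(row["host"], set())  # unknown host: nothing approved
        for product, pattern in RMM_PATTERNS.items():
            if pattern.search(row["display_name"]) and product not in allowed:
                findings.append((row["host"], product,
                                 row["installed_by"], row["install_date"]))
    return findings

if __name__ == "__main__":
    for host, product, user, date in find_unapproved_rmm(SAMPLE_INVENTORY, APPROVED):
        print(f"{host}: unapproved {product} installed by {user} on {date}")
```

Display names vary by vendor and version, so treat the name patterns as a starting point and confirm them against your own inventory data.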