Australia endured another week of malware masquerading as well-known brands, including Telstra, the ATO, CBA, MYOB, Xero, go via, Virgin Media and eFax Corporate.
Twice this week Telstra’s brand was used in different email scams. The first was caught by email filtering company, MailGuard, just before 9 AM on Monday and had the subject Telstra Bill – Arrival Notification.
Information security company, InfoTrust, said that such attacks are made possible largely due to an absence of sufficient email authentication controls against the email sending domains used by these organisations, leaving their domains vulnerable to attack.
“Organisations can secure their domains and email eco-system through a strict implementation of email authentication controls incorporating SPF (Sender Policy Framework), DKIM (Domain Keys Identified Mail) and DMARC (Domain Message Authentication Reporting and Conformance), which provides a means for organisations to completely shut the door on unauthorized spoofing of their domains,” an InfoTrust spokesperson told ARN.
The email included a note advising customers that ‘Telstra will never ask you to provide credit card, or banking details via email’.
With a further link to ‘To find out more about the measures that we are taking to protect telstra.com members from email fraud, please go to http://www(dot)telstra(dot)com/phishing’ (altered).
The sending domain ‘enterprisebusinesscenter(dot)com’ was registered yesterday with a registrar in China.
The second email scam hiding behind Telstra’s brand took place on Tuesday around 9 AM. This particular attack had a HTML- formatted message very similar to a real Telstra email.
Comparing the fake email against a real one it can be easy to miss the difference in the sending email address. A legitimate invoice shows telstraemailbill_noreply(at)telstra.businessdirs.com which is almost identical to the actual address, telstraemailbill_noreply3(at)telstra.online.com.
Meanwhile, a fake Xero invoice was also identified on Tuesday 26 September. It also tells recipients to view their invoices, which appears to be a PDF attachment but it is a link that downloads a malware.
A “medium” scale email phishing scam purporting to be from the Commonwealth Bank of Australia (CBA) was also doing the rounds on Tuesday from 7 AM until just before midday.
The ‘New Security Message’ email urged recipients to update their account details due to suspected unauthorized access. The email tells recipients their accounts have been frozen due to unsuccessful login attempts.
The link to a phishing site requests users for their credit card information, presumably designed to harvest personal credentials. Below is the comparison of the fake login page with the real one. The phishing page appears to be hosted on a compromised host on WordPress, revealed MailGuard.
Furthermore, two large scale email scams pretending to be the ATO and MYOB were also identified by MailGuard on Wednesday 27 September.
“The ATO-branded email about a tax refund from FY17 is well-timed, given the impending October 31 deadline for tax lodgements," MailGuard wrote in a blog post.
"It is in basic HTML format, and has two display and sending addresses: refund(at)ato.com and ato+zj4y9j69zss9-12O96F(at)ato.com. The sender is forging the domain ato.com, which is a legitimate domain owned by an industrial equipment vendor based in Chicago."
This attack is more sophisticated compared to others. The link in the email takes the recipient to a Google search result, linking to a website that redirects to a fake MyGov website on another host.
The fake MyGov website is very similar to the real MyGov website - the recipient is asked to provide personal details including credit card details, driver's license, email and password.
The site is being hosted on a compromised host and if the phishing form is submitted, it redirects to the legitimate ATO site, intended to assure users that they have just filled out a legitimate ATO form.
The MYOB email scam follows the same rules as the other attacks. The HTML-formatted fake invoice has a button to View invoice.
The scam uses names of real ASX-listed companies with the display and sending addresses varying each time.
Other attacks this week included an impersonation of Queensland’s eToll operator go via, similar to the one from 13 September.
The message was well formatted, with authentic appearing branding and coming from a display name of ‘go via’ with the sending email address of ‘<do_not_reply(at)govia(dot)cwebu(dot)com’ (altered) advising customers that their tax invoice statement was available for download.
Virgin Media and eFax Corporate scams were also identified on 27 September.
The display name is Virgin Media and the sender address and display address is webteam(at)virginmedia.smebusinesslink(dot)com. The sending domain smebusinesslink(dot)com was registered with a Chinese registrar on 24 September.
The eFax Corporate scam claims that the recipient have received a fax from an unknown sender.