Scamwatch round-up – AusPost, EnergyAustralia, MYOB, Xero and CityLink brands hijacked

More .zip JavaScript files attempt to install malware on recipients' computers

ARN provides a weekly wrap of the phishing scams, malware attacks and security breaches impacting organisations across Australia.

This week, AusPost, EnergyAustralia, MYOB, Xero and CityLink have all had their brands appropriated by scammers in separate email scams.

With Christmas approaching, cyber criminals have taken the opportunity to use the Australia Post brand in a fake ‘Your parcel has not been delivered’ scam, which hit local inboxes on 11 December.

The email is intended to make recipients think that Australia Post is holding an undelivered parcel for them. It contains a ‘Get Dispatch Note’ link, which would take recipients to a .zip file that contains malware.

“MailGuard isolated and halted the malicious file before it could do any harm, but this kind of malware file can do a lot of damage, installing spyware or viruses,” email filtering company MailGuard wrote in a blog post.

Screenshot (MailGuard)

On 12 December, MailGuard picked up another email scam with a message designed to look like an invoice created using MYOB.

The email subject was ‘Invoice INV-04085 from DXJ Company’ with a message advising the recipient that they have an outstanding invoice requiring payment.

The ‘sender’ address shown in the email messages is ‘noreply[at]sage-one[dot]net’. According to MailGuard, the domain ‘sage-one[dot]net’ was created on a Chinese domain registrar the day before.

If recipients were to click on the link, it would take them to a .zip JavaScript file asking to be downloaded and opened.

According to MailGuard, the JavaScript appears to be a 'dropper' - a type of malware which downloads spyware and viruses to a compromised computer without the user’s knowledge.

“It is never a good idea to open a .zip file from a link in an email, because zipped folders are often used to disguise malware.”

Screenshot (MailGuard)

A large-scale email scam pretending to be from EnergyAustralia was picked up by MailGuard on 13 December.

This is a well-crafted scam with ‘EnergyAustralia’ as the display name; however, the sender domain is australianenergysolutions[dot]com, a domain that was registered the day before in China, according to MailGuard.

Like the previous scams, the fake bill notification email links to a .zip file which contains malware in JavaScript format.

Screenshot (MailGuard)

Two different scams were identified on 14 December. The first one was a large volume of fake invoice reminders, using Xero’s brand. The email contains a link which pretends to point at an invoice but actually goes to a .zip JavaScript file containing trojan malware.

“Trojans are designed to covertly install harmful programs like ransomware and viruses on victims’ computers. In an office environment, trojan attacks can lead to widespread damage, not only to the machines directly affected but also to other computers connected to them on the network,” MailGuard wrote.

This is a simple text email scam with the sender’s address appearing to be from Xero. The actual address domain is xerostatic[dot]com, which was recently registered.

Screenshot (MailGuard)

The second was a fake email from Melbourne’s toll-road payment platform, CityLink.

The email is intended to deceive recipients into thinking they have an outstanding fine requiring payment.

The sender display name is ‘CityLink’ but the sender domain is ‘citylinkres[dot]com’, which is not an authentic CityLink domain.

The link in this message leads to a malware download that attempts to install itself on the recipient’s computer.

Screenshot (MailGuard)
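
The two traits these campaigns share, a trusted brand in the display name over an unrelated sender domain and a link to a .zip archive, can be checked mechanically at a mail gateway. The following Python sketch is an added example, not code from ARN or MailGuard; the `BRAND_DOMAINS` allowlist is an assumption each operator must verify, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keyword -> sender domains the operator has verified as genuine.
BRAND_DOMAINS = {
    "energyaustralia": {"energyaustralia.com.au"},
    "xero": {"xero.com"},
    "citylink": {"citylink.com.au"},
}
ZIP_LINK = re.compile(r"https?://[^\s\"'<>]+\.zip\b", re.IGNORECASE)

def refang(text):
    """Undo the [at]/[dot] defanging used in the write-up so headers parse."""
    return text.replace("[at]", "@").replace("[dot]", ".")

def check_message(raw):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(refang(raw))
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claimed = re.sub(r"[^a-z]", "", display.lower())
    findings = []
    for brand, genuine in BRAND_DOMAINS.items():
        ok = any(domain == d or domain.endswith("." + d) for d in genuine)
        if brand in claimed and not ok:
            findings.append(f"display name claims {brand}, sender domain is {domain}")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in ZIP_LINK.findall(body):
            findings.append(f"link to .zip archive: {url}")
    return findings

# Constructed sample messages (hosts under .invalid are placeholders).
SPOOFED = """\
From: CityLink <noreply@citylinkres[dot]com>
Subject: Outstanding fine

View your notice: http://files.example.invalid/notice.zip
"""
GENUINE = """\
From: Xero <billing@post.xero.com>
Subject: Invoice reminder

View your invoice: https://example.invalid/invoice.pdf
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, check_message(raw))
```

A display-name check like this complements, rather than replaces, SPF, DKIM and DMARC evaluation, since a freshly registered lookalike domain can pass all three for itself.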