Scamwatch round-up – ATO, Xero, Bingle and Zoho brands hijacked

New phishing attacks targeting some of the most well-known organisations

ARN provides a weekly wrap of the phishing scams, malware attacks and security breaches impacting organisations across Australia.

This week, ATO, Xero, Bingle and Zoho have all had their brands hijacked by scammers in separate email scams, with car insurance provider, Bingle, the first company to fall victim.

On Monday 15 January, emails with the subject “Notification of car insurance” were sent around saying the company had received an application for car insurance and asking recipients to download a certificate through a link contained within the message.

The company issued an alert on the day showing two examples of the scam. The second had a different message telling recipients that “there was a problem” with the data in their certificate and asking them to download a scanned copy.

“This email has not been sent by Bingle, and should be deleted immediately. Do not open any attachments or click on any links within this email,” Bingle wrote on its website.

Email filtering company MailGuard intercepted and blocked these emails sent to its users, revealing that the link took recipients to a malicious .zip file containing a JavaScript payload.

The sender email address was admin(at)victorychurch(dot)net(dot)au, which according to MailGuard appears to be a valid website for a South Australian church. MailGuard also said that the sender address for this fake Bingle email was using a MailChimp account.

Screenshot (Bingle)

On 16 January, another phishing scam was revealed by MailGuard, this time using the brand of online file storage company Zoho.

The email is sent under different display names and shares a .zip file, supposedly a tax report. Recipients are informed of a $8,919 GST bill.

According to MailGuard, links in the email point to the legitimate Zoho Docs service hosting an archive file containing malicious JavaScript code. The sender domain,, was registered with a company based in China on 14 January 2018.

Screenshot (MailGuard)

On the same day, a brandjacking scam targeting customers of accounting software firm Xero was also picked up by MailGuard.

“The email, with the subject ‘Your Xero Invoice’, advises the recipient that their Xero subscription invoice is attached and that the amount is due to be debited from their credit card,” MailGuard wrote in a blog post.

The emails came from subscription(dot)notifications(at) registered a day before the scam and had “Xero billing notifications” as the display name.

As with most companies that have a large number of customers, Xero’s brand is constantly used in email scams, with the most recent ones taking place in December and September 2017.

Screenshot (MailGuard)

The Australian Taxation Office (ATO), another highly targeted brand, was again used to deceive Australians on 17 January.

With the subject “Enclosed tax form”, the email asked recipients to fill in a form accessed via a link within the message. According to MailGuard, the link pointed to a JavaScript malware file in a .zip archive.

“Cybercriminals execute ATO brandjacking scams regularly. The ATO is a well-trusted name for Australians; the authority of respected government institutions lend credence to scams of this sort,” MailGuard wrote.

In 2017, there were several occurrences of similar scams purporting to be from the ATO including one in July and two in September.

Screenshot (MailGuard)

Following the disclosure of the Spectre and Meltdown security flaws found in Intel, AMD and ARM Holdings chips, cybersecurity vendor Malwarebytes late last week alerted the community to fake patches being used to spread malware.

“While some patches have created more issues than they fixed, we came across a particular one targeted at German users that actually is malware. In fact, German authorities recently warned about phishing emails trying to take advantage of those infamous bugs,” Malwarebytes Lead Malware Intelligence Analyst, Jérôme Segura, wrote in the company’s blog.

According to the Australian Government Stay Smart Online page, there were concerns that similar emails could be sent to Australians.

Screenshot (Malwarebytes)
