Daniel Graziano 16 September 2015 13:52:30 AEST

High Volume Crypto Ransomware Attack Disguised as Australia Post

MailGuard have successfully identified and blocked a crypto ransomware email run sent today by cyber criminals impersonating Australia Post.

This zero-day outbreak targets Australians, alerting the email recipient to a supposed parcel that was delivered to their residence.

Warning: Whilst similar to previous attacks, over 90% of the antivirus vendors we scanned this zero-day against were not detecting malware on the compromised websites these emails linked to.

Here is a screenshot of the type of email to watch out for:

[Screenshot: Australia Post crypto email sample]

The email appears to originate from Australia Post, addressing the recipient directly (by first and last name) in the subject line and in the email itself. One notable mistake the offenders have made is the poor grammar in the email subject, "The courier did not redeem package", and in the email body, "A mailman have not redeem".

The recipient is prompted to click the ‘request label’ button in order to obtain their ‘shipping label’ and pick up their package.

Once the button is clicked, the victim is redirected through one of the many domains the perpetrators have hijacked to use (which enables them to avoid having their IP blacklisted). The email recipient arrives on a landing page that is an exact replica of the Australia Post website.

[Screenshot: Australia Post crypto landing page sample]

By completing the captcha verification process on the page and clicking ‘Download Information’, a download box appears prompting the user to download ransomware disguised as tracking information.

Whilst malware attached to emails can be stopped effectively by email filters, these crypto ransomware emails do not attach the malware to the email itself. Instead, they deliver it indirectly via multi-tiered redirected URLs.

As a precaution, we urge you not to click links within emails that:

  • Are not addressed to you by name or have poor English when appearing to be from a reputable Australian company
  • Are from businesses that you were not expecting to hear from
  • Ask you to download any files, particularly files with a .exe file extension
  • Take you to a landing page or website that does not have the legitimate URL of the company the email is purporting to be sent from
  • Are from businesses/individuals you were not expecting to hear from or that you aren’t 100% positive are from a trusted source

Educating staff and employing cloud-based email filtering and web filtering, complemented by multilayered defences including desktop antivirus, anti-malware and anti-spyware, will go a long way to mitigating the risk from a wide range of email scams.
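Two items from the checklist above (links that leave the purported sender's legitimate URL, and .exe downloads) can be checked mechanically at a mail gateway. The following is an added example, not MailGuard's code; the allowed domain `auspost.com.au`, the function names and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand's legitimate domain; not taken from the post.
BRAND, ALLOWED = "australia post", {"auspost.com.au"}

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def on_brand_domain(host):
    """True if host is an allowed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED)

def check_email(raw):
    """Return findings for mail that claims to come from BRAND."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # the constructed sample is single-part HTML
    if BRAND not in f"{display} {msg.get('Subject', '')} {body}".lower():
        return []
    findings = []
    if not on_brand_domain(addr.rpartition("@")[2]):
        findings.append(f"sender domain mismatch: {addr}")
    collector = LinkCollector()
    collector.feed(body)
    for link in collector.links:
        url = urlparse(link)
        if not on_brand_domain(url.hostname):
            findings.append(f"off-brand link: {url.hostname}")
        if url.path.lower().endswith(".exe"):
            findings.append(f"executable download: {url.path}")
    return findings

# Constructed sample modelled on the email described above; placeholder domains.
SAMPLE = """From: Australia Post <noreply@mail.example.net>
Subject: Jane Citizen, The courier did not redeem package
Content-Type: text/html

<a href="http://hijacked.example.org/label.php">Request label</a>
"""
print("\n".join(check_email(SAMPLE)))
```

The check inspects only the link as written in the email; it does not follow the redirect chain, so the later hops and the final download still need web filtering.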

