Katherine Chong 13 September 2017 13:42:24 AEST 3 MIN READ

Do not click – spate of phishing runs impersonating Telstra, ATO and Queensland eToll operator go via

A succession of small to very large phishing campaigns impersonating major Australian brands Telstra, the ATO (Australian Taxation Office) and Queensland tolling payments provider GoVia has been blocked by MailGuard in the past 24 hours.

All three scams are dressed up as financial notices: the GoVia email asks customers to ‘View your go via tax statement’, the Telstra email offers a link to an email bill, and the ATO email presents a penalty notice. All are designed to dupe recipients into opening a .ZIP file (linked or attached) that installs malicious software, or into handing over sensitive personal information that can be used in a later attack.

Cybercriminals target the brands we know. GoVia, the ATO and Telstra are frequent targets of brand impersonation: GoVia was targeted in August, the ATO in February and Telstra last month. The brand equity and broad customer base of these companies make click-throughs more likely for cyber perpetrators.

Details of the scams:

The Telstra-branded email is plain text, and is neither as convincing nor as sophisticated as the HTML emails purporting to be from GoVia and the ATO. However, the Telstra email does contain disclaimers about privacy protection and non-solicitation of payment details via email, which may be enough to convince recipients that it’s the real thing.

Screenshots of the emails are below:

[Image: Go Via scam Sep 13.png]

[Image: Telstra scam Sep 13.png]

[Image: ATO scam Sep 13.png]

The sending domains of the Telstra and GoVia emails were registered in China just a few days ago. All emails were 100% blocked by MailGuard. The team is scanning for new variants, as the GoVia and ATO attacks are ongoing.

What do the malicious payloads do?

The Telstra and GoVia links go to a compromised SharePoint site hosting a .ZIP file containing malicious .JS files. The malicious payload is most likely a JavaScript dropper, which downloads and deploys malware/trojans. Analysis by MailGuard reveals that the payloads are designed to:

  • Steal private information from local Internet browsers, and
  • Install for autorun at Windows startup

The .JS files in these archives are not browser JavaScript. On Windows, a double-clicked .js file is run by Windows Script Host (wscript.exe) with the user’s full privileges and outside any browser sandbox, so opening the extracted file is all the interaction the attacker needs. Because JavaScript is so familiar (it runs on the vast majority of websites), a .js attachment draws less suspicion than an .exe, which makes the format an attractive choice for cyber attackers.

The ATO phishing email contains a ZIP attachment containing a JAR (Java Archive) payload, which is known to open a backdoor to the computer once the malicious component is installed. A JAR only runs if a Java runtime is installed on the victim’s machine, but where it is, double-clicking the file is enough to launch it. According to a Microsoft blog from April 2017, JAR files are increasingly being used by cybercriminals as a tactic to evade detection (the more common malicious file types being MIME, PDF, text, HTML and DOCX).

Avoid being duped:

  • No personalisation – generic salutations like “Dear Customer” and “Good Day” are giveaways
  • Look at the sending address (not the display name) – an unfamiliar domain is a strong warning sign, e.g. telstraemailbill_noreply@btmcontent.com, do_not_reply@ffx2.net and mdaminmuda@snaenergy.com.my. A plausible-looking address is not proof of legitimacy either, since the From header can be forged.
  • Don’t click through, or click to open, any attachments in a suspect email. Always call the company to verify if you’re not sure.
  • Permanently delete the email (from your inbox and then from your ‘Trash’ folder)
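The checks in the list above, and the ZIP-with-script/JAR payload pattern described earlier, can be automated when triaging a suspect message. The script below is an added example, not MailGuard’s code or analysis tooling: it parses an .eml message, compares the display name with the real sending domain, looks for a generic salutation, and opens any ZIP attachment to see whether it carries an executable member such as a .js or .jar file. The sample message is constructed for the example (the sender address is the one quoted in this post; the ZIP member is a harmless placeholder, not a real dropper), and the display-name check is a heuristic, not a definitive verdict.

```python
"""Triage an .eml message for the phishing tells discussed in the post.
Added example; the message built in build_sample() is constructed, not a real capture."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types that execute directly on a Windows desktop when double-clicked
# (.js runs under Windows Script Host, .jar under an installed Java runtime).
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".jar", ".exe", ".scr", ".hta"}

# Generic salutations the post calls out as giveaways.
GENERIC_GREETING = re.compile(r"^\s*(dear\s+(customer|client|user|member)|good\s+day)\b", re.I | re.M)


def display_name_mismatch(from_header):
    """Return (display_name, address, mismatch) for a From header.

    Heuristic: mismatch is True when no word of the display name (length >= 3)
    appears in the actual sending domain, e.g. "Telstra" <...@btmcontent.com>.
    A legitimate "Telstra" <noreply@telstra.com> passes this check."""
    name, addr = parseaddr(from_header or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", name)]
    mismatch = bool(words) and not any(w in domain for w in words)
    return name, addr, mismatch


def has_generic_greeting(msg):
    """True if the text body opens with a generic salutation."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return GENERIC_GREETING.search(text) is not None


def risky_zip_members(msg):
    """Return (attachment_name, member_name) for every ZIP attachment member
    with an executable extension. Corrupt archives are reported rather than skipped."""
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    ext = ("." + member.rsplit(".", 1)[-1].lower()) if "." in member else ""
                    if ext in EXECUTABLE_EXTS:
                        hits.append((fname, member))
        except zipfile.BadZipFile:
            hits.append((fname, "<not a valid zip>"))
    return hits


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    name, addr, mismatch = display_name_mismatch(msg.get("From", ""))
    if mismatch:
        findings.append(f"display name {name!r} does not match sending domain of {addr}")
    if has_generic_greeting(msg):
        findings.append("generic salutation")
    for att, member in risky_zip_members(msg):
        findings.append(f"{att} contains executable member {member}")
    return findings


def build_sample():
    """Constructed lookalike of the Telstra-style lure (invented content; the
    address is the one quoted in the post; the .js member is an inert placeholder)."""
    msg = EmailMessage()
    msg["From"] = '"Telstra" <telstraemailbill_noreply@btmcontent.com>'
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Your Telstra email bill is ready"
    msg.set_content(
        "Dear Customer,\n\nYour bill is attached. Telstra will never ask for payment "
        "details by email.\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Telstra_Bill_1234.js", "// placeholder content, not a dropper\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Telstra_Bill.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("FLAG:", finding)
```

Run it on a saved message with `triage(open("suspect.eml", "rb").read())`. The display-name check will also flag innocuous senders such as “Customer Service” <noreply@telstra.com>, so treat it as one signal to review alongside the attachment and salutation findings rather than as a block decision on its own.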

It is a good idea to be across the latest phishing tactics, and what to look out for. Take our test to see if you can spot the phish.

For a few dollars per staff member per month, add MailGuard's cloud-based email and web security to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network.
