Annamaria Montagnese 31 May 2016 14:11:54 AEST 2 MIN READ

AGL Scam Carrying Crypto Ransomware Torrentlocker Hits Australian Inboxes

A massive phishing email with links to a crypto ransomware payload is hitting Australia inboxes today en-masse.

This is the second AGL scam in as many weeks. Last week another fake AGL email scam was circulating delivering Trojan malware.

The current scam looks similar to recent phishing runs impersonating other well-known brands like AusPost and AFP. These attacks appear to be coming from the same group of cyber criminals.

Here is a sample of today's AGL email which has many variations:MailGuard_Fake_AGL_Email_Scam_With_Links_To_Crypto_Ransomware_Email_Sample_1_31_May_2016.jpg

The scam email appears to be from AGL, advising the recipient of their current bill. The email is personalised for each recipient and provides a link for the recipient to view their electricity bill online.

Here is a sample of the first page recipients are directed to:


The landing page asks the user to enter in a ‘Captcha’ code. Once completed, the page downloads a .zip file containing a Javascript dropper. The dropper when executed then downloads Torrentlocker from a remote location.


The URLs for the websites which the recipients are sent to vary greatly. It appears there are a large number of compromised webservers serving out the landing pages and malware.

Why is Ransomware dangerous?

When Ransomware files have been run by the email recipient or web user, the malware actually encrypts files on both the local device and possibly the entire network. The user or business may then be held to ransom, with a Bitcoin fee usually demanded in return for the decryption key for the files.

The only other option is for the business to stay offline and recover previous backups to get back online. Many users are left with no choice other than to pay the ransom, which can be for tens of thousands of dollars.

How can I protect myself from these types of email scams?

To reduce the risk of being tricked by one of these scams, you should immediately delete any emails that:

  • Seem suspicious and ask you to download files or click any links within an email to access your account or other information.
  • Are purporting to be from businesses you may know and trust, yet use language that is not consistent with the way they usually write (including multiple grammatical errors)
  • Ask you to click on a link within the email body in order to access their website. If unsure call the company/person directly and ask whether the email is legitimate

If unsure, do not click links or download files contained within the email and contact the purported sender directly to verify the authenticity of the email.

AGL also share tips on how phishing and hoax emails operate on their website.

We recommend that you share these tips with your staff to make them aware of these campaigns. By employing a cloud email and web security solution like MailGuard, you will reduce the incidence of these new variants of malicious email entering your network.

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.

Keep Informed with Weekly Updates

^ Back to Top