MailGuard intercepted an email scam this morning that's meant to look like a message from ASIC; the Australian Securities and Investments Commission - see image above.
ASIC is the Australian Government body responsible for business-name registrations, among other things. This scam email is instructing the recipient to download a ‘certificate of registration,’ which is an MS Word .doc file attachment. We detected malicious macros in the .doc file, which are the mechanism for delivering the threat in this email scam.
Macro Scams
People tend to think of .doc as a harmless file format, which makes it a useful delivery device for cybercriminals looking to get their malware onto victim’s machines.
Macro-based malware scams used to be much more common. They have reduced in number in recent years, but the technique still works, so it hasn’t gone away completely.
Macros are pieces of code embedded in MS Office files. Normally they are benign and used to automate tasks in applications, but they can also be used by scammers to download malware like keyloggers.
A keylogger is a covert software app which records everything a user types on their keyboard, and can then transmit that data to a remote location. Keyloggers allow scammers to get hold of sensitive data like credit card numbers and passwords.
A cybercrime victim whose computer has been infected with a keylogger may not know about it until much later, because scammers often sell the stolen data they collect to third parties. The victim won’t know they’ve been hit until their bank account has been emptied or their credit card is mysteriously maxed out.
Scam Techniques
Although this email has a very simple design the scammers have taken some care to disguise their intentions. The sender display name on the email header shows ‘ASIC Messaging Service’ and the sender address is asic.transaction.no-reply[at]governmentgateway[dot]org, which looks at least semi-legitimate. But governmentgateway[dot]org is actually a new URL that was registered yesterday in China - a hotspot for cybercrime at the moment.
To help make their fake email look more convincing, these ASIC scammers have used some real information in their message. It contains links to actual ASIC web-pages in its text and also uses the name of a real ASIC executive - Rosanne Bell - as the signatory on the bottom of the message.
ASIC is an organisation regularly impersonated by scammers. Australian Government bodies have an aura of authority and trustworthiness which scammers can leverage to ease people’s suspicions.
This is a timely reminder that it’s important to check the validity of emails with attachments, even if they appear to be from trusted sources, like ASIC. Small clues like a fake sender URL may be the only indication that the message you’re reading is dangerous.
Protect Your Inbox
MailGuard has prevented this email scam from reaching our customer’s inboxes. Unfortunately, this is a large-scale attack, so there will be plenty of these messages landing in unprotected email accounts today.
- Always hover your mouse over links within emails and check the domain they’re pointing to. If they look suspicious or unfamiliar don’t open them.
- Nine out of 10 cyber-attacks are delivered via email, so it's essential to have the best email filtering in place to protect your systems.
- For a few dollars per staff member per month, you can have the peace of mind of MailGuard's comprehensive cloud-based email and web filtering. You’ll significantly reduce the risk of zero-day (previously unknown) threats and stop new variants of malicious email from entering your network
Keep up to date on the latest scams by subscribing to MailGuard updates or follow us on social media. If you’re experiencing problems, you can speak to a cloud security specialist on 1300 30 44 30
