ASIC targeted again in a large-scale phishing scam

Posted by Katherine Chong on 24 August 2017 10:56:33 AEST

Another large scale run of fake ASIC emails was deployed yesterday. The first message was delivered at 08:46:21 AEST on the 23rd August, and purports to be an ABN registration renewal notification.

The email is seemingly legitimate, due to the professional formatting and grammatical accuracy.

The display and sending address are “ASIC Messaging Service” and asic.transaction.no-reply@australiangovernement.com respectively. The servers used to send the emails are located in France, and the domain was registered just a day before the phishing run.

ASIC JS payload_Aug 23.png

The notice does not ask for payment, but rather, a seemingly benign request to click a link to view, print or save the renewal letter. The link is to a ZIP file which contains malicious JavaScript payload.

As 94.7% of all websites use JavaScript, this scripting language presents a massive opportunity for cyber attackers. The insidious characteristic of a JavaScript payload, is that it doesn’t require user interaction to run.

The malicious payload is most likely a Javascript dropper, which downloads and deploys malware/trojans. To avoid detection, the Javascript code downloaded is usually obfuscated and not human readable.  Some variants will also detect when executed in a sandbox environment and not action, thus making it harder to work out what it would do on a desktop environment. Often, they auto-delete after the malware installation.

ASIC JS download_Aug 23.png

Giveaways that this is a fraudulent email:

  • The domain name – there is a misspelling of “government.” Australian government websites have the domain suffix / top level domain “.gov” (ASIC’s official domain is asic.gov.au).
  • It is not personalised with the recipient’s details (business name, ABN, account number).
  • The signatory, Damien Bronstad (based on a web search), is not an actual employee at ASIC.

ASIC, and other government departments such as the ATO and ACCC, and companies with large customer bases, are regular victims of brand jacking. This is the fifth ASIC branded email phishing scam detected by MailGuard this calendar year, off the back of a scam last month of unprecedented scale.

ASIC does send out email notifications 30 days prior to the renewal due date, however, their recommended payment method is via their online portal.

Our Operations team have determined that 100% of MailGuard's customers have been protected and are monitoring for variants.

For a few dollars per staff member per month, add MailGuard's cloud-based email and web security to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network.

Keep Informed with Weekly Updates

 

^ Back to Top

Topics: Malware email scam Cybersecurity cybercrime hoax email brandjacking Australian brands JavaScript malware

Back to Blog

Comments:


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.

Remember:

  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all