17 July 2013 19:13:00 AEST

ATO Refund Notification Steals Passwords

Cloud email security specialist MailGuard prevented fast-breaking malware from impacting its business clients yesterday morning. The fast-breaking malware attack purported to come from the Australian Tax Office.

Investigation into desktop anti-virus software programs showed that only a few had been updated in the hours after the launch of the attack. This allowed delivery of the malware, which came in the form of an executable file inside a zip file, designed to steal passwords and other confidential information.

The suspect email, with the subject “Australian Taxation Office – Refund Notification”, was launched in two waves. The first wave was between 9:30am and 10am AEST 16 July 2013. Ninety minutes later, at 11:30am AEST the second wave started and quickly reached up to triple the volume of the first.

The message contains information that the recipient is eligible for a refund. It then gives directions to download and open the attached file. Once activated the malware payload steals passwords and other confidential information without using keystroke logging. Instead, passwords are extracted directly from files used by applications that store them.
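The lure described above arrived as an executable packed inside a zip attachment. A mail gateway can flag that pattern before any signature exists for the payload by unpacking the archive listing and checking member names. The following is an added illustration written for this page, not MailGuard's own code; the message it inspects is constructed inline to mirror the campaign's subject line and attachment form, and the archive member name and placeholder bytes are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive unexpectedly inside an archive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def executables_in_zip(data: bytes) -> list[str]:
    """Return the names of archive members whose extension marks them as executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # Not a valid zip: nothing to report from this check.
        return []
    return [n for n in names if any(n.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS)]


def suspicious_attachments(raw_message: bytes) -> list[tuple[str, list[str]]]:
    """Parse a raw RFC 822 message and report zip attachments that carry executables."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Inspect the bytes themselves (zip local-header magic) rather than trusting
        # only the declared filename or MIME type, which a sender controls.
        if payload.startswith(b"PK\x03\x04") or filename.lower().endswith(".zip"):
            members = executables_in_zip(payload)
            if members:
                findings.append((filename, members))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample modelled on the lure in the article; not the real email."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Assumed member name and placeholder bytes, not a real program.
        zf.writestr("Refund_Notification.exe", b"placeholder, not executable content")
    msg = EmailMessage()
    msg["Subject"] = "Australian Taxation Office - Refund Notification"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("You are eligible for a refund. Open the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="refund.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, members in suspicious_attachments(build_sample_message()):
        print(f"quarantine: {name} contains {members}")
```

Matching on archive contents rather than on the sender or subject means the rule keeps working when the next wave changes its wording; pairing it with a quarantine action gives a gateway a hold that does not depend on desktop anti-virus having been updated.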

Fast-breaking trojans are dangerous and can spread rapidly. Just after 10am AEST, the independent scanning service VirusTotal reported that the suspect email was being detected by only around 10 of the 47 major AV providers.

MailGuard recommends that business and individual recipients of this email, and others like it, do not open it. Unexpected emails and their attachments should never be opened. Financial organisations, like banks and the ATO, just don’t send this type of email.