MailGuard 25 June 2024 16:16:03 AEST 7 MIN READ

Beware: EOFY Equals ATO Scams Like This One

Cybercriminals are opportunists, and what better opportunity than to send an ATO link to people on the eve of the end of the financial year (EOFY). Jackpot! That’s certainly what the scammers are hoping for with this latest email scam that’s being blocked by MailGuard.

The email sender display name is ‘Australian Taxation Office’ and the display address is info(at)qair(dot)store, which is likely to be a compromised account. The domain is reserved, but not active, and it was registered in 2022. It also has credentials for an Amazon SES (Simple Email Service) account, allowing the cybercriminals behind the scam to associate a different unique sender address with each scam email sent.

Here are a few examples of the sender addresses:

  • 010001904c83da53-71403cea-ba17-4150-a003-b91bccec6c43-000000(at)amazonses(dot)com
  • 010001904c8419cf-912324e9-b69b-4e8b-8858-983a2f21edeb-000000(at)amazonses(dot)com
  • 010001904c8145f2-9c13bd01-3062-4857-ac35-5de6b3f999a6-000000(at)amazonses(dot)com
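A defender-side check for the sender pattern described above, as an added example that is not MailGuard's code: it flags a protected brand in the display name when the From domain is unrelated, and notes a per-message Amazon SES envelope sender. The brand-to-domain map, the finding names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand display names and the domains entitled to use them.
BRANDS = {
    "australian taxation office": ("ato.gov.au",),
    "mygov": ("my.gov.au",),
}
# Shape of the per-message Amazon SES envelope senders listed in the article.
SES_ENVELOPE = re.compile(
    r"^[0-9a-f]{16}-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}-\d{6}"
    r"@(?:[a-z0-9-]+\.)?amazonses\.com$"
)

def refang(addr):
    """Turn a defanged address such as a(at)b(dot)c back into a@b.c."""
    return addr.replace("(at)", "@").replace("(dot)", ".")

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def in_domains(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def assess(raw_message):
    """Return the sender-identity findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    findings = []
    for brand, allowed in BRANDS.items():
        if brand in name.lower() and not in_domains(domain_of(from_addr), allowed):
            findings.append("brand-display-name-from-unrelated-domain")
            break
    if envelope and domain_of(envelope) != domain_of(from_addr):
        findings.append("envelope-domain-differs-from-header-from")
    if SES_ENVELOPE.match(envelope.lower()):
        # Legitimate bulk mail uses SES too; only meaningful with the above.
        findings.append("ses-per-message-envelope")
    return findings

# Constructed sample (not a captured message); addresses are placeholders.
SAMPLE = """\
Return-Path: <0100018f00000000-00000000-0000-0000-0000-000000000000-000000@amazonses.com>
From: Australian Taxation Office <info@sender.example>

Constructed body.
"""
```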

And, here’s an example of what the email itself looks like:

email-masked-ATO-mygov-0624

The email is intentionally brief, to encourage curious recipients to click through to learn more, and the second page in the sequence is very simple, introducing myGov and Australian Taxation Office (ATO) branding to boost authenticity. While a page like this one may seem odd and clumsy to many of us, it is there by design, to avoid detection by email security filters for as long as possible. Those services will initially scan the first page and in doing so will discover an image and a link to another site. Those items alone are not cause for concern, since the page has no fields asking for a username and password. Inserting this page, as awkward as it may seem for human interaction, means the scam won't be flagged by security filters until the other related links are trawled further. Here's what that next page looks like.

redirect-ATO-mygov-0624

The final step in the phishing sequence is a form that carefully mimics the look and feel of a myGov page to boost authenticity. It encourages recipients to enter their myGov credentials to sign in. By completing the form, victims disclose their username or email and password, granting the scammers access to the myriad services provided by myGov.

signin-ATO-mygov-0624

The ATO website provides guidelines for linking your myGov account to the ATO, plus the Australian government website says, ‘myGov is a simple and secure way to access government services online all in one place.’ It’s a hot target for scammers looking to steal credentials. There are 3.3 million app users accessing services 782,000 times per day.

Our team are continually intercepting variations on these scams that originate from different parties, but with a common theme. Here are some examples from April this year, in January 2023 and October 2023, and they go even further back, like this one from April 2017.

myGov offers the following advice to all users:

“myGov is delivered by Services Australia. We will never send you an email or SMS with a hyperlink directing you to sign in to your myGov account. Always access myGov by typing in the web address yourself.

Services Australia and myGov will never send you an email or text message asking for your:

  • username
  • password
  • myGov PIN
  • secret questions and answers
  • personal details.

When you are signed in to myGov, the messages in your myGov Inbox are secure. It’s safe to open links included in myGov Inbox messages.”

MailGuard advises all recipients of this email to delete it immediately without clicking on any links. Providing your personal details can result in your sensitive information being used for criminal activity and may have a severe negative impact on your business and its financial well-being.      

MailGuard urges users not to click links or open attachments within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and/or
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.

Many businesses turn to MailGuard after an incident or a near miss, often as a result of an email similar to the one shown above. If unwanted emails are a problem for your business, don’t wait until it’s too late.  

Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  
