Daniel Graziano 25 August 2015 15:48:45 AEST 2 MIN READ

Crypto Ransomware Attack Disguised as Australia Post Targeting Australians

MailGuard have successfully identified and blocked another email crypto run by cyber criminals based in Russia. These offenders are impersonating Australia Post and directing attacks at Australians alerting the email recipient of a supposed parcel that was delivered to their residence.

Here is a screenshot of the type of email to watch out for.


As you can see above, the email appears to originate from Australia post addressing the recipient directly (by first and last name) in the subject line, and in the email itself. One notable mistake the offenders have made is the poor grammar in the email subject line, ‘The courier have not redeem package’.

The recipient is prompted to click the ‘request label’ button, in order to attain their ‘shipping label’ and pick up their package.

Once the button is clicked, the victim is redirected through one of the thousands of dynamic domains the perpetrators use (which enables them to avoid having their IP blacklisted), until the user finally arrives on a landing page that is an exact replica of the Australia Post website.


This particular scam includes ‘parcel finder’ in the domain name. Whilst this obviously isn’t the official Australia Post URL, a naïve victim might not notice the unofficial domain as it is still relevant to their request. It is, however, critical that you exit non-legitimate websites and avoid entering personal details into any of the requested fields.

By completing the captcha verification process on the page and clicking ‘Download Information’, a download box appears prompting the user to download ransomware disguised as tracking information.

Whilst malware attached to emails can be stopped effectively by email filters, these crypto ransomware emails indirectly deliver their malware via multi-tiered redirected URL's instead of sending the malware by attaching to the email itself.

As a precaution, we urge you not to click links within emails that:

  • Are not addressed to you by name or have poor English
  • Are from businesses that you were not expecting to hear from
  • Ask you to download any files, namely with a .exe file extension
  • Take you to a landing page or website that does not have the legitimate URL

Educating staff and employing cloud-based email filtering and web filtering, complimented by multilayered defences including desktop antivirus, anti-malware and anti-spyware will go a long way to mitigating the risk from a wide range of email scams.

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.

Keep Informed with Weekly Updates

^ Back to Top