Frequently targeted ASIC and CBA have again been impersonated in new email scams circulating from this morning (AEDT). These scams are particularly deceitful as they are so well-crafted, with no grammatical errors and on-brand formatting.
Our Operations team have determined that 100% of MailGuard's customers have been protected and are monitoring for variants.
Details of the ASIC payload email:
The large-scale email run, requesting payment for a business name renewal, looks to be a legitimate notification from ASIC. The display name is “ASIC Messaging Service,” and the sending and display address is asic.transaction.no-reply(at)ato.gov.r-au.com. The domain r-au.com was registered yesterday with a China-based registrar.
The email links to an archive file containing a malicious JavaScript file:
Details of the CBA phishing scam:
Whilst a relatively small campaign, the CBA phishing email is insidious as it is true to the company’s branding and customer communications. The email is simple HTML with no branding / logo – this mimics CBA’s actual email notifications, per the comparison screen shots below:
The sender display name is ‘CBA Payment’, with the display and sending addresses having the aliases payment.com@ and root@. The display and sending addresses were being sent from different hosts, ostensibly to make it more difficult for email filtering services to identify and blacklist.
Below is a short list of host names that were used in the phishing run:
dns19965.phdns.es
s15426588.onlinehome-server.info
s18573288.onlinehome-server.com
u16318931.onlinehome-server.com
vmx11912.hosting24.com.au
Complete with ‘customised’ account details, such as the last four digits of the account number, amount due and payment due date, the notice prompts recipients to click through to make an online payment. The phishing page is an exact replication of the CBA NetBank login.
Victims entering their login details are likely to have their credentials scraped. This is alarmingly easy to do, without any web developer experience, given the plethora of publicly available how-to’s for cybercriminals.
Avoid being duped:
- Non-personalisation, or incorrect, details: These emails do not address you by name, and the ASIC notice does not specify which business name is due for renewal. They also contain incorrect details, such as your account number, amount owed, business name renewal date, etc.
- The sending domain name: The official top-level domains are asic.gov.au and cba.com.au. Cyber perpetrators are cunning, and will register (or hijack) domains that are very similar to the official ones.
- Double-check any required action with the company itself: For instance, call the company to verify and confirm details. The real CBA email notification advises customers to not reply to any emails, and to check the inbox in your NetBank account to confirm the authenticity of emails.
ASIC does send out email notifications 30 days prior to the renewal due date, however, their recommended payment method is via their online portal. You can check the renewal due date for your business on the ASIC register. ASIC advises that they will not:
- Ask you to make a payment over the phone
- Make a payment to receive a refund
- Ask for your credit card or bank details directly by email or phone
Similarly, the Commonwealth Bank states that they do not send emails requesting customers to confirm, update or disclose their confidential banking information.
For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering to your business security. You’ll significantly reduce the risk of zero-day (previously unknown threats) and new variants of malicious email from entering your network.
