Cyber-criminals employing Machiavellian tactics to dupe ASIC & CBA customers

Posted by Katherine Chong on 04 October 2017 14:34:23 AEDT

Frequently targeted ASIC and CBA have again been impersonated in new email scams circulating from this morning (AEDT). These scams are particularly deceitful as they are so well-crafted, with no grammatical errors and on-brand formatting.

Our Operations team have determined that 100% of MailGuard's customers have been protected and are monitoring for variants.

Details of the ASIC payload email:

The large-scale email run, requesting payment for a business name renewal, looks to be a legitimate notification from ASIC. The display name is “ASIC Messaging Service,” and the sending and display address is asic.transaction.no-reply(at)ato.gov.r-au.com. The domain r-au.com was registered yesterday with a China-based registrar.

ASIC JS payload_Aug 23.png

The email links to an archive file containing a malicious JavaScript file:

ASIC scam download Oct 4.png

Details of the CBA phishing scam:

Whilst a relatively small campaign, the CBA phishing email is insidious as it is true to the company’s branding and customer communications. The email is simple HTML with no branding / logo – this mimics CBA’s actual email notifications, per the comparison screen shots below:

CBA phishing scam_email comparison Oct 4.png

The sender display name is ‘CBA Payment’, with the display and sending addresses having the aliases payment.com@ and root@. The display and sending addresses were being sent from different hosts, ostensibly to make it more difficult for email filtering services to identify and blacklist.

Below is a short list of host names that were used in the phishing run:

dns19965.phdns.es

s15426588.onlinehome-server.info

s18573288.onlinehome-server.com

u16318931.onlinehome-server.com

vmx11912.hosting24.com.au

Complete with ‘customised’ account details, such as the last four digits of the account number, amount due and payment due date, the notice prompts recipients to click through to make an online payment. The phishing page is an exact replication of the CBA NetBank login.

Victims entering their login details are likely to have their credentials scraped. This is alarmingly easy to do, without any web developer experience, given the plethora of publicly available how-to’s for cybercriminals.

CBA phishing scam_login comparison Oct 4.png

Avoid being duped:

  • Non-personalisation, or incorrect, details: These emails do not address you by name, and the ASIC notice does not specify which business name is due for renewal. They also contain incorrect details, such as your account number, amount owed, business name renewal date, etc.
  • The sending domain name: The official top-level domains are asic.gov.au and cba.com.au. Cyber perpetrators are cunning, and will register (or hijack) domains that are very similar to the official ones.
  • Double-check any required action with the company itself: For instance, call the company to verify and confirm details. The real CBA email notification advises customers to not reply to any emails, and to check the inbox in your NetBank account to confirm the authenticity of emails.

ASIC does send out email notifications 30 days prior to the renewal due date, however, their recommended payment method is via their online portal. You can check the renewal due date for your business on the ASIC register. ASIC advises that they will not:

  • Ask you to make a payment over the phone
  • Make a payment to receive a refund
  • Ask for your credit card or bank details directly by email or phone

Similarly, the Commonwealth Bank states that they do not send emails requesting customers to confirm, update or disclose their confidential banking information.

For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering to your business security. You’ll significantly reduce the risk of zero-day (previously unknown threats) and new variants of malicious email from entering your network.

Keep Informed with Weekly Updates

 

^ Back to Top

Topics: Phishing Malware email scam Cybersecurity CBA cybercrime ASIC ASIC scam Survivingcybercrime cybercrime statistics hoax email brandjacking Australian brands

Back to Blog

Comments:


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.

Remember:

  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all