ASIC and CBA, two frequently impersonated brands, have again been impersonated in new email scams circulating from this morning (AEDT). These scams are particularly deceitful because they are so well crafted, with no grammatical errors and on-brand formatting.
Our Operations team has confirmed that 100% of MailGuard's customers were protected and is monitoring for variants.
Details of the ASIC payload email:
The large-scale email run, requesting payment for a business name renewal, looks like a legitimate notification from ASIC. The display name is “ASIC Messaging Service,” and the sending and display address is asic.transaction.no-reply(at)ato.gov.r-au.com. Note that ato.gov here is only a pair of subdomain labels: the registrable domain is r-au.com, which was registered yesterday with a China-based registrar.
The email links to an archive file containing a malicious JavaScript file.
Details of the CBA phishing scam:
Whilst a relatively small campaign, the CBA phishing email is insidious because it is true to the company’s branding and customer communications. The email is simple HTML with no branding or logo, which mimics CBA’s actual email notifications, as the comparison screenshots showed.
The sender display name is ‘CBA Payment’. The display (From) address uses the alias payment.com@ while the actual sending address uses root@, and the two addresses sit on different hosts, ostensibly to make it harder for email filtering services to identify and blacklist the campaign.
Below is a short list of host names that were used in the phishing run:
dns19965.phdns.es
s15426588.onlinehome-server.info
s18573288.onlinehome-server.com
u16318931.onlinehome-server.com
vmx11912.hosting24.com.au
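The two header traits described above, a trusted name buried as subdomain labels of a freshly registered domain and a From address on a different host from the actual sender, can be turned into automated checks. The following Python is an added example, not MailGuard's code; its suffix set is a tiny stand-in for the real Public Suffix List, and the TRUSTED set and sample headers are assumptions constructed from the addresses quoted in this post.

```python
from email.utils import parseaddr

# Assumed mini suffix list (real code loads the Public Suffix List) and assumed trusted brands.
PUBLIC_SUFFIXES = {"com", "au", "info", "es", "com.au", "gov.au"}
TRUSTED = {"ato.gov.au", "asic.gov.au", "commbank.com.au"}

def suffix_start(labels):
    """Index of the first label of the longest known public suffix, or len(labels) if none."""
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return i
    return len(labels)

def registrable_domain(host):
    """Public suffix plus one label: ato.gov.r-au.com -> r-au.com, not ato.gov."""
    labels = host.lower().strip(".").split(".")
    i = suffix_start(labels)
    if i == len(labels):               # unknown suffix: fall back to the last two labels
        return ".".join(labels[-2:])
    return ".".join(labels[max(i - 1, 0):])

def lookalike_of(host):
    """Trusted domain whose brand labels sit inside a different registrable domain, else None."""
    labels = host.lower().strip(".").split(".")
    reg = registrable_domain(host)
    for trusted in sorted(TRUSTED):
        t = trusted.split(".")
        brand = t[:suffix_start(t)]      # e.g. ["ato"] for ato.gov.au
        n = len(brand)
        hit = any(labels[k:k + n] == brand for k in range(len(labels) - n + 1))
        if hit and reg != trusted:       # a genuine mail.ato.gov.au is not flagged
            return trusted
    return None

def assess(from_header, return_path):
    """Findings for one message: brand lookalike in From, and From/Return-Path domain mismatch."""
    findings = []
    from_host = parseaddr(from_header)[1].rpartition("@")[2]
    rp_host = parseaddr(return_path)[1].rpartition("@")[2]
    imitated = lookalike_of(from_host)
    if imitated:
        findings.append(f"From host {from_host} imitates {imitated}")
    if rp_host and registrable_domain(rp_host) != registrable_domain(from_host):
        findings.append(f"From domain {registrable_domain(from_host)} != Return-Path domain {registrable_domain(rp_host)}")
    return findings

if __name__ == "__main__":   # constructed headers modelled on the addresses quoted in the post
    print(assess('"CBA Payment" <payment.com@s15426588.onlinehome-server.info>',
                 "<root@vmx11912.hosting24.com.au>"))
```

Either finding on its own is only a signal; in practice it would be weighed alongside SPF/DKIM results and domain age before quarantining.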
Complete with ‘customised’ account details, such as the last four digits of the account number, amount due and payment due date, the notice prompts recipients to click through to make an online payment. The phishing page is an exact replication of the CBA NetBank login.
Victims entering their login details are likely to have their credentials scraped. This is alarmingly easy to set up without any web development experience, given the plethora of publicly available how-tos aimed at cybercriminals.
Avoid being duped:
ASIC does send out email notifications 30 days prior to the renewal due date; however, its recommended payment method is its online portal. You can check the renewal due date for your business on the ASIC register. ASIC advises that they will not:
Similarly, the Commonwealth Bank states that they do not send emails requesting customers to confirm, update or disclose their confidential banking information.
For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering to your business security. You’ll significantly reduce the risk of zero-day (previously unknown) threats and new variants of malicious email entering your network.