Annamaria Montagnese 11 July 2016 17:23:22 AEST 3 MIN READ

CyberCrime Network Behind AGL Targets Australia Post with New Cerber Ransomware Scam

In a new email scam breaking early Monday, the same cybercrime network behind the recent AGL attacks appear to have moved their focus to Australia Post. The email claims that a package was unable to be delivered because nobody was home, and asks recipients to click a link.

This is a different approach to that employed in earlier Australia Post scams. Previously the link in the email would take recipients to a fake Australia Post landing page with a captcha code, but now the link takes users directly to a ‘download’ page with no captcha required. We assume the attackers have made this change to make it easier for victims to install the malware, thereby increasing the chances of infection.

MailGuard Hybrid AI (Artificial Intelligence) Threat Detection Engines were first to detect this attack, with other vendors failing to mark the email as malicious earlier today.

Here is a screenshot of the type of email to watch out for.


When recipients click ‘Request package info’ the landing page below will launch prompting unsuspecting users to ‘Open’ or ‘Save’ the file.  


In the final step, victims click on the file (.zip below) which commences downloading the malicious code for the cerber ransomware via the victims’ browser.


Different to previous attacks, this time around the downloaded file is a .js (Javascript) dropper instead of the usual .exe (executable).

The .js file contains obfuscated code (as shown below) which is a tactic that cybercrime networks employ to avoid detection by anti-virus vendors, making it difficult for the AV to determine if the code is malicious.


Cybercrime networks are continually adapting their approach to avoid detection, and this is yet another example.

Why is Ransomware dangerous?

When Ransomware files are run by the email recipient or web user, the malware encrypts files on both the local device and possibly the entire network. The user or business may then be held to ransom, with a Bitcoin fee usually demanded in return for the decryption key for the files.

The only other option is for the business to stay offline and recover previous backups to get back online. Many users are left with no choice other than to pay the ransom, which can be for tens of thousands of dollars.

How can I protect myself from these types of email scams?

To reduce the risk of being tricked by one of these scams, you should immediately delete any emails that:

  • Seem suspicious and ask you to download files or click any links within an email to access your account or other information.
  • Are purporting to be from businesses you may know and trust, yet use language that is not consistent with the way they usually write (including multiple grammatical errors)
  • Ask you to click on a link within the email body in order to access their website. If unsure call the company/person directly and ask whether the email is legitimate

If unsure, do not click links or download files contained within the email and contact the purported sender directly to verify the authenticity of the email.

We recommend that you share these tips with your staff to make them aware of these campaigns. By employing a cloud email and web security solution like MailGuard, you will reduce the incidence of these new variants of malicious email entering your network.

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.

If you’re experiencing problems, you can speak to a cloud security specialist on 1300 30 44 30 or email

Keep Informed with Weekly Updates

^ Back to Top