Jaclyn McRae 05 September 2016 12:36:23 AEST

Don’t click: Zero-day Optus invoice scam deploys malware

A large run of fake Optus emails uses realistic branding and body content that varies from message to message, both to deceive recipients and to evade anti-spam filtering.

The payload email, detected by MailGuard today, urges recipients to click a link to view an invoice purportedly from the telecommunications company.

Those who click the link are directed to a malicious website, registered in Russia less than 24 hours earlier and built to mimic the real Optus site, which serves a download that, once run, installs a Trojan.

At the time of detection, only three of 67 other security vendors flagged the malicious URL.

The emails have a range of headings – including ‘Account overview’ and ‘Mobile and Fixed Broadband overview’.


Each contains a customer account number, invoice number and invoice amount, but those values differ between recipients so that no two messages share an identical body, an attempt to evade anti-spam scanners that fingerprint known spam content.

The text of the link leading to the malicious download also varies between recipients, for the same reason, while a detailed, legitimate-looking email footer adds to the deception.


Those who click to view their ‘invoice’ land on a fake Optus page hosted at getoptusbill.com. The domain borrows the Optus name but has no connection to the company, and it was registered in Russia less than 24 hours before the campaign was detected.
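Two of the signals above are cheap to check automatically at a mail gateway: a link whose registrable domain contains the impersonated brand’s name without being one of the brand’s real domains, and a domain registered only hours before the message arrived. The following is an added example, not MailGuard’s code or tooling. It parses a constructed sample email, extracts its links and flags both conditions. Domain creation dates would normally come from a WHOIS or RDAP query; here a constructed lookup table stands in for that query so the script runs offline, and the allowlist of genuine Optus domains (optus.com.au) is an assumption for illustration rather than a published list.

```python
"""Triage the links in a suspected brand-impersonation email.

Added example (not MailGuard's code). Flags link domains that use the
brand's name without being a known brand domain, and domains registered
within the last 24 hours. WHOIS data is replaced by a constructed table.
"""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from urllib.parse import urlparse

BRAND = "optus"
# Assumed allowlist of the brand's genuine registrable domains.
BRAND_DOMAINS = {"optus.com.au"}
# The campaign's domain was under 24 hours old when the emails were sent.
NEW_DOMAIN_WINDOW = timedelta(hours=24)
# Simplified public-suffix handling; a production tool should use the
# full Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}


def registrable_domain(host):
    """Reduce a hostname to the domain that a registrar would have sold."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_urls(raw_message):
    """Collect hrefs from HTML parts and bare URLs from plain-text parts."""
    msg = message_from_string(raw_message)
    urls = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            found = re.findall(r'href\s*=\s*["\']([^"\']+)["\']', text, re.I)
        else:
            found = re.findall(r'https?://[^\s<>"\']+', text)
        for url in found:
            if url not in urls:
                urls.append(url)
    return urls


def triage_link(url, whois_created, observed_at):
    """Return the list of reasons a link looks like brand impersonation."""
    reasons = []
    domain = registrable_domain(urlparse(url).hostname or "")
    if BRAND in domain and domain not in BRAND_DOMAINS:
        reasons.append(f"lookalike domain {domain} uses the {BRAND} name "
                       f"but is not a known {BRAND} domain")
    created = whois_created.get(domain)
    if created is not None and observed_at - created < NEW_DOMAIN_WINDOW:
        hours = (observed_at - created).total_seconds() / 3600
        reasons.append(f"domain registered {hours:.0f} hours before "
                       "the message was observed")
    return reasons


def triage_email(raw_message, whois_created, observed_at):
    """Map every link in the message to its triage reasons ([] = clean)."""
    return {url: triage_link(url, whois_created, observed_at)
            for url in extract_urls(raw_message)}


# Constructed sample message: the addresses, account and invoice numbers
# are invented; the lure domain is the one named in the article.
SAMPLE_EMAIL = """\
From: Optus <billing@example.com>
To: customer@example.com
Subject: Account overview
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Account 00000000, invoice 4471-22, amount due $123.45.</p>
<p><a href="http://getoptusbill.com/invoice/view">View your invoice</a></p>
<p><a href="https://www.optus.com.au/">optus.com.au</a></p>
</body></html>
"""

# Constructed stand-in for a WHOIS/RDAP creation-date lookup.
WHOIS_CREATED = {
    "getoptusbill.com": datetime(2016, 9, 4, 14, 0, tzinfo=timezone.utc),
}
# 12:36 AEST on 5 September 2016 is 02:36 UTC.
OBSERVED_AT = datetime(2016, 9, 5, 2, 36, tzinfo=timezone.utc)

if __name__ == "__main__":
    for url, reasons in triage_email(SAMPLE_EMAIL, WHOIS_CREATED, OBSERVED_AT).items():
        print(url, "->", reasons or "no findings")
```

The legitimate footer link to optus.com.au produces no findings, while the lure link is flagged on both counts. Either reason on its own is worth quarantining a message that claims to be a bill.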


Clicking ‘Download’ on this page brings up a file-save dialog. The downloaded file contains an obfuscated JavaScript file. On a Windows machine a double-clicked .js file is executed by Windows Script Host with the user’s privileges rather than opened in the browser, and when run this one downloads and installs a Trojan intended to steal personal information.
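Because a script file inside an archive is the actual payload here, a gateway or endpoint check that refuses to deliver script-type files, including ones hidden inside archives or behind a document-looking double extension, blocks this campaign regardless of what the Trojan is. The following is an added example, not MailGuard’s code. The article does not say what container the download uses, so a ZIP archive is assumed; the archive and the inert ‘script’ inside it are constructed inline and are not malware.

```python
"""Inspect an archive for executable-script members before delivery.

Added example (not MailGuard's code). Assumes a ZIP container; the
sample archive and its inert script member are constructed inline.
"""
import io
import posixpath
import zipfile

# File types Windows hands to Windows Script Host, mshta or cmd.exe on
# double-click; a mail gateway should not deliver these at all.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".cmd", ".bat", ".ps1"}
# Inner extensions commonly used to make a script look like a document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Tokens that obfuscated JavaScript downloaders lean on heavily.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "ActiveXObject")
MAX_DEPTH = 2  # how many nested archives to open


def extensions(name):
    """All extensions of a member, e.g. 'Invoice.pdf.js' -> ['.pdf', '.js']."""
    parts = posixpath.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_member(name, data):
    """Return findings for one archive member ([] means nothing of note)."""
    findings = []
    exts = extensions(name)
    if not exts or exts[-1] not in SCRIPT_EXTENSIONS:
        return findings
    findings.append(f"script file type {exts[-1]}")
    if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension disguises it as {exts[-2]}")
    text = data.decode("utf-8", "replace")
    markers = [m for m in OBFUSCATION_MARKERS if m in text]
    if markers:
        findings.append("obfuscation markers: " + ", ".join(markers))
    return findings


def scan_archive(blob, depth=0):
    """Map each suspicious member path to its findings, recursing into nested ZIPs."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
                for inner, inner_findings in scan_archive(data, depth + 1).items():
                    findings[f"{info.filename}!{inner}"] = inner_findings
                continue
            member_findings = classify_member(info.filename, data)
            if member_findings:
                findings[info.filename] = member_findings
    return findings


def build_sample_archive():
    """Constructed ZIP resembling the lure: a harmless stand-in for the downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Inert placeholder: carries the shape of an obfuscated downloader
        # (eval/unescape) but does nothing when run.
        zf.writestr("Optus_Invoice_2016.pdf.js",
                    'var s=unescape("%41%42");eval("");')
        zf.writestr("readme.txt", "Your invoice is attached.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

Any non-empty result is grounds to block the attachment outright. Matching on extension rather than content is deliberate: the extension is what decides which program Windows launches, so it is the one attribute the attacker cannot obfuscate away.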


The scam has all the hallmarks of similar payload emails that have mimicked large Australian organisations in recent months, including Australia Post and Australian Federal Police.

Why is Trojan malware dangerous?

Trojans sit quietly in the background and can take actions the user never authorised, such as modifying, stealing, copying or even deleting data.

This type of malware is dangerous because the user typically does not notice it running; an infection can go undiscovered for weeks or even months after the initial compromise.

How can I protect myself from these types of email scams?

To reduce the risk of being tricked by one of these scams, immediately delete any emails that:

  • Seem suspicious and ask you to download files or click links within the email to access your account or other information.
  • Purport to be from businesses you know and trust, yet use language inconsistent with the way those businesses usually write (including grammatical errors).
  • Ask you to click a link within the email body in order to reach their website.

If you’re unsure, do not click links or download files contained within the email. Contact the purported sender directly to verify the email’s authenticity, using contact details from their official website or a previous bill rather than any details in the email itself.

Find more tips on identifying email scams by subscribing to MailGuard’s blog.

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.
