MailGuard Blog — Breaking alerts, news and updates on cybersecurity topics

Don’t click: Zero-day Optus invoice scam deploys malware

Written by Jaclyn McRae | 05 September 2016 02:36:23 Z

A large run of fake Optus emails uses realistic branding and varying body content to deceive victims and outrun anti-spam algorithms.

The payload email, detected by MailGuard today, urges recipients to click a link to view an invoice purportedly from the telecommunications company.

Those who click the link are directed to a malicious website – registered in Russia less than 24 hours ago with the aim of mimicking the real Optus site – which downloads and installs a Trojan.

Only three of 67 other security vendors detected the malicious URL. 

The emails have a range of headings – including ‘Account overview’ and ‘Mobile and Fixed Broadband overview’.

They each contain a customer account number, invoice number and invoice amount – but those numbers vary between recipients, in an attempt to evade anti-spam scanners that match on identical content.

The text of the link leading to the malicious download also differs between recipients, adding another layer of variation, while a detailed email footer is a further ploy to aid the deception.

Those who click to see their fake invoice are directed to a fake Optus page. Titled ‘Getoptusbill.com’, the dodgy domain was registered in Russia less than 24 hours ago.

Clicking ‘Download’ on this page brings up a dialog box. The downloaded file contains an obfuscated JavaScript file; when executed it downloads and installs a Trojan with the aim of stealing personal information.
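The two evasion tricks described above – per-recipient account and invoice numbers that defeat exact-match spam signatures, and a look-alike domain standing in for the real brand – can both be caught on the mail gateway side. The following is an added example, not MailGuard's own detection code: it collapses the variable parts of a message body into a template fingerprint so that all variants of one campaign cluster together, and it flags links whose host carries the brand name without belonging to the brand's legitimate domain. The sample messages are constructed to resemble the campaign, and the legitimate domain `optus.com.au` is an assumption for the example.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages modelled on the campaign: two share a template
# but differ in account/invoice numbers, amounts and link text; the third is
# an unrelated, legitimate-looking message.
SAMPLE_EMAILS = [
    {"subject": "Account overview",
     "body": "<p>Account number: 1234567</p><p>Invoice number: 987001</p>"
             "<p>Amount due: $84.50</p>"
             '<a href="http://getoptusbill.com/view">View invoice</a>'},
    {"subject": "Mobile and Fixed Broadband overview",
     "body": "<p>Account number: 7654321</p><p>Invoice number: 987002</p>"
             "<p>Amount due: $129.00</p>"
             '<a href="http://getoptusbill.com/view">Your bill</a>'},
    {"subject": "Your payment receipt",
     "body": "<p>Thank you for your payment.</p>"
             '<a href="https://www.optus.com.au/">My Account</a>'},
]

# Assumption for this example: the brand's legitimate domain(s).
LEGITIMATE_DOMAINS = {"optus.com.au"}


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in a body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def template_fingerprint(html):
    """Hash the body with the per-recipient variables removed.

    Whole <a> elements become a placeholder (link text varies), digit runs
    become '#' (account numbers, invoice numbers, amounts), and whitespace
    and case are normalised, so every variant of one template hashes alike.
    """
    text = re.sub(r"<a\b[^>]*>.*?</a>", "<LINK>", html, flags=re.S | re.I)
    text = re.sub(r"\d+", "#", text)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def is_lookalike_domain(host, brand_token="optus"):
    """True when the host mentions the brand but is not a legitimate brand domain."""
    host = host.lower()
    on_brand = any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)
    return brand_token in host and not on_brand


def suspicious_links(html):
    """Return the (href, text) pairs whose host is a brand look-alike."""
    flagged = []
    for href, text in extract_links(html):
        if is_lookalike_domain(urlparse(href).hostname or ""):
            flagged.append((href, text))
    return flagged


def cluster_by_template(emails):
    """Group message indexes by template fingerprint: {fingerprint: [idx, ...]}."""
    groups = {}
    for i, msg in enumerate(emails):
        groups.setdefault(template_fingerprint(msg["body"]), []).append(i)
    return groups


if __name__ == "__main__":
    for fp, members in cluster_by_template(SAMPLE_EMAILS).items():
        print(fp, "->", [SAMPLE_EMAILS[i]["subject"] for i in members])
    for msg in SAMPLE_EMAILS:
        print(msg["subject"], "->", suspicious_links(msg["body"]))
```

Run as a script, the first two messages land in one cluster despite having no identical line between them, and only the `getoptusbill.com` links are flagged; a real gateway would apply the same fingerprint across its whole mail stream and raise a campaign alert once a single template crosses a volume threshold.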

The scam has all the hallmarks of similar payload emails that have mimicked large Australian organisations in recent months, including Australia Post and Australian Federal Police.

Why is Trojan malware dangerous?

Trojans sit quietly in the background, and can take actions not authorised by the user, such as modifying, stealing, copying or even deleting data.

This type of malware is dangerous because the user may not notice it running in the background until they are made aware – this can be weeks or even months after the event.

How can I protect myself from these types of email scams?

To reduce the risk of being tricked by one of these scams, immediately delete any emails that:

  • Seem suspicious and ask you to download files or click any links within an email to access your account or other information.
  • Purport to be from businesses you may know and trust, yet use language that is not consistent with the way they usually write (including grammatical errors).
  • Ask you to click on a link within the email body in order to access their website.

If you’re unsure, do not click links or download files contained within the email. Contact the purported sender directly to verify the authenticity of the email.

Find more tips on identifying email scams by subscribing to MailGuard’s blog.

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.
