Jaclyn McRae 07 April 2017 15:23:50 AEST 2 MIN READ

Breaking: Fraud receipt contains dangerous attachment

 A fake receipt being distributed in bulk this afternoon is hiding a malicious attachment.

Disguised as a transaction confirmation from online payment company eWAY, the bogus receipt contains a malicious macro capable of downloading malware.

The cybercriminals behind the scam go to great lengths to infect their targets with malware, including giving written instructions on downloading and enabling the malicious attachment.

The fake eWAY email comes from a newly-registered domain, estoreway.info, as opposed to the legitimate Australia-based site, eway.com.au.

The message tells victims their purchase has been approved, and says their new items will be delivered to the address provided in the attached invoice. But within the Word attachment is a malware downloader macro.

eway mailguard phishing.jpg

The document is password-protected in a further bid by the fraudsters behind the scam to convey legitimacy and a false sense of security.

Indications it’s a scam

While the email looks relatively sophisticated at first glance, strange grammar choices and the liberal use of exclamation marks and capital letters in the subject line – “Receipt of APPROVED order!!!” – are good indications that it’s not the work of a reputable brand.

The sender address – informdesk@estoreway.info – is another red flag for anyone savvy enough to Google the real domain name of eWAY.

For those unlucky enough to have clicked the dodgy attachment, the subsequent instructions showing recipients how to ‘enable editing’ should ring alarm bells. This effectively give cybercriminals the right to access your computer.

Eway phishing MailGuard3 (002).jpg

The risks posed by macros

By enabling a macro, email recipients are allowing criminals to automatically install malicious files, such as Trojans or keyloggers.

A keylogger is a form of spyware that can collect and record your keystrokes. It can see what you write in an email, what password you enter on a banking website, or any other information you provide online.

Trojans sit quietly in the background, taking actions not authorised by the user, such as modifying, stealing, copying or even deleting data.

This type of malware is dangerous because you may not notice it is there, recording your actions. It might not be discovered until months later, when you realise your bank account has been accessed by a stranger.

How can I protect myself from email scams?

To reduce the risk of being tricked by a scam, you should immediately delete any emails that:

  • Seem suspicious and ask you to open or download files that you were not expecting
  • Contain macro-enabled Word documents and require you to enable, or run, the macro
  • Ask you to click on a link within the email body in order to access their website. If unsure call the company/person directly and ask whether the email is legitimate.


Click here to download your free executive guide, Surviving the Rise of Cybercrime, by MailGuard CEO and founder Craig McDonald.


Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update, or follow us on Twitter @MailGuard.

Keep Informed with Weekly Updates


^ Back to Top