There’s a new email scam out today linking to a fake Go Via invoice. MailGuard detected this email attack mid-morning today. At the time MailGuard intercepted this email, no other security vendors were detecting it.
As you can see in the screenshot above, this scam email advises the recipient that their ‘invoice statement’ is ‘available for download.’ The download link goes to a .zip archive on a compromised SharePoint account. This archive contains a malware payload, so the intention of this attack is probably to install a trojan of some kind on victims’ computers.
Go Via is a toll-road billing service based in Brisbane, Australia. The company provides toll payment accounts for motorists.
Like banks and telcos, toll-road payment companies get more than their fair share of attention from scams. (MailGuard intercepted another scam using CityLink branding last Thursday.)
Go Via fits the profile for the sort of business that scammers like to impersonate, because they have a large customer base, are well trusted, and routinely communicate with their customers through web portals and email.
Go Via has had its business name ripped off by brandjacking scams before and advises its customers to ensure that emails they receive are genuine.
You can see from the screenshot that this particular scam email is not very well designed. The cybercriminals behind the attack have tried to make it look more convincing by using images in the body of the message, but the links haven’t worked properly and the images aren’t visible to the recipient.
Design glitches like missing images are red flags that indicate an email may be suspicious. Other common indicators of scam emails are:
The scammers sending out this email have created a new domain name, ‘govian[dot]org’, trying to mimic the actual Go Via URL, which is govia[dot]com[dot]au.
The govian[dot]org URL was registered on Dec 18 in China and has no connection with the actual Go Via company.
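The lookalike-domain trick described above can be checked mechanically at the mail gateway. The following is an added example, not MailGuard's detection logic: it flags sender domains with a label that contains, or sits within a small edit distance of, a protected brand label. The `PROTECTED` table, the distance threshold and every sample domain other than the two named in the article are assumptions.

```python
# Added example: flag sender domains that imitate a protected brand domain.
# PROTECTED and max_distance are illustrative assumptions, not vendor settings.

PROTECTED = {"govia.com.au": "govia"}  # real domain from the article -> brand label


def refang(domain):
    """Turn defanged notation (govian[dot]org) back into a normal hostname."""
    cleaned = domain.strip().lower().replace("[dot]", ".").replace("[.]", ".")
    return cleaned.rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(sender_domain, max_distance=1):
    """Return 'legitimate', 'lookalike:<real domain>' or 'unrelated'."""
    candidate = refang(sender_domain)
    # Exact match or a true subdomain of a protected domain is trusted.
    for real in PROTECTED:
        if candidate == real or candidate.endswith("." + real):
            return "legitimate"
    # Otherwise inspect every label, so a brand name placed in a subdomain
    # of an unrelated registration is caught as well as a near-miss spelling.
    for real, brand in PROTECTED.items():
        for label in candidate.split("."):
            if brand in label or edit_distance(label, brand) <= max_distance:
                return "lookalike:" + real
    return "unrelated"


if __name__ == "__main__":
    # The first two domains come from the article; the rest are constructed.
    for d in ["govian[dot]org", "govia[dot]com[dot]au",
              "billing.govia.com.au", "govia.com.au.example.org", "example.org"]:
        print(d, "->", classify(d))
```

A larger `max_distance` catches more misspellings but starts matching unrelated short names, so it should be tuned against real inbound mail before a verdict is enforced.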