Initially this run has only been targeted at a small number of users; however, the high quality of the execution suggests that it may be a precursor test ahead of a larger-scale attack.
MailGuard have identified and blocked a new variation of a phishing scam impersonating the telco giant Telstra, signed in the name of Telstra executive Gerd Schenkel, Executive Director, Digital Sales and Service.
The email claims to be offering a refund for a bill that was paid twice. This is a common tactic used by cybercriminals to entice recipients to follow through with the phishing scam. The email is not personally addressed to the recipient but instead addresses them as ‘Customer,’ which is one of the first signs of a scam. This tactic has been seen in similar fake emails leveraging the Telstra brand.
Here is a sample of the phishing email:
The email is sent from "@online.telstra.com", a domain that Telstra uses legitimately but which does not publish an SPF record. An SPF record is a type of Domain Name System (DNS) record that identifies which mail servers are permitted to send email from, or on behalf of, your domain. Publishing one makes it much harder for cybercriminals to forge your domain, which is exactly what they have done in this instance.
Hovering over the link labelled ‘Log in to My Account’ shows that the URL contains the words ‘telstraservice05’, which is not a Telstra-owned domain; however, it is close enough to a legitimate Telstra domain to confuse victims.
After clicking the link, users are directed to a fake Telstra ‘My Account’ landing page that appears to be a legitimate Telstra site. Every link on the page works, and at this point nothing other than the URL would tell a user that this is a phishing site.
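As an added example that is not part of the original post, the following simplified SPF evaluator shows what a receiving mail server can and cannot conclude from a sending domain's SPF record. It uses a constructed, in-memory DNS table instead of live lookups; the domains, records and IP addresses in it are made up for illustration, and the a, mx, ptr and exists mechanisms are left unimplemented. The point to notice is that a domain with no record evaluates to "none", so the receiver has no SPF basis on which to reject a forged message.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record text,
# or None when the domain publishes no SPF record at all.
# These are made-up records for illustration, not real DNS data.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "billing.example.com": None,  # no SPF record, like the domain described in the post
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain from the constructed table (None if absent)."""
    return FAKE_DNS.get(domain.lower())


def check_spf(domain, sender_ip, depth=0):
    """Simplified SPF evaluation of sender_ip against the record published for domain.

    Returns one of: 'none', 'pass', 'fail', 'softfail', 'neutral', 'permerror'.
    Only the ip4, ip6, include and all mechanisms are supported; a, mx, ptr and
    exists would need live DNS and are skipped (treated as non-matching).
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms; guard against include loops
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism defaults to '+' (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # IPv4 address in an IPv6 network (or vice versa) simply does not match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only if the referenced domain's policy yields 'pass'.
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # unsupported mechanism: no match, keep evaluating
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def receiver_rejects(result):
    """Typical receiver policy: only a hard 'fail' is grounds for rejection on SPF alone.

    'none' (no record published) gives the receiver nothing to enforce, which is why a
    forged sender address on such a domain sails through an SPF-only check.
    """
    return result == "fail"


if __name__ == "__main__":
    for domain, ip in [("example.com", "203.0.113.5"), ("example.com", "192.0.2.1"),
                       ("billing.example.com", "192.0.2.1")]:
        result = check_spf(domain, ip)
        print(f"{domain:22} {ip:14} -> {result:8} rejected={receiver_rejects(result)}")
```

Running the block shows the authorised address passing, an unknown address hard-failing against the `-all` record, and the domain without a record returning "none" and being accepted regardless of where the message came from.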
The first page requires the username and password of the user’s Telstra account. Clicking ‘Log In’ takes the user to the second phishing page:
The form asks for sensitive personal and banking information, giving cybercriminals access to your credit card number and other personal details, such as your address and date of birth, which can be used to create a fake identity and impersonate the victim.
Hitting ‘Next’ submits these details to the cybercriminals and redirects users to a final landing page suggesting the refund was successfully submitted, even offering a receipt number as proof of the transaction.
To reduce the risk of being tricked by one of these scams, you should immediately delete any emails that:
- Appear to be from a well-known organisation, typically a bank or service provider, are not addressed to you by name, and may include poor grammar.
- Ask you to click on a link within the email body in order to access their website. If unsure, call the company directly and ask whether the email is legitimate.
- Offer money, a reward or a gift to entice you to hand over your personal details.
- Ask you to submit personal information that the sender should already have access to, or should not be requesting from you in the first place.
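The warning signs listed above, together with the generic greeting and the lookalike link described earlier, can be turned into a simple mail-filter check. The script below is an added example, not MailGuard's own detection logic or the real email: it runs over a constructed message modelled on the post's indicators, using an assumed allowlist of the brand's genuine domains and the placeholder brand name "example". The registrable-domain extraction is a deliberate simplification (last two labels, no public suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the indicators in the post.
# The sender uses the brand's real domain (which is why SPF matters), while the
# "Log in" link goes to a lookalike domain that merely contains the brand name.
SAMPLE_EMAIL = {
    "from": "billing@online.example.com",
    "subject": "Refund for duplicate payment",
    "body_html": """
        <p>Dear Customer,</p>
        <p>Our records show your last bill was paid twice. A refund of $89.00 is waiting.</p>
        <p><a href="https://exampleservice05.net/myaccount/login">Log in to My Account</a>
        to claim your refund.</p>
    """,
}

BRAND = "example"                       # placeholder brand name (assumption)
LEGITIMATE_DOMAINS = {"example.com"}    # assumed allowlist of domains the brand really uses
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "valued customer")
LURE_WORDS = ("refund", "reward", "prize", "gift", "winner")


class LinkExtractor(HTMLParser):
    """Collect (href, visible label) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels, e.g. 'online.example.com' -> 'example.com' (simplification)."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(email):
    """Return a list of human-readable findings for the indicators discussed in the post."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", email["body_html"]).lower()

    # 1. Generic greeting instead of the recipient's name.
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        findings.append("generic greeting instead of recipient's name")

    # 2. Money, reward or gift used as the lure.
    if any(word in text for word in LURE_WORDS):
        findings.append("offers money, reward or gift")

    # 3. Links whose destination domain is not one the brand actually owns,
    #    with a note when the host merely contains the brand name (lookalike).
    parser = LinkExtractor()
    parser.feed(email["body_html"])
    for href, label in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in LEGITIMATE_DOMAINS:
            note = f"link '{label}' points to {host}, not a known brand domain"
            if BRAND in host:
                note += " (lookalike: contains the brand name)"
            findings.append(note)

    # 4. Sender domain outside the allowlist. Passing this check is not proof of
    #    legitimacy: a forged From address on a domain without SPF also passes here.
    sender_domain = registrable_domain(email["from"].split("@")[-1])
    if sender_domain not in LEGITIMATE_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not a known brand domain")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

On the sample message this reports the generic greeting, the refund lure and the lookalike link domain; the sender address itself passes the domain check, which mirrors the post's observation that the forged From address used a genuine Telstra domain.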
Telstra offer a feedback and complaints service where you can report email or phone scams in which Telstra is being impersonated.
Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.