MailGuard has successfully blocked another attempt by cyber criminals to spread malware through a targeted email campaign posing as Australia Post. At the time of report, 98% of antivirus engines we scanned the infected file against were not detecting it as malicious.
In a similar scam impersonating Australia Post, the scammers have tried to fool recipients into thinking they’ve missed the delivery of a new package.
As you can see from the screenshots below, there are multiple variations of this email scam currently circulating.
In one instance, the email directs readers to click on the ‘Save parcel info’ button, in order to download package collection information; in the second, almost identical example, users are asked to download a package label.
By sending two versions of the same spam, with varying copy and headlines, scammers are working hard to bypass spam filtering rules which try to block malicious campaigns based on specific content features.
In both cases, the email appears to be sent by Australia Post, with the latter addressing the recipient directly using their first and last name. However, one clear grammatical mistake, shown in the first example’s headline “A mailman have not deliver the item to you.”, should warn readers of its illegitimacy.
Once the red button has been clicked, users are then directed to one of thousands of domains the scammers have set up – each with a dynamic, customised URL – again making it more difficult for web protection software to identify and block the content.
Recipients are then directed to a professionally-designed landing page which is almost a carbon-copy of Australia Post’s site.
Despite the clearly unrecognisable URL, some unassuming readers will be fooled into completing the displayed verification process and clicking ‘Download Information’.
A download prompt then appears requesting the user download a .zip attachment containing malware.
A growing trend for advanced techniques.
This case shows that cyber criminals are increasingly employing more advanced and sophisticated techniques in an attempt to bypass spam filters.
This scam is successfully sent from multiple "compromised" mail servers, most likely initiated via a botnet, making it harder for spam filters to block the content.
We’ve identified that cyber criminals have implemented tracking mechanisms to record recipients that have opened the original email and downloaded the package. This information is fed back to the perpetrators, who can then target the more naïve users in future attacks.
How to protect yourself.
In cases where emails like this are able to get through to your inbox, it’s really important that you don’t open emails that:
- Appear to be sent from a reputable company, but include careless grammatical mistakes
- Include news you weren’t expecting, like the delivery of an unknown parcel
- Ask you to download files, particularly with a .exe or .zip file extension
- Take you to a landing page with an unofficial-looking URL.
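As an added example (not MailGuard's code or product), the following Python check turns three of these warning signs into automated flags over a constructed message: a sender that invokes the brand but mails from another domain, a .zip/.exe attachment, and links that lead off the brand's own site. The Australia Post sending domain it allowlists and the sample lure it builds are assumptions made for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand impersonated here; its legitimate sending domain is an assumption for this example.
BRAND = "australia post"
LEGIT_DOMAINS = {"auspost.com.au"}
RISKY_EXTENSIONS = (".zip", ".exe")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_brand_domain(host: str) -> bool:
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in LEGIT_DOMAINS)

def score_message(raw: bytes) -> dict:
    """Return the red flags found in one raw RFC 5322 message, keyed by check."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags, links = {}, []
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2]
    claims_brand = BRAND in (name + " " + str(msg.get("Subject", ""))).lower()
    # Flag 1: the brand is invoked, but the mail comes from a domain that is not theirs.
    if claims_brand and not is_brand_domain(sender_domain):
        flags["brand_spoof"] = sender_domain
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            flags.setdefault("risky_attachment", []).append(filename)
        elif part.get_content_type() in ("text/plain", "text/html"):
            links.extend(URL_RE.findall(part.get_content()))
    # Flag 3: links leading off the brand's domain (the "unofficial-looking URL").
    offbrand = [u for u in links if not is_brand_domain(urlparse(u).hostname or "")]
    if claims_brand and offbrand:
        flags["offbrand_link"] = offbrand
    return flags

def build_sample(sender: str, link: str, attachment=None) -> bytes:
    """Constructed message modelled on the lure described above (not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = "A mailman have not deliver the item to you"
    m.set_content(f"Save parcel info: {link}")
    if attachment:  # placeholder zip header bytes stand in for the malware payload
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename=attachment)
    return m.as_bytes()
```

Run `score_message(build_sample(...))` on a lure-style message and on a message from the allowlisted domain to see the flags appear only for the former; the grammar and "unexpected news" signs remain a human judgement.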
Sharing our tips and blog will help to educate staff so that they are aware of malicious campaigns in future. However, with advanced social engineering techniques being employed by cyber criminals all the time, it’s important that you protect yourself in the event that these emails are opened.
By employing advanced, cloud-based email and web filtering protection, you can prevent spam and malware campaigns from hitting and infecting your network, giving you peace of mind.
Keep up to date on the latest email scams by subscribing to MailGuard’s weekly security update.