MailGuard Editor, 05 March 2015 20:48:00 AEDT

Russian Cyber Criminals Target Australians Again With Cryptolocker Virus

Just when you thought it was over! Cyber gangs based in Russia are targeting Australians again after a couple of months of peace for us down under. Most recently these criminals had been focusing on the USA and Europe.

The latest scam is an email purporting to be from Australia Post, alerting the recipient to a parcel supposedly delivered to their residence.

Screenshot: the fake Australia Post phishing email.

As with most phishing emails, the recipient is asked to ‘click a link’ within the email, which takes them to a fake website. A very clever way for the scammers to confirm that your email address is live is the ‘unsubscribe’ link contained within the email: clicking it tells them the message reached a real person.

An example URL (as seen in the screenshot below) is ustr-post.org. This specific domain was only registered today, and these cyber criminals are registering new ones all the time. The new domains have been set up with valid SPF records in an effort to pass anti-spam filtering; an SPF pass only confirms that the mail came from a server the domain’s owner authorised, and here the owner is the criminal.
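The point about SPF is worth making concrete. The following is an added example, not MailGuard’s code: it triages a message’s From and Authentication-Results headers and shows why an spf=pass verdict must not cancel brand-impersonation findings. It assumes auspost.com.au (the legitimate domain named later in this post) and its subdomains are the only domains Australia Post sends from; the sample headers are constructed around the ustr-post.org domain named above, and the WHOIS lookup is replaced by an inline table so the code runs offline.

```python
import re
from datetime import date
from email.utils import parseaddr

# Constructed sample headers modelled on the campaign described above.
# ustr-post.org is the domain named in the post; the mailbox, receiving
# host and Authentication-Results line are made up for this example.
SAMPLE_PHISH = {
    "From": "Australia Post <noreply@ustr-post.org>",
    "Authentication-Results": "mx.example.net; spf=pass smtp.mailfrom=ustr-post.org",
}
SAMPLE_LEGIT = {
    "From": "Australia Post <info@auspost.com.au>",
    "Authentication-Results": "mx.example.net; spf=pass smtp.mailfrom=auspost.com.au",
}

# Assumption: auspost.com.au and its subdomains are the only domains the
# brand sends from.
BRAND_DOMAINS = {"auspost.com.au"}
# Words in a display name or domain that invoke the brand (heuristic).
BRAND_TOKENS = ("australia post", "aus post", "auspost", "post")

# Stand-in for a WHOIS lookup so the example runs offline. The post says
# ustr-post.org was registered on the day of writing (5 March 2015).
WHOIS_CREATED = {"ustr-post.org": date(2015, 3, 5)}
AS_OF = date(2015, 3, 5)


def sender_parts(headers):
    """Return (display_name, domain) from the From header, both lower-cased."""
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return name.lower(), domain


def spf_result(headers):
    """Pull the spf= verdict out of an Authentication-Results header."""
    m = re.search(r"\bspf=(\w+)", headers.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def is_brand_domain(domain):
    """Exact match or true subdomain of a brand domain."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)


def domain_age_days(domain, today):
    created = WHOIS_CREATED.get(domain)
    return (today - created).days if created else None


def triage(headers, today=AS_OF, young_days=30):
    """Return the reasons a message looks like brand impersonation ([] if none)."""
    reasons = []
    name, domain = sender_parts(headers)
    if not domain:
        return ["no sender domain in From header"]
    invokes_brand = any(t in name for t in BRAND_TOKENS) or "post" in domain
    if invokes_brand and not is_brand_domain(domain):
        reasons.append(f"sender invokes the brand but the domain is {domain}")
    age = domain_age_days(domain, today)
    if age is not None and age < young_days:
        reasons.append(f"sender domain was registered {age} day(s) ago")
    # An SPF pass only proves the mail came from a server the domain owner
    # authorised. When the owner is the attacker, that says nothing about
    # the brand, so a pass must not cancel the findings above.
    if reasons and spf_result(headers) == "pass":
        reasons.append("spf=pass is expected: the attacker controls the SPF record")
    return reasons


if __name__ == "__main__":
    for label, hdrs in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(hdrs) or "no findings")
```

In a real filter the WHOIS table would be a live lookup and the brand list would cover every domain the brand is known to send from; the structure of the decision stays the same.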

The website in this specific example appears to be an exact replica of the Australia Post website.

Screenshot: the fake Australia Post website, with the fake URL highlighted.

By completing the authentication process on the page and clicking download, the user downloads a zip file which contains an executable (.exe) file.

Enter Cryptolocker.

Once executed, it infects the user’s workstation and encrypts the user’s files, making them inaccessible, and then typically demands a bitcoin ransom in exchange for the decryption key.

While malware attached to emails can be stopped effectively by email filters, these ransomware scams instead send phishing emails containing ‘links’ to the malware rather than the malware itself.

MailGuard security specialists have seen a number of Cryptolocker viruses targeting Australian businesses. They appear to be testing in small batches and MailGuard anticipate large volumes to be flooding inboxes in the coming days and weeks.

Email users need to be aware of the tell-tale signs of Cryptolocker (and other spam containing malware).

Do not click links within emails that:

  • Are not addressed to you by name or have poor English
  • Are from businesses that you were not expecting to hear from
  • Ask you to download any files, particularly those with a .exe file extension
  • Take you to a landing page or website that does not have the legitimate URL, i.e. auspost.com.au
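The last two checks in the list can be automated over the links in an email body. What follows is an added example, not MailGuard’s code: it pulls every link out of an HTML body, flags hosts that are not auspost.com.au (the legitimate URL named above), links that point straight at downloadable files, and the ‘unsubscribe’ trick described earlier. The HTML body is constructed for this example around the ustr-post.org domain named above. It goes a little beyond the list by matching the hostname properly, so that a genuine subdomain of auspost.com.au passes while a lookalike host that merely starts with auspost.com.au does not.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: auspost.com.au (the domain named in the post) and its
# subdomains are the only legitimate destinations for an Australia Post link.
LEGITIMATE_DOMAINS = {"auspost.com.au"}
# File types a parcel notification should never link to directly.
DOWNLOAD_EXTENSIONS = (".exe", ".zip", ".scr", ".js")

# Constructed HTML body mimicking the lure described above. ustr-post.org is
# the domain named in the post; every path, parameter and address is made up.
SAMPLE_BODY = """
<p>Dear Customer,</p>
<p>A parcel was delivered to your residence.
   <a href="http://ustr-post.org/track?id=12345">View details</a></p>
<p><a href="http://auspost.com.au.ustr-post.org/login">Log in</a> to confirm.</p>
<p><a href="http://ustr-post.org/files/parcel.zip">Download your notice</a></p>
<p><a href="https://auspost.com.au/mypost">Australia Post</a></p>
<p><a href="http://ustr-post.org/unsubscribe?e=user@example.com">Unsubscribe</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_legitimate(host):
    """Exact match or true subdomain only. A substring test would accept
    auspost.com.au.ustr-post.org, which is exactly how lookalike hosts are built."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def assess_link(href, text):
    """Return the red flags for one link ([] means nothing to report)."""
    flags = []
    parsed = urlparse(href)
    host = parsed.hostname
    if not host_is_legitimate(host):
        flags.append(f"host {host!r} is not {sorted(LEGITIMATE_DOMAINS)[0]}")
    if parsed.path.lower().endswith(DOWNLOAD_EXTENSIONS):
        flags.append("link points straight at a downloadable file")
    if "unsubscribe" in (href + " " + text).lower() and not host_is_legitimate(host):
        flags.append("unsubscribe link on a non-brand host would confirm a live address")
    return flags


def scan_body(html):
    """Map every link in the body to its list of red flags."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return {href: assess_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, flags in scan_body(SAMPLE_BODY).items():
        print(href, "->", flags or "ok")
```

Only the genuine auspost.com.au link comes back clean; the lookalike host, the zip download and the unsubscribe link are each flagged, which is the same judgement the list above asks a human reader to make.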

If you are ever unsure, always search for the company name yourself and go directly to their website. Never visit websites from links within emails that seem suspicious.

User education, daily data backup and multi-layered defence systems will help to reduce the number of email users and businesses falling victim to these scams and being held to ransom. Defence systems include desktop AV, email filtering and web filtering.

MailGuard have quarantined a large number of these fake Australia Post notifications and are constantly assessing these new variants to protect clients from future attacks.