The barrage of criminal intent email campaigns masquerading as popular SMB and consumer brands Telstra and Xero continues today. The very large-scale attacks were detected from 9.03am AEST September 26, and are ongoing. Whilst 100% of these emails were blocked by MailGuard, we are monitoring for variants.
This is the third Telstra-branded scam in as many weeks, and the second Xero-branded scam over the same period. Both purport to be an invoice notification, containing a link to a malicious Javascript payload. The sending domains were registered with a domain name registrar in China on the 18th and 24th of September. Both emails contain links directing to a compromised SharePoint site hosting a ZIP file containing a malicious JavaScript file.
MailGuard analysts have advised that a significant volume of malicious email attacks use JavaScript as the payload, as it executes on any web browser (rather than a specific application), increasing the success rate of an exploit.
There has also been a medium scale outbreak of CBA-branded phishing emails, from 7.10am until 11.52pm AEST today. This ‘New Security Message’ email urges recipients to update their account details due to suspected unauthorized access.
Details of the scams:
Unlike the plain text email that was disseminated yesterday, this fake Telstra HTML-formatted email appears very close to the real thing. A side-by-side comparison with a legitimate invoice shows even the sending and display address telstraemailbill_noreply(at)telstra.businessdirs.com is almost a clone of the actual address, telstraemailbill_noreply3(at)telstra.online.com.
The Xero invoice similarly encourages recipients to view their invoice, which in this case, appears as a PDF attachment, but is actually a link to download the malware.
The CBA scam, while delivered in a simple HTML email with no images or logos, is insidious, as it claims recipient accounts have been frozen due to unsuccessful login attempts. Although the display name is CBA, the emails were sent from an array of sending addresses, which MailGuard assumes to be compromised accounts:
biur(at)emprojekt.jgora.pl cwbow(at)cwbow.info edwin.giraldo(at)grupogiraldo.info erik.giraldo(at)grupogiraldo.info forms(at)webalive.biz hookin2hockey(at)hockey.org.au info(at)citiworks.nl info(at)ds-immobilien.info info@fsicr.com info(at)gezondaanzee.nl info(at)glotco.com info(at)guncorp.nl info(at)jmbgroep.nl info(at)midi-unit.nl info(at)org-vac.nl inscripciones(at)chilegbc.cl mail(at)adappt.info marja(at)mw-art.nl mick(at)mickvolendam.nl shahs(at)manasresources.com studio(at)mixtup.nl susanne(at)estezet.nl
The link to a phishing site requests users for their credit card information, presumably designed to harvest personal credentials. Below is the comparison of the fake login page with the real one. The phishing page appears to be hosted on a compromised host on WordPress.
Avoid being duped:
Remember – if the email is not customised with your name or account information, it most likely is not authentic. However, the heightened sophistication of phishing emails and landing pages, such as graphics, formatting and grammar, means that it is increasingly more difficult to distinguish between a real email from that of an imposter.
To protect your business’ data and customer / employee privacy, do not rely on staff behaviour – all businesses are susceptible to email attacks (91% of all cyber attacks arrive via email), and require robust, layered defence for this threat vector.
For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering to your business security. You’ll significantly reduce the risk of zero-day (previously unknown threats) and new variants of malicious email from entering your network.