The barrage of criminal-intent email campaigns masquerading as the popular SMB and consumer brands Telstra and Xero continues today. The very large-scale attacks were detected from 9.03am AEST September 26 and are ongoing. Whilst 100% of these emails were blocked by MailGuard, we are monitoring for variants.
There has also been a medium scale outbreak of CBA-branded phishing emails, from 7.10am until 11.52pm AEST today. This ‘New Security Message’ email urges recipients to update their account details due to suspected unauthorized access.
Details of the scams:
Unlike the plain text email that was disseminated yesterday, this fake Telstra HTML-formatted email appears very close to the real thing. A side-by-side comparison with a legitimate invoice shows that even the sending and display address, telstraemailbill_noreply(at)telstra.businessdirs.com, is almost a clone of the actual address, telstraemailbill_noreply3(at)telstra.online.com. Note that in the fake address "telstra" is only a subdomain label: the domain actually controlled by the sender is businessdirs.com, which has no connection to Telstra.
The Xero invoice similarly encourages recipients to view their invoice, which in this case, appears as a PDF attachment, but is actually a link to download the malware.
The CBA scam, while delivered in a simple HTML email with no images or logos, is insidious, as it claims recipient accounts have been frozen due to unsuccessful login attempts. Although the display name is CBA, the emails were sent from an array of sending addresses, which MailGuard assumes to be compromised accounts:
biur(at)emprojekt.jgora.pl
cwbow(at)cwbow.info
edwin.giraldo(at)grupogiraldo.info
erik.giraldo(at)grupogiraldo.info
forms(at)webalive.biz
hookin2hockey(at)hockey.org.au
info(at)citiworks.nl
info(at)ds-immobilien.info
info(at)gezondaanzee.nl
info(at)glotco.com
info(at)guncorp.nl
info(at)jmbgroep.nl
info(at)midi-unit.nl
info(at)org-vac.nl
inscripciones(at)chilegbc.cl
mail(at)adappt.info
marja(at)mw-art.nl
mick(at)mickvolendam.nl
shahs(at)manasresources.com
studio(at)mixtup.nl
susanne(at)estezet.nl
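Both the Telstra lookalike sender domain and the CBA display-name spoof above can be caught by the same check: take the display name and the sender address from the From: header, and flag any message whose display name carries a brand but whose sender domain is not one that brand is known to use. The following is an added example written for this post, not MailGuard's filtering logic; the allowlist is an assumption built only from the legitimate Telstra address quoted above, and the sample headers are constructed to mirror the campaigns described, not captured mail.

```python
import re
from email.utils import parseaddr

# Display-name brand -> sender domains verified as legitimate for that brand.
# Assumption: illustrative allowlist seeded from the legitimate Telstra address
# quoted in the post. An empty set means nothing has been verified yet, so
# every sender claiming that brand is flagged for review.
BRAND_SENDER_DOMAINS = {
    "telstra": {"telstra.online.com"},
    "cba": set(),
}

# Constructed sample From: header values modelled on the campaigns above.
SAMPLE_HEADERS = [
    "Telstra <telstraemailbill_noreply@telstra.businessdirs.com>",
    "Telstra <telstraemailbill_noreply3@telstra.online.com>",
    "CBA <info@ds-immobilien.info>",
    "Alice <alice@example.org>",
]


def brand_in_display_name(display_name):
    """Return the first allowlisted brand that appears as a word in the display name."""
    words = re.findall(r"[a-z0-9]+", display_name.lower())
    for brand in BRAND_SENDER_DOMAINS:
        if brand in words:
            return brand
    return None


def check_sender(from_header):
    """Classify one From: header value.

    Returns (verdict, brand, sender_domain) where verdict is one of:
      'ok'               - display name brand matches an allowlisted sender domain
      'lookalike'        - brand appears as a label inside a non-allowlisted domain
                           (e.g. telstra.businessdirs.com)
      'unrelated-domain' - brand in display name, sender domain has no relation to it
                           (the CBA pattern: compromised third-party mailboxes)
      'no-brand'         - display name claims no tracked brand
    """
    display_name, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2].lower()
    brand = brand_in_display_name(display_name)
    if brand is None:
        return ("no-brand", None, sender_domain)
    if sender_domain in BRAND_SENDER_DOMAINS[brand]:
        return ("ok", brand, sender_domain)
    # Compare whole labels, not substrings, so "telstra" is found in
    # "telstra.businessdirs.com" but not in an unrelated "xtelstrax.example".
    if brand in sender_domain.split("."):
        return ("lookalike", brand, sender_domain)
    return ("unrelated-domain", brand, sender_domain)


def triage(headers):
    """Run check_sender over a batch of From: values, returning only the suspicious ones."""
    return [(h, check_sender(h)) for h in headers if check_sender(h)[0] not in ("ok", "no-brand")]


if __name__ == "__main__":
    for header, (verdict, brand, domain) in triage(SAMPLE_HEADERS):
        print(f"{verdict:17} brand={brand} domain={domain}  <- {header}")
```

The check deliberately compares the full sender domain against the allowlist rather than just the registrable domain, because the page's legitimate Telstra address itself sits on a subdomain. The cost is that an incomplete allowlist produces false positives, so seed it from your own verified mail before treating a "lookalike" verdict as anything more than a review queue. It also says nothing about the envelope sender or SPF/DKIM results, which should be consulted alongside it.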
The link leads to a phishing site that asks users for their credit card details, and is presumably designed to harvest both those details and the login credentials entered on the fake page. Below is a comparison of the fake login page with the real one. The phishing page appears to be hosted on a compromised WordPress site.
Avoid being duped:
Remember – if the email is not customised with your name or account information, it most likely is not authentic. However, the heightened sophistication of phishing emails and landing pages, in graphics, formatting and grammar, means that it is increasingly difficult to distinguish a real email from an imposter's.
To protect your business’ data and customer / employee privacy, do not rely on staff behaviour – all businesses are susceptible to email attacks (91% of all cyber attacks arrive via email), and require robust, layered defence for this threat vector.
For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering to your business security. You’ll significantly reduce the risk of zero-day (previously unknown threats) and new variants of malicious email from entering your network.