MailGuard Blog

Another day, another fraudulent package notification vying for your attention. DHL is the focus of the latest phishing scam being intercepted by MailGuard. With the subject reading ‘Your package is stopped in one of our stations’, the email claims that a small fee needs to be processed in order to have the package released.

DocuSign seems to be winning the popularity contest amongst cybercriminals as MailGuard intercepts a second phishing scam imitating the global electronic agreement provider in just a matter of days. The scam emails appear to come from a compromised account belonging to a U.S. immigration law firm, as recipients are presented with an email purporting to be from the Accounts Department notifying the victim of an ‘EFT confirmation’ in .pdf format. Other trusted names such as Office 365, Gmail and AOL have been impersonated in the process.  

MailGuard has intercepted an email attack that uses multiple trusted brand names to fool victims into providing their sensitive information for credential harvesting. DocuSign, with hundreds of millions of users worldwide, is a household name with businesses and organizations using the tool for electronic signatures and agreements. Purporting to be from a prominent healthcare provider a DocuSign link is sent to recipients, in an attempt to capture email and login addresses and to potentially download malware. Other trusted names such as Adobe, Microsoft and IBM have been spoofed using accurately depicted branding and logos to catch victims off guard.  

Commonwealth NetBanking Clients are the most recent targets of a phishing scam intercepted by MailGuard. Cybercriminals have targeted the NetBank customers of Australia’s largest financial services institution with almost 16 million prospective victims.  

Purporting to be from the Customer Advocacy department of CBA, the phishing attempt aims to secure important identity credentials including the victims full name, date of birth, zip code and contact phone number along with login information for criminal harvesting, which if successful, can lead to a severe negative financial impact for the unsuspecting victim.  

The scammers journey begins with a simple HTML email from customeradvocate@cba.com.au, falsely alerting the unassuming NetBank user of a security warning stemming from an unauthorised login attempt. Spiking the victim’s fear of being locked out of their banking account, the scammer advises the user that their NetBank is locked, luring them into clicking on the phishing link or “More Details” button in order to restore access. In this case, both the subject matter of the email and content has been purposefully crafted to create an urgency for the victim to enter their credentials.  

The user is then taken to the first phishing page below which is hosted by  LinkTree. Upon closer examination of the web link, a spelling error in “Australia” hints that it may be a scam. 

Imitation is certainly not an appreciated form of flattery for popular file sharing service WeTransfer when it comes to malicious activity. The cloud-based online platform is the latest name being used in a phishing scam aimed at securing credentials from its (some) 70 million users, in 190 countries worldwide. WeTransfer, known for its convenience in allowing users to transfer various files to other users on the internet, has been targeted to deliver malicious files to victims. MailGuard has intercepted this phishing attempt.  

The latest phishing alert sees scammers impersonate the IT department of the targeted organisation in an attempt to steal email credentials and install a malicious file onto the victim’s computer.  Attackers have interestingly used a fake email address from American multi-national and shipping services company FedEx as the trusted name to lure victims into providing their details.  

A notable characteristic of this attack is the scammer's ability to use the name of your company or organisation in order to facilitate the phishing attempt. By purporting to be the victims internal IT services, the email advises the receiver that they have been ‘deactivated’ from a service (actual service not specified) by not having updated their email address. The rectification for this is via downloading the attachment that will apparently assist in updating this information. The wording and instruction in this email, if not looked at closely, attempts to mislead the victim into thinking that their online capability may be deactivated if the instructions are not followed. An easy trap for those who cannot afford to not have access to their company’s internal tech systems (which is usually the whole organisation).  

NSW Roads and Maritime Services becomes another victim of brandjacking by cybercriminals. 2 variants of hoax emails supposedly sent by the government agency arrived in inboxes yesterday.

In the biggest week of football finals, and coinciding with a surge in upcoming seasonal events, comes the latest email scam that invites recipients to ‘Download and Print Your eTickets.’

MailGuard has intercepted the email shown above, which purports to be from a company in the UAE called Naffco.

MailGuard has detected a new email-based cyber-attack (shown above) telling the recipient they have been sent an invoice by an accountant.

“React promptly to download the invoice,” the deceptive message advises.

Clicking on the link takes the victim of this scam to a malicious website containing a hidden malware payload.

If you’ve seen this email in your inbox, best to delete it immediately. It’s a new scam using forged QuickBooks branding to try and trick people into clicking through to a malicious website.

MailGuard has detected multiple variants of this attack, using different company names and sender address domains.

The United States Department of Homeland Security (DHS) has just announced a new division specifically to handle cyber threats against critical infrastructure. The National Risk Management Center will manage cross-sector responses to cyber-threats against vital US assets like the recently exposed attacks against the US power grid.

Banks are well-trusted institutions, so when cybercriminals are looking for good trademarks to use in their email attacks they often rip-off bank branding.

This new scam email uses the NAB trademark to try and persuade recipients that it is a genuine notification message from their bank. The message tells the victim that they have been sent a “SWIFT message” as a “confirmation of payment” to their account.

This scam message is meant to look like a quote request and is accompanied by an attachment containing malware.

MailGuard has detected this innocuous looking message which reads “we will like to know the price and availability of the following item in attach.”

MailGuard has detected a new email scam attempting to deliver malware to victim’s computers.
The scam message - shown in the screenshot above - shows MYOB branding and purports to be a document notification email.