February Malicious Emails To Watch Out For
Malicious Emails Being Sent In Alarming Volumes
Here is our February 2017 wrap-up of malicious emails making the rounds for Australian businesses.
Cyber risk awareness is slowly growing, but it still has a long way to go before email phishing scams stop being so lucrative. Share this list with your colleagues to spread awareness of recent scams which may turn up in your email inbox.
To verify, report or learn more about a scam contact the ATO Scam Report or ScamWatch.
Citibank
Australian Citibank customers have been the targets of the most elaborate scam email of the past few months, involving replica websites and relayed SMS security codes. The inclusion of SMS is extremely unusual and indicates the lengths criminals are now going to. The scam email notifies Citibank customers that their account has been ‘temporarily limited’ as a result of invalid online log-in attempts, and directs them to follow a link to sign in and restore their online access.
Customers are then redirected to a very realistic replica of the authentic Citibank website, which prompts them to enter their User ID and password.
Victims who enter their details into the replica website are then prompted to ‘verify’ extra personal information such as their mobile phone number and date of birth.
The next officially branded Citibank page advises that a “one-time PIN Authentication” has been sent via SMS and tells the customer to wait at least 5 minutes for the code to arrive. This mimics the real two-factor authentication procedure Citibank uses legitimately, and the delay gives the scammers a short window to log in to the real Citibank website as the customer. Holding the User ID and password, the scammer initiates whatever transaction they want, which causes the genuine Citibank security code to be sent to the victim’s phone. The victim then types that code into the fake page, where it goes straight to the scammer, who uses it to finalise the transaction. A one-time SMS code is only as safe as the page it is typed into.
These emails can be exceedingly hard to spot, as scammers are putting unprecedented effort into duping the average recipient. This scam tricks visitors into thinking they are dealing with the legitimate Citibank site, but the link’s domain is actually rctproduction.cz, which belongs to a children’s party business in the Czech Republic and is not a Citibank domain at all.
Citibank has requested all suspicious emails be sent to spoof@citicorp.com.
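The check that exposes this scam is the one in the last paragraph: the link’s registrable domain is rctproduction.cz, not a Citibank domain, however convincing the page looks. The Python below is an added example (not code from this article, MailGuard or Citibank) that pulls the registrable domain out of a link and compares it with an allowlist, and also flags links that carry the brand name somewhere other than the domain. The trusted domains and the sample URLs are assumptions constructed for illustration, and the two-label public-suffix list is a deliberately tiny stand-in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Domains the brand actually uses. Assumed values for illustration; a real
# deployment would load the organisation's own allowlist.
TRUSTED_DOMAINS = {"citibank.com.au", "citi.com"}

# Two-label public suffixes so that "citibank.com.au" counts as one registrable
# name. Deliberately tiny stand-in for the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au",
                      "co.uk", "co.nz"}


def registrable_domain(url):
    """Return the registrable domain of a link's host, or None if unparseable.

    urlsplit() discards any user@ prefix and port, so a trick such as
    http://www.citibank.com.au@rctproduction.cz/ resolves to rctproduction.cz.
    """
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if not host:
        return None
    labels = host.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    if len(labels) >= 2:
        return ".".join(labels[-2:])
    return host  # single-label host, e.g. an intranet name


def link_verdict(url, brand="citibank"):
    """Classify a link as 'trusted', 'brand lure' (brand name present but the
    registrable domain is not trusted), 'suspicious', or 'unparseable'."""
    domain = registrable_domain(url)
    if domain is None:
        return "unparseable"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if brand in url.lower():
        return "brand lure"
    return "suspicious"


# Constructed sample links; the scam's exact URL is not reproduced here.
SAMPLE_LINKS = [
    "https://www.citibank.com.au/online/login",
    "http://rctproduction.cz/citibank/online/restore-access.html",
    "http://citibank.com.au.rctproduction.cz/login",
    "http://www.citibank.com.au@rctproduction.cz/",
    "http://example.org/",
]


def classify_all(links=SAMPLE_LINKS):
    """Verdict for every sample link, in order."""
    return [(u, link_verdict(u)) for u in links]


if __name__ == "__main__":
    for url, verdict in classify_all():
        print(f"{verdict:12} {url}")
```

Only the first link is trusted; the three rctproduction.cz links are all brand lures, whether the brand name sits in the path, in a subdomain, or in the user@ part of the URL, which is exactly what a recipient glancing at the address is meant to miss.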
Strange Parking Fines
A recent wave of peculiar emails has raised a few eyebrows over an unpaid parking bill the recipient supposedly failed to settle. Fake parking infringement notices have been circulating for years, but the surprisingly low dollar amounts in this wave are causing curiosity to get the better of some recipients. Sums from as little as $1.04 up to over $100 are showing up, with a 50% discount offered if paid within 14 days. The recipient is told simply to view the attached “ticket” for details and quickly settle the previously unknown fine.
At the time of detection by MailGuard, zero of the 64 antivirus engines on virustotal.com had flagged the link as suspicious.
The unbranded link in the email delivers a malicious downloader hidden in a seemingly innocuous .zip file. Once run, it lets the people behind the email download further malware such as ransomware or key-logging software. This scam is very similar to the driver infringement notice email we discussed last month.
Australian Taxation Office
The government department most commonly impersonated in malicious email scams would have to be the Australian Taxation Office, or the ATO. The email in this attempt was sent from ‘basnotification@ato.gov.au’, which appears legitimate but was traced to a compromised SendGrid account (SendGrid provides bulk email delivery services). The sender address shown in a mail client proves nothing on its own; the message’s authentication results (SPF, DKIM, DMARC) and the infrastructure it actually came from do. Recipients are greeted with a legitimate-looking sender address, formatting, wording and the official government coat of arms.
If clicked, the link triggers an automatic download of malicious files hosted on another compromised SharePoint site. The downloaded .zip contains a JavaScript file; on Windows, double-clicking a .js file runs it through Windows Script Host, and this one is used to download further malicious software such as ransomware, key-logging software and spyware. The extra layers of legitimacy don’t just fool recipients but also evade antivirus software: again, at the time of discovery none of the 64 antivirus engines were detecting the link as a danger, and only MailGuard had reported the email as suspicious.
The ATO featured last month with another email; this is yet another example of employee education being key to identifying these emails.
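Both the parking fine and the ATO lure deliver a .zip whose contents are a script rather than a document, which is something a mail gateway can check before any antivirus signature exists. The Python below is an added example (not MailGuard’s or any vendor’s product code) that opens an attachment in memory and flags members with executable or script extensions, double extensions such as .pdf.js, and nested archives. The extension lists and the sample archive it builds are constructed for illustration, and the sample contains no real payload.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types Windows Explorer runs directly on double-click (Windows Script Host
# handles .js/.jse/.vbs/.wsf). Partial list, chosen for illustration.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
               ".bat", ".cmd", ".exe", ".scr", ".lnk", ".pif", ".com"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def inspect_zip(data: bytes):
    """Return a list of (member_name, reason) for members that should be blocked.

    The archive is read from bytes so nothing is written to disk, and nothing
    inside it is ever executed or extracted.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip")]
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = PurePosixPath(info.filename.replace("\\", "/")).name
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        last = suffixes[-1] if suffixes else ""
        if last in SCRIPT_EXTS:
            reason = "executable script"
            if len(suffixes) > 1 and suffixes[-2] in DOC_EXTS:
                reason += " disguised with double extension"
            findings.append((info.filename, reason))
        elif last in ARCHIVE_EXTS:
            findings.append((info.filename, "nested archive"))
        elif not suffixes:
            findings.append((info.filename, "no extension"))
    return findings


def build_sample() -> bytes:
    """Constructed sample resembling the fake parking ticket: a .js file named to
    look like a PDF, beside a harmless text file. The script body is a comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Parking_Infringement_Notice.pdf.js",
                    "// constructed stand-in, no real payload\n")
        zf.writestr("readme.txt", "constructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample()):
        print(f"BLOCK {member}: {reason}")
```

The check is deliberately independent of signatures: it blocks on what the file *is*, so the 0-of-64 detection rate the article reports does not matter. In practice the same logic should also run on the inner archive when a nested one is found, since attackers nest archives precisely to get past one level of inspection.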
Help protect your business from malicious emails with cyber insurance.
Fake Apple Account Email
An Apple email phishing scam has been discovered which attempts to trick users into giving away their log-in information with a simple tactic. The malicious email evades detection by replacing common Latin letters with look-alike Greek characters: ρ, υ and ω in place of p, u and w, as can be seen in the screenshot below. Substituting characters this way changes the underlying bytes of common phrases while leaving them visually unchanged, so keyword-based content filters in anti-spam and antivirus products that look for those phrases no longer match.
The differing letters are easy to see in the screenshot above once someone points them out, but would pass by many recipients who were not paying close attention. The email states that Apple is updating its user accounts, was unable to update yours, and asks you to do so by clicking the embedded link.
Users are presented with a mirror replica of the Apple sign-in page and prompted to enter their account information. The fake sign-in page even resizes and adapts to different screen sizes such as mobile phones and tablets. This tactic has been around for many years, but clearly it has not died out, as it still nets results and so warrants the effort for cyber criminals.
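The Greek-letter substitution works because a filter matching the literal string “update your account” never sees it once the u and p are Greek. The Python below is an added example (not from the article) that detects words mixing Latin with Greek or Cyrillic letters and maps a hand-built table of confusables back to Latin before keyword matching. The confusables table is a small assumption standing in for the much larger Unicode confusables data, and the sample email text is constructed.

```python
import unicodedata

# Visually confusable non-Latin letters mapped to the Latin letter they imitate.
# Hand-built table for illustration; Unicode's confusables data is far larger.
CONFUSABLES = {
    # Greek
    "ρ": "p", "υ": "u", "ω": "w", "ο": "o", "α": "a", "ν": "v", "ι": "i",
    # Cyrillic
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
}

# Constructed sample in the style of the lure: p, u and w are Greek letters.
SAMPLE = "Aρρle ID: we were υnable to υρdate your account. Please υρdate noω."


def script_of(ch):
    """Script name from the character's Unicode name (LATIN, GREEK, CYRILLIC...),
    or None for non-letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "").split(" ")[0] or None


def normalize_confusables(text):
    """Replace every confusable with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def mixed_script_words(text):
    """Words containing letters from more than one script, paired with their
    normalised form. A legitimate English email has none of these."""
    out = []
    for word in text.split():
        scripts = {script_of(c) for c in word if script_of(c)}
        if len(scripts) > 1:
            out.append((word, normalize_confusables(word)))
    return out


def filter_hits(text, phrases):
    """Match phrases against the normalised text, so the substitution no longer
    defeats a keyword filter."""
    norm = normalize_confusables(text).lower()
    return [p for p in phrases if p in norm]


if __name__ == "__main__":
    for word, plain in mixed_script_words(SAMPLE):
        print(f"mixed script: {word!r} -> {plain!r}")
    print(filter_hits(SAMPLE, ["apple id", "update your account"]))
```

Run on the sample, the raw text contains neither “apple id” nor “update your account”, yet the normalised text matches both; the mixed-script check alone is enough to quarantine the message, since ordinary English mail never mixes Greek letters into Latin words.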
That is our February list of malicious emails to keep a look out for. Each month we will report new malicious emails making the rounds for Australian businesses.
Thanks to MailGuard, subscribe to the security blog for regular updates here.
Share this list with your colleagues to help spread the word before one of these nefarious emails ends up at your business.