A stolen ID may have been used to set up an "elaborate" Australian Securities and Investments Commission (ASIC) email scam designed to infect victims’ systems with malware.
Sent out to Australian businesses on April 19, the email contained malicious software of the JavaScript dropper variety, designed to instantly install malware on computer systems.
Two separate reports have indicated that the dropper is then likely to download a trojan or ransomware, with the zero-day email appearing to come from ASIC, while claiming to contain a company name renewal letter.
But instead of coming from the legitimate ASIC site, asic.gov.au, it was sent from a newly-created austgov.com domain, which was registered in China.
“Chinese authorities are strict about domain registration requirements, and anyone who wants to register a new domain requires an ID scan,” MailGuard CEO, Craig McDonald, said.
“This creates a high likelihood that a stolen ID was used by cyber criminals to set up the scam.”
McDonald said the domain is backed by a legitimate email infrastructure in order to trick email servers into accepting the fraudulent emails.
“But those who follow the instructions and click the ‘Renewal letter’ link – likely persuaded by the government branding and professional-looking formatting – and are instantly at risk of malware,” he cautioned.
According to McDonald, the email contains the signature of Alexander Ward, purportedly a senior executive leader at ASIC - but nobody matching that description appears to work at the corporate watchdog.
Fraud emails targeting Australians have been circulating in high volume over the past week, with separate well-designed scams impersonating MYOB and myGov most recently.
“MailGuard’s cyber security experts have also seen a proliferation of malware hosted on unsuspecting corporate entities’ SharePoint accounts recently,” McDonald added.
To help Australian users avoid scams in the future , ASIC’s website recently warned that scammers have been contacting registry customers asking them to pay fees and give personal information to renew their business or company name.
“These emails often have a link that provides an invoice with fake payment details or infects your computer with malware if you click the link,” the ASIC website stated.
In following ASIC guidance, users are advised to keep anti-virus software up to date, be wary of emails that aren’t addressed by name or have unknown attachments, alongside not clicking any links on a suspicious email.
“Check who it was sent by,” McDonald advised. “Examine the sender or reply-to address and check that it hasn’t been sent from a similar, but recently-registered domain such as mailguard.com instead of mailguard.com.au.”
In addition, McDonald advised users to be vigilant when clicking on links in emails, while remaining aware that a reputable company or organisation will never use an email to request personal information.
“If you think there is a possibility it may be legitimate, type the real URL into your browser or contact the company directly,” he added.
“Also, be alert for strange sentence structure, or phrasing uncommon to the apparent sender.”
