ARN provides a weekly wrap of the phishing scams, malware attacks and security breaches impacting organisations across Australia.
This week, a “large run” of fake Telstra notification bills with a link to a Sharepoint folder containing a JavaScript file hit Aussie inboxes.
“The scammers have made an effort to make this email look more legitimate by varying certain details, like the invoiced amount and the sender’s name,” email filtering company, MailGuard, wrote in a blog post on Wednesday.
According to MailGuard, recipients might not realise at first it was a malware attack.
One way this email could be identified as a scam was by looking at the actual email address behind the “Telstra” sender name. Instead of being real Telstra email addresses, they are from a wide variety of random looking mail domains, such as @sahara-group(dot)com, @stoneacre(dot)co(dot)uk, and @vialagro(dot)com(dot)ar.
Also on Wednesday 25 October, another “large” scale email scam impersonated MYOB brand with a fake DocuSign supply order.
This attack had two variations, according to MailGuard. The first was in plain text and contains what MailGuard called meaningless spam, with no malicious links or payloads.
The second email variant was well formatted HTML with a link pointing to a compromised SharePoint site hosting a ZIP file containing a malicious JavaScript file.
“A common technique that we are seeing with increasing regularity,” MailGuard wrote. “The file appears to be a dropper that downloads a further executable file from yet another (different) compromised SharePoint account.”
There were several different display sending addresses with the body appearing as from various individuals purporting to be from MYOB. A quick internet search would have revealed none of the individuals are MYOB employees.
Last week a scam had once again hijacking MYOB’s brand. The emails contained fake invoices in a well-formatted HTML email, which was sent from different businesses with a link to a MYOB invoice.
An attack originating from hacked MailChimp accounts was also picked up this week. Posing as a photographer, the attacker was sending fake invoices.
This is different from the usual attacks using well-known brands as it makes it look like it is coming from a small business.
“The scammer behind this one has broken into someone's MailChimp account and used it to broadcast thousands of these bogus messages,” MailGuard wrote.
Clicking on the malicious link could trigger a code that could download and install any number of exploitative malwares from keystroke loggers to trojan horses that would take over the recipients’ computers.
Two weeks ago, MailChimp accounts were impersonated in order to distribute scams through emails containing malicious JavaScript files.
The emails featured multiple variations of the same subject line, which refer to a fake infringement notice dated '10 November 2017', MailGuard wrote in a blog post. The majority of the recipients appeared to be accountants, who are presumably on a mailing list attached to the compromised account.
The Australian Government website, Stay Smart Online, was also advising people to be aware of a Locky ransomware campaign taking place on Thursday 26 October.
The emails were being sent from different fake email addresses containing an attachment entitled ‘Invoice_file_26530.doc’ or similar that could infect the recipients’ computer with Locky. The email read:
“Your Invoice is attached.
“If you feel you have received this email in error, please reply to this email to inform us of any necessary corrections.”
The biggest cyber attack this week however was “BadRabbit”, which hit Ukraine and Russia on Tuesday. I caused flight delays at Ukraine's Odessa airport and affected several media outlets in Russia, including Interfax news agency.
Interfax, one of the largest news agencies in Russia, said some of its services were hit by an "unprecedented virus attack", as reported by Reuters.
A spokeswoman for Odessa airport said a few flights were delayed because workers had to process passenger data manually. The metro system in Kiev also reported a hack on its payment system but said trains were running normally.
"According to our data, most of the victims targeted by these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey and Germany," said Russian cyber security firm Kaspersky Lab.
Two days later it was reported that Russia-based cyber firm Group-IB said the BadRabbit virus used in this week's attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.
