Cybercriminals deliver multiple malicious emails from compromised Optus accounts
Don’t be too quick to believe everything you read in an email, especially if it’s been sent by someone you weren’t expecting to hear from.
Multiple inboxes are being hit by malicious emails, all purporting to be from Optus and using the domain ‘optusnet.com.au’. MailGuard detected the first of these email scams last Friday, 8th Feb 2019, although it has been verified that these emails originally started hitting inboxes at a previous date. This email scam is currently ongoing.
These emails appear in multiple variations, ranging from remittance advice to car insurance document scams. MailGuard understands they originate from a large number of compromised email addresses using the same domain.
The format of these emails is similar, with most appearing in plain-text form. They advise the recipient of a document that is available for them, with a link to access the said document. In most cases, the links lead unsuspecting recipients to a malicious file download.
Below are the descriptions and screenshots of some of the more recent emails that have been hitting inboxes:
This email appears as a generic remittance advice email. The message body asks the recipient to "please find attached a remittance advice requiring your review". There is no attachment provided, rather a link to a Google Docs hosted Word document containing macros.
Example 2: Insurance email scam
The second example is for an "Insurance Certificate of Currency":
In this variation, the message body advises the recipient, that as requested, they can find attached a “Certificate of Currency" for car insurance. Once again, there is no attachment, rather a link to a Google Docs hosted Word document containing macros.
MailGuard understands that on this day, victims of this email scam received several variants of different subjects. However, they were all scams related to Insurance Cover documents. The example here has a very short body, stating "Please get assigned accident Documents as requested", along with a reference number. The included link in this case was to a .zip file containing a malicious Javascript file.
Tuesday, 12/02/2019:
Cybercriminals responsible for this email scam sent out another simple email with a link to a malicious file download on Tuesday. This time, the links were an FTP link to a .zip file, containing a malicious Javascript file. The body of the email thanks the recipient for their recent “Online purchase”, with a link to "download a PDF copy" of their invoice. The .zip file is password protected, with the password provided within the body of the email. This tactic works both as an attempt to legitimise the file and to prevent automatic scanning of the contents of the .zip archive.
Wednesday, 13/02/2019:
Another very simple email, with a subject of "Tax Invoice" body. This email includes a link to "detach or download your invoice" which is a .zip file, containing Javascript, hosted on Google Docs.
This email scam is a good reminder of how innocent-looking, plain emails can, in fact, be malicious, despite where they purport to be from. As simple as they may seem, these attacks are happening all too regularly, and with devastating effect. Unsuspecting employees who click on any of the links above or download any content can inflict significant financial and reputational damage on an organisation.
MailGuard urges all cyber users to be vigilant when accessing their emails, and look out for tell-tale signs of malicious emails:
Tell-tale signs of email scams
- Do not address recipients directly (e.g. “Dear customer”)
- Bad grammar or misuse of punctuation and poor-quality or distorted graphics
- An instruction to click a link to perform an action (hover over them to see where you’re really being directed)
- Obscure sending addresses (for example, Hotmail, gmail, Yahoo addresses should set alarms bells ringing)