Cybercrooks are once again sending spam with fake Telstra and EnergyAustralia email bills to infect Australian PCs with nasty trojans that steal online banking credentials.
Researchers at security firm Trustwave detected an uptick in mid-September of fake EnergyAustralia bills with links that install a variant of the infamous banking trojan Gozi. Clicking the "View my Bill" button in the email leads victims to a page that downloads a ZIP archive labeled "EnergyAustralia Electricity bill.zip", which supposedly contains a real bill.
The malware monitors browser activity and can download other components for keylogging, taking screenshots, stealing email, and fetching further malware.
Fake bills have plagued well-known brands for some time and likely won't disappear any time soon. EnergyAustralia in June warned customers to be alert for fake bills with the subject header "Bill Payment Status: UNPAID". The attackers set up a page that mimicked the firm's MyAccount portal to capture user passwords.
Scammers were also using bogus Origin Energy bills to trick recipients into installing the Gozi trojan, according to CommBank’s Q3 2017 security report. It notes that fake EnergyAustralia bills carrying links to Gozi were being spread between June and September. Other brands abused for spreading malware included Telstra and AGL.
The batch of fake EnergyAustralia bills that Trustwave detected was sent from the domain "energybrandlab[dot]com", which was registered on 17 September. The name makes the From field in the email look more legitimate. The scammers embed Microsoft SharePoint links in the "View Bill" button of the emails to lead victims to the malware.
One day after the look-alike EnergyAustralia domain was registered, Trustwave saw a rise in phishing messages carrying spoofed bills.
Trustwave also caught a fake Telstra bill on 27 September that used similar techniques to the fake EnergyAustralia bills, but was sent from the domain "businessdirs.com" with "telstra" tacked on to the front.
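The traits described above (a sender that borrows a brand name on a domain the brand does not own, a "View Bill" button that points off the brand's site, and a link that hands out a ZIP file) are all checkable at the mail gateway. The following is an added example of such a triage check, not tooling from Trustwave, CommBank or the brands named in the article. The brand allowlist and both sample messages are constructed assumptions for illustration; the first sample reuses the "energybrandlab.com" domain and subject line reported above, and the SharePoint tenant path in it is invented.

```python
"""Defender-side triage of bill-themed email lures (added example)."""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed allowlist: keywords that identify a brand, and the domains the brand
# is taken to send from. Illustrative values, not an authoritative list.
BRANDS = {
    "energyaustralia": {"keywords": ("energyaustralia", "energy australia"),
                        "domains": {"energyaustralia.com.au"}},
    "telstra": {"keywords": ("telstra",), "domains": {"telstra.com", "telstra.com.au"}},
    "origin": {"keywords": ("origin energy", "originenergy"), "domains": {"originenergy.com.au"}},
}
BILL_BUTTON_RE = re.compile(r"\bview\s+(my\s+)?bill\b", re.I)
UNPAID_SUBJECT_RE = re.compile(r"bill payment status:\s*unpaid", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude registrable-domain guess: last two labels, or three for com.au-style suffixes."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in ("com", "net", "org", "gov") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brands_mentioned(*texts: str) -> list:
    blob = " ".join(texts).lower()
    return [b for b, spec in BRANDS.items() if any(k in blob for k in spec["keywords"])]


def assess_bill_email(raw: bytes) -> dict:
    """Return the sender's registrable domain and a list of lure indicators found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    addrs = msg["From"].addresses if msg["From"] is not None else ()
    display = addrs[0].display_name if addrs else ""
    sender_domain = registrable_domain(addrs[0].domain) if addrs else ""
    subject = str(msg.get("Subject", ""))
    named = brands_mentioned(display, sender_domain, subject)
    # A brand named in the From display name, sender domain or subject, but a
    # sender domain the brand does not own, is the look-alike pattern.
    for brand in named:
        if sender_domain not in BRANDS[brand]["domains"]:
            findings.append(f"brand-domain-mismatch:{brand}:{sender_domain}")
    if UNPAID_SUBJECT_RE.search(subject):
        findings.append("subject:unpaid-lure")
    allowed = set().union(*(BRANDS[b]["domains"] for b in named)) if named else set()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            parsed = urlparse(href)
            target = registrable_domain(parsed.hostname or "")
            if BILL_BUTTON_RE.search(text) and target not in allowed:
                findings.append(f"bill-button-offsite:{target}")
            if parsed.path.lower().endswith(".zip"):
                findings.append(f"zip-link:{target}")
    return {"sender_domain": sender_domain, "findings": findings, "suspicious": bool(findings)}


# Constructed sample: the lure pattern from the article (tenant path invented).
SAMPLE_LURE = b"""From: EnergyAustralia Billing <noreply@energybrandlab.com>
To: customer@example.com
Subject: Bill Payment Status: UNPAID
Content-Type: text/html; charset=utf-8

<html><body><p>Your electricity bill is ready.</p>
<a href="https://tenant.sharepoint.com/sites/billing/EnergyAustralia%20Electricity%20bill.zip">View my Bill</a>
</body></html>
"""

# Constructed sample of a message that stays on the brand's own domain.
SAMPLE_LEGIT = b"""From: EnergyAustralia <bills@energyaustralia.com.au>
To: customer@example.com
Subject: Your bill is ready
Content-Type: text/html; charset=utf-8

<html><body><a href="https://my.energyaustralia.com.au/bills/123">View my Bill</a></body></html>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_LEGIT):
        print(assess_bill_email(sample))
```

The registrable-domain guess is deliberately crude; in production use the Public Suffix List, and pair this content check with domain-age lookups, since the article notes the spoofed domains were registered a day before the campaign started.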
Different fake Telstra bill scams were being used to spread the TrickBot credential-stealing trojan and Gozi, according to CommBank, which notes that fake bills also cost the abused brands because they undermine the brands' own email marketing.