Fourth malicious email attack impersonating ASIC


Beware “company renewal” emails – another large-scale malware campaign is hitting inboxes.

For the fourth time this year, security provider MailGuard has warned of a large-scale malware attack being delivered via emails impersonating the Australian Securities and Investments Commission (ASIC).

“Beginning distribution at 9.43am today (10 July), it quickly escalated to become one of the largest-scale malware deliveries seen by MailGuard in the past 12 months,” said Craig McDonald, MailGuard’s CEO.

The emails tell recipients their business name is due for renewal, and direct them to click a link to download their renewal notice – but the link points to a .zip archive file, which contains a malicious JavaScript file, McDonald warned.

MailGuard said the fake ASIC emails have these characteristics:

  • The email appears to be from ‘ASIC Messaging Service’, and is sent from the domain ASIC.Transaction.No-reply @ asicdesk.com
  • The domain was registered yesterday in China
  • The subject line is ‘Renewal’
  • The well-formatted message contains ASIC branding and government coat of arms
  • It lacks personalisation, and is simply addressed “Dear customer” – something legitimate agencies don’t do
  • The email provides details on how to renew a business name, and tells recipients they can pay for the fake renewal by credit card or by requesting an invoice. The payment tips are just part of the scam; the cybercriminals want victims to download the malicious attachment rather than to open their wallets.
  • The email is signed off by “Myra Tango, Senior Executive Leader, Registry”. No employee by that name appears to exist at ASIC. 

Well-known organisations are often used as cover for fraudulent emails. Others include the ATO, Australia Post, the major banks, and courier companies.

Prevention tips

The above characteristics give some insights into how to spot fake emails such as this, but the main lesson is to avoid opening any attachment – or clicking on any link – unless you’re absolutely certain of the email's authenticity.

You should also be cautious opening any email from a supposed official source. Would you expect to receive an email from that organisation? Does it address you by name?

If you have the slightest suspicion that an email is not what it seems, go directly to the organisation’s genuine website or call them, ignoring any domain names shown in the email.

Keeping your anti-virus software up to date is also a good idea, but as this and similar examples show, it does not provide foolproof protection.

Third fake ASIC email threat hits Australian inboxes

On 29 May 2017, MailGuard said it had detected the third of this year’s malicious email campaigns masquerading as ASIC.

The security company said a message purporting to be from “ASIC Messaging Service” tells recipients to click a link to see a “company renewal” letter.

Anyone falling for the ruse actually receives a malicious JavaScript file in a zip file from a compromised SharePoint site.

“While the exact type of malware isn’t clear – it could be anything from a virus to ransomware – malware is generally designed to disrupt, damage or gain control of a computer system or data,” said MailGuard CEO Craig McDonald.

The current campaign uses the domain australiangovernments.com, which was recently registered through a Hong Kong-based registrar. The scammers have set it up properly with SPF, DKIM and reverse DNS entries to help get past basic anti-spam measures.

An important clue is that the email doesn’t address recipients by name or contain any information about the company name involved. As a general rule, if an organisation knows you by name, it will address you by name, so a generic salutation should serve as a red flag.

Beware of fake ASIC email carrying ransomware

On 6 March 2017, MailGuard said it had detected the second of this year’s malicious email campaigns masquerading as ASIC.

It was "one of the largest-scale fraud inundations" in recent times, the security provider said. The spam emails sent to "tens of thousands of addresses" purport to be company name renewal reminders from the Australian Securities and Investments Commission (ASIC), according to MailGuard.

If recipients click the 'renewal' link, what they're actually doing is opening "a malware downloader stored within a JavaScript file, which paves the way for ransomware to be executed remotely," said MailGuard CEO Craig McDonald.

"The link was not being detected as suspicious by any of 64 well-known antivirus engines on Google-owned aggregator VirusTotal when MailGuard intercepted the email this morning."

Two characteristics of the email provided strong clues that it was fake: the text was generic rather than addressing recipients by name, and it was sent from the asic-gov-au.co domain rather than asic.gov.au.

In addition, it was supposedly sent by "Max Morgan, Senior Executive Leader" at ASIC. "No such employee appears to exist at the commission," observed McDonald.
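A simple triage check built from the red flags the three campaigns above share (sender domain that is not asic.gov.au, a generic salutation, a link to a .zip or .js file, and the fact that a passing SPF record only vouches for the sender's own domain). This is an added example, not MailGuard's or the publication's code; the trusted-domain list, both sample messages and the URLs inside them are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains ASIC genuinely sends from (assumption for this example).
TRUSTED_DOMAINS = {"asic.gov.au"}
# Generic salutations the article singles out as a red flag.
GENERIC_SALUTATIONS = ("dear customer", "dear client", "dear sir/madam")
# File types the campaigns delivered: a .zip holding a JavaScript file.
RISKY_EXT = re.compile(r"\.(zip|js)\b", re.IGNORECASE)

def domain_of(addr):
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()

def is_trusted_domain(domain):
    # Exact match or a subdomain of a trusted domain. Lookalikes such as
    # asic-gov-au.co or asicdesk.com fail this test.
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def score_message(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    domain = domain_of(msg.get("From", ""))
    if not is_trusted_domain(domain):
        findings.append(f"sender domain {domain!r} is not an ASIC domain")
    if body.strip().lower().startswith(GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    for url in re.findall(r"https?://\S+", body):
        if RISKY_EXT.search(url):
            findings.append(f"link to archive/script file: {url}")
    # SPF only proves the mail came from the domain it claims, not that
    # the domain belongs to ASIC, so a pass for a lookalike is itself a flag.
    auth = msg.get("Authentication-Results", "")
    if "spf=pass" in auth and not is_trusted_domain(domain):
        findings.append("SPF passes, but for an untrusted domain")
    return findings

# Constructed sample modelled on the characteristics reported above.
SAMPLE = """From: ASIC Messaging Service <ASIC.Transaction.No-reply@asicdesk.com>
Subject: Renewal
Authentication-Results: mx.example; spf=pass smtp.mailfrom=asicdesk.com

Dear customer,
Your business name is due for renewal.
Download your renewal notice: http://asicdesk.com/renewal/notice.zip
"""
# Constructed legitimate-looking counterpart for comparison.
LEGIT = """From: ASIC <no-reply@asic.gov.au>
Subject: Renewal
Authentication-Results: mx.example; spf=pass smtp.mailfrom=asic.gov.au

Dear Ms Example,
Your renewal notice is available at https://asic.gov.au/notices
"""
```

Running `score_message(SAMPLE)` returns four findings, while `score_message(LEGIT)` returns none; the check is a triage aid, not a substitute for a mail filter.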

This was the second campaign of fake ASIC emails in 2017, following a previous attack in January, according to MailGuard.

An example of one of the fake emails, courtesy of MailGuard.

As well as the prevention tips explained above, mail filtering services such as that offered by MailGuard may provide an additional, timely line of defence.

Copyright © BIT (Business IT). All rights reserved.