Scammers target Origin Energy customers yet again


A security provider has warned of a fourth malware campaign masquerading as electricity bills.

As in the previous campaigns, the latest scam uses a well-formatted email posing as a bill notification from Origin Energy, warned Craig McDonald, the CEO of security provider MailGuard.

Clicking on the ‘View bill’ button “triggers the download of a .zip file that contains malicious JavaScript,” McDonald explained.

The fake messages have the subject line “Your Origin electricity bill” and purport to come from OriginEnergy <noreply@energy2u .info>.

As with a previous scam using the Energy Australia brand, the fake bill notifications include varying due dates and amounts in an attempt to avoid detection by spam filters.

A fake bill example. Source: MailGuard.

The latest “huge” campaign started at 8.40am this morning (17 July), according to McDonald, and follows three previous campaigns of fake Origin Energy emails, including one on 22 June.

The second wave

On 14 June, MailGuard detected a second malware campaign with emails posing as Origin Energy bills. Tens of thousands of copies of the email arrived that morning, according to the company.

MailGuard CEO Craig McDonald said: “the fraud Origin email is highly realistic and installs malware at the click of a button. It perfectly mimics the branding and billing format of the popular energy provider.”

The “View bill” link triggers a JavaScript payload that attempts to steal private information from internet browsers.

Clues that the email is not what it appears are that the ‘From’ address is, and the salutation is a generic “Dear customer”.

Source: MailGuard.
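
The clues described above (a brand name in the 'From' display name on an unrelated domain, a generic salutation, and a 'View bill' link that downloads a .zip containing script) can be checked mechanically. This is an added example, not MailGuard's or Origin Energy's code; the trusted-domain list, function names and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the genuine sender uses; replace with your own allowlist.
TRUSTED_DOMAINS = {"originenergy.com.au"}
BRAND = re.compile(r"origin\s*energy", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|client|user)\b", re.I)
ZIP_LINK = re.compile(r'href="[^"]+\.zip(?:\?[^"]*)?"', re.I)
SCRIPT_EXT = (".js", ".jse", ".wsf", ".vbs")

# Constructed sample message (placeholder domains), not a captured email.
SAMPLE = (
    "From: OriginEnergy <noreply@bills.example>\n"
    "Subject: Your Origin electricity bill\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>Dear customer,</p><a href="http://files.example/bill.zip">View bill</a>\n'
)

def triage_email(raw):
    """Return the warning signs found in one raw message (unencoded text parts)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    trusted = any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)
    flags = []
    if BRAND.search(name) and not trusted:  # brand name on an unrelated domain
        flags.append("brand-domain-mismatch")
    if GENERIC_GREETING.search(body):
        flags.append("generic-salutation")
    if ZIP_LINK.search(body):
        flags.append("link-to-zip")
    return flags

def scripts_in_zip(data):
    """List script files inside an archive by reading its index, without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXT)]

if __name__ == "__main__":
    print(triage_email(SAMPLE))
```

Any one flag is weak on its own, since genuine bills can also use generic greetings; the combination of a mismatched sender domain with a link to an archive is the stronger signal.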

“These types of attacks tend to spike at traditionally busy times of year, such as Christmas, Easter and end of financial year as people are more likely to be time-poor and less likely to apply their usual scrutiny,” said McDonald.

“Email is the new frontier for criminals capable of making money without leaving their house. They can fleece a person they’ve never met - from the other side of the globe,” he explained.

“In fact, more than 90 percent of all cyber attacks begin with a single email. Usually it takes the form of phishing, where a scam-artist tricks their victim into handing over private information such as their log-in and password for online banking, as evidenced in this new iteration of the Origin scam.”

There's no reason to assume scammers won’t hide behind other well-known brands, so treat with suspicion all invitations to click on an email to view statements, bills and so on. You might consider any such messages as reminders to visit the company's website directly (that is, not following any of the links in the email) in order to download the genuine document. If the email was legitimate, the bill or whatever will be waiting there for you; if it wasn't, no harm has been done.

The first wave

On 5 May 2017, MailGuard detected a malware campaign aimed at Australians in which a “well-crafted email uses Origin Energy branding, and uses the subject line 'Your Origin electricity bill', with a due date of May 16.”

The problem isn't that the 'View bill' button takes the recipient to a replica of the Origin Energy website designed to steal credentials or other personal information; rather it links to a JavaScript dropper that can install additional malware such as keyloggers that can steal passwords and other information.

MailGuard implies that the crooks behind this campaign have taken more care over the covering email than usual. It renders correctly on computers and mobile devices, the amount due varies in an attempt to evade security software, and the message includes a link to Origin Energy's real privacy page.

The main clue is that the email was sent from servers in France using the domain which was registered in China just days ago.

Source: MailGuard.

Protection tips

Origin Energy has offered some advice about identifying scams, though it is not clear how those measures would protect anyone who was expecting to receive bill notifications via email.

This is likely to become a growing problem as organisations encourage, pressure or even force customers into receiving bills via email.

Apart from using a spam filter that detects malware campaigns very quickly (we're sure MailGuard would like your consideration), you could be on the lookout for purported bills that arrive at the wrong time – but be aware that the odds of a fake bill arriving by chance a few days before the real one are about one in ten, so that's probably not a bet you should take.

A safer approach is probably to treat a billing email just as a reminder to visit the company's website directly (that is, not following any of the links in the email) in order to download the genuine bill.

An Origin Energy spokesperson commented: “We’re finding these scams are becoming more sophisticated, and we're now one of many companies that have been subject to a phishing campaign.

“We’re doing what we can to inform our customers and communities about how to spot fake bills, and what to do if they’ve received one.

“We’re asking customers to consider when they last paid their account and to look closely at the sender, contact details and any links contained in the email.

“If these don’t seem right, customers should not click any links, and instead delete the email and report it to the ACCC’s Scamwatch service.

“Origin customers can always ring us or login to their account to verify their billing status.”

Copyright © BIT (Business IT). All rights reserved.
