A security provider has warned of a second "realistic" malware campaign masquerading as electricity bills.
We’re guessing that last month’s malware campaign posing as Origin Energy bills (see below) was successful, because security provider MailGuard has detected a fresh wave.
Tens of thousands of copies of the email arrived this morning, according to the company.
MailGuard CEO Craig McDonald said “the fraud Origin email is highly realistic and installs malware at the click of a button. It perfectly mimics the branding and billing format of the popular energy provider.”
Clues that the email is not what it appears are that the ‘From’ address is email@example.com, and the salutation is a generic “Dear customer”.
“These types of attacks tend to spike at traditionally busy times of year, such as Christmas, Easter and end of financial year as people are more likely to be time-poor and less likely to apply their usual scrutiny,” said McDonald.
“Email is the new frontier for criminals capable of making money without leaving their house. They can fleece a person they’ve never met - from the other side of the globe,” he explained.
“In fact, more than 90 percent of all cyber attacks begin with a single email. Usually it takes the form of phishing, where a scam-artist tricks their victim into handing over private information such as their log-in and password for online banking, as evidenced in this new iteration of the Origin scam.”
There's no reason to assume scammers won’t hide behind other well-known brands, so treat with suspicion all invitations to click on an email to view statements, bills and so on. You might consider any such messages as reminders to visit the company's website directly (that is, not following any of the links in the email) in order to download the genuine document. If the email was legitimate, the bill or whatever will be waiting there for you; if it wasn't, no harm has been done.
The first wave
Earlier (on 5 May 2017), MailGuard detected a new malware campaign aimed at Australians in which a “well-crafted email uses Origin Energy branding, and uses the subject line 'Your Origin electricity bill', with a due date of May 16.”
MailGuard implies that the crooks behind this campaign have taken more care over the covering email than usual. It renders correctly on computers and mobile devices, the amount due varies in an attempt to evade security software, and the message includes a link to Origin Energy's real privacy page.
The main clue is that the email was sent from servers in France using the domain originenergysolar.net which was registered in China just days ago.
Origin Energy has offered some advice about identifying scams, though it is not clear how those measures would protect anyone who was expecting to receive bill notifications via email.
This is likely to become a growing problem as organisations encourage, pressure or even force customers into receiving bills via email.
Apart from using a spam filter that detects malware campaigns very quickly (we're sure MailGuard would like your consideration), you could be on the lookout for purported bills that arrive at the wrong time – but be aware that the odds of a fake bill arriving by chance a few days before the real one are about one in ten, so that's probably not a bet you should take.
A safer approach is probably to treat a billing email just as a reminder to visit the company's website directly (that is, not following any of the links in the email) in order to download the genuine bill.
An Origin Energy spokesperson commented: “We’re finding these scams are becoming more sophisticated, and we're now one of many companies that have been subject to a phishing campaign.
“We’re doing what we can to inform our customers and communities about how to spot fake bills, and what to do if they’ve received one.
“We’re asking customers to consider when they last paid their account and to look closely at the sender, contact details and any links contained in the email.
“If these don’t seem right, customers should not click any links, and instead delete the email and report it to the ACCCs Scamwatch service.
“Origin customers can always ring us or login to their account to verify their billing status.”