A fake ATO email carrying malware which aims to steal passwords is circulating this week.
More than 50,000 copies of a scam email pretending to come from the Australian Taxation Office (ATO) have been intercepted by email security company MailGuard.
The emails have the subject line "Australian Taxation Office – Refund Notification", and carry an attachment that, if opened, steals passwords and other confidential information from files stored on the computer.
A press release sent by MailGuard this week states: "MailGuard recommends to business and individual recipients of this email, and others like it, do not open it. Unexpected emails and their attachments, should never be opened. Financial organisations, like banks and the ATO, just don’t send this type of email."
While MailGuard reports having stopped more than 50,000 of the emails, the reality is that many more are likely being received by Australians.
If you opened the email and opened the attachment, it's possible your computer is infected. MailGuard claimed that the malware was not being detected by antivirus software from 37 out of 47 vendors in the "hours after the attack" yesterday.
[Image of the scam email message, supplied to us by MailGuard]
What should you do?
If you're a one-person business, you'll know whether or not you've opened the offending attachment. If you have employees, talk to them about the issue, stressing its importance and taking care to avoid putting them on the defensive. You need them to be open so you can take appropriate action if they have received and opened it.
If you think you have been affected, ask your antivirus vendor if it has issued an update to address the malware that MailGuard describes here. If so, make sure the antivirus on the affected computer(s) is up to date, and run a cleanup scan.
The information provided by MailGuard about the malware's capability is sketchy, so it is difficult to know exactly what further action should be taken following an antivirus cleanup. If you want to err on the side of caution, it might be advisable to change all passwords stored on the computer, from the Windows login passwords to application passwords (for example, for your accounting software) and those stored in password-management utilities such as 1Password or KeePass.
The danger is that the malware may include some sort of remote-access capability to provide the attacker with a way into the computer. Or it may just be looking for passwords used with email accounts, Dropbox and other online services - we just don't know from MailGuard's description, and we have yet to see any information about this particular malware from the antivirus vendors at the time of writing.
Fake emails pretending to be from the ATO are nothing new - there was another spike in them reported earlier this year.
As we reported at the time, it's not just emails pretending to be from the ATO to watch out for. Banks are another favourite with these spammers.