Fake Telstra and EnergyAustralia email bills spread banking trojans

Don't click "View my bill"

Cybercrooks are once again sending spam with fake Telstra and EnergyAustralia email bills to infect Australian PCs with nasty trojans that steal online banking credentials.

Researchers at security firm Trustwave detected an uptick in mid-September of fake EnergyAustralia bills carrying links that install a variant of the infamous banking trojan Gozi. Clicking the "View my Bill" button in the email leads victims to a page that downloads a ZIP archive labeled “EnergyAustralia Electricity bill.zip”, which supposedly contains a real bill.

Once the ZIP file is extracted, it delivers a JavaScript file, which in turn downloads an executable that installs the Gozi credential stealer along with a real-looking bill in PDF format; the PDF is designed to distract the victim while the malware installs in the background.

The malware monitors browser activity and can download additional components for keylogging, taking screenshots, stealing email, and fetching further malware.

Fake bills have plagued well-known brands for some time and likely won't disappear any time soon. EnergyAustralia in June warned customers to be alert for fake bills with the subject header “Bill Payment Status: UNPAID”. The attackers set up a page that mimicked the firm’s MyAccount portal to capture user passwords.

Scammers were also using bogus Origin Energy bills to trick recipients into installing the Gozi trojan, according to CommBank’s Q3 2017 security report. It notes that fake EnergyAustralia bills carrying links to Gozi were being spread between June and September. Other brands abused for spreading malware included Telstra and AGL.

The batch of fake EnergyAustralia bills that Trustwave detected was sent from the domain “energybrandlab[dot]com”, which was registered on 17 September. The name makes the From field in the email seem more legit. The scammers use Microsoft SharePoint links embedded in the “View Bill” button in the emails to lead victims to the malware.

One day after the look-alike EnergyAustralia domain was registered, Trustwave saw a rise in phishing messages carrying spoofed bills.

Trustwave also caught a fake Telstra bill on 27 September that used techniques similar to the fake EnergyAustralia bills, but sent from the domain “businessdirs.com” with “telstra” tacked on to the front.

If recipients click the “View Bill” button in the fake Telstra bill, the JavaScript downloader fetches another banking trojan, known as Emotet, along with an actual PDF of the fake Telstra bill. Emotet can steal credentials as well as send spam and phishing email from infected machines.
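The sender and attachment traits described above (a brand name paired with a freshly registered look-alike domain, an "UNPAID" bill lure, and a ZIP that hides a JavaScript downloader) make a workable mail-gateway triage rule. The following is an added example written for this page, not Trustwave's or CommBank's code; the trusted-domain allowlist is an assumption, and the sample message is constructed from the article's description.

```python
import io
import zipfile
from email.utils import parseaddr

# Brand tokens impersonated in the campaign above; the allowlist of genuine sender
# domains is an assumption for this example, check it against your own mail logs.
BRAND_TOKENS = ("telstra", "energy")
TRUSTED_DOMAINS = {"telstra.com", "energyaustralia.com.au"}

def parse_sender(from_header):
    # Returns (display name without spaces, lowercase domain) from a From: header.
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.lower().replace(" ", ""), domain

def lookalike_sender(name, domain):
    """A brand token in the display name or domain, but the domain is not trusted."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(t in name or t in domain for t in BRAND_TOKENS)

def scripts_in_zip(zip_bytes):
    """Script files inside a ZIP attachment (the ZIP -> JavaScript downloader chain)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith((".js", ".jse", ".vbs", ".wsf"))]
    except zipfile.BadZipFile:  # corrupt or non-ZIP payload: nothing to report here
        return []

def triage_email(from_header, subject, attachments):
    """attachments maps filename -> bytes. Returns the reasons to quarantine."""
    name, domain = parse_sender(from_header)
    reasons = []
    if lookalike_sender(name, domain):
        reasons.append(f"look-alike sender: {domain}")
    if "unpaid" in subject.lower() and domain not in TRUSTED_DOMAINS:
        reasons.append("unpaid-bill lure in subject from untrusted domain")
    for fname, data in attachments.items():
        scripts = scripts_in_zip(data) if fname.lower().endswith(".zip") else []
        if scripts:
            reasons.append(f"script inside {fname}: {', '.join(scripts)}")
    return reasons

def build_zip(inner_name):
    # Constructed ZIP holding a harmless placeholder file for the demo.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// placeholder text, not a downloader")
    return buf.getvalue()

FAKE_ENERGY = (  # constructed sample modelled on the article's description of the lure
    "EnergyAustralia <bills@energybrandlab.com>", "Bill Payment Status: UNPAID",
    {"EnergyAustralia Electricity bill.zip": build_zip("bill.js")})
```

Running `triage_email(*FAKE_ENERGY)` returns all three reasons, while the same subject from an allowlisted domain with no attachment returns none; brands whose genuine domains contain a token (for example "energy") must be added to the allowlist or they will be flagged.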

Different fake Telstra bill scams were being used to spread the TrickBot credential-stealing trojan and Gozi, according to CommBank, which notes that fake bills also cost the abused brands because they undermine legitimate email marketing.

Copyright © 2017 IDG Communications, Inc.
