Fake Telstra and EnergyAustralia email bills spread banking trojans

liam_tung, CSO Journalist
News, Oct 19, 2017, 3 min read

Don’t click “View my bill”

Cybercrooks are once again sending spam with fake Telstra and EnergyAustralia email bills to infect Australian PCs with nasty trojans that steal online banking credentials.

Researchers at security firm Trustwave detected a mid-September uptick in fake EnergyAustralia emails with links that install a variant of the notorious Gozi banking trojan. Clicking the “View my Bill” button in the email leads victims to a page that downloads a ZIP archive named “EnergyAustralia Electricity bill.zip”, which supposedly contains the bill.

The ZIP contains a JavaScript file rather than a bill. When the victim runs it, the script downloads an executable that installs the Gozi credential stealer, along with a realistic-looking PDF bill that is opened to distract the victim while the malware installs in the background.

Once installed, the malware monitors browser activity and can fetch additional components for keylogging, taking screenshots, stealing email, and downloading further malware.

Fake bills have plagued well-known brands for some time and are unlikely to disappear any time soon. In June, EnergyAustralia warned customers to be alert for fake bills with the subject line “Bill Payment Status: UNPAID”. In that campaign the attackers set up a page mimicking the firm’s MyAccount portal to capture customer passwords.

Scammers were also using bogus Origin Energy bills to trick recipients into installing the Gozi trojan, according to CommBank’s Q3 2017 security report. It notes that fake EnergyAustralia bills carrying links to Gozi were being spread between June and September. Other brands abused for spreading malware included Telstra and AGL.

The batch of fake EnergyAustralia bills that Trustwave detected was sent from the domain “energybrandlab[dot]com”, which was registered on 17 September. The name makes the From field in the email look more legitimate. The “View Bill” button in the emails links to Microsoft SharePoint-hosted pages, which in turn lead victims to the malware.

One day after the look-alike EnergyAustralia domain was registered, Trustwave saw a rise in phishing messages carrying the spoofed bills.

Trustwave also caught a fake Telstra bill on 27 September that used the same techniques as the fake EnergyAustralia bills, but sent from the domain “businessdirs[dot]com” with “telstra” tacked on to the front.

If recipients click the “View Bill” button in the fake Telstra email, the JavaScript downloader fetches a different banking trojan, Emotet, along with an actual PDF of the fake Telstra bill. Emotet can steal credentials and also send spam and phishing email from infected machines.
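Two of the tells described above are mechanical enough to check at a mail gateway: a sender domain that borrows a brand keyword without being one of the brand's real domains (energybrandlab, telstra + businessdirs), and a "bill" that is actually a ZIP carrying a JavaScript downloader or a button pointing at a file-sharing host instead of the brand's site. The following is an added example written for this page, not Trustwave's, CommBank's or the abused brands' own code. The brand-to-domain allowlist, the `triage` message shape and the two sample messages are constructed for illustration; the legitimate domains in `BRAND_KEYWORDS` are assumptions and should be replaced with the brands' published sending domains before any real use.

```python
import io
import re
import zipfile
from email.utils import parseaddr
from urllib.parse import urlparse

# ASSUMED mapping of brand keywords to each brand's legitimate sending domains.
# Hypothetical allowlist for illustration only; source the real list from the
# brands (or their SPF/DMARC records) before deploying anything like this.
BRAND_KEYWORDS = {
    "telstra": {"telstra.com", "telstra.com.au"},
    "energyaustralia": {"energyaustralia.com.au"},
    "energy": {"energyaustralia.com.au"},
}

# Extensions Windows hands to WScript/cmd when double-clicked out of a ZIP.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".cmd", ".bat")

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def _domain_matches(domain, legit):
    """True if `domain` is one of the `legit` domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def sender_domain(from_header):
    """Lowercase domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_brand(domain):
    """Return the brand keyword that `domain` borrows without being one of that
    brand's real domains (energybrandlab.com -> 'energy'), or None."""
    compact = domain.replace("-", "").replace(".", "")
    for keyword, legit in BRAND_KEYWORDS.items():
        if keyword in compact and not _domain_matches(domain, legit):
            return keyword
    return None


def scripts_in_zip(zip_bytes):
    """Names of script-like members inside a ZIP attachment: the downloader
    stage these campaigns hide behind a bill-shaped archive name."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def offbrand_links(html, legit):
    """Hosts of links in the body that are not on the brand's domains, e.g. a
    'View my Bill' button pointing at a file-sharing site."""
    hosts = []
    for url in HREF_RE.findall(html):
        host = (urlparse(url).hostname or "").lower()
        if host and not _domain_matches(host, legit):
            hosts.append(host)
    return hosts


def triage(message):
    """message: {'from': str, 'html': str, 'attachments': {name: bytes}}.
    Returns human-readable findings; an empty list means nothing tripped."""
    findings = []
    domain = sender_domain(message["from"])
    brand = lookalike_brand(domain)
    if brand:
        findings.append(f"sender domain {domain} borrows brand keyword '{brand}'")
    # Which brand does the mail claim to be from? The borrowed keyword if any,
    # otherwise whichever brand the sender domain genuinely belongs to.
    legit = BRAND_KEYWORDS.get(brand) or next(
        (d for d in BRAND_KEYWORDS.values() if _domain_matches(domain, d)), set())
    if legit:
        for host in offbrand_links(message["html"], legit):
            findings.append(f"bill link leaves the brand domain: {host}")
    for name, data in message["attachments"].items():
        if name.lower().endswith(".zip"):
            for member in scripts_in_zip(data):
                findings.append(f"ZIP {name} contains script {member}")
    return findings


def _zip_with(name, content):
    """Build an in-memory ZIP holding one member (for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample messages modelled on the lures described above; not real captures.
FAKE_BILL = {
    "from": "EnergyAustralia <billing@energybrandlab.com>",
    "html": '<p>Your bill is ready.</p><a href="https://example.sharepoint.com/bill">View my Bill</a>',
    "attachments": {
        "EnergyAustralia Electricity bill.zip": _zip_with(
            "EnergyAustralia Electricity bill.js", "// downloader stage would sit here"),
    },
}

REAL_BILL = {
    "from": "EnergyAustralia <noreply@energyaustralia.com.au>",
    "html": '<a href="https://www.energyaustralia.com.au/myaccount">View my Bill</a>',
    "attachments": {"bill.pdf": b"%PDF-1.4 ..."},
}

if __name__ == "__main__":
    for label, msg in (("fake", FAKE_BILL), ("real", REAL_BILL)):
        print(label, triage(msg))
```

The keyword match is deliberately loose (it would also flag an unrelated "energy" company), so in practice this belongs in a scoring pipeline alongside SPF/DKIM/DMARC results and domain age, which the article notes was one day for the EnergyAustralia campaign, rather than as a hard block on its own.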

Other fake Telstra bill scams were being used to spread the TrickBot credential-stealing trojan as well as Gozi, according to CommBank, which notes that fake bills also cost the abused brands, since they undermine legitimate email marketing.
