Don’t click “View my bill”

Cybercrooks are once again sending spam with fake Telstra and EnergyAustralia email bills to infect Australian PCs with trojans that steal online banking credentials.

Researchers at security firm Trustwave detected an uptick in mid-September of fake EnergyAustralia bills carrying links that install a variant of the infamous banking trojan Gozi. Clicking the “View my Bill” button in the email leads victims to a page that downloads a ZIP archive named “EnergyAustralia Electricity bill.zip”, which supposedly contains the bill. Extracting the ZIP yields a JavaScript downloader, which fetches an executable that installs the Gozi credential stealer together with a convincing bill in PDF format; the PDF is there to keep the victim occupied while the malware installs in the background. Once installed, the malware monitors browser activity and can fetch further components for keylogging, screen capture and email theft, as well as download other malware.

Fake bills have plagued well-known brands for some time and are unlikely to disappear any time soon. In June, EnergyAustralia warned customers to watch for fake bills with the subject line “Bill Payment Status: UNPAID”; the attackers behind that campaign set up a page mimicking the firm’s MyAccount portal to capture customer passwords. Scammers were also using bogus Origin Energy bills to trick recipients into installing Gozi, according to CommBank’s Q3 2017 security report, which notes that fake EnergyAustralia bills linking to Gozi were spread between June and September. Other brands abused for spreading malware included Telstra and AGL.

The batch of fake EnergyAustralia bills that Trustwave detected was sent from the domain “energybrandlab[dot]com”, which was registered on 17 September. The name makes the From field in the email look legitimate at a glance. The scammers embedded Microsoft SharePoint links in the “View Bill” button to lead victims to the malware.
One day after the look-alike domain was registered, Trustwave saw a rise in phishing messages carrying the spoofed bills. Trustwave also caught a fake Telstra bill on 27 September that used the same techniques as the fake EnergyAustralia bills, but was sent from the domain “businessdirs.com” with “telstra” tacked on to the front. If recipients click the “View Bill” button in the fake Telstra bill, the JavaScript downloader fetches a different banking trojan, Emotet, along with an actual PDF of the fake Telstra bill. Emotet can steal credentials and can also send spam and phishing email from infected machines. Other fake Telstra bill scams were being used to spread the TrickBot credential-stealing trojan and Gozi, according to CommBank, which notes that fake bills also cost the abused brands, because they undermine the brands’ legitimate email marketing.
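The campaigns above share three observable traits: a bill-themed message from a domain that merely contains a brand name, a “View Bill” link hosted on a file-sharing service rather than the brand’s own site, and a ZIP attachment whose real content is a script downloader. The following mail-triage script scores a message on those traits. It is an added example written for this page and is not code from Trustwave, CommBank or either brand; the brand keyword list, the allow-list of legitimate sender domains, the file-sharing host list and the sample messages (including the SharePoint tenant URL) are all assumptions constructed for the demonstration.

```python
"""Triage heuristics for fake-bill phishing (constructed example, not vendor code)."""
import email
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default as default_policy
from urllib.parse import urlparse

# ASSUMED lists: brand names attackers embed in look-alike domains, the domains
# the brands genuinely send from, and file-sharing hosts abused for bill links.
BRAND_KEYWORDS = ("energyaustralia", "energy", "telstra", "origin", "agl")
LEGIT_SENDER_DOMAINS = {"energyaustralia.com.au", "telstra.com",
                        "originenergy.com.au", "agl.com.au"}
SHARING_HOSTS = ("sharepoint.com", "onedrive.live.com")
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".hta")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
BILL_RE = re.compile(r"\b(bill|invoice|payment|unpaid)\b", re.I)


def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if absent)."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def lookalike_brand(domain):
    """Brand keyword found inside a domain the brand does not own, else None."""
    if domain in LEGIT_SENDER_DOMAINS:
        return None
    return next((k for k in BRAND_KEYWORDS if k in domain), None)


def zip_script_members(payload):
    """Names of script files inside a ZIP payload (empty if not a valid ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Return sender domain, the signals found and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=default_policy)
    signals = []
    domain = sender_domain(msg)
    brand = lookalike_brand(domain)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    bill_themed = bool(BILL_RE.search(msg.get("Subject", "")) or BILL_RE.search(text))
    if brand and bill_themed:
        signals.append(f"bill-themed mail from look-alike domain {domain!r} (contains {brand!r})")
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if bill_themed and host.endswith(SHARING_HOSTS):
            signals.append(f"bill link hosted on file-sharing host {host}")
            break
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            scripts = zip_script_members(part.get_payload(decode=True))
            if scripts:
                signals.append(f"ZIP attachment {name!r} contains script(s): {scripts}")
    # Two independent signals are required so that a brand keyword alone
    # (e.g. 'agl' inside an unrelated domain) does not flag a message.
    return {"sender_domain": domain, "signals": signals, "suspicious": len(signals) >= 2}


def build_sample(from_addr, subject, html, zip_members=None):
    """Construct a test message; zip_members maps filenames to bytes for a ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Please view your bill.")
    msg.add_alternative(html, subtype="html")
    if zip_members:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in zip_members.items():
                zf.writestr(name, data)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="EnergyAustralia Electricity bill.zip")
    return msg.as_bytes()


# Constructed samples: the look-alike sender domain is the one named in the article;
# the SharePoint tenant URL and the script body are hypothetical.
FAKE_BILL = build_sample(
    "EnergyAustralia <billing@energybrandlab.com>",
    "Your EnergyAustralia bill is ready",
    '<p>Your bill is ready.</p>'
    '<a href="https://example-tenant.sharepoint.com/bill/view">View my Bill</a>',
    {"EnergyAustralia Electricity bill.js": b"// downloader stub (constructed)"},
)
BENIGN = build_sample("Alice <alice@example.org>", "Lunch on Friday?", "<p>Lunch?</p>")

if __name__ == "__main__":
    for label, raw in (("fake bill", FAKE_BILL), ("benign", BENIGN)):
        print(label, triage(raw))
```

The script reads the decoded ZIP payload rather than trusting the attachment name, so a renamed archive is still inspected; it does not extract or execute anything. Thresholding on two signals is the practical trade-off noted in the code: the brand keyword check alone is too noisy for production use, but combined with a file-sharing link or a script-in-ZIP it matches the chain the article describes.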