
ASIC, MailChimp, Xero, MYOB and Sage impersonated in Aussie email scams

Samira Sarraf | Sept. 22, 2017
Learn more about the phishing scams targeting Australian inboxes this week.

Fraud alert

Scammers have hidden behind the Australian Securities and Investments Commission (ASIC), MailChimp, Xero, MYOB and Sage following a week of heightened email activity across Australia.

On Monday, ASIC warned Registry customers, once again, that an ongoing scam was using its brand to ask customers to pay fees and give personal information to renew their business or company name.

"These emails often have a link that provides an invoice with fake payment details or infects your computer with malware if you click the link," ASIC warned customers.

Email filtering company MailGuard said it began blocking the very large run of emails at 08:16AM on Monday.

According to MailGuard, the display name ASIC Messaging Service and sending email @ may resemble legitimate credentials; however, the domain was only registered yesterday in China.

The fake ASIC emails tell recipients their business names are due for renewal, directing them to download the renewal notice.

The link in the email prompts users to download a .ZIP file containing a malicious JavaScript file. The downloaded file seeks to steal the users' private credentials from local internet browsers, and installs itself to run automatically at Windows start-up.

Similar scams purporting to be from ASIC have taken place in August, July and April.

On Tuesday, email scams claiming to be from accounting software providers MYOB and Xero were blocked by MailGuard.

The MYOB scam claimed to be sending recipients a supply order for signature, with a DocuSign link to a malicious .ZIP download. The email was sent from randomised names 'via DocuSign'.

In June, MYOB had its brand hijacked in what was reported to be "the biggest scam email influxes" MailGuard detected in the past 12 months.

Meanwhile, the Xero scam was picked up at the same time and, according to MailGuard, pretended to be sending an invoice for the Xero subscription. It was sent from Xero Billing Notifications, with the link to 'View your bill' leading to a malicious .ZIP payload.

On the same day, cyber criminals used Sage's brand in a new attack that lasted until Wednesday morning.

The Sage scam imitated a subscription invoice with a link to a compromised SharePoint site hosting a .ZIP archive with a malicious JavaScript file.

According to MailGuard, the display name for the attack was Sage, with a sending and display address of noreply@sageim(dot)com. The sending domain sageim(dot)com was registered on the 18th of September with a registrar in China.
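The two indicators MailGuard describes for the Sage run, a brand in the display name that does not match the sending domain and a domain registered only days earlier, can be checked mechanically. The following is an added example, not MailGuard's filter logic; the brand-to-domain allowlist, the 30-day threshold, the receipt date and the registration-date lookup table are assumptions.

```python
from datetime import date
from email.utils import parseaddr

# Assumption: domains each brand legitimately sends from, maintained by the defender.
BRAND_DOMAINS = {"sage": {"sage.com"}, "xero": {"xero.com"}, "myob": {"myob.com"}}
MAX_AGE_DAYS = 30  # assumption: younger domains count as newly registered


def sender_parts(from_header):
    """Return (display name, lowercase sending domain) from a From: value."""
    # Re-fang "(dot)" first: parentheses are comments in RFC 5322 addresses.
    name, addr = parseaddr(from_header.replace("(dot)", "."))
    return name, addr.rpartition("@")[2].lower()


def check_sender(from_header, received, registered_on):
    """Return findings for one message.

    registered_on maps domain -> registration date (filled from a WHOIS/RDAP
    lookup done elsewhere); domains missing from it are not age-checked.
    """
    name, domain = sender_parts(from_header)
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in name.lower().split():
            continue
        # Accept the brand's own domain or any subdomain of it.
        if not any(domain == d or domain.endswith("." + d) for d in legit):
            findings.append(f"display name uses '{brand}' but domain is {domain}")
    created = registered_on.get(domain)
    if created is not None:
        age = (received - created).days
        if age < MAX_AGE_DAYS:
            findings.append(f"{domain} was registered {age} day(s) before receipt")
    return findings


# Sage sender as quoted in the article; the year 2017 and the receipt date
# are assumed from the article's date. The Xero line is a constructed control.
REGISTERED = {"sageim.com": date(2017, 9, 18)}
SAMPLES = [
    "Sage <noreply@sageim(dot)com>",
    "Xero Billing Notifications <billing@xero.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header, date(2017, 9, 19), REGISTERED))
```

A check like this only covers spoofed senders on lookalike domains; mail sent through a hijacked account on a legitimate platform passes both tests.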

On Wednesday, a MailChimp account was hijacked to deliver malicious code. An email from "DVDs Manager" was sent through the email marketing company's services with a fake order confirmation.

The emails contain a 'view your order' link that goes to a benign .docx file hosted on MailChimp. The .docx file contains CDF (computable document format) documents that can be opened in Microsoft Word or Excel.

