Another Taxation phishing email scam
It’s heading towards the end of financial year in Australia. This is the starting gun for an unending stream of phishing emails promising a tax rate reduction, a tax refund or a payment. The wonders of technology. The rest of the email is ho-hum. In fact, there is no rest of the email: it is two sentences in length. The single payload is an attached zip file. The payload on the zip file varies, but in observed cases it installs a version of CryptoLocker. This phishing campaign started today.
We expect the intensity of phishing campaigns using tax refunds as bait to continue through June and into July. Credit must go to the creators of the campaign: they know when the Australian financial year begins and ends.
The malicious email and attachment is displayed as Figure A. The email is simple. Two sentences explain that the tax rate will decrease from July 2015. The email says that the attached zip file has the amount that you will be compensated. The attachment is called “Levy_information.zip”. Downloading and installing the software will show what the amount is. The email uses the subject line “Tax refund” or “Taxes this year”.
Unfortunately, the email often originates from hacked email accounts. The criminals are using the hacked email accounts to spread the malware. If you do receive this email, it may be from someone you know, be wary.
The payload in some cases has included CryptoLocker, or a variant of it. CryptoLocker is a form of ransomware, often spread via email attachments. Once installed, it searches local and network drives for office documents and picture files. It encrypts those files. When the user attempts to open a file, a ransom message is displayed. The ransom amount varies.
We cannot emphasize enough the dangers of downloading email attachments. If you have not verified the source, do not download the attachment. This email is dangerous; delete it immediately. Check the Australian Taxation Office online security page for further reading.