Fake reassessment notice installs CryptoLocker

Fake reassessment notice installs CryptoLocker

This morning a slew of phishing emails supposedly from the NSW Office of State Revenue starting hitting our email filters. These emails are similar to the fake speeding fines that appeared over the course of 2014. They also end up delivering a similar payload; a variant of the CryptoLocker virus ends up being installed on the victim’s PC. This type of malware is particularly nasty, as it can lock up your files. The only realistic remedy is to restore from a backup.

The NSW Office of State Revenue (OSR for short) is a NSW government department that looks after collection of revenue and taxes for the NSW government in Australia. Figure A shows a typical example of one such email that is masquerading as being from the OSR. It features an authentic looking NSW government logo. The subject line of the email reads “Reassessment notice – 6178715853/4665”. Note however that the numbers in each email subject line are likely to vary. The sender of the email is listed as “OSR | Interest and penalty information”.

The main sign that this email is a fake is the link. Mousing over the link shows that it does not go to a NSW government domain; instead it leads to a malicious site that looks like the real OSR site, but is designed to serve malware to the victim’s PC. The malware in this case is CryptoLocker. CryptoLocker will lock Office documents on local and network drives, and display a ransom message when the user attempts to open the files. It is recommended that you do not pay the ransom.

The Office of State Revenue is aware of this scam, and has published a notice on their website regarding this and other known scams.

Scott Reeves
MailShark
Free anti-spam service
Free email filter service