Week in review 30 January 2015
ANZ bank customers seemed to be the targets for phishing emails this week. Perhaps it had something to do with the Australia Day holiday that fell on Monday this week. The other phishing email of note purported to be from FedEx; sadly the only delivery was malware. Read on to see our week in review.
Fake FedEx agent notice installs malware
A public holiday on Monday meant that the start of the working week was Tuesday. And we started off with a FedEx email, informing the recipient that they had a shipment awaiting delivery. The email tells the recipient that they just need to download an attachment contained in the email, print off the invoice in said attachment, and present it to the nearest DHL depot. However, downloading the attachment installs malware onto the victim’s PC. The malware is usually a version of CryptoLocker, which is a form of ransomware. CryptoLocker will encrypt Office files on local and network attached drives, and displays a message when the user attempts to open a file. The message tells the user their files are encrypted, but if they pay a ransom, a private key will be supplied. The private key (supposedly) will allow the users to access their files.
ANZ phishing email uses incorrect date
The start of a flood of ANZ phishing emails was led by this particular sample. In this email, the recipient is informed that a “Suspicious Login Attempt” has failed. The email specifies an exact time, date and day of the week. The email goes on to suggest that the recipient download a form attached to the email. The form is a fairly realistic looking facsimile of the ANZ bank website. It requests numerous details, including all bank account numbers. It is of course a fake, designed to harvest personal details from the user. However, one of the interesting aspects of this email was that the date chosen by the criminals was incorrect. The email says that the suspicious login attempt took place on a Thursday. The date was given as January 24, 2014. However, January 24 in 2014 actually fell on a Friday.
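The weekday slip described above can be checked mechanically when triaging a suspect message. As an added example (not from the original post), this Python function finds date stamps that name a weekday in an email body and reports any whose weekday disagrees with the calendar; the stamp format and the sample text are assumptions constructed for illustration.

```python
import re
from datetime import date

MONTHS = {m: i for i, m in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}
WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday",
            "friday", "saturday", "sunday"]  # index matches date.weekday()

# Assumed stamp format, e.g. "Thursday, January 24, 2014" or
# "Thursday January 24th 2014" (case-insensitive).
STAMP = re.compile(
    r"\b(?P<wd>" + "|".join(WEEKDAYS) + r")\b[,\s]+"
    r"(?P<month>" + "|".join(MONTHS) + r")\s+"
    r"(?P<day>\d{1,2})(?:st|nd|rd|th)?[,\s]+(?P<year>\d{4})\b",
    re.IGNORECASE)


def weekday_mismatches(body):
    """Return one tuple per inconsistent stamp found in the text:
    (claimed_weekday, iso_date, actual_weekday), or
    (claimed_weekday, matched_text, "invalid date") for impossible dates."""
    findings = []
    for m in STAMP.finditer(body):
        claimed = m["wd"].title()
        try:
            d = date(int(m["year"]), MONTHS[m["month"].lower()], int(m["day"]))
        except ValueError:
            # e.g. "February 30": no such calendar day, also worth flagging.
            findings.append((claimed, m.group(0), "invalid date"))
            continue
        actual = WEEKDAYS[d.weekday()].title()
        if actual != claimed:
            findings.append((claimed, d.isoformat(), actual))
    return findings


# Constructed sample text; the wording of the real email is not on the page.
SAMPLE = ("Suspicious Login Attempt failed on Thursday, January 24, 2014 "
          "at 10:15 AM. Please complete the attached form.")
CLEAN = "Your statement for Friday, January 24, 2014 is ready."

if __name__ == "__main__":
    for finding in weekday_mismatches(SAMPLE):
        print(finding)
```

A mismatch is a weak signal on its own and is best combined with other checks, since legitimate senders occasionally make the same mistake.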
Account locked begins ANZ phishing email
Finally, we received a slightly confusing phishing email, also aimed at ANZ customers. In this email the user is informed that their account is locked; however, the body of the email says the account is closed to outgoing transfers. A little bit contradictory. The email does use an authentic looking ANZ logo, and the text of the link contained in the email looks realistic, with the words “ANZ” and “security” forming part of the text. However, the actual URL linked to is a phishing site.