ARN provides a weekly wrap of the phishing scams, malware attacks and security breaches impacting organisations across Australia.
This week, Amazon, Bakerdays and several other local businesses have had their brand names hijacked in malicious email attacks.
It didn’t take long for cyber criminals to start targeting Amazon’s customers. Following the launch of the online retail giant’s Australian store on 5 December, scammers started using the company's brand on 7 December.
Email filtering company, MailGuard, caught a scam of fake payment receipts containing malicious JavaScript code.
The email subject was “Thank you for shopping with Amazon”, which many did according to the company who said the first day orders were higher than any other launch day in the company’s history.
The message contained an “order confirmation receipt” with a link that opened a .zip file containing the malicious JavaScript file inside.
Fake Bakerdays’ Quickbooks invoices were observed on 4 December. The fake invoice contained a link that, if clicked on, would take recipients to JavaScript file hosted on a compromised SharePoint account.
That is what MailGuard revealed after it intercepted the “large batch” of emails having detected “thousands”.
The sender email address (andrea[at]bakerdays[dot]com) was described as convincing by MailGuard.
“Our team believe that the JavaScript downloads and executes malware stored on yet another compromised SharePoint account,” the company wrote in a blog post.
What the company thought it made the emails suspicious was the invoice file in a .zip format, which is usually used to disguise an .exe (executable) file. In this case however, the file was a .js (JavaScript) one.
The day after followed with the exact same type of email scam targeting several different brand names including Russian Accent, Capital Kitchen, Allband Antennas and others, according to MailGuard.
The email filtering company alerted to the fact that, even though the invoices had different values and were sent from different brands all had the text ‘INV-0601’ in the subject line.
The messages originated from newly registered domains in a Chinese registry.
“As was the case in yesterday’s email attack, these messages contain a ‘View Invoice’ link which directs the victim to a .zip file on a compromised SharePoint account. If they download and open the .zip file, it activates JavaScript code which downloads malware to their computer,” MailGuard wrote.
“JavaScript payloads like the one these messages link to can do many things from installing malware or spyware on computers to encrypting files and locking hard drives.”
Other brand names used in this attack, identified by MailGuard were:
- The Hopkins Group
- Tijac Pty Ltd
- Lms Lawyers Services
- Catering Now
- Allcraft Cabinet Works
- Resolution Propety Group Pty Ltd
- Becton Property Group Limited
- Pearce-Higgins Simon
- OneLeap Finance
- Fence Factory
- Rocdon Development Pty Ltd
- Posh Opp Shoppe
- Red Earth Developments Australia Pty Ltd
- Mutual Property Consultant
- Brilliance Developments
- J N Mousellis Civil Contractors
- McInnes Management
- McKinnon Cabinetmakers
- Oxfam Shop
- FKP Property Group
- Jimmy Choo
- Silk Homes
- CT Corporate Living
- Native Design Workshop
- Dexus Property Group
- Burger Martine Dr.
- Mitchell Brandtman
- BO Group
- Burger Martine Dr.
- Asian Wok
