Surety IT Security Alert – December 2020

Surety IT provides a monthly security alert of the scams impacting Australian businesses including phishing scams, malware attacks and security breaches/bugs.

• Recipient not being directly addressed
• Sender domains don’t belong to the sites they claim to be from
• Branding not displayed correctly
• Spelling errors
• Spacing and formatting errors
• Domains aren’t familiar or not legitimate
• Poor English used
• Omit personal details that a legitimate sender would include
• Sent from businesses that you were not expecting to hear from
• Stray PHP tag (“?>”) at the bottom of the email.

You need to be particularly aware of:

Adyen Phishing Email

• Impersonates payment processing company Adyen and claims to share an urgent settlement document with the recipient.
• The email appears as though it was generated through DocuSign and informs recipients that their document has been completed.
• The email includes a detailed footer with information relating to DocuSign documents and employs Adyen’s logo and branding elements to appear legitimate. However, this email originates from a compromised account.
• Clicking the link to view the document leads to a fake login page purporting to belong to business file sharing service, Box. This page employs the logo and branding elements belonging to the file sharing service, but the page’s URL is not hosted on a domain belonging to Box.
• This page directs the user to sign into either their office 365 email or another account.
• Once the user has signed into their chosen account, they are redirected back to the login page.

Shopify Phishing email

• This phishing email purports to be from popular e-commerce company, Shopify.
• Titled “Your Failed Pay-out”, the email uses the display name ‘Shopify’ and employs the brand’s logo. However, the sender’s email address uses a domain not belonging to Shopify.
• The email informs recipients that their ‘pay-out couldn’t be deposited’ due to their banking details being incorrect and provides the user with a link to update their details, warning users that in 24 hours the link will expire.
• Recipients who click the link to update their details are sent to a fake Shopify login page which requests they enter their shopify store address and Shopify account credentials.
• Once users have submitted their login credentials, they are led to a similar page requesting their banking details.
• After the user submits their banking details, they are redirected to the real Shopify login page.

Dropbox Phishing Email

• This email claims to be a file-sharing alert and mimics the style of a Dropbox notification.
• Titled: “Important Document is attached to your email”, a button is provided within the email for recipients to view this ‘important document’.
• Recipients who click to view the file transfer are redirected to a page employing the same Dropbox type  styling as the email, where the users are informed they have been ‘invited to view the attached share file’ and signs off from the Dropbox team.
• Upon clicking the link to view the file transfer, users are led to a fake Office 365 sign in page, the URL however doesn’t use a domain belonging to Dropbox or Office 365.
• Once the user submits their details the page redirects them to Office.com.

cPanel Phishing Email

• This email purports to be an auto-generated notification from cPanel.
• Titled: ‘Password Expired’, this email informs users to ‘kindly request a new password’ or to click a button to keep using their current password as it has now expired and warns users to ‘avoid getting locked out’.
• The email uses the logo and branding elements belonging to cPanel but originates from an email hosted on a domain not belonging to cPanel.
• Recipients who click the button to keep their current password are sent to a login page which uses cPanel’s logo and prompts them to login to their account.
• Once these details are entered, the user is redirected to their domain’s website.

Suncorp Phishing Email

• Impersonating Suncorp Bank, this phishing email is titled “Dear Suncorp Customer You Have 1 New Message & Alert”.
• This email employs Suncorp’s logo and branding and uses the display name “Suncorp Bank” but originates from a domain not belonging to Suncorp.
• It informs users of a new message in their internet banking account and provides a link for them to ‘log on and view your message’.
• Recipients who click the link are led to a fake Suncorp-branded login page. This page requests the user’s bank account number, password, and security code.
• Once the user submits these credentials, they receive a message that informs them their account has been successfully updated  and are then redirected to the real Suncorp website.

DHL Phishing Email

• Masquerading as popular shipping company DHL, this email is titled: “Your package will be sent within 48 hours”.
• Claiming to be a notification sent from DHL customer care, this email uses the company’s branding and logo but originates from a third-party server hosted on a domain not belonging to DHL.
• Users are informed they must complete payment of their shipping fee to receive their package along with a link provided to them to do so and an estimated delivery date.
• Clicking the link leads to a fake DHL-branded page containing an “important message”.
• When users click ‘next’ they receive a message informing them they must confirm payment within the next 14 days to complete the delivery as soon as possible and are requested to submit their personal contact information and credit card details.
• Once these details are submitted, the user is led to a verification page to confirm their payment with an SMS code, which they never receive.

If you’d like any further information, assistance with your cyber security or you don’t know where to start, please call Surety IT on 1300 478 738 or Email us.