Surety IT Security Alert – May 2021

Surety IT provides a monthly security alert of the scams impacting Australian businesses including phishing scams, malware attacks and security breaches/bugs.

• Recipient not being directly addressed
• Sender domains don’t belong to the sites they claim to be from
• Branding not displayed correctly
• Spelling Errors
• Spacing and formatting errors
• Domains aren’t familiar or not legitimate
• Poor English used
• Omit personal details that a legitimate sender would include
• Sent from businesses that you were not expecting to hear from
• Stray PHP tag (“?>”) at the bottom of the email.

You need to be particularly aware of:

Microsoft & Adobe Spark Phishing Email

• With the subject of ‘Invitation to Bid’, this phishing email ‘invites your firm to submit a proposal in accordance with this RFP Package’.
• Due to the size, the file has been uploaded to SharePoint and a link is provided for recipients to view the documents.
• Originates from a compromised email account.
• Those who click on the link are led to a web page which requests another link be clicked in order to ‘view proposal’ which also includes the Adobe Spark logo and branding.
• Once the second link is clicked, users are prompted to sign in via a fake page purporting to be Microsoft which is actually a phishing page hosted on Cloudfare.
• If credentials are entered, these are then harvested by cybercriminals and prompted that the email or password is incorrect.

Australia Post Phishing Email

• Uses a Australia Post branding and a display name of ‘parcelmonitor’ and is sent using a compromised domain that doesn’t belong to parcelmonitor.
• The email reminds recipients to pay their ‘pending shipping cost’, adding that the delivery will be cancelled if not paid within 48 hours.
• Recipients who click on the provided link to ‘schedule their delivery’ are led to several phishing pages requesting user deliver preferences including time and shipping address.
• Domains used don’t belong to Australia Post.
• Once preferred delivery options are selected, users are then asked to provide personal details such as name, email, phone number and a password of their choice and also valid credit card details.

DHL Phishing Email 1

• Domain used in the senders email address has spoofed DHL and originates from a hosting provider based overseas.
• High quality DHL branding is used throughout including the logo.
• Informs recipients that ‘delivery attempt failed’ and warns that if it isn’t rescheduled or picked up within 72 hours, it will be returned to the sender.
• Those who open the HTML attachment are led to a phishing pages using Adobe PDF branding to log in.
• Once credentials are entered, recipients are redirected to a compromised external website hosted on Namecheap where information is harvested.
• Users are then redirected again to a domain associated with the users email address, for example, if Gmail is used, they are redirected to Google.

DHL Phishing Email 2

• Uses a display name of ‘DHL’ and uses the company’s branding.
• Senders email originates from a SendGrid account that is likely compromised.
• Informs users to complete payment of their shipping fee in order to receive the delivery.
• A tracking code, expected delivery date and a link is provided.
• Those who click ‘Pay’ are led to a phishing ‘DHL Tracking’ page and requested to confirm payment within 14 days by clicking the ‘next’ button.
• Users are then requested to provide credit card information, names, addresses and a verification code.
• The phishing pages used in this scam do not belong to DHL and are hosted on a third-party platform designed to harvest person details.