New scam emails out of Australia?



Billy T
14-12-2012, 06:19 PM
I've received two in the last two days, arriving via a dormant Xtra address once used by my daughter, but remaining aliased on my main Xtra email address.

The first was for Queensland Transport and was in another class altogether when compared to the usual stuff. The English was impeccable and they had lifted complete sections from the QT website. The overall design was very convincing too, all but for one critical detail, our daughter is in Victoria, not Queensland. The attached file was a [filename].pdf.zip and I assume that opening the file will trigger the nasties.

The next one was for Virgin Blue and was identical in quality, very convincing, and again carrying a [filename].pdf.zip file.

I'm pretty sure these are scams, but there was nothing in the text to indicate what they were after, in fact if you had dealings with either organisation I reckon you would accept them as kosher.

My question is, what sort of payload would they be likely to carry, and am I right to assume that opening the zip file would start the infection or other nasties? My guess is that they were after bank account details and passwords.

Cheers

Billy 8-{) :badpc:

inphinity
14-12-2012, 06:33 PM
I've seen the Virgin Blue one, it does look genuine, and in fact all the links to it go to genuine VB pages - but the attachment is not exactly full of friendliness ;)

Billy T
14-12-2012, 08:08 PM
I've seen the Virgin Blue one, it does look genuine, and in fact all the links to it go to genuine VB pages - but the attachment is not exactly full of friendliness ;)

Smart Bastards :annoyed:

What sort of payload would it be likely to carry?

Cheers

Billy 8-{)

GameJunkie
14-12-2012, 10:33 PM
open it in a virtual machine and find out??

Robin S_
14-12-2012, 10:57 PM
... - but the attachment is not exactly full of friendliness ;)

Please expand - what did it contain?

Billy T
16-12-2012, 11:16 PM
Received another this morning, Virgin Blue again.


This message has been processed by Symantec's AntiVirus Technology.

Virgin-Itinerary.pdf.XM3840.exe was infected with the malicious virus Backdoor.Trojan and has been deleted because the file cannot be cleaned.

Note that no zip file was used in this instance.

For more information on antivirus tips and technology, visit http://ses.symantec.com/

In the header, this one contained one of my two business addresses and was From: "my name" <my logon@xtra.co.nz>
To: <my logon@xtra.co.nz>
Subject: FW: Your Virgin Blue Itinerary
Date: Fri, 14 Dec 2012 17:43:05 +1300

It seems to indicate that I sent it to myself, but curiously, it was followed in the header by this:

From: virginblue.com.au [mailto:itineraries@virginblue.com.au]=20
Sent: Thursday, December 13, 2012 12:38 PM
To: [my daughter's alias name on my account]@xtra.co.nz
Subject: Your Virgin Blue Itinerary

Another quite convincing effort!

Looks like there is a campaign running............

Cheers

Billy 8-{)

Slankydudl
17-12-2012, 10:07 AM
Well, at least someone has taken the effort to make it look convincing.

B.M.
17-12-2012, 01:41 PM
Just had the neighbour rush over with this one, supposedly from Westpac Australia. (She has an account with them)

She has rung the local branch who are treating the matter very seriously and have even contacted Australia.

However, they have put a hold on all her accounts here and Aus until she calls into the local branch with a copy of the E-Mail. What a pain.

So she is off down there now trying to sort things out.

Anyway, this is what it looks like with her ID blacked out.

Billy T
17-12-2012, 05:53 PM
Here is yet another.

These are no longer an oddity, they are the makings of a campaign:

----------------------------------------------------------------------------------

Transaction Receipt

Jackgreen EnergySydney, NSW, Australiawww.jackgreen.com.au1300 46 5225 [note the missing spaces in this line].
Client Reference/Invoice Number:6377876529
Please refer to attacehd file for full Transaction Receipt Details
Please keep these details on record for reconciliation purposes.


Content-Type: application/zip; name="Jackgreen-Energy-Transaction-Receipt.zip"
Content-Transfer-Encoding: base64
Content-ID: <003701cddc33$e199d390$c110a8c0@H715M8>

----------------------------------------------------------------------------------

That was extracted from the header in mailwasher.

You may not see the zip file in your browser, it might just show as a link.
Smarter members than I might be able to expand on that comment.

Cheers

Billy 8-{)

ManUFan
18-12-2012, 02:03 PM
Have also had one from Vodafone thanking me for a non-existent payment I made! Also another pxt from a number I don't even know (an Aussie 061.....). Just gotta be careful I guess.

Oh yes - both with attached ZIP files! Open these please (LOL)

Billy T
19-12-2012, 08:14 PM
Have also had one from Vodafone thanking me for a non-existent payment I made! Also another pxt from a number I don't even know (an Aussie 061.....). Just gotta be careful I guess.

Oh yes - both with attached ZIP files! Open these please (LOL)

I just received that one as well.

It seems to be an organised campaign building up its operation, so let your friends know what is happening.

It is the apparent genuineness of the emails that will catch them, that and the links to 'real' pages from the spoofed site.

Cheers

Billy *<8-{)=

Billy T
19-12-2012, 11:50 PM
These guys are really getting down to it.

Now the Tax Office wants me, and Vodafone


Content-Type: application/zip; name="TaxAgentReport.xls.zip"

Account Number: 90104875
Payment Method: DirectDebit - Bank Account

And Vodafone is on my tail as well:

Bill Reference: P1-58869888
If you paid by Direct Debit, please allow up to four working days for this transaction to clear.
To find out more about this payment alert click herehttp://www.vodafone.com=3D.au/billingalerts
To view or update your account details easily online, login to My Vodafone at myvodafone.com.au,
available 24/7.

Kind Regards
Jobie Lebler
General Manager - Customer Care

This email was sent to you byVodafone from a notification only address.
Please don't reply to this email.
Copyright 2011 Vodafone Pty Limited ABN 76 062 954554


Content-Type: application/zip; name="P-68209077.5792.pdf.zip"


I won't bore you with the rest.

Cheers

Billy *<8-{)=

Billy T
20-12-2012, 08:51 AM
Another Vodafone and another Tax Office this morning, both different to the previous messages, and again, very convincing, just the odd spelling error and words run together to suggest that all is not kosher.

I'm not sure why anybody in Oz would be targeting Kiwis at NZ email addresses, it is a dead giveaway that they are scams.

No doubt they will continue to flow in, but I'll not post any more, that's enough to alert anybody here.

Cheers

Billy *<8-{)=
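
Added example, not part of any post in this thread: a Python check for the attachment naming pattern reported above (`.pdf.zip`, `.xls.zip`, `.pdf.XM3840.exe`), which also lists the member names of a zip attachment without extracting anything. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed lists for illustration; tune them to your own mail policy.
DOC_EXTS = {".pdf", ".xls", ".doc", ".jpg", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

def name_findings(filename):
    """Return the reasons a file name looks deceptive (empty list if none)."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    findings = []
    if len(suffixes) >= 2 and any(s in DOC_EXTS for s in suffixes[:-1]):
        findings.append(f"document extension hidden before final {suffixes[-1]}")
    if suffixes and suffixes[-1] in EXEC_EXTS:
        findings.append("executable final extension")
    return findings

def scan_message(raw):
    """Map attachment name -> findings for one raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings = name_findings(name)
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            # Read the archive's directory only; no member is extracted or run.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    findings += [f"zip member {member}: {r}" for r in name_findings(member)]
        if findings:
            report[name] = findings
    return report

def build_sample():
    """Constructed sample: a harmless zip whose member name mimics the trick."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Itinerary.pdf.exe", b"placeholder text, not a program")
    msg = EmailMessage()
    msg.set_content("Please refer to attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="TaxAgentReport.xls.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A plain `.zip` name with no inner document extension passes the name check, so the member listing is what catches an executable packed inside it.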