Australians have been warned not to click on "high-risk" Australian Taxation Office scam emails, which have hit inboxes across the country this morning.
Details of a large-scale malicious email impersonating the ATO have been revealed, with thousands of messages distributed nationwide - each with a unique link, making it hard for anti-virus software to detect the bulk email as suspicious.
Distributed in bulk just as most Australians arrived at work this morning, the malicious email has the potential to infect computer systems with anything from keylogging spyware to file-encrypting ransomware CryptoLocker.
Purporting to come from the ATO, the message tells recipients their Business Activity Statement (BAS) is available to view, with the well-formatted email including the Australian Government coat of arms image sourced from the ATO website.
“This is an effort by the scammers to add legitimacy to their scam email, in an attempt to bypass filtering software,” MailGuard CEO, Craig McDonald, told ARN.
“If clicked, the link triggers the automatic download of a malicious file housed on a compromised SharePoint site. The downloaded .zip file contains a malicious JavaScript file.
“This is used to download further malware such as CrytoLocker or CryptoWall ransomware, or spyware such as key loggers.”
While the sender address is ‘BASnotification@ato.gov.au’, McDonald said the message originates from a compromised SendGrid account - an increasingly frequent vehicle for malware attacks uncovered by MailGuard in recent months - which specialises in bulk email delivery.
“None of 64 well-known antivirus providers were detecting the link as potentially dangerous this morning, according to analysis by virus scanning aggregation tool VirusTotal,” McDonald added.
A key logger is a type of spyware that can watch and record keystrokes.
“It can see what you write in an email, what passwords you enter on a banking website, or any other information you provide online,” McDonald explained.
“Trojans sit quietly in the background, taking actions not authorised by the user, such as modifying, stealing, copying or even deleting data.”
When ransomware files are executed by the email recipient or web user, McDonald said the malware encrypts files on the local device and possibly the entire network.
“The user or business may then be held to ransom, with a Bitcoin fee usually demanded in return for a decryption key for the files,” he added.
“The only other option is for the business to stay offline until previous backups have been recovered. Many users are left with no choice but to pay the ransom, which can be upwards of tens of thousands of dollars.”
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.