Another day, another phishing campaign.
MailGuard, the email spam and virus filter, has identified a new fraudulent email campaign that has been targeting inboxes across Australia.
The scam email is designed to look like a notification from Telstra, with the subject: “$500 Citibank prepaid gift card reward.” Once opened, the message displays the telecommunications giant’s logo, complete with a display name ‘Telstra’ and a domain to match.
The email actually originates from a single, forged email address, and it prompts recipients to click on a ‘claim link’ to redeem their gift card reward before ‘18/10/2019’.
The full email text reads:
Thank you for becoming a Telstra Bundle customer.
You must hurry to claim your $500 Citibank prepaid girft card reward, as your claim code expires 18/10/2019
To claim your gift card reward, simply visit the Claim Link below, then enter your email address and unique claim code into the online form.
Claim Link: XXX
Promotional Code: XXX
You will be asked to enter your delivery address (work or home) and verify payment information. Please note, we require a signature for collection. If you are not able to sign when we deliver, your parcel will be taken to the nearest post office for collection.
When you have submitted your details, we will send your $500 prepaid card to you within 12 business days. Unfortunately we can not advise you the exact day or time on which your parcel will be delivered.
Thanks again
The Telstra Team
The link directs victims to spoofed URL that purports to be a Telstra login page, but is in fact a credential harvesting page, which then redirects unsuspecting recipients to a blank page, probably meant to simulate a slow connection or unreachable destination.
“This campaign is particularly well designed,” said Corin Imai, senior security advisor at DomainTools. “Less sophisticated, malicious messages are often ridden with spelling mistakes and direct victims to URLs that are clearly mismatching the one the one of the organisation they pretend to belong to. In this case, cybercriminals have gone to great lengths to make the email look authentic.”
In fact, even the wording of the message denotes a certain knowledge of social engineering principles. Not only did cybercriminals use a monetary reward to incentivise potential victims to hand over their personal information, but they also created a sense of urgency, aimed at prompting an instinctive reaction.
Interestingly, the scammers behind this phishing email used common security procedures – such as requiring a signature for collection and verifying users’ identity – to add legitimacy to their campaign.
“Large companies such as Telstra are a typical choice for cybercriminals to impersonate, as in this way they are able to cast the widest possible net of potential victims,” explained Imai. “It is not a case if the majority of phishing emails pretend to come from household names such as Office 365, Amazon and Netflix. These companies have millions and millions of subscribers, thus making it more likely for the malicious email to reach an actual subscriber, who would be more inclined to believe the authenticity of the message,” she concluded.
Javvad Malik, security awareness advocate at KnowBe4, advised companies to place user awareness at the top of their priorities. “With an effective and consistent security awareness and training programme, users will become better at spotting and reporting attempted phishing emails, regardless of the originating company and the call to action,” he said.
Telstra’s website offers this advice to their customers on how to recognise and avoid email scams:
- Never trust emails that ask for personal details
- Think twice before giving personal details online – instead, contact the sender using their publicly available contact details
- Visit trusted websited via their URL, rather than clicking a link in the email
- Only provide financial details on secure websites
- Use a spam filter to help block unsolicited and hoax emails
- Never trust emails that ask for personal details_
MailGuard urges all recipients of this email to delete it immediately without clicking on any links, and to think twice before clicking on any type of attachment or link in an email if they are uncertain of its legitimacy.