{"id":6839,"date":"2017-03-02T09:10:01","date_gmt":"2017-03-02T17:10:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/02\/news-630\/"},"modified":"2017-03-02T09:10:01","modified_gmt":"2017-03-02T17:10:01","slug":"news-630","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/02\/news-630\/","title":{"rendered":"Australians beware: myGov phishing on the prowl"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Thu, 02 Mar 2017 16:00:57 +0000<\/strong><\/p>\n<p>In Australia, <a href=\"https:\/\/www.humanservices.gov.au\/customer\/subjects\/about-mygov\" target=\"_blank\">myGov<\/a> is a &#8220;simple and secure way to access government services online&#8221;.<\/p>\n<ul>\n<li>Secure access to a range of government services using one username and password<\/li>\n<li><em>A\u00a0single inbox for your messages from Centrelink, Medicare, Child Support and the Australian Taxation Office<\/em><\/li>\n<li><em>A\u00a0quick and easy way to advise selected member services about changes to some of your personal details<\/em><\/li>\n<\/ul>\n<p>Unfortunately, phishing campaigns happily target such services given the plentiful data a successful scam can harvest with relative ease. Here&#8217;s a nasty one which was doing the rounds a week or so ago via email:<\/p>\n<blockquote>\n<p><em>Australian government and myGov must verify your identity!<\/em><\/p>\n<p><em>This is a notification email only. 
Please do not reply to this email as this mailbox is not monitored.<\/em><\/p>\n<p><em>This is a message from the myGov team.<\/em><\/p>\n<p><em>Australian government and myGov must verify your identity &#8211; (Part 4.2, paragraph 4.2.13 of the AML\/CTF rules).<\/em><\/p>\n<p><em>Click &#8220;Go to myGov&#8221; and start the verification process.<\/em><\/p>\n<p><em>Thank you<\/em><\/p>\n<\/blockquote>\n<p>The URL &#8211; which we&#8217;ve reported and has been taken offline &#8211; seems to have been\u00a0a compromised website, located at<\/p>\n<p>peletycmc(dot)sk<\/p>\n<p>The landing page is a carbon copy of the real myGov login screen\u00a0and asks for a myGov username and password.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/mygov-phish-landing-page.jpg\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-16321\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/mygov-phish-landing-page-300x264.jpg\" alt=\"mygov phish landing page\" width=\"300\" height=\"264\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/mygov-phish-landing-page-300x264.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/mygov-phish-landing-page-600x528.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/mygov-phish-landing-page.jpg 839w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>For a more typical phish, that might be as far as the scammers go; here, the data grab is rather spectacular as we progress to the next page:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/mygov-phish-document-uploads.jpg\" data-rel=\"lightbox-1\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-16322\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/mygov-phish-document-uploads-300x234.jpg\" 
alt=\"mygov phish document uploads\" width=\"300\" height=\"234\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/mygov-phish-document-uploads-300x234.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/mygov-phish-document-uploads-600x468.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/mygov-phish-document-uploads.jpg 857w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The text reads as follows:<\/p>\n<blockquote>\n<p><em>Australian Government and myGov must verify your identity &#8211; (Part 4.2, paragraph 4.2.13 of the AML\/CTF Rules).<\/em><br \/> <em> To upload your identity documents please use the &#8216;Browse&#8217; button.<\/em><\/p>\n<p><em>Important Tips<\/em><br \/> <em> Ensure that you upload a high quality copy of the front and back of your licence and that it is straight and not on an angle. We only accept valid Australian Drivers Licenses.<\/em><br \/> <em> Ensure that you upload a high quality copy of your passport and that it is straight and not on an angle. We only accept valid Australian Passports.<\/em><\/p>\n<p><em>Front of Australian Drivers License Unlinked<\/em><br \/> <em> Back of Australian Drivers License Unlinked<\/em><br \/> <em> Australian Passport Unlinked<\/em><\/p>\n<\/blockquote>\n<p>Yes, that is the phishing page asking the victim to browse their PC and upload copies of their passport and front\/back of their driver&#8217;s license. They&#8217;re not done yet, however, presenting them with a dropdown urging the victim to &#8220;Link their banking account&#8221;. This is where things become very interesting &#8211; note the design change. 
It still says &#8220;Australian Government &#8211; myGov&#8221; at the top, but we&#8217;re suddenly presented with narrow rectangles, almost like we&#8217;re looking at a totally different style of site:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/linking-a-bank-account.jpg\" data-rel=\"lightbox-2\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-16323\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/linking-a-bank-account-248x300.jpg\" alt=\"linking a bank account\" width=\"248\" height=\"300\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/linking-a-bank-account-248x300.jpg 248w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/linking-a-bank-account-495x600.jpg 495w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/linking-a-bank-account.jpg 604w\" sizes=\"auto, (max-width: 248px) 100vw, 248px\" \/><\/a><\/p>\n<p>There are multiple banks listed, but only two can be selected\u00a0&#8211; Citibank and Commonwealth Bank. 
Regardless of which one is picked, the scammers then ask for:<\/p>\n<blockquote>\n<p><em>Client number and password<\/em><\/p>\n<p><em>Mother&#8217;s maiden name<\/em><br \/> <em> Phone number<\/em><br \/> <em> Telephone banking passcode<\/em><\/p>\n<\/blockquote>\n<p>  <a href='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/phishing-for-logins.jpg' data-rel=\"lightbox-gallery-1\"><img loading=\"lazy\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/phishing-for-logins-150x150.jpg\" class=\"attachment-thumbnail size-thumbnail\" alt=\"phishing for logins\" data-attachment-id=\"16325\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/phishing-for-logins.jpg\" data-orig-size=\"630,676\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"phishing for logins\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/phishing-for-logins-280x300.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/phishing-for-logins-559x600.jpg\" \/><\/a> <a href='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/phishing-for-logins-2.jpg' data-rel=\"lightbox-gallery-1\"><img loading=\"lazy\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/phishing-for-logins-2-150x150.jpg\" class=\"attachment-thumbnail size-thumbnail\" alt=\"phishing for logins 2\" data-attachment-id=\"16326\" 
data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/phishing-for-logins-2.jpg\" data-orig-size=\"545,649\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"phishing for logins 2\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/phishing-for-logins-2-252x300.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/phishing-for-logins-2-504x600.jpg\" \/><\/a>  <\/p>\n<p>Note the first reference to something called &#8220;Poli ID&#8221;. At this point, it simply appears to be &#8220;some bank stuff&#8221; related to the overall process and probably wouldn&#8217;t attract too much attention. It&#8217;ll become important later.<\/p>\n<p>For now, the\u00a0scammers stick with the theme of mobile banking:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/OTP.jpg\" data-rel=\"lightbox-3\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-16327\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/OTP-266x300.jpg\" alt=\"OTP\" width=\"266\" height=\"300\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/OTP-266x300.jpg 266w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/OTP.jpg 531w\" sizes=\"auto, (max-width: 266px) 100vw, 266px\" \/><\/a><\/p>\n<blockquote>\n<p><em>A one time PIN has been sent via SMS to your registered mobile. 
Please enter the 6 digit OTP below and select continue.<\/em><\/p>\n<\/blockquote>\n<p>The scammers send the bank info via: [form id=&#8221;stpForm&#8221; action=&#8221;safe2(dot)php&#8221; method=&#8221;post&#8221; name=&#8221;date&#8221;], and then we see what claims to be an attempted payment failure message, via some code in the page\u2019s HTML:<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/poli1.jpg\" data-rel=\"lightbox-4\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-16452\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/poli1-300x67.jpg\" alt=\"merchant code 1\" width=\"300\" height=\"67\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/poli1-300x67.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/poli1-600x134.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/poli1.jpg 862w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Polipay is an Australian payment system which allows you to \u201cuse your internet banking to securely pay for goods and services\u201d. If you&#8217;re a website owner, you can potentially become a <a href=\"https:\/\/www.polipay.co.nz\/Merchants\/Benefits+for+Merchants.html\" target=\"_blank\">merchant<\/a> and <a href=\"https:\/\/www.polipayments.com\/faqs#merchantDo_you_have_plug-ins_that_I_can_use_to_integrate_POLi?\" target=\"_blank\">integrate payment facilities into your site<\/a>.<\/p>\n<p>As it happens, both Citibank and Commonwealth Bank can be used with Poli \u2013 which are the only two banks the phish page lets you choose from. 
The scammer is &#8211; for reasons known only to them &#8211; popping a hardcoded &#8220;payment failed&#8221; message to the tune of $1,000 (Australian dollars?).\u00a0The supposed attempted payment appears as though\u00a0it&#8217;s being sent to a Bitcoin wallet via Coinspot(dot)com, listed in the code under the &#8220;merchant&#8221; tag.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/poli2.jpg\" data-rel=\"lightbox-5\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-16453 size-medium\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/poli2-300x26.jpg\" alt=\"Coinspot\" width=\"300\" height=\"26\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/poli2-300x26.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/poli2-600x52.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/poli2.jpg 1169w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Here is the failed payment attempt message that pops no matter what you do:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/payment-denied.jpg\" data-rel=\"lightbox-6\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-16340\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/payment-denied-233x300.jpg\" alt=\"payment denied\" width=\"233\" height=\"300\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/payment-denied-233x300.jpg 233w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/payment-denied-465x600.jpg 465w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/02\/payment-denied.jpg 672w\" sizes=\"auto, (max-width: 233px) 100vw, 233px\" \/><\/a><\/p>\n<p>What the phishers have done here is start off with a myGov phish to set the scene, then divert the victim into a payment flow entirely unrelated to 
anything myGov, and\u00a0modeled the &#8220;link your\u00a0bank account to myGov&#8221; section on Polipay (check out the <a href=\"https:\/\/www.polipayments.com\/DEMO\" target=\"_blank\">demo<\/a>).<\/p>\n<p>It&#8217;s not\u00a0possible for\u00a0the $1,000 payment to go out, as the stolen information is being collected and sent to scammers via a .php page, and not using Polipay.\u00a0We notified Polipay on Twitter (Feb 14th) and by email on Feb 15th, and their reply is as follows:<\/p>\n<blockquote>\n<p><em>It seems the culprit has screen grabbed screens from a transaction and manipulated them to gain the information they require. This series of screens was hosted on the culprits URL.<\/em><\/p>\n<p><em>The screens grabbed where [sic] from an incomplete transaction with a POLi merchant.<\/em><\/p>\n<p><em>User awareness on the internet is an important factor &#8211; specifically, knowing how to ensure the identity of a website owner. POLi employs Extended Validation SSL for its payment systems which makes it clear to users that they are making a payment through a POLi Payments service website. Sites claiming to be POLi which don\u2019t bear this level of company validation are imposters\/scammers\/phishers etc.<\/em><\/p>\n<\/blockquote>\n<p>It&#8217;s a bit of an odd thing to do with a live phish, as up until the end part of the scam the victim wouldn&#8217;t have any idea about the Polipay \/ Coinspot side of things. 
If you wanted to keep the victim unaware that something funny is going on, I couldn&#8217;t think of a worse way to do it than randomly telling them &#8220;HEY THIS PAYMENT HAS FAILED&#8221; because the natural reaction would be &#8220;&#8230;what payment?&#8221;<\/p>\n<p>This is a pretty interesting\u00a0con job, then, and regardless of what the scammers were up to they&#8217;d still have the victim&#8217;s other information such as the uploaded documentation.<\/p>\n<p>Always be wary if asked for the kind of information requested up above, and if in doubt, contact the relevant official body directly, whether bank or Government portal. It&#8217;ll potentially save you time, effort, money, and a couple of forms of identification to boot.<\/p>\n<p><em>Chris Boyd (Thanks to Steven and Nathan for additional information)<\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/03\/australians-beware-mygov-phishing-on-the-prowl\/\">Australians beware: myGov phishing on the prowl<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/03\/australians-beware-mygov-phishing-on-the-prowl\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Thu, 02 Mar 2017 16:00:57 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/03\/australians-beware-mygov-phishing-on-the-prowl\/' title='Australians beware: myGov phishing on the prowl'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/01\/photodune-12962596-close-up-of-computer-mouse-and-euro-money-s.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>We look at a myGov phish which has been doing the rounds 
recently. There&#8217;s even some peculiar antics going on late into the phish &#8211; shall we take a look?<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/social-engineering-cybercrime\/\" rel=\"category tag\">Social engineering<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/bank\/\" rel=\"tag\">bank<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/banking\/\" rel=\"tag\">banking<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mygov\/\" rel=\"tag\">myGov<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phish\/\" rel=\"tag\">phish<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phishing\/\" rel=\"tag\">phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/scam\/\" rel=\"tag\">scam<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/03\/australians-beware-mygov-phishing-on-the-prowl\/' title='Australians beware: myGov phishing on the prowl'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/03\/australians-beware-mygov-phishing-on-the-prowl\/\">Australians beware: myGov phishing on the prowl<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11507,11508,4503,11509,10511,3924,3985,10510],"class_list":["post-6839","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-bank","tag-banking","tag-cybercrime","tag-mygov","tag-phish","tag-phishing","tag-scam","tag-social-engineering"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6839","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6839"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6839\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6839"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6839"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}