Cybercriminals have brandjacked ANZ and are circulating fraudulent emails purporting to be from the bank in a bid to steal users’ confidential data.
The email is sent from an anz.com.au address, with a display name of ‘ANZ Bnak’. The misspelling of the display name could be a mistake on the cybercriminals’ end or, more likely, an attempt to bypass checks looking for the correct spelling.
MailGuard has detected that cybercriminals are forging the anz.com.au domain, which results in an SPF soft fail. This soft fail result indicates that the emails did not come from a server that anz.com.au lists as a legitimate source. However, the recipient’s mail server may choose not to enforce this, because the anz.com.au domain is set to soft fail rather than hard fail.
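The following is an added example, not part of the original article: a receiver-side triage check that reads the SPF verdict and display name of a message like the one described, and shows how the `all` qualifier in a sender's SPF record maps to soft fail versus hard fail. The sample message, the `alerts@` local part, the IP address, host names, function names and SPF records are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample: addresses, IP and receiving host are illustrative only.
SAMPLE = """\
Received-SPF: softfail (mx.example.net: domain of transitioning alerts@anz.com.au does not designate 203.0.113.25 as permitted sender)
From: ANZ Bnak <alerts@anz.com.au>
To: user@example.net
Subject: Confirm your identity

Please complete the challenge questions.
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def all_policy(spf_txt):
    """Result a domain's SPF record assigns to senders it does not list."""
    for term in spf_txt.split()[1:]:          # skip the "v=spf1" version tag
        q, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.lower() == "all":
            return QUALIFIERS[q]
    return "neutral"      # no "all" term; redirect= is not followed here

def edit_distance(a, b):
    """Levenshtein distance; a swapped letter pair such as 'Bnak' costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw, brand="ANZ Bank", brand_domain="anz.com.au"):
    """Flag mail that claims the brand domain but is not SPF-authenticated."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    # Only the topmost Received-SPF, stamped by our own MTA, is trustworthy.
    # SPF judges the envelope sender; this sample assumes it equals the From address.
    spf = (msg.get("Received-SPF", "").split() or ["none"])[0].lower()
    findings = []
    if addr.lower().endswith("@" + brand_domain) and spf != "pass":
        findings.append("brand-domain-spf-" + spf)
    if 0 < edit_distance(display.lower(), brand.lower()) <= 2:
        findings.append("lookalike-display-name")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Either finding alone is weak evidence; together they describe the combination seen in this campaign, which a mail gateway can quarantine even when the sending domain's own policy only requests a soft fail.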
A link is provided in the email for users to confirm their identity by completing a series of ‘challenge questions.’
Recipients who click on the link are led to an ANZ branded phishing page. This page tricks users into revealing their bank account credentials. The phishing page has since been taken down.
This attack is particularly malicious because of the multiple strategies it has adopted to appear as a legitimate notification from ANZ Bank.
Aside from replicating the bank’s branding, the scam uses challenge questions to trick users into handing over sensitive credentials. These are, ironically, well-known safety features widely adopted by many organisations to prevent data theft in the first place.
By including such safety features, this scam convinces users that it is a genuine alert from ANZ – one which is, as usual, taking all the necessary precautions that are normally expected from a large and reputable bank.
Having convinced recipients that the email is actually from ANZ, cybercriminals exploit the trusted reputation of the brand to trick customers into divulging their confidential data via the phishing page.