Fake Good Samaritan Email Delivers Well-Disguised Malware

A new technique is being used to infect Australian computers with malware. The fraudster behind the scam poses as a Good Samaritan, and pretends to do the victim a favour by forwarding a document intended for them, supposedly from the Australian Taxation Office.

The sender claims to have wrongfully received the victim’s tax information, and asks what they should do to rectify the problem. Here’s one example:

Good Samaritan email scam MailGuard example1.jpg

But the ‘erroneously received’ document instead carries a nasty surprise: malware.

The messages, delivered this morning, aim to dupe recipients into letting down their guard by creating a false problem.

While the email itself is plain-text, it employs various tactics to help fool recipients.

  • Appeals to victims’ curiosity in an attempt to get them to click the link and invite malware onto their system
  • Uses a different sender name in each iteration, most likely to evade old-school antivirus filters
  • Correctly identifies the domain belonging to each recipient
  • Uses an original tact – “I am contacting you to solve this problem because I have never worked in your company” in a rarely-seen attempt to deceive.

More examples of the scam email:

Good Samaritan email scam MailGuard example3.jpg

The scammers have also made efforts to ensure only Microsoft Windows users can download the Word document. Those using Macs or running Linux cannot download the file.The malware payload takes the form of a Macro embedded in a document.

The ATO name is regularly used in scams targeting Australians. In February a large-scale distribution of fake Business Activity Statements included a link that triggered a malicious JavaScript file.

Advice from the ATO on reporting a scam

ATO’s website gives this guidance: “If you receive a suspicious email claiming to be from the ATO, do not click on any links, open attachments or respond to the sender. Forward the entire email to ReportEmailFraud@ato.gov.au without changing or adding any additional information and delete from your inbox and sent folder.”

How to identify a scam email

  • Only click links from trusted senders. Take a closer look at any link by hovering your mouse over and checking the destination in your browser. If it doesn’t match, it is not legitimate.
  • Never open an attachment (especially a .zip file or .exe file) unless you are expecting it. Files from unknown senders often contain malware or virus.
  • Check who is sending you email communication. Be aware that malware, phishing scams or spam may come from unrecognisable or odd email addresses, however legitimate email addresses can be forged easily.

This post was originally published by our vendor, MailGuard. MailGuard is the world’s foremost cloud web and email security provider. For a few dollars per staff member per month, you can add their cloud-based email and web security to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network.

Related Posts