By Ahsen Meraj, Cofense Phishing Defense Center

The tax return season is around the corner in Australia, and scammers are targeting as many people as they can nationwide with new tactics. The Australian Taxation Office (ATO) reports that, “Since 1 January 2021, the ATO has received 638 reports of this scam, with 7 victims paying out nearly $118,000.” That figure refers to a specific scam-call campaign currently under way. The Cofense Phishing Defense Center (PDC) has observed a similar scam in the form of a phishing email campaign that harvests credentials and payment details by impersonating the official government website my[.]gov[.]au. The attackers focus on citizens expecting a tax refund.


Figure 1: Email body

The first step of many phishing campaigns is some form of social engineering. With the government sending out tax communications, stimulus payments and more in the wake of COVID-19, an email from the ATO would not seem out of place. Figure 1 shows such an attack: the threat actor impersonates the ATO and informs the target that they are eligible for a refund of $106.95 AUD. The oddly specific amount adds to the email’s apparent legitimacy. Figure 1 also shows a URL at the bottom of the email that displays the my[.]gov[.]au domain mentioned earlier. As with other phishing emails, hovering the cursor over the link reveals that it does not go to the URL displayed, but to hXXps://pushkarmantraresort[.]com/01[.]php.


Figure 2: Login page

After clicking the link, the target is redirected to the login page shown in Figure 2. It is extremely close in appearance to the legitimate government site. At this point the only indicator of its true nature is the URL in the address bar, which is visible before any credentials are entered. Two of the easiest ways to confirm that a site is genuine are to always check the URL in the address bar against the domain you expect, and to reach the official site by searching for it or typing its address directly rather than following a link from an email, then log in from there.
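Both checks above come down to the same comparison: the domain a user is shown (the link text in the email, or the site they believe they are on) against the domain actually in the URL. The script below automates that comparison over an email body and over a single address-bar URL. It is an added example written for this page, not code from Cofense or the PDC; the HTML snippet it parses is constructed to mimic the lure in Figure 1, and the registrable-domain helper is a deliberately simplified stand-in for a real public-suffix-list lookup.

```python
"""Flag links whose visible text names one domain but whose href points to
another, and check an address-bar URL against the domain the user expects.
Added example; not Cofense/PDC code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the kind of HTML an email gateway would see. The first
# anchor displays the legitimate my.gov.au domain but links elsewhere (the
# destination is the URL reported above, refanged); the others are benign.
SAMPLE_EMAIL_HTML = """
<p>Your refund of $106.95 AUD is ready.</p>
<a href="https://pushkarmantraresort.com/01.php">https://my.gov.au/refund</a>
<a href="https://my.gov.au/">https://my.gov.au/</a>
<a href="https://example.org/help">Contact support</a>
"""


def defang(url):
    """Render a URL in the hXXps://host[.]tld form used for sharing IOCs."""
    return url.replace("http", "hXXp", 1).replace(".", "[.]")


def registrable_domain(host):
    """Crude registrable-domain extraction: last two labels, or last three for
    two-level ccTLDs such as gov.au / com.au. Production code should use a
    public-suffix list instead of this short hard-coded table (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    second_level = ("gov", "com", "net", "org", "edu", "co")
    if len(labels) >= 3 and labels[-1] in ("au", "uk", "nz") and labels[-2] in second_level:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True when the anchor text is itself a URL or bare hostname."""
    return "://" in text or (" " not in text and "." in text)


def find_mismatched_links(html):
    """Return links whose displayed domain differs from the href's domain.
    This is the programmatic form of the 'hover over the link' check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue  # plain-text anchors like "Contact support" carry no displayed domain
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append({"displayed": shown_host, "actual": real_host, "href": defang(href)})
    return findings


def is_expected_site(url, expected="my.gov.au"):
    """The address-bar check: does the URL's registrable domain match the site
    the user intends to log in to? Lookalikes such as my.gov.au.example.com fail."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) == expected.lower()


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {f['displayed']} but links to {f['actual']} ({f['href']})")
    print(is_expected_site("https://pushkarmantraresort.com/01.php"))
```

The registrable-domain comparison matters more than a plain hostname comparison: a lure can legitimately show `www.ato.gov.au` while the real site is `ato.gov.au`, so comparing whole hostnames would produce noise, whereas comparing registrable domains still catches `my.gov.au.example.com` and the resort domain above.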


Figure 3: Payment page

Once an email address and password are submitted, the target is led to the second page shown in Figure 3. In this second phase of the attack, the threat actor’s goal is the target’s credit card details. Though it differs in detail from the login page in Figure 2, this page may be even more convincing than the previous one: tabs are included at the top of the page, and there is a button towards the bottom labeled “Ask Alex for help.” This added detail may lead the target to believe they can live chat with an assistant.


Figure 4: Validation code

After the target inputs their payment information, the threat actor leads them to the page seen in Figure 4, which prompts for a 2FA code of the kind they would normally receive via SMS on their mobile phone. This step replicates the ATO’s payment submission process, but in this case no validation code will arrive on the target’s device. By this point the threat actor already holds the target’s credentials, card details and other personally identifiable information (PII), and can use them for further malicious activity.

Ending the phishing process at the 2FA validation code page is pure social engineering. The target is left satisfied that every step performed was legitimate. Also, upon not receiving the validation code, the target may repeat the entire process, affording the threat actor another shot at even more PII. The threat actor can then use this information to take out personal loans, claim fraudulent refunds and the like.

Figure 5: Index page

As seen in Figure 5, a directory index page was found listing several directories that could potentially hold other phishing campaigns. The threat actor compromised the website at gpstoreguatemala[.]com, which allowed them to host the phish under the path “wp-includes/Requests/Exception/Transport/ATO/”, a directory belonging to the site’s WordPress installation. This not only lets the attacker abuse another party’s resources, it may also make the phishing URL harder to detect with standard security controls, since the phish is served from an otherwise legitimate domain rather than one set up by the attacker.

As stated earlier, the ATO has already warned users about the spike in automated scam calls impersonating the ATO, and this campaign is a perfect example of phishing emails pursuing the same goal as those scam calls. It bypassed certain email gateways with ease, and its clever design had the potential to trick many targets. The PDC is uniquely positioned to work with users to catch phishing emails that bypass secure email gateways (SEGs) and to report on the IOCs associated with them. Contact us to learn more.

Indicators of Compromise

URL                                                                                    IP
hXXps://pushkarmantraresort[.]com/01[.]php                                             148.72.82.20
hXXps://www[.]gpstoreguatemala[.]com/wp-includes/Requests/Exception/Transport/ATO/     107.154.157.223
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.