By Ahsen Meraj, Cofense Phishing Defense Center
The tax return season is around the corner in Australia and scammers are targeting as many people as they can, nationwide, with new tactics. The Australian Taxation Office (ATO) claims that, “Since 1 January 2021, the ATO has received 638 reports of this scam, with 7 victims paying out nearly $118,000.” This is referencing a specific scam-call campaign that is taking place. The Cofense Phishing Defense Center (PDC) has observed a similar scam in the form of a phishing email campaign that aims to harvest information leveraging the official government website my[.]gov[.]au. The attackers’ focus is on citizens expecting a tax refund.
Figure 1: Email body
The first step of many phishing campaigns is some form of social engineering. With the government sending out tax communications, stimulus checks and more in the wake of COVID-19, an email from the ATO would not necessarily seem out of place. Such an attack can be seen in Figure 1 where the threat actor attempts to impersonate the ATO in an email. More specifically, they are impersonating the ATO informing the target that they are eligible for a $106.95 AUD. That seems like a random amount which could add to the email’s seeming legitimacy. It can also be seen in Figure 1 that there is a URL at the bottom of the email with the my[.]gov[.]au domain mentioned earlier. As with other phishing emails, a user can hover their cursor over the link to see that it doesn’t go to the URL displayed, but to hXXps://pushkarmantraresort[.]com/01[.]php.
Figure 2: Login page
After clicking the link, the target is redirected to a login page shown in Figure 2. It is extremely close in appearance to a legitimate government website. The only indicator of its true nature at this point is the URL inside the address bar that’s visible before logging in. A couple of the easiest ways to know if the website is real is to always check the URL to verify legitimacy and to always search for the official website on a browser; log in from there.
Figure 3: Payment page
Once an email address and password are submitted, the target is then led to a second page as seen in Figure 3 above. In this second phase of the attack, the plan of the threat actor is to get the credit card details of the target. Though slightly different in detail than the login page in Figure 2, this page may have an even more convincing appearance than the previous page. For instance, tabs are included at the top of the page and there is a button towards the bottom labeled “Ask Alex for help.” This might be some added detail to fool the target into believing they can live chat with an assistant.