Ransomware email scam targeting AGL Energy customers

dungfungus said :

Ian said :

Why hasn’t ActewAGL contacted everyone directly by email to alert them to this scam?

That’s the funniest thing I’ve read so far today.

gazket said :

If Anonymous and other hacking activists are genuinely keen on protecting Internet freedoms they should be putting their undoubted talents to work by tracking down and putting these scammers out of business. That would be a socially useful function, universally applauded.

If you’re interested in ‘net-crusading, have a read of this:
http://www.419eater.com/

Also, these guys have had a long history of sticking it to the spammers and scammers.
https://www.spamhaus.org/organization/
Their operation was at one point based in a canal barge moored near Teddington.
Their website has masses of information, especially in the “ROKSO” section, eg,
http://tinyurl.com/z6rkn23

It wasn’t meant to be funny but looking again, you are right.
ActewAGL can’t even notify their customers about intended power cuts so there is no hope they would advise us about a scam.

Ian said :

Why hasn’t ActewAGL contacted everyone directly by email to alert them to this scam?

That’s the funniest thing I’ve read so far today.

gazket said :

If Anonymous and other hacking activists are genuinely keen on protecting Internet freedoms they should be putting their undoubted talents to work by tracking down and putting these scammers out of business. That would be a socially useful function, universally applauded.

If you’re interested in ‘net-crusading, have a read of this:
http://www.419eater.com/

Also, these guys have had a long history of sticking it to the spammers and scammers.
https://www.spamhaus.org/organization/
Their operation was at one point based in a canal barge moored near Teddington.
Their website has masses of information, especially in the “ROKSO” section, eg,
http://tinyurl.com/z6rkn23

gooterz said :

gooterz said :

Forgot 1 thing – the other common method this is spread is Office/Word/Excel Macros. Although not widely used these days by a lot of users, Macros is still an excellent way to allow unauthorised code execution to occur on your machine. Never open a macro from a source you do not implicitly trust and can verify that someone is not pretending to be that legitimate source. Many corporations who’s networks were infected were from a staff member opening a suspicious macro on their machine.

Most interesting. Thanks. We should all be suspicious of attached .exe and .zip files, but as even emailed Word or Excel attachments could contain an embedded macro that attempts to download the actual ransomware I thought it best to recheck that my macro settings are disabled from within each Word/Excel Trust Centre. They are.
https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12

It was reading the sophos report again just after posting that reminded me most of the original attacks used office macros as their malware wrapper to get the exploit code onto the machine and run in a way that can allow code execution outside the original program. Macros are a really old piece of tech, and I think we need to come up with a better way of implementing that functionality without allowing Macros so much power on a machine to run whatever code it wants essentially. Sad thing is that even users who have never before used an office macro and don’t even really know what they are, will still open one and try to run it if they think its from someone they know (like someone pretending to be their HR department etc.. using email address spoofing) and a lot of office setups are configured to run macros by default then boom their goes the entire network that user is connected to, all encrypted before IT even know what has hit them.

Just the latest in the general fallout from ransomware here: https://arstechnica.co.uk/security/2016/06/university-calgary-ransomware-details/

gooterz said :

Forgot 1 thing – the other common method this is spread is Office/Word/Excel Macros. Although not widely used these days by a lot of users, Macros is still an excellent way to allow unauthorised code execution to occur on your machine. Never open a macro from a source you do not implicitly trust and can verify that someone is not pretending to be that legitimate source. Many corporations who’s networks were infected were from a staff member opening a suspicious macro on their machine.

Most interesting. Thanks. We should all be suspicious of attached .exe and .zip files, but as even emailed Word or Excel attachments could contain an embedded macro that attempts to download the actual ransomware I thought it best to recheck that my macro settings are disabled from within each Word/Excel Trust Centre. They are.
https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12

Forgot 1 thing – the other common method this is spread is Office/Word/Excel Macros. Although not widely used these days by a lot of users, Macros is still an excellent way to allow unauthorised code execution to occur on your machine. Never open a macro from a source you do not implicitly trust and can verify that someone is not pretending to be that legitimate source. Many corporations who’s networks were infected were from a staff member opening a suspicious macro on their machine.

To answer some questions, add some more detail:

* If you want a more detailed overview of ransomware itself, this is an excellent read: https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en

* MalwareBytes/AVG/Others will stop a KNOWN infection if clicked on or opened. The key word here is KNOWN. This relies on it having been detected first by the software operator, a definition created, then it requires you the user to be regularly updating your definitions so that threats can be accurately detected. This doesn’t mean that you may not receive a brand new variant, not yet flagged, and still get infected, that is possible. But using software like this is better than doing nothing. It will protect you 95-99% of the time, common sense still goes a long way though in making sure you never get infected.

* MalwareBytes/AVG/Others will not interfere with Windows Defender, Microsoft Security Essentials, or other Windows defense mechanisms, they will play perfectly well alongside each other and together provide a more robust layer of protection than just using one or the other by themself. If you haven’t updated from Win 7 / 8 to Windows 10 yet, then you are exposing yourself to old attack vectors that no longer exist under Win 10, the best way to harden your defences is to upgrade to Win 10, it is a lot more secure than previous Windows versions to date.

* Some ransomware variants are badly programmed, and in some cases people have been able to create decryption programs without people having to pay. Those are the lucky ones. Many others have been infected with well designed ransomware and have been forced to pay up in the hundreds or thousands of dollars to recover vital systems. Many hospital networks in the USA have been hit over the past few months and been forced to pay ransoms in the $20K-$50K ranges to recover vital medical records and systems.

* Most ransomware attacks focus on corporate networks, not home users. So while this is a growing threat, at this stage most ordinary users are not at a great deal of risk. However there is a recent trend of some of these scams starting to target end users, wether this will increase or is just an aberration in the overall trend is yet to be determined. Kaspersky, Sophos, and hundreds of other security based labs around the world are looking into the threat of ransomware and have been for months, expect to see more on ransomware in the news in coming months.

* The operators behind the TeslaCrypt ransomware variant recently shut down operations, and posted the master key to their website that can be used to decrypt any machine infected with TeslaCrypt, with a note saying “we are sorry”. So anyone infected by this variant can use one of the updated decryption programs to use the master key to recover their files. Obviously since the key was released the criminal groups distributing these ransomware variants have stopped using TeslaCrypt and are instead using other variants such as Locky.

* Don’t open .zip or .exe attachments by email, unless you can absolutely verify where they came from. Same goes for downloading a file with this extension from a website. Make absolutely sure you can trust the source you are downloading from. Even then this may not save you, some people have been infected after popular websites were hacked to serve up ransomware to visitors, this is where software on your machine helps protect you, but common sense goes a long way to keep you safe. Also those Mac users, there are ransomware variants that work on your machine as well, so unless you are only running Linux, you need to take precautions.

Any more questions I will be happy to answer.

Ohh these phishing email are just annoying. My friend got hit with this scam last week.They had to face lot of issues.

Glad , their IT was taken care by professionals , so it did not do that bad to them.

Ransomware doesn’t work unless it is activated. I had the fake letter from the “Australian Federal Police” come up on my screen so I immediately closed down the computer, booted up again and a message came up from Malwarebytes saying that a virus had been detected and was removed. If you don’t have an antivirus/malware program on your computer you are crazy.

Thank you for an informative post.
If Anonymous and other hacking activists are genuinely keen on protecting Internet freedoms they should be putting their undoubted talents to work by tracking down and putting these scammers out of business. That would be a socially useful function, universally applauded.
I twice received the AGL scam email and both times the origin was a “.com.tr” address. So I have added “.com.tr” to my permanently delete blocked email filter setting. Too bad if any legitimate company in Turkey wants to email me.
Another regularly received phishing email is supposedly from Paypal, always with different addresses. And there are also the fake emails from Apple, ACT Policing and Australia Post with convincing logos, appearance and language.
I’m not sure how these scammers get our email addresses – maybe from unscrupulous internet sellers (eg on eBay). Any ideas?
There is plenty of advice on how to avoid these scams but little on what to do if your computer is infected.
http://www.actewagl.com.au/Help-and-advice/Legal/Theft-and-fraud/Online-safety.aspx
https://www.communications.gov.au/what-we-do/internet/stay-smart-online/your-identity/recognise-scam-or-hoax-emails-and-websites
I regularly save files and photos onto a portable hard drive, but inevitably oneday, somehow, something will get through.
Will Malware Bytes/AVG stop an infection if a link or attachment is opened?
Will Malware Bytes/AVG interfere with Windows Defender or normal internet usage (as I found with Norton before removing it)?

Why hasn’t ActewAGL contacted everyone directly by email to alert them to this scam?
I recently got something similar replicating a non-delivery notice from Australia Post and when I brought it to their attention they advised (over the phone) that these happen all the time.
I reminded them that while we constantly get emails from them trying to flog us their “services” they never alert their customers to these scams.
Best advice is to back up every day as sooner or later everyone will get caught.