12 July 2016

Ransomware email scam targeting AGL Energy customers

Chris Mordd Richards

An email has been going around recently, purporting to be from energy company AGL, that presents a fake bill and then sends you to a fake webpage to download a copy. What you get instead is a .zip file that, when opened, encrypts your entire machine and prevents you from using it until a ransom is paid; this is known as ransomware. Your options are to pay up, or wipe the machine and start over. Some ransomware variants will also attempt to infect other devices on your network, including other PCs and NAS backup devices, and encrypt them as well.

This particular variant of ransomware requires a bit over 1.2 bitcoin to be paid, or $640 USD to be exact (around $880 AUD), to be unlocked. Worse still, even if you pay to unlock it, the malware remains on the PC and will continue to record keystrokes and mouse movements until removed. Fairfax reports that so far over 10,000 people in Australia have fallen victim to the scam, which targets users at large corporations in the hope that they will infect those networks, the aim being to gain access to “legitimate corporate emails which can be used to send the scam on”.

Fake Website

An analysis by Check Point (a malware monitoring website) found that at least 10,000 people had downloaded the ransomware module and were “very likely to have been infected”, while many more “could have been affected”. The fake website used in the scam uses domains such as “checkyourbills.com” and “electricitybill.com” to look legitimate. However, there are several signs that this email is not legitimate.

The first is the .zip file it wants you to download. Companies do not normally send out a .zip file; they will send a .pdf or something similar for a textual document like a bill. You should never open a .zip or .exe file from a source that you do not trust, and even then verify that the source is legitimate and not pretending to be something you trust. Also, attempting to open the .zip file on a Mac or smartphone gives an error message prompting you to use a Windows PC, another sign that something is not right.
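The tells listed above (a brand name in the sender's display name but a sender domain that is not the brand's, links to lookalike hosts such as checkyourbills.com, and a .zip where a bill should be a .pdf) can be checked mechanically before a message ever reaches an inbox. The script below is an added example, not code from the article or from AGL; the sample message is constructed here (its sender domain mirrors the “.com.tr” origin a reader reports in the comments), and the set of domains the brand genuinely mails from is an assumption.

```python
import re
from email import message_from_string, policy, utils
from urllib.parse import urlparse

# Constructed sample in the shape the article describes (not a real captured message).
SAMPLE_EML = """\
From: AGL Energy <billing@mailer.example.com.tr>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your bill is ready. <a href="http://checkyourbills.com/bill.zip">View bill</a></p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="AGL_bill.zip"

UEsDBAo=
--b1--
"""
BRAND_DOMAINS = {"agl": {"agl.com.au"}}  # assumed: domains the brand genuinely mails from
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr")  # a real bill never arrives as these
def in_domains(host: str, domains: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw: str) -> list:
    """Return the lookalike-bill indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = utils.parseaddr(msg["From"])
    sender = addr.rsplit("@", 1)[-1].lower()
    # Display name claims a brand, but the sender domain is not one of that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", name, re.I) and not in_domains(sender, domains):
            findings.append(f"display name '{name}' but sender domain {sender}")
    # Every link should lead back to the brand; the scam's lookalike hosts do not.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    allowed = set().union(*BRAND_DOMAINS.values())
    for url in re.findall(r'href="([^"]+)"', html):
        host = (urlparse(url).hostname or "").lower()
        if not in_domains(host, allowed):
            findings.append(f"link to non-brand host {host}")
    # Companies send bills as PDFs, not archives or executables (the article's first tell).
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        if fn.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {fn}")
    return findings
```

Run `triage(SAMPLE_EML)` on a saved .eml file's contents; a message that trips more than one of these checks at once is the pattern the article describes and is worth quarantining rather than delivering.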

Ransomware

Any users who have received the email should delete it, run antivirus and anti-malware software, and add the sender to their junk email list. ACTEW AGL had this to say on the matter:

The scam email presents as an e-Account and asks readers to click on a link. AGL advises it will never send an email asking for personal banking or financial details.

Anyone receiving a suspicious email should delete it immediately or, if opened, not click on any links within the email. Anyone with concerns relating to this scam email should call AGL on 131 245 or contact Scamwatch on 1300 795 995.

For free detection software, Malwarebytes and AVG Internet Security are both excellent options and what I personally use at the moment.

If you have been infected and are planning on paying the ransom, please consult an IT professional. You will need to make sure the malware is properly removed after recovering the system, and it wouldn’t hurt to involve the IT professional in the payment phase as well so you can avoid common Bitcoin mistakes.


dungfungus said :

Ian said :

Why hasn’t ActewAGL contacted everyone directly by email to alert them to this scam?

That’s the funniest thing I’ve read so far today.

gazket said :

If Anonymous and other hacking activists are genuinely keen on protecting Internet freedoms they should be putting their undoubted talents to work by tracking down and putting these scammers out of business. That would be a socially useful function, universally applauded.

If you’re interested in ‘net-crusading, have a read of this:
http://www.419eater.com/

Also, these guys have had a long history of sticking it to the spammers and scammers.
https://www.spamhaus.org/organization/
Their operation was at one point based in a canal barge moored near Teddington.
Their website has masses of information, especially in the “ROKSO” section, eg,
http://tinyurl.com/z6rkn23

It wasn’t meant to be funny but looking again, you are right.
ActewAGL can’t even notify their customers about intended power cuts so there is no hope they would advise us about a scam.

gooterz said :

gooterz said :

Forgot 1 thing – the other common way this is spread is Office/Word/Excel macros. Although not widely used these days by a lot of users, macros are still an excellent way to allow unauthorised code execution to occur on your machine. Never open a macro from a source you do not implicitly trust and can verify that someone is not pretending to be that legitimate source. Many corporations whose networks were infected were from a staff member opening a suspicious macro on their machine.

Most interesting. Thanks. We should all be suspicious of attached .exe and .zip files, but as even emailed Word or Excel attachments could contain an embedded macro that attempts to download the actual ransomware I thought it best to recheck that my macro settings are disabled from within each Word/Excel Trust Centre. They are.
https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12

It was reading the Sophos report again just after posting that reminded me most of the original attacks used Office macros as their malware wrapper to get the exploit code onto the machine and run in a way that can allow code execution outside the original program. Macros are a really old piece of tech, and I think we need to come up with a better way of implementing that functionality without allowing macros so much power on a machine to run whatever code it wants, essentially. Sad thing is that even users who have never before used an Office macro and don’t even really know what they are will still open one and try to run it if they think it’s from someone they know (like someone pretending to be their HR department etc., using email address spoofing), and a lot of Office setups are configured to run macros by default, then boom, there goes the entire network that user is connected to, all encrypted before IT even know what has hit them.

Just the latest in the general fallout from ransomware here: https://arstechnica.co.uk/security/2016/06/university-calgary-ransomware-details/

To answer some questions, add some more detail:

* If you want a more detailed overview of ransomware itself, this is an excellent read: https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en

* MalwareBytes/AVG/Others will stop a KNOWN infection if clicked on or opened. The key word here is KNOWN. This relies on it having been detected first by the software operator, a definition created, then it requires you the user to be regularly updating your definitions so that threats can be accurately detected. This doesn’t mean that you may not receive a brand new variant, not yet flagged, and still get infected, that is possible. But using software like this is better than doing nothing. It will protect you 95-99% of the time, common sense still goes a long way though in making sure you never get infected.

* MalwareBytes/AVG/Others will not interfere with Windows Defender, Microsoft Security Essentials, or other Windows defense mechanisms; they will play perfectly well alongside each other and together provide a more robust layer of protection than just using one or the other by itself. If you haven’t updated from Win 7 / 8 to Windows 10 yet, then you are exposing yourself to old attack vectors that no longer exist under Win 10. The best way to harden your defences is to upgrade to Win 10; it is a lot more secure than previous Windows versions to date.

* Some ransomware variants are badly programmed, and in some cases people have been able to create decryption programs without people having to pay. Those are the lucky ones. Many others have been infected with well designed ransomware and have been forced to pay up in the hundreds or thousands of dollars to recover vital systems. Many hospital networks in the USA have been hit over the past few months and been forced to pay ransoms in the $20K-$50K ranges to recover vital medical records and systems.

* Most ransomware attacks focus on corporate networks, not home users. So while this is a growing threat, at this stage most ordinary users are not at a great deal of risk. However, there is a recent trend of some of these scams starting to target end users; whether this will increase or is just an aberration in the overall trend is yet to be determined. Kaspersky, Sophos, and hundreds of other security-based labs around the world are looking into the threat of ransomware and have been for months; expect to see more on ransomware in the news in coming months.

* The operators behind the TeslaCrypt ransomware variant recently shut down operations, and posted the master key to their website that can be used to decrypt any machine infected with TeslaCrypt, with a note saying “we are sorry”. So anyone infected by this variant can use one of the updated decryption programs to use the master key to recover their files. Obviously since the key was released the criminal groups distributing these ransomware variants have stopped using TeslaCrypt and are instead using other variants such as Locky.

* Don’t open .zip or .exe attachments by email, unless you can absolutely verify where they came from. Same goes for downloading a file with this extension from a website. Make absolutely sure you can trust the source you are downloading from. Even then this may not save you, some people have been infected after popular websites were hacked to serve up ransomware to visitors, this is where software on your machine helps protect you, but common sense goes a long way to keep you safe. Also those Mac users, there are ransomware variants that work on your machine as well, so unless you are only running Linux, you need to take precautions.

Any more questions I will be happy to answer.
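The macro point raised in the comments above (an emailed Word or Excel attachment carrying an embedded macro that fetches the ransomware) can be checked on the mail gateway, before a user is ever asked to enable anything. This is an added example, not code from the post or its commenters: an Office Open XML document is a zip, so the presence of a VBA project can be read straight from its part list and its `[Content_Types].xml`. The sample documents are constructed inline; the part names and the `application/vnd.ms-office.vbaProject` content type are the ones the OOXML format uses.

```python
import io
import zipfile

# Part names an Office Open XML file uses to carry a VBA project.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm")

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML document (docx/xlsx/pptx family) carries a VBA project."""
    if not data.startswith(b"PK"):
        return False  # not a zip container, so not OOXML (legacy .doc needs other tooling)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            types = ""
            if "[Content_Types].xml" in names:
                types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return False
    return bool(names & VBA_PARTS) or VBA_CONTENT_TYPE in types

def macro_verdict(filename: str, data: bytes) -> str:
    """Classify an attachment the way a mail gateway could before delivery."""
    if not has_vba_project(data):
        return "no-macro"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "macro"         # declared macro-enabled: still block from untrusted senders
    return "macro-hidden"      # VBA project under an extension that implies there is none

def build_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip for the demo, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()
```

Pair this with the Trust Centre setting linked above: the gateway check stops the document arriving with a macro, and the disabled-macros setting stops a user running one that still slips through.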

Ohh, these phishing emails are just annoying. My friend got hit with this scam last week. They had to face a lot of issues.

Glad their IT was taken care of by professionals, so it did not do that bad to them.

Ransomware doesn’t work unless it is activated. I had the fake letter from the “Australian Federal Police” come up on my screen so I immediately closed down the computer, booted up again and a message came up from Malwarebytes saying that a virus had been detected and was removed. If you don’t have an antivirus/malware program on your computer you are crazy.

Thank you for an informative post.
If Anonymous and other hacking activists are genuinely keen on protecting Internet freedoms they should be putting their undoubted talents to work by tracking down and putting these scammers out of business. That would be a socially useful function, universally applauded.
I twice received the AGL scam email and both times the origin was a “.com.tr” address. So I have added “.com.tr” to my permanently delete blocked email filter setting. Too bad if any legitimate company in Turkey wants to email me.
Another regularly received phishing email is supposedly from Paypal, always with different addresses. And there are also the fake emails from Apple, ACT Policing and Australia Post with convincing logos, appearance and language.
I’m not sure how these scammers get our email addresses – maybe from unscrupulous internet sellers (eg on eBay). Any ideas?
There is plenty of advice on how to avoid these scams but little on what to do if your computer is infected.
http://www.actewagl.com.au/Help-and-advice/Legal/Theft-and-fraud/Online-safety.aspx
https://www.communications.gov.au/what-we-do/internet/stay-smart-online/your-identity/recognise-scam-or-hoax-emails-and-websites
I regularly save files and photos onto a portable hard drive, but inevitably one day, somehow, something will get through.
Will Malware Bytes/AVG stop an infection if a link or attachment is opened?
Will Malware Bytes/AVG interfere with Windows Defender or normal internet usage (as I found with Norton before removing it)?

Why hasn’t ActewAGL contacted everyone directly by email to alert them to this scam?
I recently got something similar replicating a non-delivery notice from Australia Post and when I brought it to their attention they advised (over the phone) that these happen all the time.
I reminded them that while we constantly get emails from them trying to flog us their “services” they never alert their customers to these scams.
Best advice is to back up every day as sooner or later everyone will get caught.
