Massive Spam Attack Slips Past Spam Filters on its way to Australia

What is it about Australia these days? Whether it’s their tough stance on spammers (Canada: take note), surprising reports about where the spam is coming from, or Aussies saying enough is enough, the country that’s so cool they called it a continent has been making all sorts of spam news recently, and this week the country made the news again when a massive spam attack slipped past anti-spam filters and landed squarely in users’ inboxes.

Westpac, one of Australia’s big four banks, is the latest target: Trojan-laden spam hit more than 125,000 users in a focused attack on Thursday morning, and SC Magazine reports that the volume of nasty emails “spiked into many hundreds of thousands of emails” on Thursday and appears still to be rising. Reports are a little fuzzy so far, but the spam messages appear to be packing W32/Kryptik.KZ!tr and BackDoor.Slym.1498, two known Trojans. The messages are apparently phishing emails: users were instructed to launch the attachment (presumably dressed up as some sort of banking notification) using Internet Explorer. The malware has been reported as some sort of remote backdoor Trojan; in other words, nasty stuff to become infected with, and especially dangerous considering the scope of the attack and the pace at which it’s propagating.

“At least some of the phishing emails bear the attachment SecureMessage.zip and the sender address secure.mail@westpac.com.au,” SC Magazine is reporting, and Bit.com has reported that the message is being sent with the subject “WestPac Secure Email Notification.” Security professionals report that the payload, whose exact nature is still being identified, is being delivered in several variants. According to one spokesman, the spam has circumvented 42 out of 44 email antivirus software applications, not a great track record if you’re a fan of…uhm, I don’t know, things actually working the way they’re supposed to. “This is the biggest fast breaking email the tech guys can remember,” Anwar Ibrahim, a service delivery director, stated. SC Magazine points out that “Almost 2000 unique IP addresses were logged sending the spam using a single filter, pointing to the United States, Peru and Australia in descending order.”

The attack also appears to be a scorched-earth campaign, dispensing with targeted attacks in favor of indiscriminately blasting out as many emails as possible. Bit.com points out that institutions like banks are popular targets: “Fraudsters often use the names of trusted organisations such as banks, courier companies and government departments to encourage recipients to open emails containing malware. The Australian Taxation Office (ATO) [is] another name that’s popular with spammers, for example.” The malware’s SHA256 hash is 5450eea52c6e04bcae760c6181c6c79198daa6e969fca406e0f9dd3b49212d48.

This incident is just another day in the life of the war with spam. No offense to those affected, but we’ve heard it so many times that it lacks the shock value we might have felt ten years ago. It is a good – and timely – reminder that these things hit without warning, and that spammers will stop at nothing to line their pockets. That it hit so suddenly is not surprising. That it was so effective in slipping past detection software is. We seem to be seeing more and more attacks that, by design, not only fool the anti-spam filters but are good enough to fool most users as well. And that’s something we need to discuss.

Spring is almost here. It’s time to do a little spring cleaning. Check your filter settings and spam folders. How effective are they? Maybe a little tweaking is required. Use this opportunity to get your users together and share information. Use some of the more effective spam campaigns – like the one reported in this article – as real-world examples of what to look for. Scare your users if you have to. Remember, they don’t know what you know. They’re also very busy making sure their paychecks keep coming, so, unlike you, looking out for malware attacks is not in the forefront of their minds. Take the time to refresh on best practices, phishing methods, link spoofing, the dangers of clicking links and opening attachments, and email preview panes – all those things that put users at risk. Anti-spam filters are invaluable tools, but like any other tool, they’re only as good as the person wielding them. Awareness and vigilance are of utmost importance, because they’re out there. The spammers won’t stop until they’ve got you.
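As a concrete way to "check your filter settings" against the indicators reported above (the spoofed sender address, the subject line, the SecureMessage.zip attachment and the SHA256 hash), here is an added triage script that is not part of the original article or of any vendor's product. It parses a raw email, checks each indicator, and hashes every attachment; the sample message it builds is constructed for testing and carries harmless bytes, not the actual Trojan.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Indicators for this campaign as reported in the article.
REPORTED_SENDER = "secure.mail@westpac.com.au"
REPORTED_SUBJECT = "WestPac Secure Email Notification"
REPORTED_ATTACHMENT = "SecureMessage.zip"
REPORTED_SHA256 = "5450eea52c6e04bcae760c6181c6c79198daa6e969fca406e0f9dd3b49212d48"


def triage_message(raw_bytes: bytes) -> dict:
    """Parse one raw RFC 5322 message and report which indicators it matches."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # The From header is trivially forged; in production pair this with
    # SPF/DKIM/DMARC results rather than trusting the displayed address.
    from_addr = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").strip()
    hits = {
        "sender": REPORTED_SENDER in from_addr,
        "subject": subject.lower() == REPORTED_SUBJECT.lower(),
        "attachment_name": False,
        "attachment_hash": False,
        "attachment_names": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits["attachment_names"].append(name)
        if name.lower() == REPORTED_ATTACHMENT.lower():
            hits["attachment_name"] = True
        payload = part.get_payload(decode=True) or b""
        if hashlib.sha256(payload).hexdigest() == REPORTED_SHA256:
            hits["attachment_hash"] = True
    keys = ("sender", "subject", "attachment_name", "attachment_hash")
    hits["score"] = sum(1 for k in keys if hits[k])
    return hits


def build_sample() -> bytes:
    """Constructed lookalike message for testing; the attachment is inert filler."""
    m = EmailMessage()
    m["From"] = "Westpac <secure.mail@westpac.com.au>"
    m["To"] = "user@example.com"
    m["Subject"] = "WestPac Secure Email Notification"
    m.set_content("Please open the attached secure message in Internet Explorer.")
    m.add_attachment(b"PK\x03\x04 constructed filler, not a real archive",
                     maintype="application", subtype="zip",
                     filename="SecureMessage.zip")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```

Any message scoring two or more on these checks deserves quarantine and a look at the SPF/DKIM verdict; the hash check alone will miss the other variants the article mentions, which is why the name and header checks are kept alongside it.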

Stay safe.
