More than 270,000 malicious emails impersonating Services Australia and Centrelink have flooded Australian inboxes in one of the nation’s largest phishing campaigns in years, with the sophisticated attacks specifically targeting the country’s most vulnerable citizens.
The massive campaign, uncovered by human risk management platform Mimecast, has been bombarding Australians with fake government emails averaging 70,000 messages per month over the past four months, with attackers using artificial intelligence to create near-perfect clones of legitimate government communications.
The emails mimic government correspondence about Medicare, JobSeeker payments, Superannuation, and Family Tax Benefits with alarming accuracy.
“This particular attack is a significant cause for concern,” Mimecast senior director Garrett O’Hara told this masthead. “The targeting of the scam is broad and non-specific, so it’s impacting everyday Aussies trying to access essential government services, as well as targeting a wide range of organisations including schools, hospitals, law firms, corporations, and even government agencies themselves.”
The criminal operation, tracked by Mimecast as MCTO3001, is sending through trusted email platforms including SendGrid, Mailgun, and Microsoft Office 365, so that the messages arrive from infrastructure with a good reputation, disguising their origin and evading spam filters.
O’Hara said the current wave of scams was more sophisticated than those of the past.
“These aren’t the clumsy scams of years past,” O’Hara said. “Attackers are using legitimate systems and leveraging detailed knowledge of Australian benefit systems including superannuation, Medicare, JobSeeker payments, and Family Tax Benefits, to make their emails look authentic. They’re exploiting the trust that Australian citizens have in the federal government to deliver their attacks.”
The scammers are using advanced evasion techniques including “reverse tunnelling” – hiding their infrastructure behind legitimate services to make blocking attempts extremely difficult. Some attackers have even compromised real email accounts or hosted fake government login pages on legitimate web services.
“Once a victim clicks a link and enters their details, attackers can gain access to personal or business accounts, leading to data theft, malware installation, or even full-blown ransomware infections,” O’Hara said.
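The abuse of legitimate mail platforms and lookalike login pages described above is exactly what a receiving mail gateway can still see in the headers and links of each message. The following is an added example, not code from the article or from Mimecast: a small set of heuristics that flags a government-branded From: address whose Return-Path goes to a bulk-mail platform, a brand-word sender domain outside gov.au, a recorded DMARC failure, and links whose text or host invokes the brand but resolve outside gov.au. The trusted suffix, the platform host list, the brand words and the three sample messages are all assumptions constructed for the example; the lookalike hostnames use the reserved `.example` TLD.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the impersonated agencies send only from *.gov.au.
TRUSTED_SUFFIX = ".gov.au"
# Bulk-mail platforms the article names as abused to disguise sender origin.
BULK_MAIL_HOSTS = ("sendgrid.net", "mailgun.org", "mailgun.net", "outlook.com")
# Brand words a lookalike sender or link is likely to carry (assumed list).
BRAND_WORDS = ("mygov", "centrelink", "servicesaustralia", "medicare", "jobseeker")


def _host_matches(host: str, suffixes) -> bool:
    """True if host equals one of the suffixes or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith("." + s.lstrip(".")) for s in suffixes)


def _mentions_brand(text: str) -> bool:
    """Brand match after stripping the dots/hyphens lookalikes hide behind."""
    compact = re.sub(r"[^a-z0-9]", "", text.lower())
    return any(word in compact for word in BRAND_WORDS)


def analyze(raw: bytes) -> list:
    """Return (code, detail) findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()

    # 1. A government From: domain whose bounces go somewhere else, e.g. a bulk-mail platform.
    if _host_matches(from_domain, (TRUSTED_SUFFIX,)) and rp_domain and not _host_matches(rp_domain, (TRUSTED_SUFFIX,)):
        tag = " (bulk-mail platform)" if _host_matches(rp_domain, BULK_MAIL_HOSTS) else ""
        findings.append(("SENDER_MISALIGNED", f"From {from_domain}, Return-Path {rp_domain}{tag}"))

    # 2. A sender domain that carries a brand word but is not under gov.au.
    if from_domain and not _host_matches(from_domain, (TRUSTED_SUFFIX,)) and _mentions_brand(from_domain):
        findings.append(("LOOKALIKE_SENDER", from_domain))

    # 3. The receiving MTA's own DMARC verdict, if it recorded one.
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if m and m.group(1).lower() != "pass":
        findings.append(("DMARC_FAIL", m.group(0)))

    # 4. Links whose text or URL invokes the brand but whose host is outside gov.au.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in re.findall(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', html, re.I | re.S):
        host = urlparse(href).hostname or ""
        label = re.sub(r"<[^>]+>", "", text).strip()
        if not _host_matches(host, (TRUSTED_SUFFIX,)) and (_mentions_brand(label) or _mentions_brand(href)):
            findings.append(("LOOKALIKE_LINK", f"{label!r} -> {host}"))
    return findings


# Constructed sample: spoofed gov.au From:, bounces to a bulk-mail platform, lookalike link.
SAMPLE_PHISH = b"""Return-Path: <bounces+123@em.sendgrid.net>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=em.sendgrid.net; dmarc=fail header.from=servicesaustralia.gov.au
From: Services Australia <noreply@servicesaustralia.gov.au>
To: citizen@example.net
Subject: Action required: your Medicare rebate is on hold
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your Medicare rebate could not be processed.</p>
<p><a href="https://mygov-services-au.pages.example/login">Sign in to myGov</a></p>
</body></html>
"""

# Constructed sample: brand word in a non-gov.au sender domain.
SAMPLE_LOOKALIKE = b"""Return-Path: <alerts@mygov-support.example>
From: myGov Alerts <alerts@mygov-support.example>
To: citizen@example.net
Subject: JobSeeker payment suspended
Content-Type: text/plain; charset=utf-8

Log in at https://mygov-support.example/verify to restore your payment.
"""

# Constructed sample: aligned sender, DMARC pass, link stays under gov.au.
SAMPLE_LEGIT = b"""Return-Path: <bounce@servicesaustralia.gov.au>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=servicesaustralia.gov.au; dmarc=pass header.from=servicesaustralia.gov.au
From: Services Australia <noreply@servicesaustralia.gov.au>
To: citizen@example.net
Subject: Your statement is available
Content-Type: text/html; charset=utf-8

<p><a href="https://my.gov.au/">Sign in to myGov</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample))
```

The misalignment check is the one that catches the platform abuse the article describes: a message sent through SendGrid or Mailgun under a real agency From: address will usually carry the platform's own bounce domain in Return-Path, which is why DMARC alignment fails even when SPF passes for the platform. The brand-word heuristics are deliberately crude and will produce false positives on newsletters that merely mention Medicare; in production they belong in a scoring pipeline with sender reputation and URL reputation, not as a standalone block rule.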