business, finance, internet earning and technology concept - close up of computer mouse and euro cash money on table

Australians beware: myGov phishing on the prowl

In Australia, myGov is a “simple and secure way to access government services online”.

  • Secure access to a range of government services using one username and password
  • A single inbox for your messages from Centrelink, Medicare, Child Support and the Australian Taxation Office
  • A quick and easy way to advise selected member services about changes to some of your personal details

Unfortunately, phishing campaigns happily target such services given the plentiful data a successful scam can harvest with relative ease. Here’s a nasty one which was doing the rounds a week or so ago via email:

Australian government and myGov must verify your identity!

This is a notification email only. Please do not reply to this email as this mailbox is not monitored.

This is a message from the myGov team.

Australian government and myGov must verify your identity – (Part 4.2, paragraph 4.2.13 of the AML/CTF rules).

Click “Go to myGov” and start the verification process.

Thank you

The URL – which we’ve reported and has been taken offline – seems to have been a compromised website, located at

peletycmc(dot)sk

The landing page is a carbon copy of the real myGov login screen and asks for a myGov username and password.

mygov phish landing page

For a more typical phish, that might be as far as the scammers go; here, the data grab is rather spectacular as we progress to the next page:

mygov phish document uploads

The text reads as follows:

Australian Government and myGov must verify your identity – (Part 4.2, paragraph 4.2.13 of the AML/CTF Rules). To upload your identity documents please use the ‘Browse’ button.

Important Tips Ensure that you upload a high quality copy of the front and back of your licence and that it is straight and not on an angle. We only accept valid Australian Drivers Licenses. Ensure that you upload a high quality copy of your passport and that it is straight and not on an angle. We only accept valid Australian Passports.

Front of Australian Drivers License Unlinked Back of Australian Drivers License Unlinked Australian Passport Unlinked

Yes, that is the phishing page asking the victim to browse their PC and upload copies of their passport and front/back of their driver’s license. They’re not done yet, however, presenting them with a dropdown urging the victim to “Link their banking account”. This is where things become very interesting – note the design change. It still says “Australian Government – myGov” at the top, but we’re suddenly presented with narrow rectangles, almost like we’re looking at a totally different style of site:

linking a bank account

There’s multiple banks listed, but only two are able to be selected – Citibank and Commonwealth Bank. Regardless of which one is picked, the scammers then ask for:

Client number and password

Mother’s maiden name Phone number Telephone banking passcode

Note the first reference to something called “Poli ID”. At this point, it simply appears to be “some bank stuff” related to the overall process and probably wouldn’t attract too much attention. It’ll become important later.

For now, the scammers stick with the theme of mobile banking:

A one time PIN has been sent via SMS to your registered mobile. Please enter the 6 digit OTP below and select continue.

The scammers send the bank info via: [form id=”stpForm” action=”safe2(dot)php” method=”post” name=”date”], and then we see what claims to be an attempted payment failure message, via some code in the page’s HTML:

 

merchant code 1

Polipay is an Australian payment system which allows you to “use your internet banking to securely pay for goods and services”. If you’re a website owner, you can potentially become a merchant and integrate payment facilities into your site.

As it happens, both Citibank and Commonwealth Bank can be used with Poli – which are the only two banks the phish page lets you choose from. The scammer is – for reasons known only to them – popping a hardcoded “payment failed” message to the tune of $1,000 (Australian dollars?). The supposed attempted payment appears as though it’s being sent to a Bitcoin wallet via Coinspot(dot)com, listed in the code under the “merchant” tag.

Coinspot

Here is the failed payment attempt message that pops no matter what you do:

payment denied

What the phishers have done here is start off with a myGov phish to set the scene, then divert the victim into a payment flow entirely unrelated to anything myGov, and modeled the “link your bank account to myGov” section on Polipay (check out the demo).

It’s not possible for the $1,000 payment to go out, as the stolen information is being collected and sent to scammers via a .php page, and not using Polipay. We notified Polipay on Twitter (Feb 14th) and by email on Feb 15th, and their reply is as follows:

It seems the culprit has screen grabbed screens from a transaction and manipulated them to gain the information they require. This series of screens was hosted on the culprits URL.

The screens grabbed where [sic] from an incomplete transaction with a POLi merchant.

User awareness on the internet is an important factor – specifically, knowing how to ensure the identity of a website owner. POLi employs Extended Validation SSL for its payment systems which makes it clear to users that they are making a payment through a POLi Payments service website. Sites claiming to be POLi which don’t bear this level of company validation are imposters/scammers/phishers etc.

It’s a bit of an odd thing to do with a live phish, as up until the end part of the scam the victim wouldn’t have any idea about the Polipay / Coinspot side of things. If you wanted to keep the victim unaware that something funny is going on, I couldn’t think of a worse way to do it than randomly telling them “HEY THIS PAYMENT HAS FAILED” because the natural reaction would be “…what payment?”

This is a pretty interesting con job, then, and regardless of what the scammers were up to they’d still have the victim’s other information such as the uploaded documentation.

Always be wary if asked for the kind of information requested up above, and if in doubt, contact the relevant official body directly, whether bank or Government portal. It’ll potentially save you time, effort, money, and a couple of forms of identification to boot.

Chris Boyd (Thanks to Steven and Nathan for additional information)

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.