I saw this tweet on Twitter and decided to take a quick look at it, so I don’t have an original email or any further info about where it came from.
Risky Biz pal @briankrebs and the Reserve Bank of Australia are being used as phishing bait.
— Patrick Gray (@riskybusiness) October 19, 2016
A quick look-up of the domain http://rba.gov.au-1.site gave me http://whois.domaintools.com/au-1.site, and a bit of digging gave me ijma4.x.incapdns.net [184.108.40.206] as the supposed host for this site. However, that turns out to be a cloud-based protection system that helps cut down DDoS, bad bots etc. and has the effect of masking the actual host of this phishing / malware site. I cannot find the actual host of this site.
The original screenshot is:
The actual link is rba.gov.au-1.site/index.php?page=9q67ro2vbXO4YCy7jCMmygF5wbVLoHfUXfkiWytnOFkXZ. When you visit that and select the download button, http://rba.gov.au-1.site/download.php, you get a Word doc which contains embedded macros (VirusTotal; Payload Security), the sandbox report showing contacts to api.msowtools.com/cdHaVvEBzQ.php and feeds.vhduniverse.com/cdHaVvEBzQ.php but no actual download of any extra malware. I am guessing possibly a new Dridex banking Trojan version. The IP address 220.127.116.11, which hosts the two sites api.msowtools.com and feeds.vhduniverse.com, has been coming up quite a bit in the last couple of months, but so far no researcher has managed to get any actual malware from them directly.
The Word doc, when opened safely, looks like:
When you visit the home page of the phishing / malware site, you see:
which is an exact copy of the genuine Reserve Bank of Australia (Australia’s central bank) site. The genuine site address is http://www.rba.gov.au/
I would have thought that the Australian central bank would at least have had an SSL certificate on its site, and preferably an Extended Validation (EV) SSL certificate, which would turn the browser URL bar green and help cut the risk of this sort of phishing scam or malware delivery method. However, it is not just the Australian central bank that is lax with website authentication. The UK central bank, http://www.bankofengland.co.uk/Pages/home.aspx, also does not have a default SSL certificate, and to make matters worse, when you try to use HTTPS / SSL, https://www.bankofengland.co.uk/Pages/home.aspx, you get a certificate error and eventually a page saying “We are experiencing a high volume of traffic. Our site will be available soon.”, with the certificate error showing the site is hosted by Akamai and using an Akamai certificate. Somebody needs to sort that out PDQ. At least the European Central Bank has a valid SSL certificate, https://www.ecb.europa.eu/home/html/index.en.html, although it is still available via plain http://www.ecb.europa.eu/home/html/index.en.html as well. You would have thought by now that central banks would know they are a prime target for phishing / spoofing / spreading malware and would all have taken steps to improve authentication and ensure that it is as difficult as possible for the bad actors to impersonate them.
Google has been warning for a long time that non-HTTPS sites will be marked down in search rankings, and very shortly the Google Chrome browser will start alerting you that you are visiting an insecure (plain HTTP) site, and may in future block access to such sites.
Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, should automatically be set to a higher security level to protect you.
By default, Protected View is enabled and macros are disabled, UNLESS you or your company have enabled them. If Protected View is turned off and macros are enabled, then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might be enough to infect you. Definitely DO NOT follow the advice the document gives to enable macros or enable editing to see the content.
Most of these malicious Word documents either appear totally blank or look something like these images when opened in Protected View, which should be the default in Office 2010, 2013, 2016 and 365. Some versions pretend to be protected by a digital RSA key and say you need to enable editing and macros to see the content. Do NOT enable macros or editing under any circumstances.
Please read our “How to protect yourselves” page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about Word macro malware and how to avoid being infected by it.
Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with them. It might be a simple message saying “look at this picture of me I took last night” that appears to come from a friend. It might be a scareware message that makes you open the attachment to see what you are accused of doing. Frequently it is more targeted at somebody (small companies etc.) who regularly receives PDF attachments, Word .doc attachments or any other common file type that they use every day, for example an invoice addressed to firstname.lastname@example.org.
The basic rule is NEVER open any attachment to an email unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of themselves doing silly things, or cute pictures of the children or pets. Many of us routinely get Word, Excel or PowerPoint attachments in the course of work or from companies that we already have a relationship with.
Never just blindly click on the file in your email program. Always save the file to your Downloads folder so you can check it first. A lot of malicious files attached to emails have a faked extension, that is, the few letters after the last dot in the file name. Unfortunately Windows by default hides the extensions of known file types, so you need to open Folder Options and untick “Hide extensions for known file types”. Then, when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball”, an invoice or receipt from some company for a product or service, or a Word doc or Excel report that work has supposedly sent you to finish at the weekend, you can easily see whether it is a picture or document and not a malicious program. If you see .JS, .EXE, .COM, .PIF, .SCR, .HTA, .VBS, .WSF, .JSE or .JAR at the end of the file name, DO NOT click on it or try to open it; it will infect you.
With these malformed, infected Word, Excel and other Office documents, which normally contain a VBA macro virus, the vital thing is: do not open any Office document directly from your email client or the web. Always save the document to a safe location on your computer, normally your Downloads or Documents folder, and scan it with your antivirus. Many antivirus products do not detect VBA macro viruses in real-time protection by default, and you need to enable document or Office protection in the settings. Do not rely on your antivirus to immediately detect the malware or malicious content. DO NOT enable editing mode or enable macros.
All modern versions of Word and other Office programs, that is 2010, 2013, 2016 and 365, should automatically open Microsoft Office documents (Word docs, Excel files, PowerPoint etc.) that are downloaded from the web or received in an email in Protected View, which stops any embedded malware or macros from running. Make sure Protected View is enabled in all Office programs to protect you and your company from these sorts of attacks, and do not override it to edit the document until you are 100% sure that it is safe. If the Protected View bar appears when opening the document, DO NOT enable editing or enable macros; the document will look blank or show a warning message, but it will be safe.
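The checks in the last few paragraphs (save the attachment, look at its real extension, and find out whether it carries macros before anyone clicks “Enable Editing”) can be scripted so they happen before the file is ever opened. The Python below is an added example written for this post; it is not a tool from this blog, not code from the phishing kit, and it does not touch the sample from the RBA site. It assumes Python 3 with only the standard library, and the “files” it inspects are constructed in memory as stand-ins: a legacy OLE2 header, and a minimal OOXML zip with and without a word/vbaProject.bin part.

```python
"""Offline triage of a saved e-mail attachment before anyone opens it.

Added example, not part of the original post. Three checks are made:
  1. the real (last) extension, including "photo.jpg.exe" double extensions
     that Explorer shows as "photo.jpg" when extensions are hidden;
  2. a legacy binary Office file (OLE2 container), which can always carry VBA;
  3. an OOXML zip that contains a vbaProject.bin macro part.
Sample inputs are constructed in memory so this runs without real malware.
"""
import io
import os
import zipfile

# Executable or script content on Windows; never documents.
DANGEROUS_EXT = {".js", ".jse", ".exe", ".com", ".pif", ".scr", ".hta",
                 ".vbs", ".vbe", ".wsf", ".wsh", ".jar", ".bat", ".cmd", ".ps1", ".lnk"}
# Extensions a real document or picture might carry, used to spot "x.jpg.exe".
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls",
             ".xlsx", ".txt", ".zip"}
# Office formats that may legitimately carry macros.
MACRO_CAPABLE_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm",
                     ".doc", ".xls", ".ppt", ".dot"}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container


def classify_name(filename):
    """Return 'dangerous', 'double-extension' or 'ok' from the name alone."""
    root, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext in DANGEROUS_EXT:
        if os.path.splitext(root)[1].lower() in DECOY_EXT:
            return "double-extension"
        return "dangerous"
    return "ok"


def has_vba_macros(data):
    """Describe macro content found in raw file bytes.

    OOXML files are zips; a macro project lives in word/, xl/ or ppt/ as
    vbaProject.bin. OLE2 files are only flagged as 'possible' here, since
    parsing their VBA streams needs a real OLE parser (e.g. oletools' olevba).
    """
    if data.startswith(OLE2_MAGIC):
        return "possible (legacy OLE2 document)"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "unreadable zip"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "yes (vbaProject.bin present)"
        return "no"
    return "not an Office container"


def triage(filename, data):
    """Combine the name and content checks into one verdict string."""
    name_verdict = classify_name(filename)
    if name_verdict != "ok":
        return "DO NOT OPEN: " + name_verdict
    macros = has_vba_macros(data)
    ext = os.path.splitext(filename)[1].lower()
    if macros.startswith("yes"):
        note = "" if ext in MACRO_CAPABLE_EXT else " (a .docx-style name should not carry macros)"
        return "DO NOT ENABLE MACROS: macros " + macros + note
    if macros.startswith("possible"):
        return "Open only in Protected View: " + macros
    return "No macro content found; still open in Protected View"


def make_ooxml(with_macro):
    """Build a minimal constructed OOXML zip in memory (a stand-in, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    samples = {                                     # all constructed, not real samples
        "Sally's dog.jpg.exe": b"MZ\x90\x00",
        "invoice.js": b"var a=1;",
        "RBA_statement.doc": OLE2_MAGIC + b"\x00" * 32,
        "RBA_statement.docm": make_ooxml(True),
        "RBA_statement.docx": make_ooxml(True),     # macro part behind a .docx name
        "minutes.docx": make_ooxml(False),
    }
    for name, blob in samples.items():
        print(f"{name:24} -> {triage(name, blob)}")
```

Run it on a real saved attachment with `triage(path, open(path, "rb").read())`. The OOXML check is exact because the macro project has to be a named part in the zip; the OLE2 check is deliberately only a “could carry macros” flag, which is still enough to decide that the file stays in Protected View and goes nowhere near “Enable Content”.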
Be aware that there are a lot of dodgy Word docs spreading that WILL infect you with no action on your part if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. Many of us have continued to use older versions of Word and other Office programs because they are convenient, have the functions and settings we are used to, and we have never seen a need to update to the latest super-duper version. The risks of using an older version are now seriously starting to outweigh the convenience, benefits and cost of keeping an old version going.
I strongly urge you to update your Office software to the latest version and stop putting yourself at risk by using old, out-of-date software.