Date: 08 February 2017
MyGov Phish 8th February 2017
A MyGov phish targeting a large number of individuals has been sighted today.
The phish attempts to obtain a significant amount of Personally Identifiable Information (PII) from its victims.
This information can in turn be used in subsequent frauds targeting the ATO or any other MyGov-linked services.
Intended victims initially receive spam mails with a subject line similar to:
Australian Government and myGov must verify your identity!
The message body looks like this:
This is a notification email only. Please do not reply to this email as this mailbox is not monitored.
This is a message from the myGov Team.
Australian Government and myGov must verify your identity - (Part 4.2, paragraph 4.2.13 of the AML/CTF Rules).
Click go to myGov and start the verification process.
Message reference: WP571
Victims who click on the "go to mygov" link are directed to:
hXXp://toonkile [.] ee/ok/index.htm
The initial phishing page appears like this:
When victims complete and submit the form, the captured data is POSTed to:
hXXp://peletycmc [.] sk/my/login/safe.php
The victims are then redirected to:
where identification document uploads are requested!
The uploaded documents are POSTed to:
hXXp://peletycmc [.] sk/my/upload/upload.php
The victim is then redirected to:
Upon submission of this form, the victim sees this:
The data captured in these forms is POSTed to:
hXXp://peletycmc [.] sk/my/upload2/2/safe.php
The captured data is POSTed to:
hXXp://peletycmc [.] sk/my/upload2/2/safe3.php
The victim is then redirected to the legitimate gov.au page.
1. Create user awareness of this phishing campaign.
2. Block outbound traffic to the URLs used for POSTing captured data and to the primary phishing URL.
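An added example (not part of the original advisory) that supports both recommendations: it refangs the advisory's URLs and scans web proxy records to show which users only opened the phishing page and which went on to submit data. The log layout (timestamp, user, method, URL, status), the user names and the stage labels are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Indicators as defanged in the advisory: (method, URL, stage label chosen here).
INDICATORS = [
    ("GET", "hXXp://toonkile [.] ee/ok/index.htm", "visited phishing page"),
    ("POST", "hXXp://peletycmc [.] sk/my/login/safe.php", "submitted first form"),
    ("POST", "hXXp://peletycmc [.] sk/my/upload/upload.php", "uploaded identity documents"),
    ("POST", "hXXp://peletycmc [.] sk/my/upload2/2/safe.php", "submitted later form"),
    ("POST", "hXXp://peletycmc [.] sk/my/upload2/2/safe3.php", "submitted later form"),
]

def refang(ioc):
    """Convert 'hXXp://host [.] tld/path' into a (host, path) pair for matching."""
    url = re.sub(r"\s*\[\.\]\s*", ".", ioc)
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    parts = urlsplit(url)
    return parts.hostname, parts.path

WATCH = {(m, *refang(u)): stage for m, u, stage in INDICATORS}
HOSTS = {host for _, host, _ in WATCH}

def triage(log_lines):
    """Map each user to the stages of the phish their requests reached."""
    hits = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # not a complete proxy record
        user, method, url = fields[1:4]
        parts = urlsplit(url)
        if parts.hostname not in HOSTS:
            continue
        # A listed host with an unlisted path or method is still worth reporting.
        key = (method.upper(), parts.hostname, parts.path)
        hits.setdefault(user, set()).add(WATCH.get(key, "other request to listed host"))
    return hits

def sample_log():
    """Constructed proxy lines (timestamp user method url status), not real traffic."""
    page, form, upload = (refang(u) for _, u, _ in INDICATORS[:3])
    return [
        "2017-02-08T09:14:02 alice GET http://%s%s 200" % page,
        "2017-02-08T09:15:40 alice POST http://%s%s 302" % form,
        "2017-02-08T09:17:05 alice POST http://%s%s 302" % upload,
        "2017-02-08T10:02:11 bob GET http://%s%s 200" % page,
        "2017-02-08T10:30:00 carol GET http://www.example.org/ 200",
    ]
```

Calling `triage(sample_log())` separates users who need awareness follow-up (page visit only) from those whose details or identity documents were captured and who need fraud-response handling.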