copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
Search this site

On this site

 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login


MyGov Phish

Date: 08 February 2017

Click here for printable version

MyGov Phish 8th February 2017

Executive Summary

A MyGov phish targeting a large number of individuals has been sighted today.

The phish attempts to obtain a significant amount of Personally Identifiable Information (PII) from its victims.

This information in turn be used in subsequent frauds targeting the ATO or any other MyGov linked services.


Intended victims initially receive spam mails with a subject line similar to:

   Australian Government and myGov must verify your identity!

The message body looks like this:

   This is a notification email only. Please do not reply to this email as this mailbox is not monitored. 
This is a message from the myGov Team.
Australian Government and myGov must verify your identity - (Part 4.2, paragraph 4.2.13 of the AML/CTF Rules).
Click go to myGov and start the verification process.
Thank you
Message reference: WP571

Victims who click on the "go to mygov" link are directed to:

   hXXp://toonkile [.] ee/ok/index.htm 

The initial phishing page appears like this:

When victims complete and submit the form, the captured data is POSTed to:

  hXXp://peletycmc [.] sk/my/login/safe.php 

The victims are then redirected to:

where identification documents uploads are requested!

The uploaded documents are POSTed to:

  hXXp://peletycmc [.] sk/my/upload/upload.php  

The victim is then redirected to:

Upon submission of this form, the victim sees this:

Followed by:

The data captured in these forms is POSTed to:

  hXXp://peletycmc [.] sk/my/upload2/2/safe.php   

and finally...

The captured data is POSTed to:

   hXXp://peletycmc [.] sk/my/upload2/2/safe3.php 

The victim is then redirected to the legitimate page.


1. Create user awareness of this phishing campaign.

2. Block outbound traffic on the URLs used for POSTing captured data and the primary phishing URL