Phishing attempts continue to evolve, with attackers impersonating legitimate entities to deceive victims. This article analyzes a recent phishing email that masquerades as communication from Australia’s Centrelink service and relies on visual deception, urgency tactics, and legitimate-sounding domains to trick users. Effective detection and reporting of such attacks are vital to strengthening defences.
Affected: Centrelink, Australian Cyber Security Centre, legitimate businesses
Key points :
- The phishing email falsely pretends to be from Centrelink, Australia’s welfare service.
- It uses visual deception by replacing the letter “O” with zeroes in the sender’s name.
- Urgency is created by stating a deadline for responding.
- The email includes a generic greeting, lacking personalization.
- An attached PDF is disguised as a legitimate communication.
- The true sender is identified as a Chevy dealership in Texas.
- Email headers reveal the email passed SPF, DKIM, and DMARC checks, despite being malicious.
- The phishing site was designed to gather system information beyond just credential theft.
- Finally, the phishing site has been reported for further investigation.
MITRE Techniques :
- Initial Access — T1566.001 — Phishing via Attachment: The bait arrived as a PDF file attached to the email, tricking the user into opening it.
- Initial Access — T1566.002 — Phishing via Link: The email included a disguised hyperlink (qrco.de) redirecting to a fake Centrelink login page.
- Execution — T1204.001 — Malicious Link Execution: Clicking the phishing link launched a browser session, executing background profiling actions.
- Credential Access — T1556.001 — Credential Phishing: The fake page was designed to steal usernames and passwords.
- Discovery — T1082 — System Information Discovery: The page attempted to gather details about the victim’s operating system and browser environment.
- Discovery — T1012 — Query Registry: Registry key enumeration was used to identify the system type or to detect a sandbox.
- Defense Evasion — T1027 — Obfuscated Files or Information: Visual trickery was used in the sender name to evade suspicion.
- Persistence (Potential) — T1112 — Modify Registry: Signs of writing to registry keys were observed, hinting at potential persistence mechanisms.
- Defense Evasion (Potential) — T1055 — Process Injection: Observed behavior suggested attempts to interact with or inject into running processes.
Indicators of Compromise :
- [Email Address] [email protected]
- [IP Address] 173.203.187.126
- [URL] https://sup121preparedupdate.com/refrence2025
- [URL] qrco.de/bfp1pk
- [URL] buckalewchevrolet.com
Full Story: https://itsshotgun.medium.com/phishing-attempt-at0-0nline-services-970230f0c033?source=rss——cybersecurity-5