Fake ATO “Online Activity Statement” Email Links to Malware

Outline:
Email purporting to be from the Australian Taxation Office (ATO) claims that you can click a link to download your next online activity statement.

Brief Analysis:
The email is not from the ATO and it is not a legitimate activity statement notification. Clicking the link downloads a .zip file that harbours a malicious JavaScript file. If you open this JavaScript file, malware can be downloaded and installed on your computer.



Example:
[Screenshot: Fake ATO Online Activity Statement Notification]





Detailed Analysis:
According to this email, which claims to be an activity statement notification from the Australian Taxation Office, your next online activity statement is now available. It invites you to click a link to download your statement. The rest of the email contains generic information about lodging your BAS, lodgement due dates, and where to get further information.

However, the email is not from the ATO and it is not a genuine activity statement notification. Clicking the download link does not retrieve an activity statement as you might expect. Instead, it downloads a .zip file that contains a JavaScript (.js) file. If you open this file, the malicious JavaScript may then download and install malware on your computer.

The exact nature of the malware payload may vary. This JavaScript technique is often used to infect computers with ransomware, which, once installed, can encrypt all of the files on your computer and then demand that you pay a fee to online criminals to get a decryption key. Alternatively, the JavaScript may download and install malware that can steal information such as online banking usernames and passwords.

Criminals have used similar ruses in the past to try to trick people into installing malware.

If you receive one of these emails, do not click any links or open any attachments that it contains.
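
For administrators who filter mail or web downloads, the delivery method described above (a .zip file that carries a .js file) can be checked for before a user ever opens the archive. The following is an added example, not part of the original article: it lists script files inside a ZIP, including double-extension names and ZIPs nested inside ZIPs. The function names, the limits, and the extensions beyond .js are assumptions, and the sample archive is constructed with harmless placeholder content.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Windows Script Host types; the page names only .js, the rest are assumed.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
MAX_DEPTH = 2            # how far to follow zip-inside-zip nesting
MAX_MEMBER = 10_000_000  # do not unpack nested members larger than this


def script_members(zip_bytes, depth=0, prefix=""):
    """Return paths of script files inside a ZIP, following nested ZIPs."""
    found = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return found
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Only the final suffix counts, so "statement.pdf.js" is a script.
            ext = PurePosixPath(info.filename.lower()).suffix
            if ext in SCRIPT_EXTS:
                found.append(path)
            elif ext == ".zip" and depth < MAX_DEPTH and info.file_size <= MAX_MEMBER:
                try:
                    data = archive.read(info)
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # encrypted or corrupt member: cannot look inside
                found += script_members(data, depth + 1, path + "!")
    return found


def build_sample():
    """Constructed sample: harmless placeholder files, no real payload."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Activity_Statement.PDF.JS", "// placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("statement.js", "// placeholder")
        z.writestr("more/inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print("\n".join(script_members(build_sample())))
```

A non-empty result is a reason to quarantine the archive rather than deliver it, since a genuine statement notification has no need to ship a script file.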




Last updated: November 8, 2016
First published: November 8, 2016
By Brett M. Christensen
