RBA “Hacker Rush Against Customers” Macro Malware Email

Email purporting to be from the Reserve Bank of Australia (RBA) warns that there has been a “hacker rush against customers of different banks”. It recommends that you click a link to read a set of security standards for online banking prepared by RBA analysts.

Brief Analysis:
The email is not from the RBA and the link does not open a set of security standards as claimed. Instead, the link opens a fake RBA website that tries to trick you into downloading a Microsoft Word document that contains a malicious macro. If you download the document and enable macros when prompted, the macro can then install malware on your computer.

From: RBA Information Technology Department
Subject: News: new advises for online banking securityDear Australian online-banking client,At the moment we have revealed hacker rush against customers of different banks. For your own security, our analysts have made a set of standards tied to the operation of online banking. To guarantee security of your funds, please learn the rules on our official website:

[Link removed]
[Phone Number Removed]

Reserve Bank of Australia GPO Box 3947 SYDNEY NSW 2001 AUSTRALIA
© Reserve Bank of Australia, 2001-2016. All rights reserved.

RBA macro malware email

Detailed Analysis:
According to this “online banking security” email, which purports to be from the Reserve Bank of Australia (RBA), there is currently a “hacker rush against customers of different banks”. It claims that the RBA’s analysts have made a set of standards tied to the operation of online banking. It advises that, to guarantee the security of your funds, you should click a link to  read this set of security rules on the official RBA website. The email includes the RBA logo and was supposedly sent by the “RBA Information Technology Department”.

However, the email is not from the RBA and it is not a legitimate security advisory. And, clicking the link does not open a set of online banking security rules as claimed.  Instead, the email is a criminal ruse designed to trick you into infecting your computer with malware.

If you do click the link, you will be taken to a fraudulent website that has been designed to look like the real RBA website. The page you arrive on claims that you can click to download “Recommendations for Online-Banking Operations” prepared by “a famous international cyber-safety specialist”.  In an apparent attempt to make their claims seem more plausible, the criminals have included the name and image of a high-profile cyber-security expert. Of course, the expert has no connection to this malware attack and his name and image have been stolen from other websites:

RBA malware website

If you click the “Download” button, a seemingly innocuous  Microsoft Word document will be downloaded to your computer. But, when you attempt to open the document, you will be prompted to enable macros, ostensibly to allow the contents to be loaded securely. If you comply and enable macros, a malicious macro will then download and install malware on your computer.

The exact kind of malware may vary. Macros are often used to install ransomware, which can lock up the files on your computer and then demand that you pay a fee to online criminals to receive a decryption key. Malicious macros are also used to install malware that can harvest data such as your banking login credentials from the infected computer.

Using macros can increase efficiency in some workflows. But, unless you have a specific need to use them and you understand the potential dangers that they pose, you are best to leave macros disabled by default. If you are unfamiliar with macros, you can read more about them in this earlier Hoax-Slayer report.

Keep in mind that the RBA will never send out unsolicited security advisory messages to banking customers.  If you receive this email, do not click any links or open any attachments that it contains.

Last updated: October 19, 2016
First published: October 19, 2016
By Brett M. Christensen
About Hoax-Slayer

Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
Malware Threat Articles