
RBA “Hacker Rush Against Customers” Macro Malware Email

by Brett M. Christensen

Outline:
Email purporting to be from the Reserve Bank of Australia (RBA) warns that there has been a “hacker rush against customers of different banks”. It recommends that you click a link to read a set of security standards for online banking prepared by RBA analysts.

Brief Analysis:
The email is not from the RBA and the link does not open a set of security standards as claimed. Instead, the link opens a fake RBA website that tries to trick you into downloading a Microsoft Word document that contains a malicious macro. If you download the document and enable macros when prompted, the macro can then install malware on your computer.

Example:
From: RBA Information Technology Department
Subject: News: new advises for online banking security

Dear Australian online-banking client,

At the moment we have revealed hacker rush against customers of different banks. For your own security, our analysts have made a set of standards tied to the operation of online banking. To guarantee security of your funds, please learn the rules on our official website:

[Link removed]
[Phone Number Removed]

Reserve Bank of Australia GPO Box 3947 SYDNEY NSW 2001 AUSTRALIA
© Reserve Bank of Australia, 2001-2016. All rights reserved.

[Image: RBA macro malware email]

Detailed Analysis:
According to this “online banking security” email, which purports to be from the Reserve Bank of Australia (RBA), there is currently a “hacker rush against customers of different banks”. It claims that the RBA’s analysts have made a set of standards tied to the operation of online banking. It advises that, to guarantee the security of your funds, you should click a link to read this set of security rules on the official RBA website. The email includes the RBA logo and was supposedly sent by the “RBA Information Technology Department”.

However, the email is not from the RBA and it is not a legitimate security advisory. Clicking the link does not open a set of online banking security rules as claimed. Instead, the email is a criminal ruse designed to trick you into infecting your computer with malware.

If you do click the link, you will be taken to a fraudulent website that has been designed to look like the real RBA website. The page you arrive on claims that you can click to download “Recommendations for Online-Banking Operations” prepared by “a famous international cyber-safety specialist”. In an apparent attempt to make their claims seem more plausible, the criminals have included the name and image of a high-profile cyber-security expert. Of course, the expert has no connection to this malware attack and his name and image have been stolen from other websites:

[Image: RBA malware website]

If you click the “Download” button, a seemingly innocuous Microsoft Word document will be downloaded to your computer. But when you attempt to open the document, you will be prompted to enable macros, ostensibly to allow the contents to be loaded securely. If you comply and enable macros, a malicious macro will then download and install malware on your computer.

The exact kind of malware may vary. Macros are often used to install ransomware, which can lock up the files on your computer and then demand that you pay a fee to online criminals to receive a decryption key. Malicious macros are also used to install malware that can harvest data such as your banking login credentials from the infected computer.

Using macros can increase efficiency in some workflows. But unless you have a specific need to use them and you understand the potential dangers that they pose, it is best to leave macros disabled by default. If you are unfamiliar with macros, you can read more about them in this earlier Hoax-Slayer report.
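A downloaded Word file can be checked for an embedded macro project without opening it in Word. The following is an added example, not part of the original report: the function name `macro_check`, its return labels and the sample files are constructed for illustration, and the check for older binary `.doc` files is a simple byte-string heuristic rather than a full parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                       # .docx/.docm container


def macro_check(data: bytes) -> str:
    """Classify file bytes: 'macros-present', 'no-macros',
    'legacy-format-unknown' or 'unrecognised'. Never trusts the extension."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: the VBA stream name is stored as UTF-16LE in the directory.
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            return "macros-present"
        return "legacy-format-unknown"  # treat as suspect, inspect further
    if not data.startswith(ZIP_MAGIC):
        return "unrecognised"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            ct_name = next((n for n in names
                            if n.lower() == "[content_types].xml"), None)
            if ct_name is None:
                return "unrecognised"  # a ZIP, but not an Office document
            # The macro project normally lives in word/vbaProject.bin.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macros-present"
            # A renamed part is still declared in the content types.
            types = zf.read(ct_name).decode("utf-8", "replace").lower()
            if "vbaproject" in types or "macroenabled" in types:
                return "macros-present"
            return "no-macros"
    except zipfile.BadZipFile:
        return "unrecognised"


def build_sample(with_macro: bool) -> bytes:
    """Constructed test file: a minimal Office-style ZIP, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)),
                        ("macro", build_sample(True))):
        print(label, "->", macro_check(blob))
```

A result of `macros-present` on a document that arrived through an unsolicited email or link is reason enough to leave it unopened.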

Keep in mind that the RBA will never send out unsolicited security advisory messages to banking customers. If you receive this email, do not click any links or open any attachments that it contains.

Last updated: October 19, 2016
First published: October 19, 2016

References
Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
Malware Threat Articles

 
