Telstra Bigpond users targeted in post-data-breach phishing campaign

Filed Under: Data loss, Featured, Spam

A phishing campaign targeting customers of Telstra Bigpond, Australia's largest ISP, is urging users to confirm their billing information or risk the suspension of their account.

From: Telstra Billing <>

To: <>

Subject: ADSL Service Cancellation Notice.

Dear BigPond User,

Telstra BigPond is sending you this e-mail to inform you that our service to you could be suspended...

All pretty run-of-the-mill - an access your account now by clicking on a link in this email or else spam - but neatly timed given that Telstra suffered a data breach last Friday.

Personal information about an unknown number of customers was downloaded from an insecure Telstra customer portal last Friday (I have read numbers from 60,000 to 70,000), forcing Telstra to take down some of its services, including webmail, over the weekend.

Ironically, the forced outage also prevented access to the Bigpond account management pages, making it hard for concerned users to change their passwords as a precaution against abuse, or, indeed, to check their account and billing information.

In the spam sample I examined, the phishing email linked to a WordPress blog hosted on a domain. Since domain names cannot be registered at will - that part of Australia's domain name hierarchy is fairly carefully regulated - such names do tend to imbue a sense of reliability and trust.

In this case, however, an unpatched version of WordPress allowed the phishers to "borrow" services from an Aussie blogger. (I spoke to the guys who run the blog site referenced in my sample: the dodgy link has been taken down.)

Nevertheless, this email was obviously a phish:

  • Bigpond doesn't send out access your account now by clicking on a link emails.
  • The email contains numerous errors of orthography, spelling and grammar. Official Bigpond emails are professionally written.
  • The link you are asked to click on has no obvious connection with Telstra or Bigpond.
  • Official Bigpond emails to you aren't addressed to someone called "Duchess" with a competitor's webmail account (unless your name is Duchess, of course).

Oh, and if you run a WordPress blog, make sure you've applied the latest patches. Vulnerable blog sites can be a gold mine for cybercrooks.


, , , , , , , ,

You might like

2 Responses to Telstra Bigpond users targeted in post-data-breach phishing campaign

  1. Larry M · 1396 days ago

    You wrote:
    "Official Bigpond emails don't come from someone called "Duchess" with a competitor's webmail account."

    Umm, that was the "To:" field content. The "From:" field content was
    "Telstra Billing <>" which is a little more plausible.

    • Paul Ducklin · 1395 days ago

      Thanks - I've corrected the mistake.

      For what it's worth, the sample I looked at was addressed to someone who is not, and to the best of my knowledge never has been, known as Duchess, even behind closed doors, and who has never, as far as I know, had a address :-)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog