Telstra Bigpond users targeted in post-data-breach phishing campaign

A phishing campaign targeting customers of Telstra Bigpond, Australia’s largest ISP, is urging users to confirm their billing information or risk the suspension of their account.

From: Telstra Billing <>

To: <>

Subject: ADSL Service Cancellation Notice.

Dear BigPond User,

Telstra BigPond is sending you this e-mail to inform you that our service to you could be suspended...

All pretty run-of-the-mill – an “access your account now by clicking on a link in this email, or else” spam – but neatly timed, given that Telstra suffered a data breach last Friday.

Personal information about an unknown number of customers was downloaded from an insecure Telstra customer portal last Friday (I have read numbers from 60,000 to 70,000), forcing Telstra to take down some of its services, including webmail, over the weekend.

Ironically, the forced outage also prevented access to the Bigpond account management pages, making it hard for concerned users to change their passwords as a precaution against abuse, or, indeed, to check their account and billing information.

In the spam sample I examined, the phishing email linked to a WordPress blog hosted on a domain. Since domain names cannot be registered at will – that part of Australia’s domain name hierarchy is fairly carefully regulated – such names do tend to imbue a sense of reliability and trust.

In this case, however, an unpatched version of WordPress allowed the phishers to “borrow” services from an Aussie blogger. (I spoke to the guys who run the blog site referenced in my sample: the dodgy link has been taken down.)

Nevertheless, this email was obviously a phish:

  • Bigpond doesn’t send out “access your account now by clicking on a link” emails.
  • The email contains numerous errors of orthography, spelling and grammar. Official Bigpond emails are professionally written.
  • The link you are asked to click on has no obvious connection with Telstra or Bigpond.
  • Official Bigpond emails to you aren’t addressed to someone called “Duchess” with a competitor’s webmail account (unless your name is Duchess, of course).
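The tell-tale signs in that list (a sender who isn’t where they claim to be from, a message addressed to somebody else, a link with no connection to the brand, and “do it now or lose your account” pressure) are easy to turn into an automated triage check. The script below is an added example written for this post, not code from Telstra, Bigpond or the original article: it parses a raw email, compares the From address and every link host against the domains a genuine mailing would be expected to use, checks that the message is actually addressed to you, and flags pressure phrases. The sample message, the addresses and the link in it are constructed to resemble the phish quoted above; the expected-domain list (`telstra.com`, `bigpond.com`) and the phrase list are assumptions you would tune for your own organisation.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the phish quoted in the post; addresses and link are made up.
SAMPLE_PHISH = """\
From: Telstra Billing <billing@mail-example.net>
To: Duchess <duchess@webmail-example.org>
Subject: ADSL Service Cancellation Notice.
Content-Type: text/plain; charset=us-ascii

Dear BigPond User,

Telstra BigPond is sending you this e-mail to inform you that our service
to you could be suspended unless you confirm your billing informations at
http://some-blog.example.com.au/wp-content/uploads/verify/ within 24 hours.
"""

# Domains a genuine Telstra/Bigpond mailing would be expected to use (assumption for this example).
EXPECTED_DOMAINS = ("telstra.com", "bigpond.com")

# Phrases typical of "act now or lose your account" pressure (assumed list, tune for your own use).
URGENCY_TERMS = ("suspend", "cancel", "confirm your billing", "within 24 hours")

# Plain-text URL matcher: stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def under_expected_domain(host, expected=EXPECTED_DOMAINS):
    """True if host is one of the expected domains or a proper subdomain of one.

    'bigpond.com.evil.example' does NOT qualify: only a suffix match on a dot
    boundary counts, which is exactly the trick lookalike hosts rely on.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in expected)


def analyse(raw, expected=EXPECTED_DOMAINS, my_address=None):
    """Return a list of (check, detail) findings for a raw RFC 5322 message.

    An empty list means none of the four checks fired.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: the sender's address should sit under an expected domain.
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2]
    if not under_expected_domain(sender_domain, expected):
        findings.append(("sender", f"From address domain {sender_domain!r} is not under {expected}"))

    # Check 2: the message should be addressed to you, not to "Duchess" at some other webmail.
    _, recipient = parseaddr(str(msg.get("To", "")))
    if my_address and recipient.lower() != my_address.lower():
        findings.append(("recipient", f"addressed to {recipient!r}, not {my_address!r}"))

    # Check 3: every link in the body should point back to the expected domains.
    body = msg.get_content()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not under_expected_domain(host, expected):
            findings.append(("link", f"link host {host!r} has no connection to {expected}"))

    # Check 4: pressure language in the body.
    lowered = body.lower()
    hits = [t for t in URGENCY_TERMS if t in lowered]
    if hits:
        findings.append(("urgency", "pressure phrases: " + ", ".join(hits)))

    return findings


if __name__ == "__main__":
    # Run against the constructed sample, pretending our own address is me@bigpond.com.
    for check, detail in analyse(SAMPLE_PHISH, my_address="me@bigpond.com"):
        print(f"[{check}] {detail}")
```

On the constructed sample all four checks fire; a message from `billing@telstra.com` to your own address whose only link is under `telstra.com` produces no findings. The domain test deliberately matches only on a dot boundary, so a host such as `bigpond.com.example.net` is reported as unrelated rather than trusted.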

Oh, and if you run a WordPress blog, make sure you’ve applied the latest patches. Vulnerable blog sites can be a gold mine for cybercrooks.