fbpx
Cyber security

Scammers have moved in on Australia Post’s delivery problems with SMS ‘flubots’

- September 3, 2021 3 MIN READ
smishing
Photo: AdobeStock
Australians must be extra cautious about what messages they click on in coming weeks, after Australia Post’s three-day hiatus on package pickups created a new window for cybercriminals tweaking the Flubot ‘smishing’ attack to tap uncertainty around COVID test results, vaccines, and deliveries.

More than 5,500 Australians have told the ACCC Scamwatch service that they have received text messages created by the malware, which purports to be a notification about a new voicemail or package delivery and requests the recipient tap on a link for more details.

The messages typically include an ID number comprised of random letters and digits, as well as a link to an application that will install malware to steal sensitive data from the device.

They also typically include a number of obvious spelling mistakes, which are always a tell-tale sign that something fishy is going on.

Flubot is designed to compromise Android phones, and will attempt to download and install an application called ‘Voicemail71.apk’.

Once this application is installed, cybercriminals can read your text messages, send text messages from your phone, make phone calls from your number, and access your contacts. They may also be able to steal passwords and banking details.

With awareness about the fake-voicemail tactic increasing, in recent weeks Flubot’s creators have adapted its payload with a different approach that now pretends to be a delivery notification for an incoming package.

Messages provide a link promising updates about a “package outstanding in your name”, “your parcel with DHL”, promising to track an imminent delivery, or similar.

Australian mobile users have been flooded with the messages in recent weeks, after the malware was updated to use Australia’s +61 country code.

Telstra, for its part, is monitoring customers’ SMS usage for unusual surges in message volumes, and warned that it may suspend the SMS capabilities of customers that fail to remove smishing malware like Flubot from their phones.

 

Seizing the opportunity

The new approach coincides with Australia Post’s extraordinary decision to suspend parcel pickups from ecommerce companies between Saturday and Tuesday due to “record parcel volumes in parts of our network impacted by COVID-19”.

With nearly 500 Australia Post employees isolating on any given day and “parcel volumes as high as Christmas peak period”, the company said in a recent message to its business customers, the pandemic “is putting pressure on our network like nothing we have experienced before.”

The pause in parcel pickups will, the company said, help it “responsibly clear record volumes… to a safe and manageable level”.

With millions of Australians likely impacted by the delays that the pause will create, Australia Post’s move may well prime the market for a redoubled Flubot campaign promising updates on delayed parcels.

Australia Post is a perennial favourite target of cybercriminals, with so many scams leveraging its logo that the company maintains an index of new scams categorised by month.

Cybercriminals count on dovetailing with Australia Post’s already heavy reliance on SMS messages, with the company reporting in its latest annual report that it sent 230 million SMS messages to its customers – and 118 million packages – during the June 2020 quarter alone.

Australia post delivered 400 million packages during its last financial year, and is investing to increase its capacity to 700 million packages annually by 2025.

Flubot exploded in Australia during August following the malware’s overseas success this year.

The UK’s National Cyber Security Centre warned about an explosion in Flubot that saw millions of messages sent across Vodafone’s network alone.

The low cost and ease of access to SMS messages have made text messages a favoured channel for cybercriminal campaigns, with Australians this year losing $5.19 million in over 25,800 reported incidents, according to Scamwatch.

That made SMS the second most-used method for scammers this year, after phone calls (83,980 reports) and ahead of email (22,374) and internet (7,004).

 

Previous article
Next article
David Braue

David is an award-winning technology journalist who has covered Australia’s technology industry since 1995. A lifelong technophile, he has written and edited content for a broad range of audiences across myriad topics, with a particular focus on the intersection of technological innovation and business transformation.

Latest News

Business Unicorn dehorned: Nasdaq-listed Brisbane EV charging venture Tritium collapses into receivership
- April 19, 2024
Uber, crash Opinion The lessons from Uber, Ola and rideshare’s disruption is that in the end, the consumer still pays
- April 19, 2024
Samantha Wong People Phoebe Harrop steps up to Blackbird’s Kiwi boss as Samantha Wong returns to Aus
- April 19, 2024
Accelerator Build Club is launching an accelerator for AI founders to take on the US
- April 19, 2024
Events 3 panel sessions to vote for at SXSW Sydney
- April 18, 2024
Prep, Sean Miller and Mathieu Jamet Funding B2B food distribution marketplace Prep serves up $200,000 pre-Seed round
- April 18, 2024
Adelaide Accelerator _SOUTHSTART teamed up with the Adelaide Economic Development Agency to launch an accelerator for the SA capital’s startups
- April 18, 2024
Fiona Triaca and Kate O’Keeffe   Business Heatseeker is the startup you need to be a better founder and build faster
- April 18, 2024