Australian businesses have been specifically targeted by hackers in a new phishing scam which impersonates the government’s AusTender website, luring in unsuspecting SME owners who believe they are applying for lucrative government contracts.
Uncovered by security researchers at threat detection platform Anomali, the scam appears as an email sent to Australian companies, claiming they have been selected by the Department of Infrastructure and Regional Development to submit a tender for a commercial project.
The letter attached to the email includes seemingly legitimate tender numbers, tells recipients they must be registered in the tender ‘portal’ before applying and tells them to make sure they sign in with their email provider.
The letter also purports to come from Secretary of Infrastructure and Regional Development, Dr Steven Kennedy, a legitimate employee of the Department of Infrastructure.
Upon clicking on the bright red ‘Tender’ button, users are taken to a replica site of the AusTender registration page that invites users to enter their details. Those details are then harvested by the attackers for fraudulent use on other sites, and presumably to gain access to business owners’ email accounts.
“To invoke a sense of urgency, the site claims that the deadline for tender submissions is no later than January 28th, 2019,” Anomali stated.
The threat detection company has already alerted the government, which has issued its own warning about the scam, advising businesses to “not attempt to open the attachment, delete the email and consider reporting it” to organisations such as ScamWatch.
Though there have been no known victims of the scam as yet, Anomali advises SMEs to always be cautious of suspicious emails and educate staff about “normal ways of working” when it comes to interacting with other organisations.
“It would be advisable for individuals and companies interested in pursuing government contracts to be wary of unsolicited emails claiming to be from the Australian Government Department of Infrastructure and Regional Development,” researchers said in a blog post.
“It would also be prudent for all government entities to ensure adequate messaging is presented to make prospective bidders aware of the correct procedures when applying for tenders or bids and provide relevant security warnings of such illegitimate phishing scam campaigns.”
However, this may not be the first or only example of a tender-related phishing scam, as Anomali says it expects further examples throughout 2019.