Archives for : June2016

Thousands targeted by ‘ransomware’ email scam which copies AGL Energy Bills

A destructive scam email that infects computers and holds them hostage has successfully targeted at least 10,000 Australians since it was detected this week, a cybersecurity analyst says.

The email, purporting to be from energy company AGL, sends a fake bill and prompts the recipient to click on a link to download a copy.

agl energy fake web page image

The fake AGL webpage that prompts users to download malware. 

It then saves a .zip file on the computer which, when extracted, locks the machine down using malware known as “ransomware”. The recipient is prompted to pay $US640 ($A880) to unlock it.

Raymond Schippers ​, a senior analyst at global cybersecurity firm Check Point, said once the file has downloaded ransomware such as Torrentlocker or Cryptolocker – sometimes spelled with 0 in place of o – the only way to get rid of it is to restore from a backup or to wipe the computer and start over again.

fake AGL invoice, containing a link to a virus image

A fake AGL invoice, containing a link to a virus, which is being sent to Australians. 

The fake AGL email has successfully infiltrated companies across Australia. It aims to get users to install the file at their work, where it could then cause widespread damage by gaining access to legitimate corporate emails which could be used to send the scam on.

“It’s across pretty much all kinds of sectors, from other utilities to education to finance, mining and resources, so it’s widespread throughout Australia,” said Mr Schippers, who has worked in online security for 10 years.

He said an analysis of the malware website by Check Point found at least 10,000 people had actually gone to the end of the download process, and were “very likely to have been infected”, while “many more” could have been affected.

The website used URLs such as “” or “” and would look legitimate to “most users”, he said.

ransom screen seen by those who download the infected .zip file image

However, there were several things that could tip off AGL customers that the email is fake.

When a recipient attempts to open it on their phone or on a Mac computer, it gives an error message and says to use a Windows computer, and the .zip file type is also suspicious.

“Realistically, if you open it on your iPhone and it says ‘this doesn’t work on an iPhone’, it probably isn’t a real website,” Mr Schippers said. “All the websites from all Australian utilities work on phones these days.

“The .zip file is another indication that it’s not usually a bill either. They usually don’t send bills as .zip files, they’ll send them as .pdf or something similar.”

Energy company AGL has acknowledged the scam, which it says “contains malicious malware that has potential to access personal information”.

In a statement, AGL said it had reported the scam to the Australian Federal Police, the government’s Scamwatch website, and to the Australian Competition and Consumer Commission.

The company said any customers who think they have received the email should delete it immediately, run antivirus software and add the sender to their junk email list.

“The scam email presents as an e-Account and asks readers to click on a link,” the statement said. “AGL advises it will never send an email asking for personal banking or financial details.

“Anyone receiving a suspicious email should delete it immediately or, if opened, not click on any links within the email. Anyone with concerns relating to this scam email should call AGL on 131 245 or contact Scamwatch on 1300 795 995.”

Even if the ransom is paid the malware will continue to monitor the computer, Mr Schippers said, recording keystrokes and mouse movements.

He said Australians accounted for 25 per cent of victims of malicious email attacks around the world, because “quite a number” of people continue to click on them and may have the cash to pay up.

“Australia seems to be very vulnerable to these kind of attacks,” Mr Schippers said. “It just relies on peoples’ nature to want to click on things and open things, so I would really just implore people to take a second to think about it before clicking on it.”


What to do if you’re infected:

  • check if your computer has any back-ups
  • consult with an IT professional and seek advice on what can be recovered
  • restore computer from back-ups or wipe it back to factory settings


Henry Sapiecha