Telstra helps phishers PWN its customers

Summary: Following a rash of Telstra customers reporting phishing attacks, the telco has issued advice on how to discern the real Telstra from fake ones -- but the advice it gives is more likely to help phishers than its customers.

Telstra customers will continue receiving marketing e-mails, despite being targeted by phishing e-mails and fake Telstra doorknockers.

"We do communicate with clients by e-mail. That always includes the full company name and ABN (Australian Business Number). We also ask customers to log in to the Mybigpond secure Web page. We never ask customers to send confidential e-mails, we don't include links to download and only include attachments if there is a strong reason to explain why," a Telstra spokesperson said.

Well, this is pretty handy information. If you're a phisher, simply type "Telstra ABN" into Google and you're halfway to gaining a user's trust.

It's already common practice for phishers to include not just a real ABN in a phishing e-mail and on a spoofed Web site, but many more details designed to dupe targets. Just ask the ATO's CIO about some of the difficulties it faces in this regard.

Although Telstra says it doesn't embed links in its e-mails, it admits it sometimes sends attachments. In the event it does, Telstra says it will always explain why.

Sounds fair enough, polite even. So if the e-mail explains why an attachment is included, by Telstra's logic, the attachment will be safe.

So what happens if I -- your hypothetical bad guy -- send you an e-mail with an attachment containing, say, a worm called Win32/PWNTelstra? Here is the explanation you should expect from me:

"Dear Customer,

Is your broadband fast enough?

We have recently upgraded our broadband network in your area but to take advantage of higher speeds (for no additional charge), all you have to do is download and install the file attached to this e-mail.

Yours faithfully,

Sol"

Telstra Corporation Limited ABN 33 051 775 556

So Telstra customers, savvy little IT users that you are, go to your inbox and open the e-mail I just sent you. Ever since I landed a wife and mortgage, my finances have been stretched and your contributions would be more than welcome.
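To make the point concrete, here is an added example (not from the article, and not Telstra's code): Telstra's stated heuristics (full company name and ABN present, no download links, an attachment only where the mail explains why) coded as a checker and run over a constructed message modelled on the one above. The sender address, attachment name and file bytes are invented for the demonstration; the ABN is the public one printed above. Every field the checker inspects is attacker-controlled, so the phish passes. A second check ignores the wording and looks at the one thing the phisher cannot copy from Google: the attachment itself.

```python
"""Added example, not from the article: Telstra's published heuristics as a
checker, run over a constructed phishing message in the article's style."""
import re
from email import policy
from email.message import EmailMessage

COMPANY = "Telstra Corporation Limited"
ABN = "33 051 775 556"  # public identifier; on every bill and in the article
# Extensions a mail gateway would treat as risky regardless of the covering text
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js", ".zip"}


def build_phish() -> EmailMessage:
    """Constructed sample (invented headers and bytes) of the article's phish."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Telstra <broadband@telstra.com>"  # From: is trivially spoofed
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Is your broadband fast enough?"
    msg.set_content(
        "Dear Customer,\n\n"
        "We have recently upgraded our broadband network in your area. "
        "To take advantage of higher speeds (for no additional charge), "
        "install the file attached to this e-mail.\n\n"
        "Yours faithfully,\nSol\n\n"
        f"{COMPANY} ABN {ABN}\n"
    )
    # Hypothetical payload: a few bytes with an MZ header, not a real binary
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="octet-stream", filename="speed_upgrade.exe")
    return msg


def body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def passes_telstra_advice(msg: EmailMessage) -> bool:
    """Telstra's three stated tells, applied to the message body only."""
    body = body_text(msg)
    has_identity = COMPANY in body and ABN in body
    has_link = re.search(r"https?://|www\.", body) is not None
    attachments = list(msg.iter_attachments())
    explained = not attachments or "attached" in body.lower()
    return has_identity and not has_link and explained


def flags_attachment(msg: EmailMessage) -> list[str]:
    """Reasons to distrust the mail that do not depend on its wording."""
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            reasons.append(f"executable attachment {name}")
        if part.get_content_type() == "application/octet-stream":
            reasons.append(f"opaque binary attachment {name}")
    return reasons


if __name__ == "__main__":
    phish = build_phish()
    print("passes Telstra's advice:", passes_telstra_advice(phish))
    print("attachment flags:", flags_attachment(phish))
```

The body-based checker returns True for the phish because the company name, the ABN and a polite explanation are all things the sender writes; the attachment checker flags it twice. The lesson is the one the article makes: a "tell" is only useful if the phisher cannot reproduce it, and public identifiers in the message text never qualify.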

Topics: Security, Collaboration, Malware, Telcos, Telstra

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.


Talkback

4 comments
  • Easy solution

    There is a simple and easy way around this problem - don't e-mail customers for any reason. Send them a letter instead. Okay, e-mail may well be a cheaper option but most Telstra customers receive bills through the mail anyway so that is the best time to tell customers about how wonderful and generous Telstra is.

    If Telstra is sending out e-mail that contains material that requires a customer response on-line then they are throwing out the welcome mat for their punters to be attacked or conned. And this applies to any company that sends out similar material.
    anonymous
  • Even easier

    Don't embed URLs

    Simply write dear customer please open your browser and enter www.bigpuddle.com etc.
    anonymous
  • A bit dumb

    It is pretty dumb. The "normal" way is that they also include in the email message something that only they would know (e.g. your full name). Then they can just say "all official email from Telstra will include your full name, as it appears on your bill."
    anonymous
  • Only half smart, Dean

    And what happens when some dumb customer uses his or her full name on some web form or site that is linked to spammers? Some people are stupid, using the 'full name' trick is no guarantee.
    anonymous