Following a rash of Telstra customers reporting phishing attacks, the telco has issued advice on how to discern the real Telstra from fake ones -- but the advice it gives is more likely to help phishers than its customers.
Telstra customers will continue receiving marketing e-mails, despite being targeted by phishing e-mails and fake Telstra doorknockers.
"We do communicate with clients by e-mail. That always includes the full company name and ABN (Australian Business Number). We also ask customers to log in to the Mybigpond secure Web page. We never ask customers to send confidential e-mails, we don't include links to download and only include attachments if there is a strong reason to explain why," a Telstra spokesperson said.
Well, this is pretty handy information. If you're a phisher, simply type "Telstra ABN" into Google and you're halfway to gaining a user's trust.
It's already common practice for phishers to include not just a real ABN in a phishing e-mail and on a spoofed Web site, but many more details designed to dupe targets. Just ask the CIO of the ATO (Australian Taxation Office) about some of the difficulties it faces in this regard.
Although Telstra says it doesn't embed links in its e-mails, it admits it sometimes sends attachments. In the event it does, Telstra says it will always explain why.
Sounds fair enough, polite even. So if the e-mail explains why an attachment is included, by Telstra's logic, the attachment will be safe.
So what happens if I -- your hypothetical bad guy -- send you an e-mail with an attachment containing, say, a worm called Win32/PWNTelstra? Here is the explanation you should expect from me:
"Dear Customer,
Is your broadband fast enough?
We have recently upgraded our broadband network in your area but to take advantage of higher speeds (for no additional charge), all you have to do is download and install the file attached to this e-mail.
Telstra Corporation Limited ABN 33 051 775 556"
So Telstra customers, savvy little IT users that you are, go to your inbox and open the e-mail I just sent you. Ever since I landed a wife and mortgage, my finances have been stretched and your contributions would be more than welcome.