'Scam-In-A-Box': Billions Stolen As Cybercriminals Target MyGov Accounts in Australia Using Kits Bought From Dark Web

The federal government of Australia recently warned the public of a scam targeting Centrelink, Medicare, and Australian Tax Office accounts. The government services minister, Bill Shorten, said that scammers were targeting people using the "scam-in-a-box" kits bought from the dark web. The technology is reportedly used to create a fake website and provide the know-how for scammers to launch a cyberattack. Every month, thousands of MyGov accounts are being suspended by the government out of concern that they have been breached via “scam-in-a-box” kits, The Guardian reported.

What is a Scam-In-A-Box Kit?

“Scam-in-a-box” kits are being bought by criminals on the dark web which are used to create fake websites and provide the specialist knowledge to launch phishing attacks on Centrelink, Australian Tax Office, and Medicare accounts.

Some kits are even equipped with security controls and allow criminals to run multiple scams at the same time and then quickly shut the operation before detection. Scammers create similar-looking or identical websites of the government portals using these kits. They then extract login information including passwords and IDs.

“These fake sites and criminal gimmicks like ‘scams in a box’ trick our citizens into giving criminals their user ID and passwords,” Shorten was quoted as saying in The Guardian report.

One ad on the dark web apparently tells buyers that most Australians have a MyGov and all they have to do is ask for login details from the victims and make sure their Australian Tax Office is linked to their account.

In 2019, Guardian Australia reported that criminals on the dark web were offering Medicare details for $21 ($33), and up to $340 for fake Medicare cards and other fake forms of identification.

The Modus Operandi

Scammers send a text to victims claiming to be sent by the government agency myGov and tell the recipient that they are eligible to apply for an “economic support payment” or a “Tax Refund”. It then instructs the victims to provide their personal banking details before the support expires and share a link for a form. This form then takes the victims to a fake website that extracts sensitive login or crucial ID information from them.

The Australian Competition and Consumer Commission’s Scamwatch shared a copy of the text message that is being shared in the scam. The most preferred contact method for scammers was a text message, followed by a phone call or an email.

Scamwatch warned the users of myGov that the official website will never ask them to click on links to sign in to their accounts and enter their bank details or submit any ID docs. It advises users to use the secure myGov app to check their accounts.

These scams are particularly attractive to cybercriminals as it is estimated that most Australians use one password for several accounts. Thus, the attacks require minimum effort for a valuable reward. “Statistics show that people reuse passwords at least 50% of the time, making it possible for scammers and hackers to use the stolen password to access other online services,” Shorten said, in the Guardian report.

How much have people lost?

According to Shorten, Australians had already lost $3.1 billion to scams this year. As per Yahoo Finance, this is an 80 percent increase on the previous year. Further, investment scams were the highest-loss category reporting a loss of $1.5 billion. They are followed by remote-access scams ($229 million) and payment-redirection scams ($224 million).

What Steps Are Being Taken Now? 

Bill Shorten has assured that Services Australia is working around the clock to counter scammers and hacker attacks. However, the scam-in-a-box frauds are expected to continue targeting MyGov until the government completes the overhauls of its ID verification, which is reported to be in the final stages of completion.

“I am also working closely with my ministerial colleague, Senator Katy Gallagher, to establish a digital ID that will be a key line of defense against cybercrime when established,” Shorten said in the report. Last year, the government said it was considering to centralize the digital identity authentication for myGov or its myGovID system in the wake of the Optus breach.