Check Point Issues Advisory regarding Fake AGL Energy Utility Bills


Check_point_logoCurrent wave of Ransomware
Currently the Check Point Incident Response Team (CPIRT) has received numerous reports of ransomware being spread via fake utility bills. This campaign uses realistic looking e-mails coming from compromised e-mail accounts. This ransomware also appears to install key loggers and appears to try and steal e-mail account details to spread further.

Users receive the e-mail, then have to click on a link, this then directs them to a compromised website which will then re-direct them to a fake site from utility providers, currently the attackers are pretending to be AGL.

Fig 1-The chain of redirects

“Fig 1-The chain of redirects”

The fake page looks realistic and contains a captcha that users need to complete. If a user tries to visit this page via a mobile device or Apple Mac it will give them an error message saying they need to access it from a Microsoft Windows computer. This results in a number of users forwarding it to their corporate e-mail.

Fig 2-Example of the fake website users are directed to

“Fig 2-Example of the fake website users are directed to”

Check Point Anti-virus currently detects and prevents the current ransomware, and Check Point’s Incident Response and ThreatCloud Intelligence Teams are actively monitoring this campaign and protecting Check Point’s customers.

Preventing Ransomware
The Check Point Incident Response Team recommends organisations deploy HTTPS Inspection, Sandboxing in hold and prevent, and application white listing and perform scrubbing on incoming documents. It is important that organisations review and test their backup strategies as ransomware will frequently deleted previous versions and encrypt data on file shares.


It is important that organisations make their users aware of the widespread prevalence of ransomware and the damage it can
cause. It is also important that organisations deploy controls that keep up with the changing landscape especially:

  1. HTTPS Inspection
  2. Sandboxing that can hold and prevent the initial file
  3. Keep IPS to update to detect and prevent exploit kits and suspicious JavaScript (Check Point IPS has numerous
    protections for this).
  4. Have a well-rehearsed and tested incident response plan.

Check Point is a security industry leader of threat prevention solutions and incident response. Our team is here to help you plan for and respond to attacks. For further questions please contact your local Check Point team or contact the Check Point Incident Response team at For critical incidents call Check Point Incident Response customers can call +1(866) 923-0907.