Cyber Threat Actor: Phishing Scammers
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | Australia | 2 incidents |
Profile
The threat actor known publicly as Phishing Group X, also referred to as Phishing Scammers, has been observed operating out of Australia. The alias set reflects their reliance on deceptive messaging to gain initial access to target networks. Open source reporting ties the group to a series of phishing‑enabled incidents affecting Australian organisations. No further details about their internal structure or sponsorship are available in the public domain.
Their observed targeting includes the transportation sector, exemplified by the 2023 incident against Black and White Cabs, and the real‑estate rental sector, shown by the 2021 compromise of Domain Group. Both victims are Australian entities, indicating the actor’s activity has been observed within Australia. In the Black and White Cabs case the attackers deployed ransomware that disrupted dispatch, administration and booking systems, forcing a temporary shutdown of customer‑facing services. The Domain Group intrusion sought to divert prospective tenants to fraudulent websites where they could be tricked into paying illegitimate deposits, a clear financially motivated objective.
Across these campaigns the actor’s initial access vector consistently involves phishing emails that deliver malicious payloads or lure recipients to counterfeit sites. In the Black and White Cabs attack the phishing message led to the execution of the CryptoLocker ransomware family, which encrypted network contents and caused prolonged operational outages. The Domain Group operation used phishing to gain administrative credentials, after which the actors created look‑alike rental pages to harvest payments. No other malware families or toolsets have been publicly linked to the group in the reported incidents.
Public attribution does not extend beyond the actor’s Australian location; no state sponsor or criminal consortium has been identified in the available sources. The two described events serve as representative examples of the group’s activity, illustrating a pattern of phishing‑driven ransomware and fraud schemes. These incidents highlight the actor’s capacity to cause both service disruption and direct financial theft through socially engineered emails. Continued monitoring of phishing trends in Australia remains relevant for detecting future operations by this threat actor.
