Fake Xero, MYOB, QuickBooks emails distributing malware


The list of well-known brands used as camouflage by malware distributors continues to grow.

During the last few months we've seen malware distributed under the guise of bills from EnergyAustralia, ASIC, Origin Energy, and Transurban's GO Via operation.

Now there's somewhat belated news of a campaign taking advantage of Xero's substantial customer base.

Trustwave spotted the campaign in mid-August and disclosed it last week. The security company said the email looked “like a professionally crafted billing message”.

But warning signs included the use of an address using the xeronet.org domain instead of xero.com, a generic “Dear Client” salutation, and billing links to URLs at the fake xeronet.org or at what could be compromised Sharepoint.com accounts.

When followed, those links trigger a cascade of events on Windows PCs, culminating in the installation of a variant of the Dridex Trojan that steals online banking credentials and other information typed into web forms.

A fake Xero email (source: Trustwave).

Trustwave said it subsequently saw similar campaigns piggybacking on the strength of cloud accounting providers MYOB and QuickBooks, and also Dropbox.

“As a mitigation measure, customers should avoid opening any email messages that appear suspicious, especially avoid opening any unknown downloaded files. Customers should also refrain from opening zip archives that come from unknown sources and avoid executing unknown file format like JavaScript, as a lot of malware has been seen recently being distributed by such scripts,” Trustwave advised.

It's important to realise that these campaigns are not sent specifically to customers of the brands concerned; rather, they take the usual scattergun approach. So don't let curiosity get the better of you – you're not getting a chance to peek at someone else's bill.

If you are expecting a bill from a supplier, keep your wits about you. In addition to following Trustwave's advice, ask yourself whether the covering email looks right, showing the correct name for the account holder along with the account number.

And if you hover over the billing link, does it point to the site you'd expect (such as xero.com rather than xeronet.org)?
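The hover-over-the-link check above can be applied to a whole message at once. The following is an added example (not code from the article or from Trustwave): it pulls every link out of an email's HTML body and flags those whose host is neither the expected domain nor a subdomain of it, so a lookalike such as xeronet.org, or a host that merely begins with xero.com, is reported. The sample message and the billing-portal host are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects every href in the HTML body of an email."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_matches(url, expected_domain):
    """True only if the link's host is the expected domain or a subdomain of it.

    urlparse().hostname drops any user@ prefix and port, so a lookalike such as
    xeronet.org, or a host that merely starts with xero.com., is rejected.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def suspicious_links(html, expected_domain):
    """Return the http(s) links in the message that do not lead to the expected domain."""
    return [
        url for url in extract_links(html)
        if urlparse(url).scheme in ("http", "https")
        and not host_matches(url, expected_domain)
    ]


# Constructed sample body modelled on the lure described in the article;
# the billing-portal host is a placeholder, not a real indicator.
SAMPLE_EMAIL = """
<p>Dear Client,</p>
<p>Your invoice is ready: <a href="https://go.xero.com/Invoice/View">View invoice</a></p>
<p>Or download here: <a href="https://xeronet.org/invoice/view">Download</a></p>
<p>Portal: <a href="https://xero.com.billing-portal.example/login">Log in</a></p>
"""

if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_EMAIL, "xero.com"):
        print("does not point to xero.com:", url)
```

Run it against a saved .eml body with the domain you actually expect the bill from; an empty result means every link resolves to that domain or one of its subdomains.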

Copyright © BIT (Business IT). All rights reserved.
