The list of well-known brands used as camouflage by malware distributors continues to grow.
Now there's somewhat belated news of a campaign taking advantage of Xero's substantial customer base.
Trustwave spotted the campaign in mid-August and disclosed it last week. The security company said the email looked “like a professionally crafted billing message”.
But warning signs included a sender address on the xeronet.org domain instead of xero.com, a generic “Dear Client” salutation, and billing links to URLs at the fake xeronet.org or at what could be compromised Sharepoint.com accounts.
When followed, those links trigger a cascade of events on Windows PCs, culminating in the installation of a variant of the Dridex Trojan that steals online banking credentials and other information typed into web forms.
Trustwave said it subsequently saw similar campaigns piggybacking on the strength of cloud accounting providers MYOB and QuickBooks, and also Dropbox.
It's important to realise that these campaigns are not sent specifically to customers of the brands concerned; rather, they take the usual scattergun approach. So don't let curiosity get the better of you – you're not getting a chance to peek at someone else's bill.
If you are expecting a bill from a supplier, keep your wits about you. In addition to following Trustwave's advice, ask yourself whether the covering email looks right, showing the correct name for the account holder along with the account number.
And if you hover over the billing link, does it point to the site you'd expect (such as xero.com rather than xeronet.org)?
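The three warning signs above (sender domain, generic salutation, and where the billing links actually point) can be applied mechanically to a message before anyone clicks. The following is an added example, not code from the article or from Trustwave: it parses a constructed sample email modelled on the campaign, compares the sender's domain and every link host against the expected brand domain, and flags the generic salutation. The domains xero.com and xeronet.org come from the article; the sample message, the expected-domain list and the helper names are assumptions for illustration.

```python
# Added example (not from the article or Trustwave): apply the article's
# checks to an email message. The sample message is CONSTRUCTED; the domains
# xero.com and xeronet.org are the ones the article names, all else is assumed.
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumption: the only registrable domain a genuine Xero billing email and
# its links should use.
EXPECTED_DOMAINS = {"xero.com"}

# Generic salutation the article lists as a warning sign.
GENERIC_SALUTATION_RE = re.compile(r"\bDear\s+Client\b", re.I)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

# Constructed sample modelled on the campaign described above (not a real capture).
SAMPLE_EMAIL = """\
From: Xero Billing <billing@xeronet.org>
To: customer@example.com
Subject: Your Xero invoice INV-0001 is ready
Content-Type: text/html

<html><body>
<p>Dear Client,</p>
<p>Your invoice is ready. <a href="http://xeronet.org/invoice/0001">View bill</a></p>
<p>Alternative copy: <a href="https://example.sharepoint.com/sites/docs/bill.zip">download</a></p>
</body></html>
"""


def registrable_domain(host):
    """Last two labels of a hostname, e.g. go.xero.com -> xero.com.
    Simplification: a production check would consult the public-suffix list
    so that names such as example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg):
    """Domain of the address in the From header (empty string if absent)."""
    addr = email.utils.parseaddr(str(msg["From"] or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Decoded text of the HTML part if present, otherwise the plain part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return body.get_content() if body is not None else ""


def link_hosts(text):
    """Hostnames of every href in the body, in document order."""
    hosts = []
    for url in HREF_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def check_message(raw, expected=EXPECTED_DOMAINS):
    """Return the sender domain, the link hosts and a list of warning signs."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sdom = sender_domain(msg)
    if registrable_domain(sdom) not in expected:
        findings.append("sender domain %r is not an expected domain" % sdom)
    text = body_text(msg)
    if GENERIC_SALUTATION_RE.search(text):
        findings.append("generic 'Dear Client' salutation")
    hosts = link_hosts(text)
    for host in hosts:
        # Flag any link whose registrable domain is not the expected brand
        # site, including otherwise legitimate file-sharing hosts: the question
        # is "does it point where I'd expect", not "is the host known bad".
        if registrable_domain(host) not in expected:
            findings.append("billing link points to %r" % host)
    return {"sender_domain": sdom, "link_hosts": hosts, "findings": findings}


if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL)["findings"]:
        print("WARNING:", finding)
```

Run against the sample, the check reports four warning signs: the xeronet.org sender, the generic salutation, and two links that do not resolve to xero.com. A message from billing@xero.com with a named account holder and links under xero.com produces none, which is the point of the hover test the article recommends.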