A security provider warns of widespread emails purportedly from the accounting provider that contain a malicious payload.
Email security provider MailGuard is warning of a “very large scale and ongoing” scam involving fake orders from accounting software vendor MYOB.
MailGuard describes the latest email scam as “very well formatted” but there are several clues that should raise any recipient's suspicions.
The email purports to be a supply order from MYOB. That should put you on the alert if you don't already sell goods or services to MYOB.
If you do, the fact that you've never heard of the person purportedly sending the order should make you suspicious.
Finally, the From address doesn't match the purported sender's name, and it isn't in MYOB's or DocuSign's domains. The covering message asks the recipient to “review and electronically sign” the order, which is why DocuSign's name is used. The sample provided by MailGuard showed “Dale Cravatta Dale.Cravatta@myob.com” as the sender in the body, but the From header was “Dale Cravatta via DocuSign annahome@cftf.org.uk”.
It's very easy to spoof a From header, so presumably those behind the campaign deliberately chose to use randomly-selected email addresses to avoid alerting MYOB or DocuSign to the campaign. Large-scale campaigns usually result in a significant number of bouncebacks, which should be noticed by a company's email or security administrators, who hopefully would warn the public of the scam.
If you are foolish enough to click the “Review Document” link, you get a zip file – not all zip files are evil, but you should treat them with suspicion – containing a malicious JavaScript file that downloads a further executable.
MailGuard did not describe the function of the latter file.
It seems to us that the risk here is perhaps not so much that someone really will believe that the message is genuine and intended for their organisation, but that some recipients won't be able to resist the temptation to peek into what appears to be someone else's business.
Either way, the potential damage is the same. So treat unexpected emails with suspicion, tell your staff to do the same, make sure your security software is up to date, and consider using an email filtering service such as MailGuard (which claims to be two to 48 hours ahead of the market in preventing fast-breaking attacks).
“Trusted financial services brands are a popular mask for cybercrime networks who particularly like to 'brandjack' those with a large number of users, increasing the likelihood that users will unwittingly click on a malicious link, or open a suspect file,” said MailGuard CEO Craig McDonald.
“These are sophisticated cybercrime networks who hone their approach, and continually optimise their campaigns like the most skilful of marketing professionals.”
