Trustwave SpiderLabs investigators have identified a new phishing campaign aimed at users of cloud-based business accounting software. The attackers send email to small and midsize businesses that impersonates billing notifications from the accounting provider (Xero, in the sample analyzed). The messages look authentic, but the invoice link leads to malware.
The Trustwave article describes the telltale signs of these messages so you can recognize them before anyone clicks the link.
Here is an outline of what is covered:
Analysis of the Email Header
“We first analyzed the email header for the wealth of information provided there. The name part of the “From” header field suggests that this message was sent from “Xero Billing Notifications”, while the email address is pointing to the domain “xeronet.org” instead of the legit business “xero.com”.
Analyzing the domain “xeronet.org”, we learn that it was registered in China on the same day the campaign was launched (August 16, 2017), using a free Yahoo email address. The domain points to an IP 94.23.4.201 in France.”
Analysis of the Email Body
“Analyzing the email body, it looks like a professionally crafted billing message that recommends that users view their bill invoice online by clicking on the invoice link.
The invoice link in the email body points to a URL hosted on the fake Xero domain, while the other URLs point to the legitimate Xero.com site.”
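The two checks the quoted analysis performs by hand (display name claims one brand while the address domain is a look-alike; one link in the body points off-brand while the rest point to the real site) are easy to automate for a mail gateway or a triage script. The following is an added example written for this post, not code from the Trustwave write-up. The sample message is constructed: the sender local part, subject and invoice path are assumptions, and only "xeronet.org" and "xero.com" come from the analysis above.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above. The display
# name says "Xero", the address domain is the look-alike "xeronet.org", and
# one body link goes to the look-alike while the others go to xero.com.
# The local part, subject and "/invoice/view" path are assumptions.
SAMPLE_EMAIL = """\
From: "Xero Billing Notifications" <messaging-service@xeronet.org>
To: accounts@example.com
Subject: Your Xero invoice is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is ready. <a href="http://xeronet.org/invoice/view">View your bill online</a>.</p>
<p><a href="https://www.xero.com/">Xero</a> | <a href="https://www.xero.com/support/">Help</a></p>
</body></html>
"""

LEGIT_DOMAINS = {"xero.com"}


def registrable_domain(host):
    """Reduce 'www.xero.com' to 'xero.com'. Naive two-label rule; it does not
    handle multi-part public suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_mismatch(msg, brand, legit_domains):
    """Return (display_name, address_domain) when the From display name
    mentions the brand but the address domain is not a legitimate one,
    otherwise None."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2]
    if brand.lower() in name.lower() and registrable_domain(domain) not in legit_domains:
        return name, domain
    return None


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.hrefs


def off_brand_links(msg, legit_domains):
    """Return body links whose host is outside the legitimate domains. A
    single off-brand link among on-brand ones is the pattern from the campaign."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    flagged = []
    for href in extract_links(html):
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in legit_domains:
            flagged.append(href)
    return flagged


def analyse(raw, brand="Xero", legit_domains=LEGIT_DOMAINS):
    """Run both checks on a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "sender_mismatch": sender_mismatch(msg, brand, legit_domains),
        "off_brand_links": off_brand_links(msg, legit_domains),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The domain comparison is deliberately done on the registrable domain rather than on the raw string, so that legitimate subdomains such as www.xero.com are not flagged while xeronet.org is. The registration-date and hosting-country checks from the quoted analysis need a WHOIS or passive-DNS lookup and are not reproduced here.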
Analysis of the Downloaded File
The article then analyzes the malicious JavaScript file delivered by the invoice link, in the section "Xero Invoice and Malware Payload".
Other Reports of Similar Phishing Campaigns
Read the full Trustwave analysis, including how to protect your business from these campaigns, here.
Copy credit – Trustwave and SpiderLabs