Accounting Blog

Fake Accounting Invoices Used to Steal Credentials

Posted on Mon, Sep 11, 2017

Fraud_Alert.pngA recently resurfaced banking Trojan is now being used in a malware/phishing campaign targeting users of accounting services provider Xero. Similar attacks have also been used against users of Intuit and QuickBooks. The goal of these attacks is to gather login details for banking and financial accounts. Here's how it works, what it looks like, and what do if you get this message:

How it works: 

The attack sends a spoofed email message that appears to come from Xero/Intuit/QuickBooks regarding an invoice and attempts to get the recipient to click a link to download the invoice. This link will download a ZIP file which contains another file that appears to be the invoice itself but is actually a malicious JavaScript (.js) file which installs the malware.

What it looks like:

Accounting Scam.jpg

What to do:

  • Before clicking any link in an email, hover your mouse over that link and observe where it will take you. Either a pop-up will appear next to the link, or look at the bottom of your email program to see the actual link address. If you don’t recognize the link or it’s slightly altered(for example, intuito.biz instead of intuit.com) from the official site: Don’t click on it!
  • Be cautious around ZIP files, often they are used by malware to disguise contents.
  • If you have already clicked on or opened something suspicious that doesn’t show or do what you expect: run extra malware scans - in addition to your regular anti-virus software, contact your trusted IT advisors to see if further checks are necessary, and take precautions to change your account passwords especially for financial institutions – from another computer!

Tags: Accounting, Scam Alert, fraud alert, fraud prevention