Xero Phishing Campaign Targets Online Accounting Software Customers

Cyberattackers have launched a new phishing campaign to target Xero online accounting software customers, according to Chicago-based MSSP Trustwave.

The Xero phishing campaign was discovered in August and sends spoofed phishing email messages that appear to come from Xero, Trustwave pointed out.

"Attackers are leveraging the simplicity provided by the email infrastructure to distribute banking trojans to global victims," Trustwave said in a prepared statement.

How Does the Xero Phishing Campaign Work?

Each Xero phishing campaign message contains malicious links, Trustwave indicated. If a user clicks on any of the links, a JavaScript file downloads and launches banking malware on to the victim's computer. Then, the malware steals the victim's personal and private information and leaves him or her vulnerable to cyberattacks.

In addition, the Xero phishing campaign leverages a variant of the Dridex malware, which is designed to steal banking and personal information by injecting itself into web browsers such as Chrome, Firefox and Internet Explorer, according to Trustwave.

Dridex monitors a user's browsing activity and steals sensitive information to target online banks listed in its configuration file, Trustwave stated. It also communicates with several hosts over different ports using SSL, Trustwave said, and leverages encrypted channels for communication over non-standard ports.

Xero Phishing Campaign Highlights New Cyberattack Trend

The Xero phishing campaign represents one of several recent malware attacks that used fake SharePoint URLs to target customers of online financial software services companies, Trustwave said.

Recent malware attacks similar to the Xero phishing campaign included:

To combat phishing attacks, Trustwave recommended online accounting software customers avoid opening any email messages that appear suspicious, zip archives that come from unknown sources and unknown file formats.