
Xero Phishing Campaign Targets Online Accounting Software Customers

Cyberattackers have launched a new phishing campaign to target Xero online accounting software customers, according to Chicago-based MSSP Trustwave.

The Xero phishing campaign was discovered in August and sends spoofed phishing email messages that appear to come from Xero, Trustwave pointed out.

"Attackers are leveraging the simplicity provided by the email infrastructure to distribute banking trojans to global victims," Trustwave said in a prepared statement.

How Does the Xero Phishing Campaign Work?

Each Xero phishing campaign message contains malicious links, Trustwave indicated. If a user clicks on any of the links, a JavaScript file downloads and launches banking malware on the victim's computer. The malware then steals the victim's personal and private information and leaves him or her vulnerable to cyberattacks.

In addition, the Xero phishing campaign leverages a variant of the Dridex malware, which is designed to steal banking and personal information by injecting itself into web browsers such as Chrome, Firefox and Internet Explorer, according to Trustwave.

Dridex monitors a user's browsing activity and steals sensitive information to target online banks listed in its configuration file, Trustwave stated. It also communicates with several hosts over different ports using SSL, Trustwave said, and leverages encrypted channels for communication over non-standard ports.
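As a defensive illustration of the network behavior described above (an added example, not from Trustwave or the original article), the following sketch flags internal hosts that open SSL/TLS sessions to several distinct destinations on non-standard ports. The log format, host names, addresses, port allowlist and threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Ports where TLS is routinely expected (assumption; tune per environment).
STANDARD_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}

# Constructed sample log, one flow per line: time, source host, destination IP,
# destination port, detected protocol. Addresses use documentation ranges.
SAMPLE_LOG = """\
09:14:02 ws-017 203.0.113.10 443 tls
09:14:05 ws-017 198.51.100.7 4493 tls
09:14:09 ws-017 198.51.100.23 8343 tls
09:15:40 ws-017 192.0.2.44 3443 tls
09:16:11 ws-022 203.0.113.10 443 tls
09:16:30 ws-022 203.0.113.80 8080 http
09:17:02 ws-031 192.0.2.90 8883 tls
malformed line without enough fields
"""


def parse_flows(text):
    """Yield (src, dst, port, proto) tuples, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        _, src, dst, port, proto = parts
        yield src, dst, int(port), proto.lower()


def find_suspect_hosts(text, min_peers=2):
    """Map each host to its sorted (dst, port) pairs when it has TLS sessions on
    non-standard ports to at least min_peers distinct destinations."""
    peers = defaultdict(set)
    for src, dst, port, proto in parse_flows(text):
        if proto == "tls" and port not in STANDARD_TLS_PORTS:
            peers[src].add((dst, port))
    return {
        host: sorted(conns)
        for host, conns in peers.items()
        if len({dst for dst, _ in conns}) >= min_peers
    }


if __name__ == "__main__":
    for host, conns in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"{host}: TLS on non-standard ports to {len(conns)} peers -> {conns}")
```

A single TLS session on an unusual port (ws-031 in the sample) is common for legitimate services, which is why the sketch requires several distinct peers before flagging a host.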

Xero Phishing Campaign Highlights New Cyberattack Trend

The Xero phishing campaign represents one of several recent malware attacks that used fake SharePoint URLs to target customers of online financial software services companies, Trustwave said.

Recent malware attacks similar to the Xero phishing campaign included:

  • Fake MYOB Campaign: This attack was discovered August 24 and contained within 24 hours.
  • Fake QuickBooks Campaign: This attack was found August 23 and concluded after a 24-hour period.
  • Fake Dropbox Campaign: This attack began August 21 and was stopped within 24 hours.

To combat phishing attacks, Trustwave recommended that online accounting software customers avoid opening email messages that appear suspicious, zip archives that come from unknown sources, and files in unknown formats.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds an M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.