The Xero phishing campaign, discovered in August, sends spoofed email messages that appear to come from Xero, Trustwave pointed out.
"Attackers are leveraging the simplicity provided by the email infrastructure to distribute banking trojans to global victims," Trustwave said in a prepared statement.
How Does the Xero Phishing Campaign Work?
The Xero phishing campaign leverages a variant of the Dridex malware, which is designed to steal banking and personal information by injecting itself into web browsers such as Chrome, Firefox and Internet Explorer, according to Trustwave.
Dridex monitors a user's browsing activity and steals sensitive information to target online banks listed in its configuration file, Trustwave stated. It also communicates with several hosts over different ports using SSL, Trustwave said, and leverages encrypted channels for communication over non-standard ports.
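The network behavior described above (SSL sessions to several hosts on non-standard ports) can be hunted for in connection logs. The following is an added example, not code from Trustwave or the original article; the log format, the list of expected TLS ports and the threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Assumption: ports where TLS is expected on this network; tune per site.
STANDARD_TLS_PORTS = {443, 465, 636, 853, 993, 995}

# Constructed sample: time, source, destination, dest port, service as
# identified by a protocol-aware sensor. Addresses are documentation
# ranges (RFC 5737), not real indicators.
SAMPLE_LOG = """\
09:00:01 10.0.0.5 198.51.100.10 443 ssl
09:00:04 10.0.0.7 203.0.113.20 4431 ssl
09:00:09 10.0.0.7 203.0.113.21 8343 ssl
09:00:15 10.0.0.7 198.51.100.30 3889 ssl
09:00:20 10.0.0.5 198.51.100.11 8080 http
09:00:31 10.0.0.9 192.0.2.44 8443 ssl
09:00:40 10.0.0.7 203.0.113.20 4431 ssl
malformed line
"""

def parse(line):
    """Return (src, dst, port, service), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    _, src, dst, port, service = parts
    return src, dst, int(port), service.lower()

def flag_hosts(log_text, min_dests=3):
    """Map each internal host to its TLS sessions on non-standard ports,
    keeping only hosts that reached at least min_dests distinct servers."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, port, service = rec
        if service in ("ssl", "tls") and port not in STANDARD_TLS_PORTS:
            seen[src].add((dst, port))  # set removes repeat sessions
    return {
        src: sorted(pairs)
        for src, pairs in seen.items()
        if len({dst for dst, _ in pairs}) >= min_dests
    }

if __name__ == "__main__":
    for host, sessions in flag_hosts(SAMPLE_LOG).items():
        print(host, sessions)
```

A single TLS session on an unusual port is common in benign traffic, which is why the example requires several distinct destinations before flagging a host.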
Xero Phishing Campaign Highlights New Cyberattack Trend
The Xero phishing campaign represents one of several recent malware attacks that used fake SharePoint URLs to target customers of online financial software services companies, Trustwave said.
Recent malware attacks similar to the Xero phishing campaign included:
- Fake MYOB Campaign: This attack was discovered August 24 and contained within 24 hours.
- Fake QuickBooks Campaign: This attack was found August 23 and concluded after a 24-hour period.
- Fake Dropbox Campaign: This attack began August 21 and was stopped within 24 hours.
To combat phishing attacks, Trustwave recommended that online accounting software customers avoid opening email messages that appear suspicious, zip archives from unknown sources and files in unknown formats.