Emmanuel Marshall 13 February 2018 13:07:04 AEDT

Another bogus Quickbooks email links to malware 

This is the second email scam mimicking a Quickbooks notification that MailGuard has detected today. As you can see in the screenshot above, the message is meant to look like an invoice notification message.

Although this scam looks superficially similar to the one from earlier today, the sender addresses and underlying mechanisms of this attack are actually quite different.

The fact that this scam is so superficially similar to the one MailGuard intercepted earlier could indicate that the two attacks have been released by the same criminals, but because there are significant differences in the way the scams work, that is not necessarily the case. 

Malware as a service (MaaS) is a fast-growing phenomenon in the cybercrime world so it’s quite likely that these two emails are actually the work of different scammers using the same off-the-shelf malware package, bought from an underground vendor and then adapted for their own specific purposes.

You can read more about MaaS, and the way it is used by scammers in our blog post, here.

This scam is designed to look like an invoice notification created through the Quickbooks system, but of course it is really just a ruse to get the victim to click on the ‘view invoice’ link in the message. This link takes the victim to a compromised WordPress domain, which then redirects them to an archived file that contains malicious JavaScript code.

Malware created in JavaScript can perform a wide variety of functions; it is commonly used to install spyware and botnet worms on computer systems and to deliver ransomware.

This message displays a wide variety of different ‘subject’ field variants, including:

  • Subject: Invoice 07766 from Mathers Shoes
  • Subject: Invoice 06108 from Master Shopfitters
  • Subject: Invoice 05247 from Skilled Design Consultants
  • Subject: Invoice 07729 from Cafe Bellissimo
  • Subject: Invoice 09510 from Hillyer Riches
  • Subject: Invoice 09549 from Circa Property Pty Ltd
  • Subject: Invoice 04977 from Fresh Outlook
  • Subject: Invoice 05454 from Charles Lloyd Property Group
  • Subject: Invoice 08418 from Pacific Shopping Centres Australia Pty Ltd
  • Subject: Invoice 01552 from Stokegreen Group Pty Ltd
  • Subject: Invoice 08240 from ATF Services
  • Subject: Invoice 00743 from Allcraft Cabinet Works
  • Subject: Invoice 04754 from Ross Engineering Pty Ltd
  • Subject: Invoice 04977 from Spruce Property Presentation
  • Subject: Invoice 00118 from Vision Real Estate Pty Ltd
  • Subject: Invoice 00322 from Cunningham Property Consultant Pty Ltd
  • Subject: Invoice 08605 from Thurley
  • Subject: Invoice 09352 from G T Builders Pty Ltd
  • Subject: Invoice 06516 from Total Construction Pty Ltd

The message is also designed to display a range of different sender names and email addresses, including:

  • From: "Pearce-Higgins Simon" <sale@eliancomplianceservices.com>
  • From: "Empower Wealth" <admin@jwmitchell.com>
  • From: "Newquay Display Suites" <support@eliancomplianceservices.com>
  • From: "Hidden Beauty" <sale@plookie.com>
  • From: "Stoneleighton Developments Pty Ltd" <sale@kelseykmartin.com>
  • From: "Golf Club Properties Pty Ltd" <info@capitalgoldscam.com>
  • From: "Silk Homes" <admin@eliancomplianceservices.com>
  • From: "MAB Corporation Pty Ltd" <billing@manhoodgrooming.com>
  • From: "DCG" <admin@cadenaexportadora.com>
  • From: "Heng Sheng Asian Grocery" <no-reply@webcereals.com>
  • From: "Video Essentials" <admin@dolumcu.com>
  • From: "MacLaw 651 Pty Ltd" <mail@mckinleylosee.com>
  • From: "Kennedy Plumbing" <admin@aconferenceline.net>
  • From: "Millar Accounting Group" <admin@plookie.com>
  • From: "Property Dynamics" <sale@lowriderhaven.com>
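The subject variants above all share one shape, and the senders use unrelated domains, so a mail gateway rule can key on both. The following is an added example, not MailGuard's detection logic: the trusted-domain allowlist, the display-name heuristic, the function names and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Subject shape shared by every variant listed in the post.
SUBJECT_RE = re.compile(r"^Invoice (\d{5}) from (.+)$", re.IGNORECASE)
# Assumption: the sender domains you accept for genuine QuickBooks invoices.
TRUSTED_DOMAINS = {"notification.intuit.com"}

def sender_trusted(domain: str) -> bool:
    """True for a trusted domain or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(raw: str) -> dict:
    """Return a verdict and the reasons for one raw RFC 5322 message."""
    # policy.default unfolds and decodes headers before we inspect them.
    msg = message_from_string(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split())
    display, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    match = SUBJECT_RE.match(subject)
    if not match:
        return {"verdict": "pass", "reasons": []}
    reasons = ["subject has the 'Invoice NNNNN from <business>' shape"]
    verdict = "pass"
    # Assumed heuristic: a genuine notice names the invoicing business in From.
    if match.group(2).casefold() not in display.casefold():
        reasons.append("From display name does not name the invoicing business")
        verdict = "review"
    if not sender_trusted(domain):
        reasons.append(f"sender domain {domain or '(none)'} is not trusted")
        verdict = "quarantine"
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample messages (not taken from the campaign).
LURE = ('From: "Example Trading" <admin@mailer.example.net>\n'
        "Subject: Invoice 01234 from Example Cabinets Pty Ltd\n\nView invoice\n")
GENUINE = ('From: "Example Cabinets Pty Ltd" <quickbooks@notification.intuit.com>\n'
           "Subject: Invoice 01234 from Example Cabinets Pty Ltd\n\nView invoice\n")
UNRELATED = "From: alice@example.org\nSubject: Lunch on Friday\n\nNoon?\n"

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("genuine", GENUINE), ("unrelated", UNRELATED)):
        print(name, triage(raw))
```
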

MailGuard has prevented this scam email from reaching our clients, but it may still turn up in your inbox if you do not have MailGuard protection.

If you see this message, delete it immediately to avoid harm to your computer system.


Take Action to Defend Your Business

Malware attacks can be enormously costly and destructive and new scams are appearing every day. Don’t wait until it happens to your business; take action to protect your company from financial and reputational damage, now.

Effective cybersecurity requires a multi-layered strategy. For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering protection. You’ll significantly reduce the risk of malicious email entering your network. Talk to an expert at MailGuard today about your company's cybersecurity needs: 1300 30 44 30
