Brandjacked! Major ongoing email attack impersonates MYOB with fake DocuSign supply order

Posted by Daniel McShanag on 25 October 2017 20:44:35 AEDT

In a very large-scale and ongoing email scam, cybercriminals are yet again impersonating accounting firm MYOB, delivering a fraudulent DocuSign supply order to inboxes. This is the second ‘brandjacking’ of MYOB in the space of the last week, following a similar invoice scam impersonating the leading accounting software last Tuesday.

[Screenshot: the "Your MYOB Supply Order" email as displayed in Mozilla Thunderbird]

This time around, the sophisticated scam features two email variants. The first is plain text and is meaningless spam, with no malicious links or payloads, while the second email variant is very well formatted HTML that could easily fool users who may unwittingly click to see what’s inside.

The link in this second email variant points to a compromised SharePoint site hosting a ZIP file containing a malicious JavaScript file, a common technique that we are seeing with increasing regularity. The file appears to be a dropper that downloads a further executable file from yet another (different) compromised SharePoint account.

[Screenshot: the "Opening Supply Order.zip" download dialog]

In this sophisticated attack, the display address and the sending address are variable, changing every time, with the display address in the body appearing as from various individuals purporting to be from @myob. A quick internet search of these names reveals that none of the individuals are actual MYOB employees.

The ‘From’ address is also made up of random names, each followed by ‘via DocuSign’. Here are just a few examples of the ‘From’ variations we are seeing.

From: "Olivia Toalson via DocuSign" <ana.s(at)sankenwin.com>

From: "Christina Chinick via DocuSign" <busra.cangul(at)epkom.com>

From: "Nicholas Zugg via DocuSign" <chris.nowaczyk(at)pcgmailer.com>

From: "Jesse Lints via DocuSign" <admin(at)thenewpinetree.co.uk>

From: "Kane Goffe via DocuSign" <binil.george(at)ospyn.com>
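The mismatch visible in these headers, a display name claiming DocuSign over a sending domain unrelated to it, is something a mail filter can check directly. The following Python is an added example, not MailGuard's detection logic; the trusted-domain list and the function names are assumptions, and the two control headers are constructed.

```python
from email.utils import parseaddr

# Assumption: domains treated as genuine DocuSign senders. Adjust to your own allowlist.
TRUSTED_DOMAINS = {"docusign.net", "docusign.com"}
BRAND_MARKER = "via docusign"


def sender_domain(from_header):
    """Return (display_name, domain) for a From header, undoing '(at)' defanging."""
    value = from_header.strip()
    if value.lower().startswith("from:"):
        value = value[5:].strip()
    name, addr = parseaddr(value.replace("(at)", "@"))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return name, domain


def is_trusted(domain):
    """True if domain is a trusted domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_brand_spoof(from_header):
    """Flag a display name that claims DocuSign while the address domain does not."""
    name, domain = sender_domain(from_header)
    if BRAND_MARKER not in name.lower():
        return False
    return not is_trusted(domain)


# Headers quoted in the post, followed by two constructed controls.
SAMPLES = [
    'From: "Olivia Toalson via DocuSign" <ana.s(at)sankenwin.com>',
    'From: "Jesse Lints via DocuSign" <admin(at)thenewpinetree.co.uk>',
    'From: "Jane Doe via DocuSign" <dse@docusign.net>',        # constructed, trusted domain
    'From: "Jane Doe via DocuSign" <dse@notdocusign.net>',     # constructed lookalike
]

if __name__ == "__main__":
    for header in SAMPLES:
        verdict = "SUSPICIOUS" if is_brand_spoof(header) else "ok"
        print(f"{verdict:10} {header}")
```

The suffix match requires a leading dot, so a lookalike such as `notdocusign.net` is not accepted as a subdomain of the trusted domain.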

Trusted financial services brands are a popular mask for cybercrime networks who particularly like to ‘brandjack’ those with a large number of users, increasing the likelihood that users will unwittingly click on a malicious link, or open a suspect file.

These are sophisticated cybercrime networks who hone their approach, and continually optimize their campaigns like the most skillful of marketing professionals. MYOB was impersonated in scams reported by MailGuard in June, September and October, along with other accounting software brands like Xero and Sage.

MailGuard urges email users to hesitate before clicking any type of attachment or link in an email if they’re uncertain of its legitimacy.

For a few dollars per staff member per month, add MailGuard's cloud-based email and web security to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network.
