Daniel McShanag 25 October 2017 20:44:35 AEDT

Brandjacked! Major ongoing email attack impersonates MYOB with fake DocuSign supply order

In a very large-scale and ongoing email scam, cybercriminals are yet again impersonating accounting firm MYOB, delivering a fraudulent DocuSign supply order to inboxes. This is the second ‘brandjacking’ of MYOB in the space of the last week, following a similar invoice scam that impersonated the leading accounting software last Tuesday.


This time around, the sophisticated scam features two email variants. The first is plain text and is meaningless spam, with no malicious links or payloads, while the second email variant is very well formatted HTML that could easily fool users who may unwittingly click to see what’s inside.

The link in this second email variant points to a compromised SharePoint site hosting a ZIP file containing a malicious JavaScript file, a common technique that we are seeing with increasing regularity. The file appears to be a dropper that downloads a further executable file from yet another (different) compromised SharePoint account.


In this sophisticated attack, the display address and the sending address are variable, changing every time, and the display address in the body appears to come from various individuals purporting to be from @myob. A quick internet search of these names reveals that none of the individuals are actual MYOB employees.

The ‘From’ address is also made up of random names, quickly followed by ‘via DocuSign.’ Here are just a few examples of the ‘From’ variations we are seeing.

From: "Olivia Toalson via DocuSign" <ana.s(at)sankenwin.com>

From: "Christina Chinick via DocuSign" <busra.cangul(at)epkom.com>

From: "Nicholas Zugg via DocuSign" <chris.nowaczyk(at)pcgmailer.com>

From: "Jesse Lints via DocuSign" <admin(at)thenewpinetree.co.uk>

From: "Kane Goffe via DocuSign" <binil.george(at)ospyn.com>
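The mismatch visible in these headers (a display name claiming DocuSign, a sending domain unrelated to it) can be checked mechanically. The following is an added example, not MailGuard's code; the trusted-domain list and the function names are assumptions to adapt to your own mail flow.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption: the domains your legitimate DocuSign notifications arrive from.
# Confirm against real mail in your own environment before enforcing.
TRUSTED_DOMAINS = {"docusign.net", "docusign.com"}
VIA_BRAND = re.compile(r"\bvia\s+docusign\b", re.IGNORECASE)

def is_trusted(domain):
    """True for a trusted domain or any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_from(header_value):
    """Return (verdict, display_name, sending_domain) for one From value."""
    # Undo the '(at)' defanging first: parentheses are comments in RFC 5322
    # and would otherwise be dropped by the address parser.
    display, address = parseaddr(header_value.replace("(at)", "@"))
    # Decode RFC 2047 encoded-words so an encoded display name cannot hide
    # the brand claim from the pattern match.
    display = str(make_header(decode_header(display)))
    domain = address.rpartition("@")[2].lower()
    if not VIA_BRAND.search(display):
        return ("no-brand-claim", display, domain)
    verdict = "ok" if is_trusted(domain) else "brand-mismatch"
    return (verdict, display, domain)

# From values quoted in the article, plus constructed controls.
SAMPLES = [
    '"Olivia Toalson via DocuSign" <ana.s(at)sankenwin.com>',
    '"Jesse Lints via DocuSign" <admin(at)thenewpinetree.co.uk>',
    '=?utf-8?q?Kane_Goffe_via_DocuSign?= <binil.george(at)ospyn.com>',  # constructed encoding
    '"Example Sender via DocuSign" <notify@docusign.net>',              # constructed
    '"Example Sender via DocuSign" <notify@docusign.net.example.org>',  # constructed lookalike
    '"Example Sender" <someone@example.org>',                           # constructed
]

if __name__ == "__main__":
    for value in SAMPLES:
        verdict, display, domain = check_from(value)
        print(f"{verdict:15} {domain:28} {display}")
```

A display-name check like this complements SPF, DKIM and DMARC results rather than replacing them, since those evaluate the sending domain and not the name shown to the user.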

Trusted financial services brands are a popular mask for cybercrime networks who particularly like to ‘brandjack’ those with a large number of users, increasing the likelihood that users will unwittingly click on a malicious link, or open a suspect file.

These are sophisticated cybercrime networks who hone their approach and continually optimize their campaigns like the most skillful of marketing professionals. MYOB was impersonated in scams reported by MailGuard in June, September and October, along with other accounting software brands like Xero and Sage.

MailGuard urges email users to hesitate before clicking any type of attachment or link in an email if they’re uncertain of its legitimacy.

For a few dollars per staff member per month, add MailGuard's cloud-based email and web security to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network.
