Large Scale Fake Invoice Scam Launched

Posted by Emmanuel Marshall on 05 December 2017 16:00:00 AEDT

This morning MailGuard detected a very large batch of scam emails with fake invoice links.

The scam emails we picked up today are linking to fake invoices with a variety of branding including ‘Russian Accent,’ ‘Capital Kitchen,’ ‘Allband Antennas,’ and many others.

Today’s incident follows a similar one yesterday which used fake ‘Bakerdays’ branding.

The screenshots below show the appearance of some of the fake invoice emails:

Invoice INV-0601 from Russian Accent - Mozilla Thunderbird_318.png

Invoice INV-0601 from Capital Kitchen - Mozilla Thunderbird_314.png

Invoice INV-0601 from Allband Antennas - Mozilla Thunderbird_317.png

There are a very wide variety of brand-names being exploited by this scam. MailGuard has detected messages pretending to be from:

  • The Hopkins Group
  • Tijac Pty Ltd
  • Lms Lawyers Services
  • Catering Now
  • Allcraft Cabinet Works
  • Resolution Propety Group Pty Ltd
  • Becton Property Group Limited
  • Pearce-Higgins Simon
  • OneLeap Finance
  • Fence Factory
  • Rocdon Development Pty Ltd
  • Posh Opp Shoppe
  • Red Earth Developments Australia Pty Ltd
  • Mutual Property Consultant
  • Brilliance Developments
  • J N Mousellis Civil Contractors
  • McInnes Management
  • McKinnon Cabinetmakers
  • Oxfam Shop
  • FKP Property Group
  • Jimmy Choo
  • Silk Homes
  • CT Corporate Living
  • Native Design Workshop
  • Dexus Property Group
  • Burger Martine Dr.
  • Mitchell Brandtman
  • BO Group
  • Burger Martine Dr.
  • Asian Wok

Although there are a wide variety of brands included in these emails and the amounts of the fake invoices changes, all the messages seem to include the text ‘INV-0601’ in the subject line.

These messages appear to originate from newly registered domains, created through a Chinese registry company: intaras[dot]com; intaset[dot]com; intelts[dot]com; and intetel[dot]com.

As was the case in yesterday’s email attack, these messages contain a ‘View Invoice’ link which directs the victim to a .zip file on a compromised SharePoint account. If they download and open the .zip file, it activates JavaScript code which downloads malware to their computer.

Opening Invoice INV-0601.zip_315.png

Invoice _316.png

Although MailGuard successfully intercepted these malicious email messages this morning, no other security vendors had blocked them, so there may be a lot of these scam emails landing in unprotected inboxes today.
Exercise caution if you see any messages from unfamiliar senders especially if they include the text ‘INV-0601’ in the subject line.
Similarly, beware of messages from senders with domain details; intaras[dot]com; intaset[dot]com; intelts[dot]com; or intetel[dot]com.

Criminal-intent email of this type can be extremely damaging. JavaScript payloads like the one these messages link to can do many things from installing malware or spyware on computers to encrypting files and locking hard drives.


Protect Your Inbox

All criminals need to break into your business is a cleverly worded email; if they can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's cloud-based email and web filtering security.
Talk to an expert at MailGuard today about making your company's network secure: click here.

Stay up-to-date with new posts on the MailGuard Blog by subscribing to free updates. Click on the button below:

Keep Informed with Weekly Updates


Topics: cybercrime QuickBooks attack Threat Update

Back to Blog


    Something Powerful

    Tell The Reader More

    The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


    • Bullets are great
    • For spelling out benefits and
    • Turning visitors into leads.

    Recent Posts

    Posts by Topic

    see all