Katherine Chong, 27 June 2018 14:08:31 AEST

Large scale Xero invoice scam exploits EOFY accounting activity

A malicious email campaign impersonating Xero was detected and blocked by MailGuard today. The invoice, designed to look as though it was sent through the Xero accounting platform, encourages the recipient to click through to view it.

The link, however, directs the user to a compromised SharePoint site, where malicious JavaScript content is downloaded and executed. The bogus destination domain, xerostate(dot)com (WARNING: do not open), was registered only within the past 24 hours, in China.

The subject line is “Bill 18322 from [random company] is due soon.” The sender display name, email address and invoice amount vary considerably. The purported senders are actual registered Australian businesses, ostensibly the result of previous credential scraping activity.

At the time of publication, no other security vendors are listed on VirusTotal as detecting the link. The MailGuard team is monitoring for variants.
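As an added illustration (not MailGuard's code or detection logic), the following Python script applies the indicators described above to constructed sample messages: a subject following the "Bill <number> from <company> is due soon" pattern, a "view invoice" link that points anywhere other than Xero's own domain, and a link domain that was registered very recently. The xero.com allowlist, the two sample messages and the in-memory domain-age table are assumptions made for the example; a real deployment would replace the table with a WHOIS/RDAP lookup and the crude two-label domain split with a public-suffix list.

```python
"""Heuristic triage for Xero-themed invoice lures (added example, not MailGuard's code)."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject pattern quoted in the post: "Bill 18322 from [random company] is due soon."
SUBJECT_RE = re.compile(r"^Bill \d+ from .+ is due soon\.?$", re.IGNORECASE)

# Assumption: genuine Xero invoice links live under xero.com; anything else is off-brand.
XERO_DOMAINS = ("xero.com",)

# Stand-in for a WHOIS/RDAP query so the example runs offline. The ages are constructed,
# apart from xerostate.com, which the post says was registered within the past 24 hours.
DOMAIN_AGE_DAYS = {"xerostate.com": 0, "xero.com": 3000}
NEW_DOMAIN_THRESHOLD_DAYS = 7


class LinkExtractor(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(msg: Message):
    """Return every URL found in the text/html and text/plain parts of a message."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "text/plain"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            parser = LinkExtractor()
            parser.feed(body)
            links.extend(parser.links)
        else:
            links.extend(re.findall(r"https?://\S+", body))
    return links


def is_xero_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in XERO_DOMAINS)


def registrable_domain(host: str) -> str:
    # Crude: keep the last two labels. Fine for the sample; use a public-suffix list in production.
    return ".".join(host.lower().split(".")[-2:])


def triage(raw: str) -> dict:
    """Flag a message only when the Xero-themed subject and an off-brand link coincide."""
    msg = message_from_string(raw)
    reasons = []
    subject_hit = bool(SUBJECT_RE.match(msg.get("Subject", "").strip()))
    if subject_hit:
        reasons.append("subject matches campaign pattern")
    offbrand_link = False
    for link in extract_links(msg):
        host = urlparse(link).hostname or ""
        if not host or is_xero_host(host):
            continue
        offbrand_link = True
        reasons.append(f"invoice link points off-brand: {host}")
        age = DOMAIN_AGE_DAYS.get(registrable_domain(host))
        if age is not None and age <= NEW_DOMAIN_THRESHOLD_DAYS:
            reasons.append(f"link domain registered {age} day(s) ago")
    return {"flagged": subject_hit and offbrand_link, "reasons": reasons}


# Constructed sample messages modelled on the post's description (not real captures).
LURE = """From: Accounts <accounts@example-business.com.au>
Subject: Bill 18322 from Example Pty Ltd is due soon.
Content-Type: text/html; charset="utf-8"

<p>Hi, your bill is ready.</p>
<a href="http://xerostate.com/view/18322">View your bill online</a>
"""

GENUINE = """From: Xero <noreply@xero.com>
Subject: Bill 18322 from Example Pty Ltd is due soon.
Content-Type: text/html; charset="utf-8"

<a href="https://in.xero.com/abc123">View your bill online</a>
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("genuine", GENUINE)):
        print(label, triage(sample))
```

The subject match on its own is deliberately not enough to flag a message, since legitimate reminders can share the wording; the decision rests on where the "view" link actually goes, with the domain age adding confidence rather than deciding the outcome.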

Capitalising on EOFY activity

Xero, the market leader in SMB accounting software with a customer base of about half a million businesses in Australia, is often the target of brand impersonation. Xero-branded scams occur regularly; however, the end of the fiscal year, with its associated spike in accounting activity, is an especially opportune moment for cyber criminals.

Why JavaScript is a weapon of choice for cyber criminals

JavaScript files do not require user interaction for malware to execute: the code runs as soon as a user browses to a page that includes it. Given that 93.6% of all websites use JavaScript, the opportunity for data thieves is huge. Malicious JS code is typically designed to track on-page activity (scrolling, mouse movements, keystrokes) and browsing habits by reading browser cookies. This often precedes actual data theft and social engineering attempts.

Read more about how JS code attacks websites.

Don’t become the next victim

According to the FBI, email fraud is still the number one cyber crime.

Protect your employees by:

  • Ensuring all software is updated (for web browsers, apps, operating systems)
  • Driving a strong culture of cyber literacy to shape user behaviour (educate your employees about the tell-tale characteristics of a suspicious email sent with criminal intent)
  • Having robust content (email and web) filtering solutions in place.

For a few dollars per staff member per month, you can have the peace of mind of MailGuard's comprehensive cloud-based email and web filtering. You’ll significantly reduce the risk of zero-day (previously unknown) threats and stop new variants of malicious email from entering your network.

Keep up to date on the latest scams by subscribing to MailGuard updates or follow us on social media.

If you’re experiencing problems with email scams you can speak to one of MailGuard's cloud security specialists right now on 1300 30 44 30.