MYOB brand hijacked again in malware scam

Posted by Jaclyn McRae on 21 June 2017 13:11:45 AEST

 Australians have been urged to take a second look before viewing an online invoice purportedly issued by MYOB.

The well-known accounting software company is being mimicked in a malware scam currently circulating.

Distribution began this afternoon and quickly escalated to become one of the biggest scam email influxes detected by MailGuard in the past 12 months.

The malicious invoices purport to come from various companies, and include ‘Powered by MYOB’ branding at the bottom of the message in an effort to convey legitimacy.

Invoice INV-P0655 from PAYLESS LOANS PTY LTD - Mozilla Thunderbird_007.png

Invoice INV-P0259 from WINCHESTER O'ROURKE PTY LTD - Mozilla Thunderbird_006.png

The email trades on the trusted reputation of the Australian software company – and the innocent suppliers whose names are used in an attempt to dupe people into clicking the link. It’s a common tactic used by cybercriminals.

Why are brand-impersonation scam emails so popular?

There are many factors. But in short, cybercriminals prefer to rely on the hard work of others.

By targeting popular brands, recipients are more likely to have a relationship with the company being impersonated. That’s an instant foot in the door. 

Here’s some more information on why online criminals hide behind trusted brands.

Why the risk extends beyond professionals who use MYOB for invoicing

MYOB – and the companies that use this software – are innocent parties in this invoice scam.

But it’s not just direct customers at risk. Because the fraud email has been distributed so widely, and many innocent companies have had their name included as the invoice issuer, it widens the net with regard to the number of people susceptible to clicking the malicious link.

This presents a real risk – particularly for businesses that enable employees to check their personal email on work computers.

Details about the scam email

The ‘view invoice’ button links to a hosted .ZIP file containing malware. The domain was registered yesterday with a China-based registrar.

The sender display name varies but the displayed (and actual) sending address is noreply @ financialaccountant .info

The ‘View invoice’ button links to a .ZIP archive file which contains a malicious JavaScript file.

This type of malware:

  • Steals private information from local Internet browsers
  • Installs itself for autorun at Windows startup
  • It also implements a process that significantly delays the analysis task.

MailGuard detected a similar scam in April:

For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering solution to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network. Talk to an expert at MailGuard today about your company's cybersecurity needs:

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update, or follow us on Twitter @MailGuard.

Keep Informed with Weekly Updates


^ Back to Top

Topics: Malware email scam Cybersecurity cybercrime Survivingcybercrime myob

Back to Blog


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all