February 16, 2018: Another bogus Quickbooks email links to malware

Emmanuel Marshall from MailGuard writes:

This is the second email scam mimicking a Quickbooks notification. As you can see in the screenshot, the message is meant to look like an invoice notification message.

Although this scam looks superficially similar to the one from earlier today, the sender addresses and underlying mechanisms of this attack are actually quite different.

The fact that this scam is so superficially similar to the one intercepted earlier could indicate that the two attacks have been released by the same criminals, but because there are significant differences in the way the scams work, that is not necessarily the case.

Malware as a service (MaaS) is a fast-growing phenomenon in the cybercrime world so it’s quite likely that these two emails are actually the work of different scammers using the same off-the-shelf malware package, bought from an underground vendor and then adapted for their own specific purposes.

This scam is designed to look like an invoice notification created through the Quickbooks system but, of course, it is really just a ruse to get the victim to click on the ‘view invoice’ link in the message. This link takes the victim to a compromised WordPress domain, which then redirects them to an archived file which contains malicious JavaScript code.

Malware created in JavaScript can perform a wide variety of functions; it is commonly used to install spyware and botnet worms on computer systems and to deliver ransomware.

This message displays a wide variety of different ‘subject’ field variants, including:

Subject: Invoice 07766 from Mathers Shoes
Subject: Invoice 06108 from Master Shopfitters
Subject: Invoice 05247 from Skilled Design Consultants
Subject: Invoice 07729 from Cafe Bellissimo
Subject: Invoice 09510 from Hillyer Riches
Subject: Invoice 09549 from Circa Property Pty Ltd
Subject: Invoice 04977 from Fresh Outlook
Subject: Invoice 05454 from Charles Lloyd Property Group
Subject: Invoice 08418 from Pacific Shopping Centres Australia Pty Ltd
Subject: Invoice 01552 from Stokegreen Group Pty Ltd
Subject: Invoice 08240 from ATF Services
Subject: Invoice 00743 from Allcraft Cabinet Works
Subject: Invoice 04754 from Ross Engineering Pty Ltd
Subject: Invoice 04977 from Spruce Property Presentation
Subject: Invoice 00118 from Vision Real Estate Pty Ltd
Subject: Invoice 00322 from Cunningham Property Consultant Pty Ltd
Subject: Invoice 08605 from Thurley
Subject: Invoice 09352 from G T Builders Pty Ltd
Subject: Invoice 06516 from Total Construction Pty Ltd

The message is also designed to display a range of different sender names and email addresses, including:

From: “Pearce-Higgins Simon”
From: “Empower Wealth”
From: “Newquay Display Suites”
From: “Hidden Beauty”
From: “Stoneleighton Developments Pty Ltd”
From: “Golf Club Properties Pty Ltd”
From: “Silk Homes”
From: “MAB Corporation Pty Ltd”
From: “DCG”
From: “Heng Sheng Asian Grocery”
From: “Video Essentials”
From: “MacLaw 651 Pty Ltd”
From: “Kennedy Plumbing”
From: “Millar Accounting Group”
From: “Property Dynamics”

If you see this message delete it immediately to avoid harm to your computer system.
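The subject-line pattern, the off-platform ‘view invoice’ link and the JavaScript-in-an-archive payload described above are the three things a mail gateway or responder can check for. The following triage script is an added example, not MailGuard's code or anything from the original post. Everything in it is constructed: the two sample messages, the hostnames, and the in-memory zip standing in for the served archive. The allow-list of Intuit-owned domains and the "WordPress path in the link" heuristic are assumptions made for the example, not facts stated in the post.

```python
"""Triage for the 'Invoice NNNNN from <company>' lure (added example, not MailGuard's code).

Sample messages, hostnames and the archive below are constructed. The Intuit
allow-list and the WordPress path heuristic are assumptions for illustration.
"""
import io
import re
import zipfile
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject shape shared by every variant listed in the post.
SUBJECT_RE = re.compile(r"^Invoice \d{5} from .+", re.IGNORECASE)
# Assumption: genuine QuickBooks invoice mails only link to Intuit-owned hosts.
INTUIT_HOSTS = ("intuit.com", "quickbooks.com")
# Assumption: a 'view invoice' link landing on a WordPress path is the
# compromised-site hop the post describes.
WORDPRESS_PATH_RE = re.compile(r"/wp-(content|includes|admin)/", re.IGNORECASE)
# Script-type archive members (the post names JavaScript as the payload).
SCRIPT_EXTS = (".js", ".jse", ".wsf")


class _LinkCollector(HTMLParser):
    """Collect every href from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def _html_body(msg: Message) -> str:
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(errors="replace")
    return ""


def _is_intuit_host(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in INTUIT_HOSTS)


def triage_message(raw: str) -> dict:
    """Return subject, matched indicators and a verdict for one raw message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches campaign pattern")
    collector = _LinkCollector()
    collector.feed(_html_body(msg))
    for link in collector.links:
        parsed = urlparse(link)
        if parsed.scheme not in ("http", "https"):
            continue
        if not _is_intuit_host(parsed.hostname or ""):
            reasons.append(f"invoice link leaves Intuit domains: {parsed.hostname}")
        if WORDPRESS_PATH_RE.search(parsed.path):
            reasons.append(f"link hits a WordPress path: {parsed.path}")
    # The subject alone also matches real QuickBooks mail, so one indicator is
    # only a hint; two independent ones mark the lure.
    verdict = "lure" if len(reasons) >= 2 else ("suspicious" if reasons else "clean")
    return {"subject": subject, "reasons": reasons, "verdict": verdict}


def archive_has_script(data: bytes) -> list:
    """Names of script members inside the zip the redirect served."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]


# --- constructed samples ---------------------------------------------------
LURE = """From: "Kennedy Plumbing" <billing@example-sender.test>
Subject: Invoice 07766 from Mathers Shoes
Content-Type: text/html; charset=utf-8

<html><body>Your invoice is ready.
<a href="http://compromised-blog.test/wp-content/uploads/inv.php">View invoice</a>
</body></html>
"""

GENUINE = """From: "QuickBooks" <quickbooks@notification.intuit.com>
Subject: Invoice 01234 from Example Co
Content-Type: text/html; charset=utf-8

<html><body><a href="https://connect.intuit.com/portal/x">View invoice</a></body></html>
"""


def build_sample_archive() -> bytes:
    """Constructed zip standing in for the archive behind the link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_07766.js", "// constructed stand-in, not real malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    for raw in (LURE, GENUINE):
        print(triage_message(raw))
    print(archive_has_script(build_sample_archive()))
```

The constructed genuine message deliberately shares the subject format, which is why the script only calls it "suspicious": the subject lines in the list above copy QuickBooks' real notification style, so the decisive signals are where the ‘view invoice’ link actually goes and whether what it serves is a script archive rather than an invoice.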