Emmanuel Marshall from mailguard writes:<\/p>\n
This is the second email scam mimicking a Quickbooks notification. As you can see in the screenshot, the message is meant to look like an invoice notification message.<\/p>\n
Although this scams looks superficially similar to the one from earlier today, the sender addresses and underlying mechanisms of this attack are actually quite different.<\/p>\n
The fact that this scam is so superficially similar to the one intercepted earlier could indicate that the two attacks have been released by the same criminals, but because there are significant differences in the way the scams work, that is not necessarily the case. <\/p>\n
Malware as a service (MaaS) is a fast-growing phenomenon in the cybercrime world so it\u2019s quite likely that these two emails are actually the work of different scammers using the same off-the-shelf malware package, bought from an underground vendor and then adapted for their own specific purposes.<\/p>\n
This scam is designed to look like an invoice notification created through the Quickbooks system but of course, it is really just a ruse to get the victim to click on the \u2018view invoice link\u2019 in the message. This link takes the victim to a compromised WordPress domain, which then redirects them to an archived file which contains malicious JavaScript code.<\/p>\n
Malware created in JavaScript can perform a wide variety of functions; it is commonly used to install spyware and botnet worms on computer systems and to deliver ransomware.<\/p>\n
This message displays a wide variety of different \u2018subject\u2019 field variants, including:<\/p>\n
Subject: Invoice 07766 from Mathers Shoes
\n Subject: Invoice 06108 from Master Shopfitters
\n Subject: Invoice 05247 from Skilled Design Consultants
\n Subject: Invoice 07729 from Cafe Bellissimo
\n Subject: Invoice 09510 from Hillyer Riches
\n Subject: Invoice 09549 from Circa Property Pty Ltd
\n Subject: Invoice 04977 from Fresh Outlook
\n Subject: Invoice 05454 from Charles Lloyd Property Group
\n Subject: Invoice 08418 from Pacific Shopping Centres Australia Pty Ltd
\n Subject: Invoice 01552 from Stokegreen Group Pty Ltd
\n Subject: Invoice 08240 from ATF Services
\n Subject: Invoice 00743 from Allcraft Cabinet Works
\n Subject: Invoice 04754 from Ross Engineering Pty Ltd
\n Subject: Invoice 04977 from Spruce Property Presentation
\n Subject: Invoice 00118 from Vision Real Estate Pty Ltd
\n Subject: Invoice 00322 from Cunningham Property Consultant Pty Ltd
\n Subject: Invoice 08605 from Thurley
\n Subject: Invoice 09352 from G T Builders Pty Ltd
\n Subject: Invoice 06516 from Total Construction Pty Ltd<\/p>\n
The message is also designed to display a range of different sender names and email addresses, including:<\/p>\n
From: “Pearce-Higgins Simon” If you see this message delete it immediately to avoid harm to your computer system.<\/p>\n","protected":false},"excerpt":{"rendered":" Emmanuel Marshall from mailguard writes: This is the second email scam mimicking a Quickbooks notification. As you can see in the screenshot, the message is meant to look like an invoice notification message. Although this scams looks superficially similar to the one from earlier today, the sender addresses and underlying mechanisms of this attack are […]<\/p>\n","protected":false},"author":1,"featured_media":2530,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-2529","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/activateit.net.au\/index.php?rest_route=\/wp\/v2\/posts\/2529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/activateit.net.au\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/activateit.net.au\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/activateit.net.au\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/activateit.net.au\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2529"}],"version-history":[{"count":4,"href":"https:\/\/activateit.net.au\/index.php?rest_route=\/wp\/v2\/posts\/2529\/revisions"}],"predecessor-version":[{"id":2541,"href":"https:\/\/activateit.net.au\/index.php?rest_route=\/wp\/v2\/posts\/2529\/revisions\/2541"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/activateit.net.au\/index.php?rest_route=\/wp\/v2\/media\/2530"}],"wp:attachment":[{"href":"https:\/\/activateit.net.au\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/activateit.net.au\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/activateit.net.au\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n From: “Empower Wealth”
\n From: “Newquay Display Suites”
\n From: “Hidden Beauty”
\n From: “Stoneleighton Developments Pty Ltd”
\n From: “Golf Club Properties Pty Ltd”
\n From: “Silk Homes”
\n From: “MAB Corporation Pty Ltd”
\n From: “DCG”
\n From: “Heng Sheng Asian Grocery”
\n From: “Video Essentials”
\n From: “MacLaw 651 Pty Ltd”
\n From: “Kennedy Plumbing”
\n From: “Millar Accounting Group”
\n From: “Property Dynamics”