ARN

Malware your own business is back in time for EOFY

Accounting company MYOB impersonated by cyber crooks, again

Australian accounting software company, MYOB, has had its brand hijacked in malware scam for the second time this year.

Distribution of the malicious emails began on the afternoon of Tuesday 20 June, according to email filtering company MailGuard, and quickly escalated to become one of the biggest scam email influxes detected by by the company in the past 12 months.

The malicious invoices purport to come from various companies, and include ‘Powered by MYOB’ branding at the bottom of the message in an effort to convey legitimacy, MailGuard said.

The company added that the email trades on the trusted reputation of the Australian software company – and the innocent suppliers whose names are used in an attempt to dupe people into clicking the link. It’s a common tactic used by cybercriminals.

“By targeting popular brands, recipients are more likely to have a relationship with the company being impersonated. That’s an instant foot in the door,” MailGuard CEO Craig MacDonald said.

He added that it was not just direct customers at risk.

“Because the fraud email has been distributed so widely, and many innocent companies have had their name included as the invoice issuer, it widens the net with regard to the number of people susceptible to clicking the malicious link,” he said,

“This presents a real risk – particularly for businesses that enable employees to check their personal email on work computers.”

In keeping with the pattern of similar recent campaigns, MailGuard said the the ‘view invoice’ button in the email links to a hosted .ZIP file containing malware.

The domain for which was registered on 20 June with a China-based registrar.

MailGuard said the sender display name varies but the displayed (and actual) sending address is noreply @ financialaccountant .info [altered].

The ‘View invoice’ button links to a .ZIP archive file which contains a malicious JavaScript file.

The malware steals private information from local Internet browsers; installs itself for autorun at Windows startup; and implements a process that significantly delays the analysis task.

In response to the incident, MYOB COO, Andrew Birch, expressed frustration with these type of attacks.

“Sadly, these type of illegitimate operators do exist in the online world," he said in a statement sent to ARN. "MYOB takes this type of criminal activity very seriously and we make every effort to close down operations which seek to defraud our clients or other consumers by pretending to represent our brand.

“In this instance, we have moved quickly to have the malicious website taken down.  This means, even if someone accidentally clicks the link, the malware will no longer spread.

He added a warning for people to be vigilant to avoid falling a victim to these sort of attacks.

“We’d also like to remind people to ensure they have good anti-virus protection installed, make sure their software is up-to-date and they have firewalls in place," he added.

The article was updated at 4:06 PM on 21 July to include comment from MYOB.