Fake Sage accounting invoice email spreads malware

Those awfully nice people at Sage (a producer of popular accounting software) have been in touch, to let me know that I need to make a bank transfer... and the deadline is today!

Malicious invoice email

From: no-reply@sage.co.uk
Subject: RE: Invoice #3902876

Message body:

Please remit BACs before 12/06/2014.

Please view complete invoice please click here

Well, I hate to be in debt and like to pay my bills on time - so let's see what happens if I click on the link.

Perhaps surprisingly, those awfully nice people at Sage have decided to use the cloud storage site Cubby (a Dropbox competitor) to host the invoice, which they have provided as a ZIP file.

ZIP of invoice

Invoice_00739287.zip

Hang on a minute - wasn't it Invoice #3902876 earlier?

Inside the ZIP archive is another file, Invoice_00739287.scr.

If your alarm bells weren't already ringing earlier in the process then they really should be by now. .SCR in a filename stands for screensaver, but a Windows screensaver is nothing more than an ordinary executable (the same PE format as an .EXE) with a different extension, and Windows will run it just as readily when it is double-clicked.

Bogus invoice

Hopefully you all know that running executable files of suspicious origin on your PC puts you at risk.

Is it possible that those awfully nice Sage people who contacted me are actually a terribly nasty bunch of online fraudsters attempting to infect my PC with malware?

I uploaded the file to VirusTotal, which showed just under 50% of the anti-virus engines in its list identifying the file as a Trojan horse, most likely one designed to grant hackers remote access to the infected computer and allow them to steal banking information.

Spamming out bogus invoices is a typical social engineering trick used by cybercriminals in an attempt to infect your computer and gain access to your online bank account. Often the attackers will forge an email's header information so that the message appears to come from a well-known company, hiding their true identity; here the visible From: address claims to be sage.co.uk, but the invoice itself is hosted on a third-party file-sharing site and the invoice number in the subject line doesn't even match the one in the attachment.
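The two warning signs above (an executable hiding inside a ZIP "invoice", and a From: header that doesn't match where the mail really came from) are both things a mail gateway or an analyst can check mechanically before anyone clicks. The script below is an added example, not code from the original post or from Sage: it builds a constructed message modelled on the spoof (the Return-Path envelope sender, the fake PE bytes and the attachment contents are all made up for illustration), then extracts the ZIP, flags members by dangerous extension and by the MZ header that every Windows executable starts with, and compares the displayed From: domain against the envelope sender.

```python
"""Offline triage of a suspicious invoice email.

Added example, not from the original post. The message built by
build_sample_message() is constructed: the Return-Path, the invoice
numbers and the payload bytes are all made up for illustration.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows executes directly on double-click. .scr (screensaver)
# is simply a renamed PE executable.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                         ".vbs", ".js", ".jse", ".wsf", ".hta", ".cpl"}
PE_MAGIC = b"MZ"   # DOS header stub at the start of every Windows PE file
ZIP_MAGIC = b"PK"  # ZIP local file header signature


def build_sample_message() -> bytes:
    """Constructed message modelled on the spoof described in the post."""
    fake_pe = PE_MAGIC + b"\x90\x00" + b"\x00" * 60  # MZ stub only, not real code
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_00739287.scr", fake_pe)
    msg = EmailMessage()
    msg["From"] = "no-reply@sage.co.uk"
    # Assumed envelope sender; a real MTA would add this on delivery.
    msg["Return-Path"] = "<bounce@example-bulkmailer.invalid>"
    msg["Subject"] = "RE: Invoice #3902876"
    msg.set_content("Please remit BACs before 12/06/2014.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice_00739287.zip")
    return msg.as_bytes()


def sender_mismatch(msg) -> bool:
    """True when the displayed From: domain differs from the envelope
    (Return-Path) domain, a common sign that From: was forged."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return bool(envelope) and from_domain != envelope


def scan_zip(data: bytes) -> list:
    """Return (member name, reasons) for each ZIP member that looks
    executable: dangerous extension, PE magic bytes, or double extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            # Check the content, not just the name: a renamed .exe still starts with MZ.
            if zf.open(info).read(2) == PE_MAGIC:
                reasons.append("PE (MZ) header")
            if name.count(".") > 1:
                reasons.append("double extension")
            if reasons:
                findings.append((name, reasons))
    return findings


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report forged-sender and
    executable-attachment indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"sender_mismatch": sender_mismatch(msg), "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        entry = {"name": name, "findings": []}
        if data[:2] == ZIP_MAGIC:
            entry["findings"] = scan_zip(data)
        elif data[:2] == PE_MAGIC:
            entry["findings"] = [(name, ["PE (MZ) header"])]
        report["attachments"].append(entry)
    report["suspicious"] = report["sender_mismatch"] or any(
        a["findings"] for a in report["attachments"])
    return report


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

The Return-Path comparison is a deliberately cheap stand-in for a full SPF/DKIM/DMARC evaluation (which needs DNS and so can't run offline); on a real gateway you would read the Authentication-Results header instead. The content check matters more than the extension list: an attacker can rename the payload, but a PE file still begins with MZ.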

With hundreds of thousands of new malicious files discovered every day - more than one every second - it's essential to keep your wits about you, and your security software updated.


3 Responses

  1. Catherine Sheldon

    June 13, 2014 at 9:21 am

    Hi Graham

    Sorry to hear you've had an email that looks like it's from us; you're right though, it is a spoof or phishing email and isn't actually from us.

    We've heard of a few of these lately and if any of your readers are concerned that they've also received one then they should visit our blog post for some advice on how to identify spoof or phishing emails and what they can do with them.

    http://www.sage.co.uk/blog/index.php/2013/11/identifying-spoof-or-phishing-emails/

    Thanks

    Catherine Sheldon
    Sage UKI

  2. SKEN

    October 21, 2016 at 9:17 am

    Looks like this is back again. Word documents about an invoice from Sage One Accounting. When the victim clicks a button in the Word Document, the victim will be infected with a fileless Kovter malware. The Kovter malware is briefly written to disk at download but deletes itself after execution, establishes a persistence method using the registry, injects itself into the registry, and then deletes itself from disk.

  3. SKEN

    October 21, 2016 at 9:19 am

    Looks like another variation on this delivered via email, with Word documents about an invoice from Sage One Accounting. When the victim clicks a button in the Word Document, the victim will be infected with a fileless Kovter malware.
