Fake Sage accounting invoice email spreads malware

Graham Cluley

Those awfully nice people at Sage (a producer of popular accounting software) have been in touch, to let me know that I need to make a bank transfer… and the deadline is today!

Malicious invoice email

From: no-reply@sage.co.uk
Subject: RE: Invoice #3902876

Message body:

Please remit BACs before 12/06/2014.

Please view complete invoice please click here

Well, I hate to be in debt and like to pay my bills on time – so let's see what happens if I click on the link.

Perhaps surprisingly, those awfully nice people at Sage have decided to use the cloud storage site Cubby (a Dropbox competitor) to host the invoice, which they have provided as a ZIP file.

ZIP of invoice

Invoice_00739287.zip

Hang on a minute – wasn’t it Invoice #3902876 earlier?

Inside the ZIP archive is another file, Invoice_00739287.scr.

If your alarm bells weren’t already triggering earlier in the process then they really should be by now. .SCR in a filename stands for screensaver, and it’s just a repackaged Windows executable file.

Bogus invoice

Hopefully you all know that running executable files of suspicious origin on your PC puts you at risk.

Is it possible that those awfully nice Sage people who contacted me are actually a terribly nasty bunch of online fraudsters attempting to infect my PC with malware?

I uploaded the file to VirusTotal, which showed me just under 50% of the products in their list identifying the file as a Trojan horse, most likely designed to grant hackers remote access to your computer and allow them to steal your banking information.

Spamming out bogus invoices is a typical social engineering trick used by cybercriminals in an attempt to infect your computer and gain access to your online bank account. Often the attackers will forge an email’s header information to pretend to come from a well-known company, and hide their true identity.
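The two warning signs described above (a sender address that does not match where the mail actually came from, and an "invoice" that is really a Windows executable inside a ZIP) are both things a mail gateway can check mechanically. The script below is an added example and is not code from Graham's post or from Sage; it assumes the ZIP has already been attached to (or fetched into) the message for scanning rather than hosted on Cubby, and the sample message and ZIP it builds are constructed to resemble the one in the article. The hypothetical `triage` function looks for a From domain that disagrees with the envelope sender, a failed SPF/DKIM result, and ZIP members that are executables by extension or by the `MZ` header that every Windows executable starts with.

```python
"""Triage helper for invoice-themed phishing mail (added example, not from the article)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs as native code whatever icon they show; .scr
# (screensaver) is just a renamed PE executable, as the article explains.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def build_zip(member_name: str, data: bytes) -> bytes:
    """Build an in-memory ZIP with one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Return reasons a ZIP attachment should be quarantined (empty list = clean)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: executable extension {ext}")
            # Check content as well as name: a renamed .pdf is still a PE file.
            with zf.open(info) as member:
                if member.read(2) == PE_MAGIC:
                    findings.append(f"{name}: PE header (MZ) at offset 0")
    return findings


def _domain(header_value: str) -> str:
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def sender_mismatch(msg: EmailMessage) -> list:
    """Flag a forged-looking From header using the envelope sender and auth results."""
    findings = []
    from_domain = _domain(msg.get("From", ""))
    ret_domain = _domain(msg.get("Return-Path", ""))
    if ret_domain and ret_domain != from_domain:
        findings.append(f"From domain {from_domain} != envelope sender domain {ret_domain}")
    auth = msg.get("Authentication-Results", "") or ""
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append(f"authentication failed: {auth}")
    return findings


def triage(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return all findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = sender_mismatch(msg)
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip") or part.get_content_type() == "application/zip":
            try:
                findings += [f"{fname} -> {f}" for f in suspicious_zip_members(part.get_payload(decode=True))]
            except zipfile.BadZipFile:
                findings.append(f"{fname}: not a valid ZIP")
    return findings


def build_sample() -> bytes:
    """Constructed message modelled on the one in the article (not the real mail)."""
    # 'MZ' plus filler stands in for a real executable in this constructed sample.
    zip_bytes = build_zip("Invoice_00739287.scr", PE_MAGIC + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "no-reply@sage.co.uk"
    msg["Return-Path"] = "<bounce@mailer.example>"  # constructed envelope sender
    msg["Authentication-Results"] = "mx.example; spf=fail smtp.mailfrom=mailer.example"
    msg["Subject"] = "RE: Invoice #3902876"
    msg.set_content("Please remit BACs before 12/06/2014.\nPlease view complete invoice please click here")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="Invoice_00739287.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Run it as-is to see the four findings for the constructed sample; in a gateway you would feed it the raw message and quarantine on any non-empty result. Note that the `MZ` check catches a renamed executable even when the extension looks harmless, which matters because Windows hides known file extensions by default.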

With hundreds of thousands of new malicious files being discovered every day – more than one every second – it's essential to keep your wits about you, and your security software updated.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “Fake Sage accounting invoice email spreads malware”

  1. Hi Graham

    Sorry to hear you've had an email that looks like it's from us; you're right though it is a spoof or phishing email and isn't actually from us.

    We've heard of a few of these lately and if any of your readers are concerned that they've also received one then they should visit our blog post for some advice on how to identify spoof or phishing emails and what they can do with them.

    http://www.sage.co.uk/blog/index.php/2013/11/identifying-spoof-or-phishing-emails/

    Thanks

    Catherine Sheldon
    Sage UKI

  2. Looks like this is back again. Word documents about an invoice from Sage One Accounting. When the victim clicks a button in the Word Document, the victim will be infected with a fileless Kovter malware. The Kovter malware is briefly written to disk at download but deletes itself after execution, establishes a persistence method using the registry, injects itself into the registry, and then deletes itself from disk.

  3. Looks like another variation on this delivered via email, with Word documents about an invoice from Sage One Accounting. When the victim clicks a button in the Word Document, the victim will be infected with a fileless Kovter malware.
