Customers of web-based accounting software provider Xero were hit by a phishing attack that attempts to plant malware on their computers last month, researchers have revealed.
Security vendor Trustwave said it discovered what it called a sophisticated phishing email campaign in August that purported to be from Xero.
The messages were similar to Xero monthly billing notifications, and asked users to review their invoices by clicking on a link in the email.
If the targeted users clicked on the link, a ZIP archive containing obfuscated Javascript was downloaded to their computers, Trustwave's analysis showed.
The payload is a variant of the Dridex inforrmation stealing malware that was used as recently as April to attack Australian bank customers.
Dridex is able to intercept information that users enter into web browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox, and send it to control and command servers with transport layer security (TLS) encryption.
Xero has more than half a milllion customers in Australia.
Trustwave noted that the Xero campaign might be part of a larger operation targeting accounting software customers.
The security vendor said it had found a similar attack against MYOB in late August, which attempted to download the Ursnif Trojan.
Accounting software provider Quickbooks also appears to be a target, along with cloud storage provider Dropbox, Trustwave said.
.png&h=140&w=231&c=1&s=0)
_page-0001.jpg&w=100&c=1&s=0)
.png&w=120&c=1&s=0)
Tech in Gov 2025
Forrester's Technology & Innovation Summit APAC 2025
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
