Customers of web-based accounting software provider Xero were hit by a phishing attack that attempts to plant malware on their computers last month, researchers have revealed.
Security vendor Trustwave said it discovered what it called a sophisticated phishing email campaign in August that purported to be from Xero.
The messages were similar to Xero monthly billing notifications, and asked users to review their invoices by clicking on a link in the email.
If the targeted users clicked on the link, a ZIP archive containing obfuscated Javascript was downloaded to their computers, Trustwave's analysis showed.
The payload is a variant of the Dridex inforrmation stealing malware that was used as recently as April to attack Australian bank customers.
Dridex is able to intercept information that users enter into web browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox, and send it to control and command servers with transport layer security (TLS) encryption.
Xero has more than half a milllion customers in Australia.
Trustwave noted that the Xero campaign might be part of a larger operation targeting accounting software customers.
The security vendor said it had found a similar attack against MYOB in late August, which attempted to download the Ursnif Trojan.
Accounting software provider Quickbooks also appears to be a target, along with cloud storage provider Dropbox, Trustwave said.
.jpg&h=140&w=231&c=1&s=0)
.png&w=120&c=1&s=0)
iTnews Cloud Covered Breakfast Summit
iTnews State of Security Breakfast
iTnews State of Data & AI Breakfast
The 2026 iAwards
.jpg&w=120&c=1&s=0)
Integrate 2026
_(1).jpg&h=140&w=231&c=1&s=0)
