Those awfully nice people at Sage (a producer of popular accounting software) have been in touch, to let me know that I need to make a bank transfer… and the deadline is today!
From: [email protected]
Subject: RE: Invoice #3902876
Please remit BACs before 12/06/2014.
Please view complete invoice please click here
Well, I hate to be in debt and like to pay my bills on time – so lets see what happens if I click on the link.
Perhaps surprisingly, those awfully nice people at Sage have decided to use the cloud storage site Cubby (a Dropbox competitor) to host the invoice, which they have provided as a ZIP file.
Hang on a minute – wasn’t it Invoice #3902876 earlier?
Inside the ZIP archive is another file, Invoice_00739287.scr.
If your alarm bells weren’t already triggering earlier in the process then they really should be by now. .SCR in a filename stands for screensaver, and it’s just a repackaged Windows executable file.
Hopefully you all know that running executable files of suspicious origin on your PC puts you at risk.
Is it be possible that those awfully nice Sage people who contacted me are actually a terribly nasty bunch of online fraudsters attempting to infect my PC with malware?
I uploaded the file to VirusTotal, which showed me just under 50% of the products in their list identifying the file as a Trojan horse, most likely designed to grant hackers remote access to your computer and allow them to steal your banking information.
Spamming out bogus invoices is a typical social engineering trick used by cybercriminals in an attempt to infect your computer and gain access to your online bank account. Often the attackers will forge an email’s header information to pretend to come from a well-known company, and hide their true identity.
With hundreds of thousands of new malicious files are discovered every day – more than one every second – it’s essential to keep your wits about you, and your security software updated.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
3 comments on “Fake Sage accounting invoice email spreads malware”
Sorry to hear you've had an email that looks like it's from us; you're right though it is a spoof or phishing email and isn't actually from us.
We've heard of a few of these lately and if any of your readers are concerned that they've also received one then they should visit our blog post for some advice on how to identify spoof or phishing emails and what they can do with them.
Looks like this is back again. Word documents about an invoice from Sage One Accounting. When the victim clicks a button in the Word Document, the victim will be infected with a fileless Kovter malware. The Kovter malware is briefly written to disk at download but deletes itself after execution, establishes a persistence method using the registry, injects itself into the registry, and then deletes itself from disk.
Looks like another variation on this delivered via emai, with Word documents about an invoice from Sage One Accounting. When the victim clicks a button in the Word Document, the victim will be infected with a fileless Kovter malware.