
Dec 6th, 2016 – Xero customer lists scam

We’re seeing some more instances of emails offering Xero customer lists for sale.  There’s an example of these emails below, and we’re also seeing them with the subject “Xero reseller contacts”.  The sending email address and signature also vary.

[Image: xero-updated-directory]

This is another example of a common internet scam that offers customer data for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet.  Links in these emails may also take you to malicious web sites.

These scammers do not have access to any Xero customer data.  We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address by crawling your website, which they reached through our advisor or add-on directory.  In any case we recommend you delete these emails without opening them or viewing any attachments.  If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

 


Dec 2nd, 2016 – Xero Invoice phishing email

We’ve had reports from customers who have received the phishing email below, or one similar.  These emails are sent from messaging-service@post-xero.org, rather than Xero’s legitimate messaging-service@post.xero.com email address.  We’re working to get the @post-xero.org domain taken down.

Clicking on the invoice link in these emails will take you to a malicious web site, possibly one that serves ransomware.

[Image: post-xero_org-phishing-email]

 

All of the examples we’ve seen so far have ‘Invoice INV-01823 (Amended)’ in the subject line.  But this could change, so don’t assume an email is legitimate just because it doesn’t follow this pattern.  Check the sending email domain (the display name can say “Xero” while the address behind it does not), and check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  In webmail it is displayed at the bottom of the browser window; a desktop mail client shows it in a tooltip.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

 


Nov 2nd, 2016 – Fake Xero Customer Service Phone Number

We’ve been advised of web pages claiming to offer Xero support and providing a phone number for Xero customers to call.  The number given is not in any way associated with Xero.  The same phone number is also listed on pages on these sites supposedly offering support for other accounting software.  We’re told that if you call this number you’ll be asked for your credit card details.

The URLs for these web pages are:

[Image: xero-customer-care_url]

[Image: xero-get-customer-service_url]

This is what the web pages look like:

[Image: xero-customer-care]

 

[Image: xero-get-customer-service]

 

Please do not go to these pages and do not phone the number provided.  If you have called the number on these sites and provided your credit card details, please contact your bank and take action to prevent fraudulent transactions.

 


Sept 21st, 2016 – Update on Xero Invoice phishing emails

We’re now seeing phishing emails being sent from the @post-xero.com domain.  The full From address is messaging-service@post-xero.com, rather than Xero’s legitimate messaging-service@post.xero.com address.  We’ve started the process to get the @post-xero.com domain taken down.

Here’s an example of one of these latest phishing emails:

[Image: post-xero_example]

All of the examples we’ve seen so far from this latest phishing campaign have ‘Invoice INV00249’ in the subject line.  But this could change so don’t assume an email is legitimate if it doesn’t have this invoice number.  They’re also using a variety of company names.

Check any Xero invoice email you receive to ensure it came from our messaging-service@post.xero.com email address, looking at the actual address rather than the display name.  Also check the destination URL for the online invoice before you click on the link.  You can do this by hovering your mouse over the link in an email (DON’T CLICK) to see the actual destination URL.  In webmail it is displayed at the bottom of the browser window; a desktop mail client shows it in a tooltip.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

 


Sept 12th, 2016 – Fake Xero Invoice email

We’ve had several reports from people who have received the phishing email below, or one similar.  These emails are sent from messaging-service@postxero.com, rather than Xero’s legitimate messaging-service@post.xero.com email address.  We’re working to get the @postxero.com domain taken down.

Clicking on the invoice link in these emails will download a ransomware dropper onto your computer.

[Image: postxero-invoice-phishing]

All of the examples we’ve seen so far have ‘Invoice INV-0860’ in the subject line.  But this could change, so don’t assume an email is legitimate just because it doesn’t follow this pattern.  Check the sending address and the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  In webmail it is displayed at the bottom of the browser window; a desktop mail client shows it in a tooltip.
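The two manual checks the Dec 2nd, Sept 21st and Sept 12th notices describe (does the From address really end in post.xero.com, and where does the invoice link actually go) can be automated for anyone triaging a mailbox or a quarantine folder.  The script below is an added example written for this page, not Xero's own code.  It parses a raw message with Python's standard library, compares the From domain with the domain of messaging-service@post.xero.com (the only legitimate address these notices name), and lists every link whose host is not under xero.com.  The sample message is constructed here from the details in the Dec 2nd notice (the post-xero.org sender and the ‘INV-01823 (Amended)’ subject); the assumption that genuine invoice links live under xero.com is the example's, not something the notices state.

```python
"""Triage a suspected Xero invoice email: check the sender domain and the
real destination of every link before anyone clicks.

Added example, not Xero's code.  SAMPLE is a constructed message built from
the details in the Dec 2nd, 2016 notice.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_SENDER_DOMAIN = "post.xero.com"   # domain of messaging-service@post.xero.com
LEGIT_LINK_DOMAIN = "xero.com"          # assumption: genuine invoice links live under xero.com

# Constructed sample: a lookalike sender domain and a lookalike link, plus one
# genuine-looking link so the output shows the checker telling them apart.
SAMPLE = b"""\
From: Xero <messaging-service@post-xero.org>
To: accounts@example.com
Subject: Invoice INV-01823 (Amended)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

View your invoice online: http://post-xero.org/inv/01823
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Invoice INV-01823 (Amended) is attached.</p>
<a href="http://post-xero.org/inv/01823">View invoice online</a>
<a href="https://www.xero.com/">Xero</a></body></html>
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collect href attributes of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def sender_domain(msg):
    """Domain of the address in the From header.  The display name is ignored
    on purpose: the scams put 'Xero' there and hide the real address."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def extract_links(msg):
    """Hrefs from every HTML part plus bare URLs from every text part."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.hrefs)
        elif ctype == "text/plain":
            links.extend(re.findall(r"https?://\S+", part.get_content()))
    return links


def host_is_legit(url):
    """True only if the link's host is xero.com or a subdomain of it.
    'xero.com.evil.example' and 'post-xero.org' both fail this test."""
    host = (urlparse(url).hostname or "").lower()
    return host == LEGIT_LINK_DOMAIN or host.endswith("." + LEGIT_LINK_DOMAIN)


def triage(raw_bytes):
    """Return a list of findings.  An empty list means the visible headers and
    links look right, which is not proof the mail is genuine (see note)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    dom = sender_domain(msg)
    if dom != LEGIT_SENDER_DOMAIN:
        findings.append(f"sender domain {dom!r} is not {LEGIT_SENDER_DOMAIN!r}")
    for url in extract_links(msg):
        if urlparse(url).scheme not in ("http", "https"):
            continue  # mailto: and relative links are not what the scams use
        if not host_is_legit(url):
            findings.append(f"link goes to {urlparse(url).hostname!r}: {url}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("SUSPICIOUS:", finding)
```

Run against the sample it reports the lookalike sender domain and the two post-xero.org links, and stays quiet about the www.xero.com link.  The limit of this check is the one the Aug 30th, Jun 22nd, Feb 4th and Nov 4th notices describe: a message that forges the genuine post.xero.com address in its From header passes it, because the header is simply a lie.  Only SPF, DKIM and DMARC checks at the receiving mail server can catch that case.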

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

 


Sept 5th, 2016 – Xero customer lists “for sale”

We’ve been advised of another email going around that’s offering a Xero customer list for sale.

Here’s an example of the email:

[Image: Xero customer list sales_phishing]

This is another example of a common internet scam that offers customer data for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet.  

These scammers do not have access to any Xero customer data.  We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address by crawling your website, which they reached through our advisor or add-on directory.  In any case we recommend you delete these emails without opening them or viewing any attachments.  If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

 


Aug 30th, 2016 – Fake Invoice Reminder emails

We’ve had several reports from people who have received the phishing email below.  This email is not sent from Xero servers and spoofs the invoicereminders@post.xero.com email address.

All of the examples we’ve seen so far have been for the same dollar amount of $137.50, and the subject lines all contain an organisation name ending in “AG”.  But this could change, so don’t assume an email is legitimate just because it doesn’t follow this pattern.  Check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  In webmail it is displayed at the bottom of the browser window; a desktop mail client shows it in a tooltip.

The ‘Download PDF’ link in this email takes you to a compromised Microsoft SharePoint site.  The destination file appears to have been removed, so we are unable to confirm what was being hosted, but we assume it was malicious.

[Image: Invoice Reminder Phishing Email example]

 

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

 


Jun 22nd, 2016 – More fake Xero emails

We’ve had a few reports from customers who have received the spam email below.  This email is not sent from Xero servers and spoofs the no-reply@xero.com email address.

All of the links contained in the email sample we received directed to the ‘evil.com’ web site, which currently contains no malicious content.  But future variants of the email may contain more malicious content or links.

 

[Image: Evil_com-phishing email]

If one of these emails makes it as far as your inbox, you should delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

 


May 20th, 2016 – Invoice Fraud using hacked email accounts

A few of our customers have reported having their email account credentials stolen and the accounts then used for invoice fraud.  The attackers have found recently sent Xero invoices in the mailbox, copied them, and changed the payment bank account number.  They then send another email to those same customers with the modified invoice attached, advising them that the supplier has changed their bank account for some reason and asking the customer to make payment to the new, fraudulent account number.

The recent reports we’ve received have all been from New Zealand customers, but with different email providers in each case.  There’s been no access to their Xero account, just their email.  This could happen anywhere and using any invoice system, so everyone needs to be vigilant.  If your email provider offers two-factor or multi-factor authentication we recommend you use it to reduce the risk of account compromise, just as we recommend using Xero’s 2SA (two-step authentication) to protect your Xero account.

If you ever receive an updated invoice from a supplier advising of a new payment bank account number, we strongly advise that you confirm with your supplier that the payment bank account details are really theirs before making payment.  Do not use email to do this, please make contact by phone or in person.

 


Mar 3rd, 2016 – The DROWN attack

“DROWN” (Decrypting RSA with Obsolete and Weakened eNcryption) is the name given to a security vulnerability affecting secure websites.  A server that still accepts the obsolete SSLv2 protocol, or that shares its RSA key with one that does, can be used by an attacker to decrypt modern TLS connections made with that key.  You can find out more information about DROWN at https://drownattack.com/

We have checked all of our services to make sure that we are not affected by this vulnerability.  We did discover three misconfigured servers in a test environment, but these were quickly fixed.  At no time was any Xero customer or their information at risk.

 


Feb 4th, 2016 – Emails spoofing Xero’s message service address

Our monitoring shows a large number of emails being sent that are trying to spoof Xero’s messaging-service@post.xero.com email address.  messaging-service@post.xero.com is a legitimate Xero email address, but please be assured that these emails are not being sent by Xero.  This email ‘spoofing’ campaign is using a forged sender address.

Your email service provider should block these emails so that you don’t see them.  But if your email provider doesn’t block them you may get a message in your spam folder, or a notification of an email received with a virus attachment.

The email will look something like this:
[Image: Untitled presentation]
The attachment contains malware (malicious software) that appears to be a generic Trojan, not specifically targeting Xero or our customers.

If you are receiving spoofed emails, we encourage you to ask your email service provider to configure SPF, DKIM and DMARC checking on their inbound mail servers so that mail forging our domain is rejected before it reaches you.

 


Jan 13th, 2016 – Scam operating from www.xeronline.com

A fraudulent website hosted at www.xeronline.com is pretending to be Xero. We recommend that you do not enter any personal details into this site, and report any emails received to our support team.

If you have entered any passwords into this site, we recommend changing passwords on any other systems that you use the same password on.

 

 


 

Dec 2nd, 2015 – Scam operating from xerocorp.co.uk domain

Some people have received communications purporting to be from members of Xero’s leadership team using the domain names xerocorp.co.uk and xerocorp.com.

These domain names are not owned by Xero, and the communications received are not on our behalf.

Please do not pay any money to these people or reply to their messages. Instead “Report as Spam” within your mail client and ignore the communications.

 


 

Nov 24th, 2015 – Xero user lists “for sale”

Some Xero accounting, bookkeeper or add-on partners have received unsolicited messages offering a “Xero User List” for sale.

Two examples of these messages are below:

 

[Image: UserList1]

 

[Image: UserList2]

These emails are examples of a common internet scam where lists of email addresses are offered for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random email addresses that have been harvested off the internet.  

Xero has not been hacked, and these scammers do not have access to any Xero user lists. We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website which they have crawled to through our advisor or add-on directory, but in any case we recommend you delete these emails without opening them or viewing any attachments.  If you use an email service that offers a spam reporting feature (such as Gmail for example), we also recommend that you report any emails like this as spam.

 


 

Nov 4th, 2015 – Fake Xero emails

In the most recent Xero-branded scam on the internet, we have had reports of upwards of ten million emails spoofing the post.xero.com domain name and carrying a malware-infected .xlsx spreadsheet attachment.

The messages are not sent from our servers, but are designed to look like a regular invoice sent from a Xero customer to someone who owes them money:

[Image: security-email-update]

These fake emails are being sent from thousands of malware-infected home computers (a botnet), so it is impractical to stop the emails being sent.

If one of these emails makes it as far as your inbox, you should delete it without opening the attachment.

Other actions you might want to take:

  • If the email has not been deleted or quarantined by your anti-malware, check that your anti-malware is up to date, and that it is set to automatically scan all incoming emails.
  • If you use Microsoft Office, configure it to block the running of Office macros within documents and spreadsheets. (If you need to use macros, make sure at least that Office prompts you every time before running them, and only run macros that you know and trust.)
  • Xero uses email security controls (SPF, DKIM and DMARC) to identify legitimate emails from us. If you have received a malicious email that appears to be from a xero.com address it means that your email provider hasn’t done the proper checks on incoming mail. You may want to contact them to ask if they are planning to implement SPF, DKIM and DMARC checking.
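What the last point above, and the Feb 4th notice, ask of an email provider is shown below as an added example (not Xero's code or configuration): a minimal SPF and DMARC evaluation, the kind an inbound mail server performs before it decides whether to deliver a message that claims to come from post.xero.com.  Every DNS record in ZONE is invented for illustration, using documentation IP ranges and a made-up include; Xero's real SPF, DKIM and DMARC records are deliberately not reproduced.  DKIM signature verification is not modelled and is represented by a flag.

```python
"""How a receiving mail server uses SPF and DMARC to reject mail that forges
a post.xero.com sender, and why a lookalike domain slips past.

Added example, not Xero's code.  ZONE holds constructed TXT records; the IP
ranges are documentation prefixes and the include target is made up.
"""
import ipaddress

# Constructed records keyed by DNS name.  A real server fetches these with a
# TXT query (e.g. `dig TXT _dmarc.xero.com`).  Note there is no record of any
# kind for the lookalike post-xero.org: nobody can publish policy for a
# domain they do not own, and the scammer who owns it publishes none.
ZONE = {
    "post.xero.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example-esp.net -all",
    "_spf.example-esp.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.xero.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return ZONE.get(name.lower())


def spf_check(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for the connecting IP.  Returns 'pass',
    'fail', 'softfail', 'neutral', 'none' or 'permerror'.  Handles ip4, ip6,
    include and all; a, mx, ptr and exists need further DNS and are skipped."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no 'all'


def dmarc_policy(from_domain):
    """The p= tag of the domain's DMARC record, or None if there is none.
    Looks at the domain itself, then its organisational domain (approximated
    here as the last two labels; real code uses the public suffix list)."""
    labels = from_domain.lower().split(".")
    for name in (from_domain.lower(), ".".join(labels[-2:])):
        record = lookup_txt(f"_dmarc.{name}")
        if record and record.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
            return tags.get("p")
    return None


def aligned(mail_from_domain, from_header_domain):
    """Relaxed alignment: one domain is the other or a subdomain of it."""
    a, b = mail_from_domain.lower(), from_header_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def disposition(from_header_domain, mail_from_domain, sender_ip, dkim_pass=False):
    """DMARC verdict for one message: an aligned SPF pass, or a DKIM pass
    (assumed aligned; verification not modelled), lets the mail through;
    otherwise the From domain's published policy decides."""
    spf = spf_check(mail_from_domain, sender_ip)
    if (spf == "pass" and aligned(mail_from_domain, from_header_domain)) or dkim_pass:
        return "accept"
    policy = dmarc_policy(from_header_domain)
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "accept")


if __name__ == "__main__":
    # A botnet host forging the real address: rejected by the p=reject policy.
    print("forged post.xero.com from 203.0.113.5:", disposition("post.xero.com", "post.xero.com", "203.0.113.5"))
    # The same host using a lookalike it registered itself: nothing to enforce.
    print("post-xero.org from 203.0.113.5:      ", disposition("post-xero.org", "post-xero.org", "203.0.113.5"))
```

The two verdicts at the bottom are the whole story of this page.  A message from an infected home PC that forges messaging-service@post.xero.com fails SPF and, because the constructed policy is p=reject, is dropped by any provider that checks DMARC.  The same PC sending as messaging-service@post-xero.org is accepted, because no policy exists for a domain the scammer registered; that is why the later campaigns on this page moved to lookalike domains, and why the sender-domain check still has to be made by the person reading the mail.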

Finally, if you suspect that you may have opened a malicious file, you will need to carry out a thorough clean-up.  This should include a complete scan of your computer for malware and removal of any malicious code, then changing any passwords that you might have typed in during the time your computer was infected.

You can find more information about how to protect yourself from email phishing attacks here.