
May 25th, 2017 – Spam campaign spoofing Xero email address

Xero have been advised of emails being received that spoof (impersonate) Xero’s ‘support@xero.com’ email address. While ‘support@xero.com’ is a legitimate Xero email address, please be assured that these emails have not been sent by Xero. This email campaign is using a forged sender address.

Your email service provider should block these emails so that you don’t see them.  But if your email provider has not blocked them you may receive a spam email that looks like this:

The link in this email takes you to a site where you’ll be asked a series of questions before you can “claim” your gift card prize. We recommend deleting the email if you have received it, and please do not click on any of the links.

You can find more information about how to protect yourself from phishing and malicious emails here.

__________________________________________________________________________________________________________________________________________________________

May 23rd, 2017 – Xero user details scam

We’ve had reports of Xero accounting partners receiving emails offering Xero users’ contact details for sale.  This is an example of the emails being received:

This is another instance of a common internet scam that offers customer data for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet.  Links in these emails may also take you to malicious web sites.

These scammers do not have access to any Xero customer data.  We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website which they have crawled to through our advisor or add-on directory.  We recommend you delete these emails without opening them or viewing any attachments.  If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

__________________________________________________________________________________________________________________________________________________________

May 19th, 2017 – Xero Phishing Site

We’ve had reports of a Xero-branded phishing email currently in circulation. This is an example of one of these phishing emails:

The link in this phishing email directs you to a fraudulent replica of the Xero login page, where the offenders are hoping to trick Xero customers into disclosing their login credentials.   

This is an example of the fraudulent website (note the fraudulent web address highlighted in red):

Xero’s legitimate web address is https://www.xero.com and our login page is https://login.xero.com.  We recommend always checking that you are logging into the genuine Xero site before entering your login credentials.

If you were to enter login credentials on the phishing page above, you’d be taken to this page and asked to enter your phone number:

If you have entered your Xero login credentials to the phishing page, please change your password immediately and advise our support team at support@xero.com.

We also strongly recommend having Two-Step Authentication (2SA) enabled for your Xero account. 2SA provides an additional layer of security for your Xero account that significantly reduces the risk of it being compromised if your password is stolen by phishing or malware.  To find out more about two-step authentication, please review our Help Center.

You can find more information about how to protect yourself from phishing and malicious emails here.

__________________________________________________________________________________________________________________________________________________________

May 18th, 2017 – Fake Xero Invoice emails

We’ve had reports of fake Xero invoice emails being received with a sender address of message-service@xeroaccounting.org.  This is an example of one of those emails:

The online bill link in these phishing emails will take you to a SharePoint site and ask you to download a zip file.  The zip file contains a JavaScript malware dropper that we assume will download ransomware to your device.

Xero’s real invoice sending address is messaging-service@post.xero.com.  If you receive an email from message-service@xeroaccounting.org, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

May 15th, 2017 – WannaCry Ransomware Campaign

You’ve probably already seen the news about the massive international ransomware campaign hitting the computer systems of private companies and public organisations around the world.  This incident is being reported as the largest ransomware campaign to date. The ransomware in question has been identified as a variant of WannaCry (also known as ‘Wana Decrypt0r’, ‘WannaCryptor’ or ‘WCRY’), so named because the encrypted files are given the extension .wcry. Like other ransomware, WannaCry blocks access to your data by encrypting it and demands money to decrypt it.

It’s understood that the initial attack is via a phishing email with either a malicious attachment or link. The attack exploits computers running unpatched versions of Windows (XP through 2008 R2) through a vulnerability in Microsoft Windows SMB Server. Once a single computer in a network is infected with WannaCry, the program looks for other vulnerable computers on the network and infects them as well.

Microsoft released a patch for the vulnerability in March (MS17-010 – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).  Make sure you have patched your systems. If you’ve not patched, consider disabling SMBv1 until you’ve applied the patch (this will stop some file sharing).

Microsoft have also released protection for the out-of-support products Windows XP, Windows 8 and Windows Server 2003.  Additional information can be found on their blog here: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

It’s a timely reminder to be vigilant with email, and not to click on suspicious links or attachments in emails from people you don’t know or with strange/unexpected subject lines. You should also make sure you have recent backups of your system and data stored securely, off-network.

We’ve posted this advisory to support our online community.  Xero has not been impacted by WannaCry ransomware.

__________________________________________________________________________________________________________________________________________________________

April 6th, 2017 – Spark Invoice Reminder phishing email

We’ve had reports from people who have received the phishing email below.  These emails look like an invoice reminder generated from Xero that has been sent by Spark, spoofing the sending address of sales@spark.com.  These emails are being sent out indiscriminately and are not from Spark New Zealand.

Clicking on the invoice link or pdf attachment in these emails will take you to a malicious file, probably containing ransomware.

Always check the sending email address, and check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.  Hovering your mouse over the pdf attachment in this email will display the same URL as the invoice link.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Mar 28th, 2017 – Xero Remittance Advice phishing email

We’ve had reports from people who have received the phishing email below.  These emails have a sending address of payments@xero-payments.co.uk.  This is not a legitimate Xero domain and we are working to have the xero-payments.co.uk domain taken down.

Clicking on the pay slip image will take you to a OneDrive page where you’ll be asked to download a ZIP folder.  The ZIP folder contains a malicious JAR file.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it.  DO NOT click on the image.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Mar 17th, 2017 – Xero Billing phishing email

We’ve had reports of a phishing email that purports to come from the billing team at Xero.  You can see an example of this below.  The emails we’ve seen have all been sent from a btconnect.com address.  The sender’s address always starts with ‘xero’, but the remainder of the address has not been consistent.

The supposed attached invoice is actually an HTML document.  Clicking on the attachment takes you to a fake login page designed to steal your email account name and password.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the attachment.  If you have clicked the attachment and input your user name and password into the fake login page, please change your password immediately.  We also recommend that you use two-factor or multi-factor authentication (2FA/MFA) on your email account if this is available.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Mar 14th, 2017 – Xero Invoice phishing email

We’ve had reports from Xero customers and non-customers alike who have received the phishing email below.  These emails are spoofing the sending address of invoice@xero.co.nz and are being sent out indiscriminately.  Xero’s real invoice sending address is messaging-service@post.xero.com.

Clicking on the invoice link or pdf attachment in these emails will take you to a malicious file, probably containing ransomware.

Check the sending email address, and check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.  Hovering your mouse over the pdf attachment in this email will display the same URL as the invoice link.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Dec 6th, 2016 – Xero customer lists scam

We’re seeing some more instances of emails offering Xero customer lists for sale.  There’s an example of these emails below, and we’re also seeing them with the subject “Xero reseller contacts”.  The sending email address and signature also vary.

[Screenshot: xero-updated-directory]

This is another example of a common internet scam that offers customer data for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet.  Links in these emails may also take you to malicious web sites.

These scammers do not have access to any Xero customer data.  We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website which they have crawled to through our advisor or add-on directory.  But in any case we recommend you delete these emails without opening them or viewing any attachments.  If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

__________________________________________________________________________________________________________________________________________________________

Dec 2nd, 2016 – Xero Invoice phishing email

We’ve had reports from customers who have received the phishing email below, or one similar.  These emails are sent from messaging-service@post-xero.org, rather than Xero’s legitimate messaging-service@post.xero.com email address.  We’re working to get the @post-xero.org domain taken down.

Clicking on the invoice link in these emails will take you to a malicious web site, possibly containing ransomware.

[Screenshot: post-xero_org-phishing-email]

All of the examples we’ve seen so far have ‘Invoice INV-01823 (Amended)‘ in the subject line.  But this could change so don’t assume an email is legitimate if it doesn’t follow this pattern.  Check the sending email domain, and check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Nov 2nd, 2016 – Fake Xero Customer Service Phone Number

We’ve been advised of web pages claiming to offer Xero support and providing a phone number for Xero customers to call.  The number given is not in any way associated with Xero.  The same phone number is also listed on pages on these sites supposedly offering support for other accounting software.  We’re told that if you call this number you’ll be asked for your credit card details.

The URLs for these web pages are:

[Image: xero-customer-care_url]

[Image: xero-get-customer-service_url]

This is what the web pages look like:

[Screenshot: xero-customer-care]

[Screenshot: xero-get-customer-service]

Please do not go to these pages and do not phone the number provided.  If you have called the number on these sites and provided your credit card details, please contact your bank and take action to prevent fraudulent transactions.

__________________________________________________________________________________________________________________________________________________________

Sept 21st, 2016 – Update on Xero Invoice phishing emails

We’re now seeing phishing emails being sent from the @post-xero.com domain.  The full From address is messaging-service@post-xero.com, rather than Xero’s legitimate messaging-service@post.xero.com address.  We’ve started the process to get the @post-xero.com domain taken down.

Here’s an example of one of these latest phishing emails:

[Screenshot: post-xero_example]

All of the examples we’ve seen so far from this latest phishing campaign have ‘Invoice INV00249’ in the subject line.  But this could change so don’t assume an email is legitimate if it doesn’t have this invoice number.  They’re also using a variety of company names.

Check any Xero invoice email you receive to ensure it came from our messaging-service@post.xero.com email address.  Also check the destination URL for the online invoice before you click on the link.  You can do this by hovering your mouse over the link in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Sept 12th, 2016 – Fake Xero Invoice email

We’ve had several reports from people who have received the phishing email below, or one similar.  These emails are sent from messaging-service@postxero.com, rather than Xero’s legitimate messaging-service@post.xero.com email address.  We’re working to get the @postxero.com domain taken down.

Clicking on the invoice link in these emails will download a ransomware dropper onto your computer.

[Screenshot: postxero-invoice-phishing]

All of the examples we’ve seen so far have ‘Invoice INV-0860’ in the subject line.  But this could change so don’t assume an email is legitimate if it doesn’t follow this pattern.  Check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Sept 5th, 2016 – Xero customer lists “for sale”

We’ve been advised of another email going around that’s offering a Xero customer list for sale.

Here’s an example of the email:

[Screenshot: Xero customer list sales_phishing]

This is another example of a common internet scam that offers customer data for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet.  

These scammers do not have access to any Xero customer data.  We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website which they have crawled to through our advisor or add-on directory.  But in any case we recommend you delete these emails without opening them or viewing any attachments.  If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

__________________________________________________________________________________________________________________________________________________________

Aug 30th, 2016 – Fake Invoice Reminder emails

We’ve had several reports from people who have received the phishing email below.  This email is not sent from Xero servers and spoofs the invoicereminders@post.xero.com email address.

All of the examples we’ve seen so far have been for the same dollar amount of $137.50, and the subject lines all contain an organisation name ending in “AG”.  But this could change so don’t assume an email is legitimate if it doesn’t follow this pattern.  Check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.
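The two manual checks repeated through these invoice-phishing notices (read the sending address, then look at where a link really goes rather than at its text) as an added Python example; this is not code from Xero or from these notices. The genuine-address list is taken from the addresses named on this page; the public-suffix list and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sending addresses that the notices on this page identify as genuine Xero addresses.
GENUINE_SENDERS = {"messaging-service@post.xero.com", "invoicereminders@post.xero.com",
                   "support@xero.com", "no-reply@xero.com"}
# Illustrative (assumed, not exhaustive) public suffixes under which registrable names have three labels.
TWO_LABEL_SUFFIXES = {"co.uk", "co.nz", "org.uk", "com.au"}

def registrable_domain(host):
    """post-xero.org -> post-xero.org; mail.xero-payments.co.uk -> xero-payments.co.uk."""
    labels = host.lower().strip(".").split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def is_xero_domain(host):
    """True only for xero.com itself or a subdomain of it (post.xero.com, login.xero.com)."""
    host = host.lower().strip(".")
    return host == "xero.com" or host.endswith(".xero.com")

def is_lookalike(host):
    """True when the registrable domain contains 'xero' but is not under xero.com."""
    return "xero" in registrable_domain(host) and not is_xero_domain(host)

class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs; the href is what hovering over the link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def assess(raw_message):
    """Apply both manual checks to a raw RFC 5322 message with a single-part text/html body."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2]
    findings = []
    # Check 1: the sending address. A forged copy of a genuine address passes this check;
    # only SPF/DKIM/DMARC checks at the receiving mail provider can catch that case.
    if sender.lower() not in GENUINE_SENDERS:
        if is_lookalike(sender_host):
            findings.append(f"sender domain {sender_host} imitates xero.com")
        elif not is_xero_domain(sender_host):
            findings.append(f"sender {sender} is not a Xero address")
    # Check 2: where each link really goes, regardless of the text shown for it.
    parser = _LinkCollector()
    parser.feed(msg.get_payload() if not msg.is_multipart() else "")
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if is_lookalike(host):
            findings.append(f"link '{text}' leads to lookalike domain {host}")
        elif not is_xero_domain(host):
            findings.append(f"link '{text}' leads to {host}, not a Xero site")
    verdict = "report as phishing and delete" if findings else "no issue found by these checks"
    return {"sender": sender, "findings": findings, "verdict": verdict}

# Constructed sample modelled on the post-xero.org notice above; not a real captured message.
SAMPLE = """From: Xero <messaging-service@post-xero.org>
Subject: Invoice INV-01823 (Amended)
Content-Type: text/html; charset=utf-8

<html><body><p>Your invoice is ready.</p>
<p><a href="http://post-xero.org/download/invoice.zip">View your bill online</a></p>
<p><a href="https://login.xero.com/">Log in to Xero</a></p></body></html>
"""
```

Running `assess(SAMPLE)` flags both the sender domain and the download link while leaving the genuine login link alone.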

The ‘Download PDF’ link in this email takes you to a compromised Microsoft Sharepoint site.  The destination file appears to have been removed so we are unable to confirm what was being hosted, but we assume it was malicious.

[Screenshot: Invoice Reminder Phishing Email example]

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Jun 22nd, 2016 – More fake Xero emails

We’ve had a few reports from customers who have received the spam email below.  This email is not sent from Xero servers and spoofs the no-reply@xero.com email address.

All of the links contained in the email sample we received directed to the ‘evil.com’ web site, which currently contains no malicious content.  But future variants of the email may contain more malicious content or links.

[Screenshot: Evil_com-phishing email]

If one of these emails makes it as far as your inbox, you should delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

May 20th, 2016 – Invoice Fraud using hacked email accounts

A few of our customers have reported having their email account credentials compromised and their email accounts being used for invoice fraud.  The attackers have found recently sent Xero invoices in their mail boxes and have copied these, updating the payment bank account numbers.  Then they send another email to those same customers with the modified invoice attached, advising them that the supplier has changed their bank account number for some reason and asking the customer to make payment to the new, fraudulent account number.

The recent reports we’ve received have all been from New Zealand customers, but with different email providers in each case.  There’s been no access to their Xero account, just their email.  This could happen anywhere and using any invoice system so everyone needs to be vigilant.  If your email provider offers two-factor or multi-factor authentication we recommend you use it to reduce the risk of account compromise, just as we recommend using Xero’s 2SA to protect your Xero account.

If you ever receive an updated invoice from a supplier advising of a new payment bank account number, we strongly advise that you confirm with your supplier that the payment bank account details are really theirs before making payment.  Do not use email to do this, please make contact by phone or in person.

__________________________________________________________________________________________________________________________________________________________

Mar 3rd, 2016 – The DROWN attack

“DROWN” is the acronym given to a security vulnerability affecting secure websites. You can find out more information about DROWN at https://drownattack.com/

We have checked all of our services to make sure that we are not affected by this vulnerability. We did discover three misconfigured servers in a test environment, but these have been quickly fixed. At no time was any Xero customer or their information at risk.

__________________________________________________________________________________________________________________________________________________________

Feb 4th, 2016 – Emails spoofing Xero’s message service address

Our monitoring shows a large number of emails being sent that are trying to spoof Xero’s message-service@post.xero.com email address.  message-service@post.xero.com is a legitimate Xero email address, but please be assured that these emails are not being sent by Xero.  This email ‘spoofing’ campaign is using a forged sender address.

Your email service provider should block these emails so that you don’t see them.  But if your email provider doesn’t block them you may get a message in your Spam bin, or a notification of an email received with a virus attachment.

The email will look something like this:

[Screenshot: Untitled presentation]

The attachment contains malware (malicious software) that appears to be a generic Trojan, not specifically targeting Xero or our customers.

If you are receiving spoofed emails, we encourage you to ask your email service provider to configure SPF, DKIM and DMARC checking on your mail server so that you stop receiving them.

__________________________________________________________________________________________________________________________________________________________

Jan 13th, 2016 – Scam operating from www.xeronline.com

A fraudulent website hosted at www.xeronline.com is pretending to be Xero. We recommend that you do not enter any personal details into this site, and report any emails received to our support team.

If you have entered any passwords into this site, we recommend changing passwords on any other systems that you use the same password on.

__________________________________________________________________________________________________________________________________________________________

Dec 2nd, 2015 – Scam operating from xerocorp.co.uk domain

Some people have received communications purporting to be from members of Xero’s leadership team using the domain names xerocorp.co.uk and xerocorp.com.

These domain names are not owned by Xero, and the communications received are not on our behalf.

Please do not pay any money to these people or reply to their messages. Instead “Report as Spam” within your mail client and ignore the communications.

__________________________________________________________________________________________________________________________________________________________

Nov 24th, 2015 – Xero user lists “for sale”

Some Xero accounting, bookkeeper or add-on partners have received unsolicited messages offering a “Xero User List” for sale.

Two examples of these messages are below:

[Screenshot: UserList1]

[Screenshot: UserList2]

These emails are examples of a common internet scam where lists of email addresses are offered for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random email addresses that have been harvested off the internet.  

Xero has not been hacked, and these scammers do not have access to any Xero user lists. We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website, which they have crawled to through our advisor or add-on directory, but in any case we recommend you delete these emails without opening them or viewing any attachments.  If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

__________________________________________________________________________________________________________________________________________________________

Nov 4th, 2015 – Fake Xero emails

In the most recent Xero-branded scam on the internet, we have had reports of upwards of ten million emails spoofing the post.xero.com domain name and sending a virus-infected xlsx spreadsheet attachment.

The messages are not sent from our servers, but are designed to look like a regular invoice sent from a Xero customer to someone who owes them money:

[Screenshot: security-email-update]

These fake emails are being sent from thousands of home computers that are infected with malware, so it is impractical to stop the emails being sent.

If one of these emails makes it as far as your inbox, you should delete it without opening the attachment.

Other actions you might want to take:

  • If the email has not been deleted or quarantined by your anti-malware, check that your anti-malware is up to date, and that it is set to automatically scan all incoming emails.
  • If you use Microsoft Office, configure it to block the running of Office macros within documents and spreadsheets. (If you need to use macros, make sure at least that Office prompts you every time before running them, and only run macros that you know and trust.)
  • Xero uses email security controls (SPF, DKIM and DMARC) to identify legitimate emails from us. If you have received a malicious email that appears to be from a xero.com address it means that your email provider hasn’t done the proper checks on incoming mail. You may want to contact them to ask if they are planning to implement SPF, DKIM and DMARC checking.
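The SPF, DKIM and DMARC checking recommended here and in the Feb 4th, 2016 notice above, shown as an added Python example of how a receiving mail server reaches a DMARC verdict for a message claiming to come from post.xero.com. This is not Xero's code; the policy value, the alignment modes, the public-suffix list and the Authentication-Results samples are constructed assumptions for illustration, not Xero's published DMARC record.

```python
from email.utils import parseaddr

# Illustrative (assumed, not exhaustive) public suffixes under which registrable names have three labels.
TWO_LABEL_SUFFIXES = {"co.uk", "co.nz", "org.uk", "com.au"}

def org_domain(host):
    """Organizational domain used for relaxed alignment: post.xero.com -> xero.com."""
    labels = host.lower().strip(".").split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def parse_auth_results(header):
    """Parse an Authentication-Results header (authserv-id first, clauses separated by ';')
    into (method, result, properties) tuples, e.g. ('spf', 'pass', {'smtp.mailfrom': 'post.xero.com'})."""
    results = []
    for clause in header.split(";")[1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return results

def aligned(domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)

def dmarc_evaluate(from_header, auth_results, policy="none", aspf="r", adkim="r"):
    """Reach a DMARC verdict for the From-header domain from the SPF and DKIM results.
    policy/aspf/adkim stand in for the p=, aspf= and adkim= tags of the sender domain's DMARC record."""
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2]
    spf_ok = dkim_ok = False
    for method, result, props in parse_auth_results(auth_results):
        if method == "spf" and result == "pass":
            mailfrom = props.get("smtp.mailfrom", "").rpartition("@")[2]
            spf_ok = spf_ok or aligned(mailfrom, from_domain, aspf)
        elif method == "dkim" and result == "pass":
            dkim_ok = dkim_ok or aligned(props.get("header.d", ""), from_domain, adkim)
    passed = spf_ok or dkim_ok
    # p=none only monitors; quarantine/reject are applied when neither identifier passes aligned.
    disposition = "accept" if passed or policy == "none" else policy
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail", "disposition": disposition}

# Constructed (From header, Authentication-Results) pairs; mx.example.net is an assumed receiving server.
SPOOFED = ("Xero <messaging-service@post.xero.com>",
           "mx.example.net; spf=fail smtp.mailfrom=post.xero.com; dkim=none")
GENUINE = ("Xero <messaging-service@post.xero.com>",
           "mx.example.net; spf=pass smtp.mailfrom=post.xero.com; dkim=pass header.d=xero.com")
FORWARDED = ("Xero <messaging-service@post.xero.com>",  # SPF breaks on forwarding, DKIM survives it
             "mx.example.net; spf=fail smtp.mailfrom=post.xero.com; dkim=pass header.d=post.xero.com")
LOOKALIKE = ("Xero <messaging-service@post-xero.org>",  # the scammer's own domain authenticates as itself
             "mx.example.net; spf=pass smtp.mailfrom=post-xero.org; dkim=none")
```

DMARC stops forged use of xero.com itself, but a lookalike domain such as post-xero.org passes because it authenticates as itself, which is why the notices on this page still ask you to read the sender domain and hover over links.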

Finally, if you suspect that you may have opened a malicious file, you will need to carry out a thorough clean up.  This should include a complete scan of your computer for malware and removal of any malicious code, then changing any passwords that you might have typed in during the time your computer was infected.

You can find more information about how to protect yourself from email phishing attacks here.