
Reporting Phishing to Xero

If you suspect you’ve received a phishing or malicious email, which says it’s from Xero or uses Xero’s logo, and it’s not already reported below on the Security Noticeboard – please report it by forwarding the email to phishing@xero.com.

A genuine Xero email will always come from a xero.com domain or sub-domain address, e.g. @xero.com, @post.xero.com, @send.xero.com, @sendnz.xero.com, @support.xero.com.  The address must end in exactly xero.com: look-alike domains that merely contain the name, such as xero.net or xerobank.org, are not ours.  So if it’s not from a xero.com address, be suspicious.  But please also be aware that some phishing emails attempt to spoof (impersonate) our sending addresses, so they appear to come from a xero.com address but are actually sent from a different domain; the visible sender address on its own therefore cannot prove an email is genuine.

Do not click on any links or attachments in suspicious emails.  You can find out more about how to identify phishing and other malicious emails, and how to stay safe online, on our Security page.
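As an added example (not code from Xero or from this noticeboard), here is a small Python check that applies the two rules above to a raw message: the visible From address must be on xero.com or a genuine sub-domain (look-alikes such as xerobank.org fail this), and a xero.com address is only trusted if the Authentication-Results header stamped by your own inbound mail server shows DMARC, or an aligned DKIM signature, passing. The authserv-id mx.example.test and the three sample messages are constructed for the example and modelled on the notices below.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# authserv-id that YOUR inbound mail server writes into Authentication-Results.
# Only that header is trusted: a sender can add a forged one of their own.
# (Assumption for this example; the real value is your MX's configured name.)
TRUSTED_AUTHSERV = "mx.example.test"


def is_xero_domain(domain: str) -> bool:
    """True only for xero.com itself or a genuine sub-domain of it.
    Look-alikes (xerobank.org, xero.net.nz, billingxero.co.nz) are False."""
    domain = domain.lower().rstrip(".")
    return domain == "xero.com" or domain.endswith(".xero.com")


def sender_domain(msg) -> str:
    """Domain of the visible From: address (what the recipient sees)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts and the DKIM signing domain, taken only from
    Authentication-Results headers stamped by our own server."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = str(hdr)
        if hdr.split(";", 1)[0].strip() != TRUSTED_AUTHSERV:
            continue  # not written by our MX: a sender could have forged it
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
        m = re.search(r"header\.d=([\w.-]+)", hdr, re.I)
        if m:
            verdicts["dkim_domain"] = m.group(1).lower()
    return verdicts


def classify_sender(raw: str) -> str:
    """'lookalike' / 'other' for non-xero.com senders; for a xero.com sender,
    'authenticated' only if DMARC passed or an aligned DKIM signature passed,
    otherwise 'spoofed' (the From address cannot be trusted)."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    if not is_xero_domain(domain):
        return "lookalike" if "xero" in domain else "other"
    r = auth_results(msg)
    dkim_aligned = r.get("dkim") == "pass" and is_xero_domain(r.get("dkim_domain", ""))
    if r.get("dmarc") == "pass" or dkim_aligned:
        return "authenticated"
    return "spoofed"


# Constructed samples modelled on the notices on this page (not real messages).
LOOKALIKE = """From: Xero <subscription.notifications@post.xerobank.org>
Subject: Xero Billing Notification

View your bill: http://203.0.113.7/INV-0022
"""

SPOOFED = """Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=post.xero.com; dkim=none; dmarc=fail header.from=post.xero.com
From: Xero <messaging-service@post.xero.com>
Subject: Invoice INV-00022 from Property Lagoon Limited

View your bill online
"""

GENUINE = """Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=post.xero.com; dkim=pass header.d=post.xero.com; dmarc=pass header.from=post.xero.com
From: Xero <messaging-service@post.xero.com>
Subject: Invoice INV-0001

Thanks for your payment.
"""

if __name__ == "__main__":
    for name, sample in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, "->", classify_sender(sample))
```

A message with no trusted Authentication-Results header at all is classified as spoofed rather than authenticated: the absence of a verdict is treated as failure, because anyone can type a xero.com address into the From field.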

Notices

Sept 19th, 2017 – Another Xero Billing Notification phishing variant

Today we have seen another variant of the Xero Billing Notification phishing email that we posted about several times in August, as well as on September 7th and 13th. This time the sending address is subscription.notifications@post.xerobank.org.

Please be aware that subscription.notifications@post.xerobank.org is not a sending address nor a domain used by Xero, and this email was not sent by us.

Here’s an example of this new phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it.  Do not click on any links or attachments.  The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Sept 18th, 2017 – Xero phishing email claiming to be an invoice from Spark

We’ve had reports that people have received a phishing email with the sending address of info@billingxero.co.nz and an email subject that reads ‘Your spark invoice available now’.

Please be aware that info@billingxero.co.nz is not a sending address used by Xero, and this email has not been sent by Xero, nor by Spark New Zealand.

Here is an example of the email:

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The online bill link and PDF attachment in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Sept 13th, 2017 – Another Xero Billing Notification phishing variant

Today we’ve seen another variant of the Xero Billing Notification phishing email that we posted about on August 16th, 24th, 30th and September 7th. This time it’s from the sender address of subscription.notifications@ffx2.net. As noted above, this is not a sending address or domain used by Xero, and this email was not sent by us. Here’s an example of this new phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it.  Do not click on any links or attachments.  The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Sept 7th, 2017 – Another Xero Billing Notification phishing variant

Today we’ve seen another variant of the Xero Billing Notification phishing email that we posted about on August 16th, 24th and 30th.  This time it’s from the sender address of subscription.notifications@ukays.com. As noted above, this is not a sending address or domain used by Xero, and this email was not sent by us.  Here’s an example of this new phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it.  Do not click on any links or attachments.  The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

Sept 5th, 2017 – Phishing emails spoofing messaging-service@post.xero.com

We’ve had reports of a phishing email spoofing our sending address of messaging-service@post.xero.com with a subject of: Invoice INV-000*** from Property Lagoon Limited for Gleneagles Equestrian Centre, where *** is a 2 or 3 digit number.  The invoice amount in the email also varies.  In some instances a single email address has received many copies of this email.

While this email appears to have a legitimate Xero sending address it is malicious and it was not sent by Xero.  Nor has it been sent by Property Lagoon Ltd or Gleneagles Equestrian Centre.  The scammer sending the email has exploited the names of these legitimate businesses to try to make their email more convincing.  

An example of the phishing email is shown below:

The ‘View your bill online’ link in these phishing emails will take you to a website where you’ll be asked to download an archive file.  The archive contains a Visual Basic script malware dropper that will download ransomware to your device.

Always check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.

This campaign is using multiple servers to host their malware file so the first part of the link URL isn’t consistent.  In the samples we’ve seen the URL for the bill link consistently ends with the filename of INV-00022.7z
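To make the “check the destination URL” advice mechanical, here is an added Python example (not part of this notice or Xero’s tooling) that pulls every link out of an HTML message body and reports the indicators described on this page: a host that is a bare IP address (the August 28th notice), a URL shortener such as bit.ly (August 29th), a link whose visible text looks like a xero.com URL but points elsewhere, any destination that is not xero.com or a sub-domain (the fake login page in the May 19th notice), and a download ending in an archive or script file such as INV-00022.7z. The sample HTML, the indicator lists and the 203.0.113.7 address are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators taken from the notices on this page. (Assumption for this example:
# the lists are illustrative starting points, not a complete blocklist.)
SHORTENERS = {"bit.ly"}
DROPPER_EXTENSIONS = (".zip", ".7z", ".jar", ".js", ".vbs")


def is_xero_domain(host: str) -> bool:
    """True only for xero.com or a genuine sub-domain such as login.xero.com."""
    host = host.lower().rstrip(".")
    return host == "xero.com" or host.endswith(".xero.com")


class LinkCollector(HTMLParser):
    """Collects (href, visible link text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_links(html: str) -> list:
    """Return [(href, [reasons])] for every link that should not be clicked.
    Links to xero.com hosts with no other indicator are not reported."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if not host:  # mailto:, in-page anchors etc. carry no destination host
            continue
        reasons = []
        if _is_ip(host):
            reasons.append("ip-address host")
        if host in SHORTENERS:
            reasons.append("url shortener hides real destination")
        if parts.path.lower().endswith(DROPPER_EXTENSIONS):
            reasons.append("archive/script download")
        shown = re.search(r"https?://([\w.-]+)", text)
        if shown and is_xero_domain(shown.group(1)) and not is_xero_domain(host):
            reasons.append("visible text shows a xero.com URL but destination differs")
        if not is_xero_domain(host):
            reasons.append("destination is not a xero.com host")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed HTML modelled on the phishing emails on this page (203.0.113.7 is a
# documentation address standing in for the 166.78.x.x hosts the notices mention).
SAMPLE_HTML = """
<p>View your bill online: <a href="http://203.0.113.7/bills/INV-00022.7z">https://login.xero.com/bill/INV-00022</a></p>
<p>Attachment: <a href="http://bit.ly/3xample">Invoice.pdf</a></p>
<p><a href="https://login.xero.com/">Log in to Xero</a></p>
<p><a href="mailto:phishing@xero.com">Report phishing</a></p>
"""

if __name__ == "__main__":
    for href, reasons in inspect_links(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```

The visible-text check is the programmatic form of hovering over a link: the text a sender shows you and the href the browser will actually follow are independent, and in a genuine Xero email both point at xero.com.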

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

August 30th, 2017 – Another Xero Billing Notification phishing variant

Today we’ve seen another variant of the Xero Billing Notification phishing email that we posted about on August 16th and 24th.  This time it’s from the sender address of subscription.notifications@xerobank.net. As noted above, this is not a sending address or domain used by Xero, and this email was not sent by us.  Here’s an example of this new phishing email:


The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it.  Do not click on any links or attachments.  The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

August 29th, 2017 – Fake Xero Invoice emails

We’ve had reports of yet another version of the fake invoice reminder phishing email we posted about yesterday, and previously reported in June and July.  This time the email is spoofing the sending address of info@xero.net.nz.  As noted above, this is not a sending address or domain used by Xero.

An example of this new phishing email is shown below:

There’s a small difference to the previous campaigns in that this latest variant has ‘Your invoice available now.’ in the subject line, and the bill amount is now $371.75, due on 28 Aug 2017.  This could change so don’t assume an email is legitimate if it doesn’t follow this pattern.  Check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.

In this variant the malicious URL for the bill link and PDF attachment start with bit.ly or  

The online bill link and PDF attachment in these phishing emails will take you to a website where you’ll be asked to download a zip file. The zip file contains a javascript malware dropper that we assume will download ransomware to your device.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

August 28th, 2017 – Fake Xero Invoice emails

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email we reported in June and July.  The email is spoofing the sending address so it appears to come from no-reply@xero.net.  This is not a sending address or domain used by Xero.  This email was not sent by us.

An example of this new phishing email is shown below:

The online bill link and PDF attachment in these phishing emails will take you to a website where you’ll be asked to download a zip file. The file contains a javascript malware dropper that we assume will download ransomware to your device.

Like the previous campaign, all of the examples we’ve seen so far have ‘Your xero invoice available now.’ in the subject line, but the bill amount is now $325.79, due on 28 Aug 2017. This could change so don’t assume an email is legitimate if it doesn’t follow this pattern. Check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

In this example the malicious URL for both the bill link and PDF attachment start with the IP address 166.78.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

August 24th, 2017 – New Xero Billing Notification phishing variant

We’ve had reports of a new variant of the Xero Billing Notification phishing email that we posted about on August 16th.  This time it’s from the sender address of subscription.notifications@xeromc.net.  This is not a sending address or domain used by Xero, and this email was not sent by us.  Here’s an example of this new phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it.  Do not click on any links or attachments.  The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

August 16th, 2017 – Xero Billing Notification phishing email

We’ve had reports from people who have received a phishing email with the sender address of subscription.notifications@xeronet.org. This is not a sending address or domain used by Xero, and this email was not sent by us.  Here’s an example of that phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve had reported to us.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it.  Do not click on any links or attachments.  The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.  

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

August 8th, 2017 – Fake Xero Invoice emails

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email we reported in June and July. The email claims to originate from bill@xero.co.nz but is spoofing this sending address. An example of this new phishing email is shown below:

The online bill link and PDF attachment in these phishing emails will take you to a website where you’ll be asked to download a zip file. The zip file contains a javascript malware dropper that we assume will download ransomware to your device.

Like the previous campaign, all of the examples we’ve seen so far have ‘Your xero invoice available now.’ in the subject line, but the bill amount is now $498.75, due on 07 Aug 2017. This could change so don’t assume an email is legitimate if it doesn’t follow this pattern. Check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

In this example the malicious URL for both the bill link and PDF attachment start with 

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

July 27th, 2017 – Fake Xero Invoice emails

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email we reported on June 20th.  The email claims to originate from bill@xero.com but is spoofing this address.  An example of this new phishing email is shown below:

The online bill link and PDF attachment in these phishing emails will take you to a website where you’ll be asked to download a zip file.  The zip file contains a javascript malware dropper that we assume will download ransomware to your device.

Like the previous campaign, all of the examples we’ve seen so far have ‘Your xero invoice available now.‘ in the subject line, but the bill amount has increased to $377.15, due on 27 Jul 2017.  This could change so don’t assume an email is legitimate if it doesn’t follow this pattern.  Check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.

In this example the malicious URL for both the bill link and PDF attachment start with 

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

July 5th, 2017 – Xero user lists scam email

We’ve had reports of Xero accounting partners receiving emails offering a list of Xero users’ email addresses for sale.  This is an example of the emails being received:

This is yet another instance of a common internet scam that offers customer data for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet.  Links in these emails may also take you to malicious web sites.

These scammers do not have access to any Xero customer lists.  We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website, which they have found by crawling from our advisor or add-on directory.  We recommend you delete these emails without opening them, and do not reply.  If you use an email service that offers a spam reporting feature (such as Gmail), we recommend you report any emails like this as spam.

_________________________________________________________________________________________________________________________________________________________

June 28th, 2017 – NotPetya Ransomware outbreak

You may have seen today’s news about another large ransomware campaign called NotPetya (originally reported as Petya) that’s impacted numerous organisations, initially across Europe.  Unlike the recent WannaCry ransomware, which encrypts individual files, NotPetya also overwrites the master boot record and encrypts the filesystem’s master file table (MFT), effectively locking the whole disk because the operating system can no longer locate any files.

Computers infected by NotPetya will display a ransom note demanding that $300 in bitcoin is paid for the decryption key to recover files.  However, the email address victims are told to contact after paying has been shut down by its provider, so there is currently no way to obtain a decryption key even if the ransom is paid.

Details are still coming to light, but there are indications that the initial infection is via .doc and .xls files that exploit a vulnerability in Microsoft Office (CVE-2017-0199).  Once a single computer in a network is infected with NotPetya, the program looks for other computers on the network vulnerable to a Microsoft Windows SMB Server vulnerability (the same vulnerability exploited by the WannaCry ransomware) and infects them as well.  NotPetya also harvests credentials from the memory of the infected computer and uses them with PsExec and the Windows Management Instrumentation Command-line (WMIC) to execute itself on other computers, so a fully patched machine can still be infected if credentials stolen from an infected one are valid on it.

There are reports that a ‘kill file’ can be created that will prevent the NotPetya ransomware from executing.  The kill file is reported to be called perfc.  To implement this, create a file named “perfc” (with no file extension) in c:\windows and mark it read-only.  This only stops the currently observed variant from running on that computer; it does not remove the malware from a network and is not a substitute for patching.

Microsoft released a patch for the SMB Server vulnerability in March (MS17-010 – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).  The patch for CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API) has been available since April.  Make sure you have patched to remove these vulnerabilities from your systems.

Microsoft have also released SMB Server vulnerability protection for out-of-support products Windows XP, Windows 8 and Windows Server 2003.  Additional information can be found on their blog here: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/?utm_source=t.co&utm_medium=referral

It’s a timely reminder not to click on links or attachments in suspicious emails, from sources you don’t trust or with strange/unexpected subject lines. Make sure your staff understand the need to be vigilant, including with their personal email.  You can find more information about how to protect yourself from email phishing attacks here.

Keep all of your software up to date with the latest security patches, including your anti-malware (anti-virus, anti-spyware) software.  You should also make sure you have recent backups of your system and data stored securely, off-network.

We’ve posted this advisory to support our online community.  Xero has not been impacted by NotPetya ransomware.

__________________________________________________________________________________________________________________________________________________________

June 27th, 2017 – Fake Xero subscription invoice email

We’ve had reports from Xero customers and non-customers alike who have received a phishing email with the sender address of subscription.notifications@open-e-mail.com. This is not a sending address used by Xero, nor has this email been sent by us.

Here is an example of one of these emails:

The link in this phishing email will prompt you to download a malicious file. You should report the email to your mail provider or mark it as spam and delete it. Do not click on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

June 20th, 2017 – Fake Xero Invoice emails

We’ve had reports from Xero customers and non customers alike who have received the phishing email below. The email claims to originate from Xero but is likely sent from a compromised email address, not Xero’s real mail sending address of messaging-service@post.xero.com.

The online bill link and PDF attachment in these phishing emails will take you to a website where you’ll be asked to download a zip file.  The zip file contains a javascript malware dropper that we assume will download ransomware to your device.

All of the examples we’ve seen so far have ‘Your xero invoice available now.‘ in the subject line and a bill amount of $373.75.  But this could change so don’t assume an email is legitimate if it doesn’t follow this pattern.  Check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.

In this example the malicious URL for both the bill link and PDF attachment start with 

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.

You can find more information about how to protect yourself from email phishing attacks here.

__________________________________________________________________________________________________________________________________________________________

June 6th, 2017 – Stolen credentials being tested against Xero

Over the weekend we detected a “credential stuffing” attack against Xero.  This is when hackers try to log in using usernames and passwords that they’ve stolen from another website.  The hackers “crack” the passwords in the stolen credentials database and then try these against other websites to see if they’re valid there, in the hope of gaining unauthorised access to accounts in other services.

Just to be clear, there has been no breach or security incident at Xero.  This attack is the result of another site or sites being breached.

The hackers can only successfully compromise a Xero account if the owner of that account has used the same password for Xero and the site that the credentials were stolen from.  This highlights the importance of using a unique password for Xero, and each website that you login to.

We also strongly recommend that you have 2SA enabled on your Xero account as this adds another layer of protection, significantly reducing the risk of unauthorised access even if your password is compromised. The Xero help centre has step-by-step instructions for setting up 2SA on your account. If you’d like to know more about two-step authentication in Xero, check out our blog.
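Here is an added Python example (not Xero’s detection code) of the kind of rule that surfaces a credential stuffing attack in web login logs: one source address trying many distinct usernames in a short window, with most attempts failing, is the signature, and the successful logins inside that burst are the accounts whose reused passwords need resetting first. The log format, usernames and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events, one per line: "<timestamp> <source ip> <username> <result>".
# Addresses are RFC 5737 documentation ranges; nothing here is a real log.
SAMPLE_LOG = """\
2017-06-03T02:00:01Z 203.0.113.10 alice@example.test FAIL
2017-06-03T02:00:02Z 203.0.113.10 bob@example.test FAIL
2017-06-03T02:00:02Z 203.0.113.10 carol@example.test FAIL
2017-06-03T02:00:03Z 203.0.113.10 dave@example.test OK
2017-06-03T02:00:04Z 203.0.113.10 erin@example.test FAIL
2017-06-03T02:00:05Z 203.0.113.10 frank@example.test FAIL
2017-06-03T02:05:00Z 198.51.100.7 grace@example.test FAIL
2017-06-03T02:05:09Z 198.51.100.7 grace@example.test FAIL
2017-06-03T02:05:20Z 198.51.100.7 grace@example.test OK
"""


def parse_events(text: str) -> list:
    """Parse log lines into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5) -> dict:
    """Flag source IPs that try at least `min_users` DISTINCT usernames inside a
    sliding `window`, with at least `min_fail_ratio` of those attempts failing.
    Returns {ip: summary}; summary["compromised"] lists accounts that logged in
    successfully during the burst, i.e. the reused passwords to reset first.
    One user retrying their own password (198.51.100.7 above) is not flagged.
    Caveat: a large office or carrier NAT also puts many users behind one IP,
    so tune the thresholds and corroborate before blocking an address.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if e[3] != "OK")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "failures": fails,
                        "compromised": sorted({e[2] for e in span if e[3] == "OK"}),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

Counting distinct usernames rather than raw failures is what separates stuffing from a single user mistyping a password, and the "compromised" list is the part that matters operationally: those accounts had a password that was valid somewhere else, which is exactly the reuse the notice above warns against and that 2SA would have stopped.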

__________________________________________________________________________________________________________________________________________________________

May 25th, 2017 – Spam campaign spoofing Xero email address

Xero have been advised of emails being received that spoof (impersonate) Xero’s ‘support@xero.com’ email address. While ‘support@xero.com’ is a legitimate Xero email address, please be assured that these emails have not been sent by Xero. This email campaign is using a forged sender address.

Your email service provider should block these emails so that you don’t see them.  But if your email provider has not blocked them you may receive a spam email that looks like this:

The link in this email takes you to a site where you’ll be asked a series of questions before you can “claim” your gift card prize. We recommend deleting the email if you have received it, and please do not click on any of the links.

You can find more information about how to protect yourself from phishing and malicious emails here.

__________________________________________________________________________________________________________________________________________________________

May 23rd, 2017 – Xero user details scam

We’ve had reports of Xero accounting partners receiving emails offering Xero users’ contact details for sale.  This is an example of the emails being received:

This is another instance of a common internet scam that offers customer data for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet.  Links in these emails may also take you to malicious web sites.

These scammers do not have access to any Xero customer data.  We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website, which they have found by crawling from our advisor or add-on directory.  We recommend you delete these emails without opening them or viewing any attachments.  If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

__________________________________________________________________________________________________________________________________________________________

May 19th, 2017 – Xero Phishing Site

We’ve had reports of a Xero branded phishing email currently in circulation, this is an example of one of these phishing emails:

The link in this phishing email directs you to a fraudulent replica of the Xero login page, where the offenders are hoping to trick Xero customers into disclosing their login credentials.

This is an example of the fraudulent website (note the fraudulent web address highlighted in red):

Xero’s legitimate web address is https://www.xero.com and our login page is https://login.xero.com.  We recommend always checking that you are logging into the genuine Xero site before entering your login credentials.

If you were to enter login credentials on the phishing page above, you’d be taken to this page and asked to enter your phone number:

If you have entered your Xero login credentials into the phishing page, please change your password immediately and advise our support team at support@xero.com.

We also strongly recommend having Two-Step Authentication (2SA) enabled for your Xero account. 2SA provides an additional layer of security for your Xero account that significantly reduces the risk of it being compromised if your password is stolen by phishing or malware.  To find out more about two-step authentication, please review our Help Center.

You can find more information about how to protect yourself from phishing and malicious emails here.

__________________________________________________________________________________________________________________________________________________________

May 18th, 2017 – Fake Xero Invoice emails

We’ve had reports of fake Xero invoice emails being received with a sender address of message-service@xeroaccounting.org.  This is an example of one of those emails:

The online bill link in these phishing emails will take you to a SharePoint site and ask you to download a zip file.  The zip file contains a javascript malware dropper that we assume will download ransomware to your device.

Xero’s real invoice sending address is messaging-service@post.xero.com.   If you receive an email from message-service@xeroaccounting.org, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

_______________________________________________________________________________________

May 15th, 2017 – WannaCry Ransomware Campaign

You’ve probably already seen the news about the massive international ransomware campaign hitting the computer systems of private companies and public organisations around the world.  This incident is being reported as the largest ransomware campaign to date. The ransomware in question has been identified as a variant of WannaCry (also known as ‘Wana Decrypt0r,’ ‘WannaCryptor’ or ‘WCRY’), named for the .wcry extension that earlier versions gave encrypted files; the current campaign appends .WNCRY. Like other ransomware, WannaCry blocks access to your data by encrypting it and demands money to decrypt it.

Early reports suggested the initial infection is via a phishing email with either a malicious attachment or link, but the worm also spreads directly across the internet to any reachable Windows computer exposing the vulnerable SMB service, so it needs no user interaction at all. It exploits a vulnerability in Microsoft Windows SMB Server on computers that have not received the MS17-010 patch. Once a single computer in a network is infected with WannaCry, the program looks for other vulnerable computers on the network and infects them as well.

Microsoft released a patch for the vulnerability in March (MS17-010 – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).  Make sure you have patched your systems. If you’ve not patched, disable SMBv1 until you’ve applied the patch (this will stop some older file sharing from working); SMBv1 is also the protocol the worm uses to spread between computers, so disabling it on machines that don’t need it is worthwhile even after patching.

Microsoft have also released protection for out-of-support products Windows XP, Windows 8 and Windows Server 2003.  Additional information can be found on their blog here: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/?utm_source=t.co&utm_medium=referral

It’s a timely reminder to be vigilant with email, and not to click on suspicious links or attachments in emails from people you don’t know or with strange/unexpected subject lines. You should also make sure you have recent backups of your system and data stored securely, off-network.

We’ve posted this advisory to support our online community.  Xero has not been impacted by WannaCry ransomware.

__________________________________________________________________________________________________________________________________________________________

April 6th, 2017 – Spark Invoice Reminder phishing email

We’ve had reports from people who have received the phishing email below.  These emails look like an invoice reminder generated from Xero that has been sent by Spark, spoofing the sending address of sales@spark.com.  These emails are being sent out indiscriminately and are not from Spark New Zealand.

Clicking on the invoice link or PDF attachment in these emails will take you to a malicious file, probably containing ransomware.

Always check the sending email address, and check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.  Hovering your mouse over the PDF attachment in this email will display the same URL as the invoice link.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

  


Mar 28th, 2017 – Xero Remittance Advice phishing email

We’ve had reports from people who have received the phishing email below.  These emails have a sending address of payments@xero-payments.co.uk.  This is not a legitimate Xero domain and we are working to have the xero-payments.co.uk domain taken down.

Clicking on the pay slip image will take you to a OneDrive page where you’ll be asked to download a ZIP folder.  The ZIP folder contains a malicious JAR file.

 

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it.  DO NOT click on the image.

You can find more information about how to protect yourself from email phishing attacks here.

 


Mar 17th, 2017 – Xero Billing phishing email

We’ve had reports of a phishing email that purports to come from the billing team at Xero.  You can see an example of this below.  The emails we’ve seen have all been sent from a btconnect.com address.  The sender’s address always starts with ‘xero’, but the remainder of the address has not been consistent.

 

The supposed attached invoice is actually an HTML document.  Clicking on the attachment takes you to a fake login page designed to steal your email account name and password.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the attachment.  If you have clicked the attachment and input your user name and password into the fake login page, please change your password immediately.  We also recommend that you use two-factor or multi-factor authentication (2FA/MFA) on your email account if this is available.

You can find more information about how to protect yourself from email phishing attacks here.

 


Mar 14th, 2017 – Xero Invoice phishing email

We’ve had reports from Xero customers and non-customers alike who have received the phishing email below.  These emails are spoofing the sending address of invoice@xero.co.nz and are being sent out indiscriminately.  Xero’s real invoice sending address is messaging-service@post.xero.com.

Clicking on the invoice link or PDF attachment in these emails will take you to a malicious file, probably containing ransomware.


Check the sending email address, and check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.  Hovering your mouse over the PDF attachment in this email will display the same URL as the invoice link.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

 


Dec 6th, 2016 – Xero customer lists scam

We’re seeing some more instances of emails offering Xero customer lists for sale.  There’s an example of these emails below, and we’re also seeing them with the subject “Xero reseller contacts”.  The sending email address and signature also vary.

[Image: xero-updated-directory]

This is another example of a common internet scam that offers customer data for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet.  Links in these emails may also take you to malicious web sites.

These scammers do not have access to any Xero customer data.  We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website, which they could have reached by crawling our advisor or add-on directory.  In any case, we recommend you delete these emails without opening them or viewing any attachments.  If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

 


Dec 2nd, 2016 – Xero Invoice phishing email

We’ve had reports from customers who have received the phishing email below, or one similar.  These emails are sent from messaging-service@post-xero.org, rather than Xero’s legitimate messaging-service@post.xero.com email address.  We’re working to get the @post-xero.org domain taken down.

Clicking on the invoice link in these emails will take you to a malicious web site, possibly containing ransomware.

[Image: post-xero_org-phishing-email]


All of the examples we’ve seen so far have ‘Invoice INV-01823 (Amended)‘ in the subject line.  But this could change so don’t assume an email is legitimate if it doesn’t follow this pattern.  Check the sending email domain, and check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

 


Nov 2nd, 2016 – Fake Xero Customer Service Phone Number

We’ve been advised of web pages claiming to offer Xero support and providing a phone number for Xero customers to call.  The number given is not in any way associated with Xero.  The same phone number is also listed on pages on these sites supposedly offering support for other accounting software.  We’re told that if you call this number you’ll be asked for your credit card details.

The URLs for these web pages are:

[Image: xero-customer-care_url]

[Image: xero-get-customer-service_url]

This is what the web pages look like:

[Image: xero-customer-care]

[Image: xero-get-customer-service]


Please do not go to these pages and do not phone the number provided.  If you have called the number on these sites and provided your credit card details, please contact your bank and take action to prevent fraudulent transactions.

 


Sept 21st, 2016 – Update on Xero Invoice phishing emails

We’re now seeing phishing emails being sent from the @post-xero.com domain.  The full From address is messaging-service@post-xero.com, rather than Xero’s legitimate messaging-service@post.xero.com address.  We’ve started the process to get the @post-xero.com domain taken down.

Here’s an example of one of these latest phishing emails:

[Image: post-xero_example]

All of the examples we’ve seen so far from this latest phishing campaign have ‘Invoice INV00249’ in the subject line.  But this could change so don’t assume an email is legitimate if it doesn’t have this invoice number.  They’re also using a variety of company names.

Check any Xero invoice email you receive to ensure it came from our messaging-service@post.xero.com email address.  Also check the destination URL for the online invoice before you click on the link.  You can do this by hovering your mouse over the link in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

 


Sept 12th, 2016 – Fake Xero Invoice email

We’ve had several reports from people who have received the phishing email below, or one similar.  These emails are sent from messaging-service@postxero.com, rather than Xero’s legitimate messaging-service@post.xero.com email address.  We’re working to get the @postxero.com domain taken down.

Clicking on the invoice link in these emails will download a ransomware dropper onto your computer.

[Image: postxero-invoice-phishing]

All of the examples we’ve seen so far have ‘Invoice INV-0860’ in the subject line.  But this could change so don’t assume an email is legitimate if it doesn’t follow this pattern.  Check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

 


Sept 5th, 2016 – Xero customer lists “for sale”

We’ve been advised of another email going around that’s offering a Xero customer list for sale.

Here’s an example of the email:

[Image: Xero customer list sales_phishing]

This is another example of a common internet scam that offers customer data for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet.  

These scammers do not have access to any Xero customer data.  We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website, which they could have reached by crawling our advisor or add-on directory.  In any case, we recommend you delete these emails without opening them or viewing any attachments.  If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

 


Aug 30th, 2016 – Fake Invoice Reminder emails

We’ve had several reports from people who have received the phishing email below.  This email is not sent from Xero servers and spoofs the invoicereminders@post.xero.com email address.

All of the examples we’ve seen so far have been for the same dollar amount of $137.50, and the subject lines all contain an organisation name ending in “AG”.  But this could change so don’t assume an email is legitimate if it doesn’t follow this pattern.  Check the destination URL before you click on a link.  You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL.  This will be displayed at the bottom of your browser window.

The ‘Download PDF’ link in this email takes you to a compromised Microsoft SharePoint site.  The destination file appears to have been removed, so we are unable to confirm what was being hosted, but we assume it was malicious.

[Image: Invoice Reminder Phishing Email example]


If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

 


Jun 22nd, 2016 – More fake Xero emails

We’ve had a few reports from customers who have received the spam email below.  This email is not sent from Xero servers and spoofs the no-reply@xero.com email address.

All of the links contained in the email sample we received directed to the ‘evil.com’ web site, which currently contains no malicious content.  But future variants of the email may contain more malicious content or links.


[Image: Evil_com-phishing email]

If one of these emails makes it as far as your inbox, you should delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

 


May 20th, 2016 – Invoice Fraud using hacked email accounts

A few of our customers have reported having their email account credentials compromised and their email accounts being used for invoice fraud.  The attackers have found recently sent Xero invoices in their mail boxes and have copied these, updating the payment bank account numbers.  Then they send another email to those same customers with the modified invoice attached, advising them that the supplier has changed their bank account number for some reason and asking the customer to make payment to the new, fraudulent account number.

The recent reports we’ve received have all been from New Zealand customers, but with different email providers in each case.  There’s been no access to their Xero account, just their email.  This could happen anywhere and using any invoice system, so everyone needs to be vigilant.  If your email provider offers two-factor or multi-factor authentication we recommend you use it to reduce the risk of account compromise, just as we recommend using Xero’s 2SA (two-step authentication) to protect your Xero account.

If you ever receive an updated invoice from a supplier advising of a new payment bank account number, we strongly advise that you confirm with your supplier that the payment bank account details are really theirs before making payment.  Do not use email to do this, please make contact by phone or in person.

 


Mar 3rd, 2016 – The DROWN attack

“DROWN” is the acronym given to a security vulnerability affecting secure websites.  You can find out more information about DROWN at https://drownattack.com/

We have checked all of our services to make sure that we are not affected by this vulnerability.  We did discover 3 misconfigured servers in a test environment, but these were quickly fixed.  At no time was any Xero customer or their information at risk.

 


Feb 4th, 2016 – Emails spoofing Xero’s message service address

Our monitoring shows a large number of emails being sent that are trying to spoof Xero’s message-service@post.xero.com email address.  message-service@post.xero.com is a legitimate Xero email address, but please be assured that these emails are not being sent by Xero.  This email ‘spoofing’ campaign is using a forged sender address.

Your email service provider should block these emails so that you don’t see them.  But if your email provider doesn’t block them you may get a message in your Spam bin, or a notification of an email received with a virus attachment.

The email will look something like this:

[Image: example of the spoofed email]

The attachment contains malware (malicious software) that appears to be a generic Trojan, not specifically targeting Xero or our customers.

If you are receiving spoofed emails, we encourage you to ask your email service provider to configure SPF, DKIM and DMARC checking on your mail server so that you stop receiving them.

 


Jan 13th, 2016 – Scam operating from www.xeronline.com

A fraudulent website hosted at www.xeronline.com is pretending to be Xero. We recommend that you do not enter any personal details into this site, and report any emails received to our support team.

If you have entered any passwords into this site, we recommend changing passwords on any other systems that you use the same password on.


Dec 2nd, 2015 – Scam operating from xerocorp.co.uk domain

Some people have received communications purporting to be from members of Xero’s leadership team using the domain names xerocorp.co.uk and xerocorp.com.

These domain names are not owned by Xero, and the communications received are not on our behalf.

Please do not pay any money to these people or reply to their messages. Instead “Report as Spam” within your mail client and ignore the communications.


Nov 24th, 2015 – Xero user lists “for sale”

Some Xero accounting, bookkeeper or add-on partners have received unsolicited messages offering a “Xero User List” for sale.

Two examples of these messages are below:


[Image: UserList1]

[Image: UserList2]

These emails are examples of a common internet scam where lists of email addresses are offered for sale for “targeted marketing” purposes.  The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random email addresses that have been harvested off the internet.  

Xero has not been hacked, and these scammers do not have access to any Xero user lists. We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website, which they could have reached by crawling our advisor or add-on directory.  In any case, we recommend you delete these emails without opening them or viewing any attachments.  If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.


Nov 4th, 2015 – Fake Xero emails

In the most recent Xero-branded scam on the internet, we have had reports of upwards of ten million emails spoofing the post.xero.com domain name and sending a virus-infected xlsx spreadsheet attachment.

The messages are not sent from our servers, but are designed to look like a regular invoice sent from a Xero customer to someone who owes them money:

[Image: security-email-update]

These fake emails are being sent from thousands of home computers that are infected with malware, so it is impractical to stop the emails being sent.

If one of these emails makes it as far as your inbox, you should delete it without opening the attachment.

Other actions you might want to take:

  • If the email has not been deleted or quarantined by your anti-malware, check that your anti-malware is up to date, and that it is set to automatically scan all incoming emails.
  • If you use Microsoft Office, configure it to block the running of Office macros within documents and spreadsheets. (If you need to use macros, make sure at least that Office prompts you every time before running them, and only run macros that you know and trust.)
  • Xero uses email security controls (SPF, DKIM and DMARC) to identify legitimate emails from us. If you have received a malicious email that appears to be from a xero.com address it means that your email provider hasn’t done the proper checks on incoming mail. You may want to contact them to ask if they are planning to implement SPF, DKIM and DMARC checking.
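
The checks these notices keep recommending (is the From domain xero.com or one of its sub-domains, did the receiving server record SPF, DKIM and DMARC passes, and where does each link really point, which is what hovering over it shows you) combined into one triage routine.  This is an added example, not Xero’s own tooling: the sample message, the example.com/example.net hosts and the example.xero.com link are constructed, and the Authentication-Results header is whatever your own mail server adds.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGITIMATE_DOMAIN = "xero.com"  # genuine Xero mail comes from here or a sub-domain of it


def is_xero_domain(domain: str) -> bool:
    """True only for xero.com itself or a sub-domain such as post.xero.com."""
    d = domain.lower().rstrip(".")
    return d == LEGITIMATE_DOMAIN or d.endswith("." + LEGITIMATE_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """post-xero.com, postxero.com, xero-payments.co.uk: contain 'xero' but are not under it."""
    return "xero" in domain.lower() and not is_xero_domain(domain)


class _LinkCollector(HTMLParser):
    """Collect href targets: the real destinations you would otherwise see by hovering."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def triage(raw: bytes) -> list:
    """Return the red flags found in a raw RFC 822 message; an empty list means none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Sending domain: must be xero.com or a sub-domain; a lookalike is a strong signal.
    hdr = msg["From"]
    from_domain = hdr.addresses[0].domain if hdr and hdr.addresses else ""
    if not is_xero_domain(from_domain):
        kind = "a lookalike of" if is_lookalike(from_domain) else "not under"
        findings.append(f"sender domain {from_domain!r} is {kind} {LEGITIMATE_DOMAIN}")
    # 2. Receiving-server checks: mail really sent by Xero passes SPF, DKIM and DMARC.
    auth = str(msg.get("Authentication-Results", ""))
    results = {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            findings.append(f"{mech} result is {results.get(mech, 'missing')!r}, not 'pass'")
    # 3. Link destinations: any link whose real target is outside xero.com is suspect.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        links = _LinkCollector()
        links.feed(body.get_content())
        for href in links.hrefs:
            if not is_xero_domain(urlparse(href).hostname or ""):
                findings.append(f"link points outside {LEGITIMATE_DOMAIN}: {href}")
    return findings


# Constructed sample modelled on the Sept 2016 notice; the hosts are placeholders, not real IoCs.
SAMPLE_PHISH = b"""\
From: Xero <messaging-service@post-xero.com>
Subject: Invoice INV00249
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=post-xero.com; dmarc=none
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://invoice-download.example.net/INV00249">View invoice</a></body></html>
"""
```

Call triage() on the bytes of a saved .eml file; a non-empty list is a reason to report the message as phishing and delete it rather than click anything in it.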

Finally, if you suspect that you may have opened a malicious file, you will need to carry out a thorough clean up.  This should include a complete scan of your computer for malware and removal of any malicious code, then changing any passwords that you might have typed in during the time your computer was infected.

You can find more information about how to protect yourself from email phishing attacks here.