Advisories

The phishing emails appear to be invoice notifications. They use accounting software brands and have links to download an invoice.

The malware infects the browser and adds malicious plugins. These plugins are used to steal login credentials, as well as two-factor authentication codes. Attackers are using these stolen credentials to access the bank account and transfer money to overseas accounts.

The security of the accounting software and the banks is not affected by this campaign.

If you are a business banking customer of a New Zealand bank, keep an eye out for unexpected emails from common accounting software companies.

Below is an example of the phishing email:

CERT NZ has been working with MYOB and affected parties about this issue.

You can tell if your business is affected if:

• you’ve downloaded a file from the emails. These files contain malware that infects the machine. We’ve confirmed the malware downloads and installs plugins to the user’s browser.
• you are redirected when you accesses business online banking. The plugin redirect the user to a malicious IP address that has a page that looks very similar to the bank’s business login page. Once the user logs in, the page says the website is currently undergoing maintenance. Meanwhile, the credentials and two-factor authentication codes are sent to the attacker.
• you see unauthorised transactions in your business account.

Some anti-malware or system scans are not identifying the malware, so if you believe you’ve been affected and your anti-virus is not detecting anything, CERT NZ still strongly recommends taking these mitigation steps.

Banks will notify their business customers if they know you’re affected.

To prevent this malware from being installed, CERT NZ recommends not opening or downloading any invoices that are unexpected or appear illegitimate.

The emails are using familiar accounting software brands. If you’re unsure if an email is legitimate, contact the company that sent the invoice to confirm, using a different method.

If you’ve been affected by this campaign, you’ll need to secure your online accounts, and clean the infected machines.

For online security, CERT NZ recommends:

• contacting your bank immediately if they have not already contacted you. You can flag your account as affected and this prevent funds from being transferred overseas.
• changing your passwords immediately for your online banking. This should be done from a machine that has not been affected.
• changing passwords to any other account that was accessed from the affected machine. This could include other financial or accounting accounts, or your business email account.
• monitoring your bank accounts for any unexpected or unauthorised transactions.

To clean your affected machines of this malware, CERT NZ recommends:

• wipe the machine and reinstall the operating system. The malware can be difficult to remove because the infected files look like normal system files, so it hides in plain sight. The best thing to do is to reinstall the operating system and build the machine from scratch.
• if that is not possible, we recommend you:
  • restore from a backup. The restore should back up the machine to a time before the phishing email was received.  However, the phishing email with the malware may have been delivered to victims up to three months ago.
  • enable the operating system firewall and remove any previous firewall rules that were set for software on the machine. If a file requests permissions to connect to a destination that you’re unfamiliar with, deny the access.