Malware targeting business customers of New Zealand banks
A phishing campaign containing malware is specifically targeting business customers of some New Zealand banks.
The phishing emails are branded to look like invoice notifications from common accounting software. Once a user clicks on the attachments or links in the email, malware is downloaded onto the user’s machine.
CERT NZ understands that banks have been notifying their business customers if they are affected.
Note: The malware is on the infected computer. The bank’s and the accounting software’s security is unaffected.
Clicking on links or attachments in the email installs malware onto your browser and adds malicious plugins.
These plugins record what you’re entering to steal:
- login details
- passwords, and
- two-factor authentication codes.
Attackers use these stolen login details to access the business’ bank account and transfer money to overseas accounts.
What to look for
How to tell if you're at risk
If you don’t recall receiving or clicking on an unexpected email from an accounting software company, or are not contacted by your bank, you have probably not been affected by this malware.
However, CERT NZ recommends monitoring your bank accounts for signs of unauthorised transactions.
The phishing emails may have been sent up to three months ago.
Below is an example of the phishing email:
CERT NZ has been working with MYOB and affected parties on this issue.
How to tell if you're affected
Businesses can tell if they’re affected if:
- you received the email and clicked on the invoice.
- the files downloaded and opened from the email don’t look like invoice documents.
- when you navigate to your bank’s business login page, you’re redirected to a different website. Look at the URL in your browser to see if the bank website URL has changed to something else.
- you see a message saying business online banking is unavailable when you log in.
- you see transactions in your bank accounts that you did not authorise or expect.
If you are affected by this, it most likely means that at some point someone in your business received the phishing email, and followed the steps detailed in the email.
What to do
Keep an eye out for invoices that come via email that you were not expecting, or look illegitimate.
If you receive one, do not click on it and then report it to CERT NZ. If you’ve clicked on the email, follow the mitigations below.
If you think you might be affected, and your bank has not contacted you, CERT NZ recommends immediately contacting your bank. They will put a flag on your account to monitor for suspicious activity.
If your bank has contacted you, CERT NZ recommends:
- from a different computer, change all the passwords you’ve used since clicking in the email. This includes your online banking password as well as any other system you’ve logged into – your email, for example.
- wiping the infected computer and reinstalling your operating system. This will ensure the malware is removed. You may need an IT professional to do this. If you don’t have IT support, review our technical advice.
- report it to us, even if you don’t need advice. The more incidents we know of, the better we can advise and help others
- contact your bank and advise them that your machine has been cleaned.