A new variant of the banking trojan Dridex is part of a sophisticated phishing attack targeting users of the cloud-based accounting firm Xero.
The global campaign is the latest in what security experts at Trustwave said is a wave of phishing attacks against Xero and other financial and accounting services such as Intuit.
The subject line of the messages is typically “Xero Billing Notifications,” and the originating email address displays “xeronet.org” instead of the legitimate business domain “xero.com.” The xeronet.org domain was registered in China the same day the campaign started (Aug. 16). The message body attempts to spoof a legitimate inquiry from Xero, asking the recipient to follow a set of malicious URLs (see below).