Advert.

Do NOT tell your scammer he is posted here, or report their accounts as it puts others at risk!

invoicereminders@post.xerostatic.com

DO NOT click on any links in these emails.

invoicereminders@post.xerostatic.com

Unread postby firefly » Thu Dec 14, 2017 7:25 pm

Warning about the sender:

Don't pay the fake #Xero invoice. Email links to a compromised SharePoint site, hosting a Javascript file executing a malicious trojan.


Warning posted by the real Xero on their site - https://www.xero.com/blog/security-noticeboard/:

December 14th, 2017 – Fake Invoice phishing email

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email, similar to those we reported about in June, July, August and November. The sending address of the email is invoicereminders@post.xerostatic.com with a subject of ‘Bill INV-0906 from Enquip Pty Ltd is due soon’. The invoice amount in the email also varies.

Please be aware that invoicereminders@post.xerostatic.com is not a sending address nor a domain used by Xero, and this email was not sent by us. Nor was it sent by Enquip Pty Ltd. The criminal sending the email has exploited the name of this legitimate business to try to make their email more convincing.

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The online bill link and PDF attachment in this phishing email will prompt you to download a malicious file, possibly ransomware.


Email - forwarded to us by one of the targeted victims:

From: Xero
Sent: Thursday, December 14, 2017
To:
Subject: Bill INV-0906 from Enquip Pty Ltd is due soon

Dear Client

Thanks for working with us. This is a gentle reminder that your bill for $286.88 is due on 18 Dec 2017.

If you've already paid it, thank you for your prompt payment we are sorry for bothering you and please ignore this email.

To view your bill visit https: / / in.xero.com/COvlbwFbVKzZrYjYHmKqmAPkhZddNUHYXjNTljUB

If you've got any questions, or want to arrange alternative payment don't hesitate to get in touch.

Thank you

Donna
Accounts & Administration
Enquip Pty Ltd


The email has a pdf attachment for download.

Header:

X-From_: invoicereminders@post.xerostatic.com Thu Dec 14 2017
Return-Path: <invoicereminders@post.xerostatic.com>
X-Greylist: Passed host: 54.37.161.37
Received: from email13.post.xerostatic.com
(email13.post.xerostatic.com
[54.37.161.37])
Date: Wed, 13 Dec 2017
Message-Id: <20171213160148.930.2714ebfce4331dfad@post.xerostatic.com>
To: <xxx>
From: "Xero" <invoicereminders@post.xerostatic.com>
Subject: Bill INV-0906 from Enquip Pty Ltd is due soon
List-Unsubscribe: <mailto: unsubscribe@post.xerostatic.com ? subject=unsubscribe>

Originating IP: 54.37.161.37
Originating ISP: Ovh Sas
Country of Origin: France

The fake site used in the phishing attack was created on the same day as the one when the above email was sent:

Domain name: xerostatic.com
Update Date: 2017-12-13
Creation Date: 2017-12-13
Registrar Registration Expiration Date: 2018-12-13
Registrar: ERANET INTERNATIONAL LIMITED

Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Wun Seng
Registrant Organization: n.a.
Registrant Street: 16 Main road
Registrant City: Xiamen
Registrant Province/state: FJ
Registrant Postal Code: 361327
Registrant Country: CN
Registrant Phone: +86.5925763227
Registrant Fax: +86.5925763227
Registrant Email: whois-protect@hotmail.com
Name Server: ns1.post.xerostatic.com
Name Server: ns2.post.xerostatic.com
Help yourself by helping others - report your scammer here.
Google can be your best friend;use it if you have doubts about someone met online. If someone met online only asks for money, no matter what reason, it´s 100% scam.
viewtopic.php?f=11&t=26504
Image
User avatar
firefly
"Nut job" admin.
 
Posts: 48678
Joined: Sun Apr 22, 2012 12:27 am
Location: in a parallel universe

Return to No clicky clicky. Sites that try to install a virus on your PC.

Who is online

Users browsing this forum: No registered users and 3 guests