Story image

Fake eWAY invoice contains malicious macro attachments

10 Apr 17

MailGuard has detected a new email malware scam that masquerades as an Australian online payments company.

The email contains a fake transaction confirmation from eWAY, an online payment company. The confirmation document contains a malicious macro that can download and run malware.

MailGuard states that the email was sent from estoreway.info, a newly registered domain very different to the genuine eway.com.au domain.

The scam persuades victims to open a Word attachment by stating that a purchase has been approved. 

The item will apparently be delivered to the address in the invoice/attachment. The attachment is password-protected to help it look legitimate, however it contains a macro that downloads macro malware.

MailGuard states there are a few key giveaways that the otherwise genuine-looking email is a scam:

The subject line “Receipt of APPROVED order!!!” uses excessive exclamation marks and capital letters. Dodgy grammar means it’s probably not a reputable brand.

The domain name and sender address informdesk@estoreway.info should also be double checked and compared to the genuine eWAY email and domain.

The attackers also instruct victims to ‘enable editing’, which should also serve as a warning that something is not right. Doing this launches the macro, which can then download malware.

The company says macros can automatically install malware and harmful files such as keyloggers, which track input and mouse clicks and trojans, which can delete, steal or copy a victim’s data.

They can remain undetected for months - only made discoverable when a breach has occurred.

MailGuard says there are simple ways to protect yourself from email scams.

  • Delete emails that seem suspicious or contain attachments that you were not expecting
  • Contain macro-enabled Word files that require you to enable or run the macro
  • Ask users to click a link in the email body to access the website.
  • MailGuard says if you are unsure, contact the company and ask if the email is genuine.
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.