The Invoice Illusion: When Phishers Send You a Bill You’d Never Wish to Pay
See what I did there?
Ah, invoices. Those delightful pieces of paper (or pixels) that remind us business is booming, until one day you receive an invoice that feels just a little…fishy. Today, we’re diving into the world of fake invoice phishing campaigns, where cybercriminals craft invoices so polished they could put your favorite accounting software to shame. But don’t worry, we’re here to help you spot the tricks, share a laugh (or two), and keep your company’s funds safely out of the clutches of these digital scoundrels.
The Anatomy of a Deceptively Legitimate Invoice
Picture this: You open your inbox, and there it is, a pristine invoice for services you vaguely remember discussing. It is adorned with logos, professional fonts, and even that convincing "due by" date. But wait... something's off. Fake invoice phishing campaigns operate on this very premise, preying on the human tendency to trust what appears professional. Instead of billing for an actual service, these bogus invoices are nothing more than digital traps designed to make your finance team sign away your hard-earned cash.
Let’s take a closer look:
“Look at that subtle off-white coloring. The tasteful thickness of it. Oh my God, it even has a watermark QR Code”
The attackers have truly mastered the art of deception. They blend in seamlessly with everyday communications, exploiting our natural inclination to act on what seems routine. It is like receiving a birthday card from a "long lost relative" who suddenly demands payment for a surprise party: charming on paper but disastrous in practice. Let’s see Paul Allen’s card, the attached PDF:
Something wrong, Patrick? You’re sweating
Yes, a lot... Maybe?
In this case, our detection system in the background raised a red flag that made us pause and take a second look: a minuscule discrepancy, yet enough to warrant deeper investigation. It was like being in the middle of an elite business card exchange and suddenly spotting one card that just didn’t measure up:
Why would such a delicate, well-crafted, allegedly expected and totally legitimate invoice come from a newly generated domain?
Launch the CAPTURE:
Using our “proprietary” CAPTURE system (Centralized Analysis for Phishing Tactics Uncovering Red hErrings), we intercepted an official invoice?! And yes, the QR code was official too, sourced directly from Pix.
You heard that right. So where's the catch? Well, just follow the money: the payment destination details were altered, rerouting funds to our dear friends. A deeper dive into the indicators of compromise revealed the following:
A centralized phishing operation based in Eastern Europe that is actively impersonating multiple trusted brands to distribute fraudulent invoices. One of their latest templates impersonates a well-known Brazilian hosting company and uses Santander Bank accounts along with the Pix payment application to route payments through a legitimate QR code. If a cautious user attempts to investigate further, the fake website quickly redirects them to the legitimate site, reinforcing the illusion of authenticity. The domain itself appears to be DGA-generated, a hallmark of automated, ever-changing phishing campaigns.
This isn’t their first rodeo. The same campaign has previously posed as the Czech Postage Service (Česká pošta), Australia Post (Aus Post), UPS, various delivery tracking services, and even Netflix. Adding insult to injury, the servers behind these scams are operated by the Moldavian company ALEXHOST SRL. These servers have a history of distributing malware such as the Trojan Downloader Morila, which remains active in the wild today. What a plot twist, huh?
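The swapped payment destination described above is why a valid, scannable Pix code says nothing about who gets paid. As an added example (not code from the CAPTURE system or from this investigation), the Python below parses a static Pix "copia e cola" payload, checks its CRC, and compares the embedded key with the vendor's key on file; the keys, names and payloads are constructed, and dynamic codes that carry a URL instead of a key are out of scope.

```python
# Added example: every key, name and payload below is constructed for illustration.
PIX_GUI = "br.gov.bcb.pix"

def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), the checksum in EMV QR field 63."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def tlv(tag: str, value: str) -> str:
    return f"{tag}{len(value):02d}{value}"

def parse_tlv(s: str) -> dict:
    """Split a string of ID(2) + length(2) + value records into a dict."""
    out, i = {}, 0
    while i < len(s):
        tag, length = s[i:i + 2], s[i + 2:i + 4]
        if not length.isdigit() or i + 4 + int(length) > len(s):
            raise ValueError(f"malformed TLV at offset {i}")
        out[tag] = s[i + 4:i + 4 + int(length)]
        i += 4 + int(length)
    return out

def build_payload(key: str, name: str, city: str) -> str:
    """Build a constructed static payload so the samples carry a correct CRC."""
    body = (tlv("00", "01") + tlv("26", tlv("00", PIX_GUI) + tlv("01", key))
            + tlv("52", "0000") + tlv("53", "986") + tlv("58", "BR")
            + tlv("59", name) + tlv("60", city) + "6304")
    return body + f"{crc16(body.encode()):04X}"

def check_invoice_qr(payload: str, expected_keys: set) -> list:
    """Return findings; an empty list means the QR pays a key the vendor is known to use."""
    findings = []
    if f"{crc16(payload[:-4].encode()):04X}" != payload[-4:].upper():
        findings.append("crc_mismatch")
    account = parse_tlv(parse_tlv(payload).get("26", ""))
    if account.get("00", "").lower() != PIX_GUI:
        findings.append("not_a_pix_payload")
    key = account.get("01")  # static codes only; dynamic codes use a URL in sub-field 25
    if key not in expected_keys:
        findings.append(f"unexpected_beneficiary:{key}")
    return findings

VENDOR_KEYS = {"financeiro@hosting-vendor.example"}  # constructed vendor master data
GOOD = build_payload("financeiro@hosting-vendor.example", "HOSTING VENDOR LTDA", "SAO PAULO")
SWAPPED = build_payload("pagamentos@lookalike.example", "HOSTING VENDOR LTDA", "SAO PAULO")
print(check_invoice_qr(SWAPPED, VENDOR_KEYS))
```

Both samples carry the same merchant name in field 59 and a correct CRC, so only the comparison against the key on file separates them.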
But I look so impeccably professional!
Conclusion: Stay Sharp and Scrutinize Everything
In our ever-evolving digital landscape, fake invoice phishing campaigns remind us that a polished exterior does not guarantee legitimacy. Just like that unforgettable business card scene, it’s essential to scrutinize every detail before handing over your hard-earned money. Next time you receive an invoice that seems flawless, take a moment to review every element, because a little vigilance goes a long way in keeping your finances safe.
Keep your eyes sharp, your skepticism high, and remember: in the world of phishing, every detail counts, even if it means channeling your inner Patrick Bateman.
Happy (and secure) invoicing!
IOCs
8b7078d1598b4a61fb5caf9f676bfa5fa0b4e0807ad3bb3f27795c7fbbe9a4a9
ecdf0573ee874850cddec849079f1443a69fad9b7378ad6c530af65f65c3509a
91.208.184.248
registrodewesite[.]shop
contato@registrodewesite[.]shop