New Fake-Invoice Campaign Uncovered by Malwarebytes
🚨 A new batch of fake payment invoices is being staged right now, and we caught the campaign while it was still being put together! The emails impersonate trusted brands like PayPal, Amazon, and Geek Squad, all aiming to scare you into calling a phone number where a fake “support agent” is waiting.
What makes this wave unusual is that some of the templates we recovered still contained blank fields where the phone number and price should have been, while others were already complete and in circulation. We caught the campaign mid-rollout! 🎯
This particular flavor is called a “phantom invoice” or “refund” scam, and the trick is psychological, not technical. That’s why these emails can often slip past spam filters: there is typically no malicious attachment or link for security systems to analyze. The scam is in the phone number you’re urged to call. If you didn’t make the purchase, there’s no need to call the number in the email to cancel it. If you do call, the conversation usually leads to one of a few outcomes:
- They may ask you to install software so they can “fix” the charge, giving them access to your computer.
- They may ask for your card or bank details to “process the refund.”
- Or they may “accidentally” refund too much and ask you to send the difference back, usually by gift card or bank transfer.
We came across a cluster of nearly identical invoice templates that were clearly part of the same kit, and several of them were incomplete. Where a finished scam email would show a phone number, some of these showed the literal text #TFN# instead, which is just a placeholder. Others left the price as #PRICE#, the date as #DATE#, and the recipient as #EMAIL#. These are merge fields: the blanks a bulk-sending tool fills in automatically before a campaign goes out. Finding those placeholders still in place told us that the operation was still being assembled. The scammers use familiar brands such as PayPal, Amazon, and Geek Squad. The charges are also carefully chosen, with many messages adding urgency, telling recipients to call quickly to dispute or cancel the charge.
Warning Signs to Watch For
The good news is that these scams share warning signs. Watch for any of these:
- A charge you don’t remember making
- A ticking clock
- Brands you trust, used as cover
- Odd details that don’t quite fit
- Pressure to keep you on the phone
The best defense is simple: if an unexpected invoice tells you to call a number immediately, stop and verify the charge independently first. If you receive a suspicious invoice like the ones described here, don’t call the number, don’t reply or click anything, verify charges independently, and report it.
Indicators of Compromise
Indicators of compromise include domains:
- invoicepdfin[.]xyz
- invoicepdfus[.]xyz
- invoicepdfusa[.]xyz
- invoicerep[.]xyz
- invoicestatement[.]xyz
- invoicestm[.]xyz
Callback numbers observed are 804-392-2793 and 801-640-8589.
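The two things a defender can actually match on here are the unfilled merge fields (#TFN#, #PRICE#, #DATE#, #EMAIL#) described above and the published indicators (the defanged domains and the two callback numbers). The script below is an added example, not Malwarebytes' tooling: it refangs the domain list, normalizes any US-style phone number it finds, and flags a message that either still carries kit placeholders or references a known indicator. The three sample emails are constructed for the demonstration and are not samples from the campaign.

```python
import re

# Indicators of compromise as published on the page (domains kept defanged with "[.]").
IOC_DOMAINS_DEFANGED = [
    "invoicepdfin[.]xyz",
    "invoicepdfus[.]xyz",
    "invoicepdfusa[.]xyz",
    "invoicerep[.]xyz",
    "invoicestatement[.]xyz",
    "invoicestm[.]xyz",
]
IOC_CALLBACK_NUMBERS = {"804-392-2793", "801-640-8589"}

# Merge-field placeholders left in the unfinished templates.
PLACEHOLDER_RE = re.compile(r"#(TFN|PRICE|DATE|EMAIL)#")

# Loose US-style phone pattern: optional +1, optional parentheses, any of space/dot/dash.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")


def refang(domain: str) -> str:
    """Turn a defanged IoC back into a matchable hostname."""
    return domain.replace("[.]", ".")


def normalize_phone(match: re.Match) -> str:
    """Collapse any captured formatting into NNN-NNN-NNNN so it compares to the IoC list."""
    return f"{match.group(1)}-{match.group(2)}-{match.group(3)}"


def domain_hits(text: str) -> list:
    """Return the defanged IoC domains whose refanged form appears as a hostname in the text.

    The lookarounds stop 'invoicepdfus.xyz' from matching inside an unrelated longer label,
    while still matching subdomains such as 'www.invoicestm.xyz'.
    """
    lowered = text.lower()
    hits = []
    for d in IOC_DOMAINS_DEFANGED:
        pattern = r"(?<![a-z0-9-])" + re.escape(refang(d)) + r"(?![a-z0-9-])"
        if re.search(pattern, lowered):
            hits.append(d)
    return hits


def scan_email(body: str) -> dict:
    """Heuristic triage of one email body (hypothetical helper, not a vendor API)."""
    placeholders = sorted(set(PLACEHOLDER_RE.findall(body)))
    phones = {normalize_phone(m) for m in PHONE_RE.finditer(body)}
    ioc_phones = sorted(phones & IOC_CALLBACK_NUMBERS)
    ioc_domains = domain_hits(body)
    return {
        "placeholders": placeholders,   # unfilled kit merge fields
        "phones": sorted(phones),       # every number found, normalized
        "ioc_phones": ioc_phones,       # numbers matching the published callbacks
        "ioc_domains": ioc_domains,     # defanged domains matched in the body
        "suspicious": bool(placeholders or ioc_phones or ioc_domains),
    }


# Constructed sample messages for the demonstration (not real campaign samples).
SAMPLE_UNFINISHED = """Dear #EMAIL#,
Your PayPal order has been charged #PRICE# on #DATE#.
To cancel this charge, call #TFN# within 24 hours."""

SAMPLE_COMPLETE = """Dear customer,
Your Geek Squad subscription has renewed for $399.99.
If you did not authorize this, call (804) 392-2793 now.
A copy of the invoice is hosted at invoicestm.xyz"""

SAMPLE_BENIGN = """Hi team, the Q3 invoice for the office lease is attached.
Call me at 555-010-0199 if you have questions."""


if __name__ == "__main__":
    for name, body in [("unfinished", SAMPLE_UNFINISHED),
                       ("complete", SAMPLE_COMPLETE),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, scan_email(body))
```

Matching on the placeholders is only useful while the kit is still leaking unfilled templates; the phone and domain checks are the durable part, and the number normalization matters because the same callback number is typically rendered several different ways across templates.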
For more details, see the full Malwarebytes article.