“NSS CMS Invoice” Dropbox Invite Malware Email

Email claims that “Megan” has invited you to view the file “NSS CMS Invoice 2016-07.zip” on file hosting service Dropbox.

Brief Analysis:
The email is not a legitimate invoice notification and the download link does not go to Dropbox. Clicking the link downloads a .zip file that harbours a malicious JavaScript file inside. If opened, the JavaScrip file can download and install malware.

CMS Invoice Malware Email

Detailed Analysis:
According to this email, which purports to be from the Dropbox Team, “Megan” wants you to click a download button to view a file called “NSS CMS Invoice 2016-07.zip”. Supposedly, the file is an invoice for “Northern Support Services CMS”. The message claims that the invoice can be downloaded from the file hosting service Dropbox.

However, the email is not a legitimate invoice notification and it has no connection to Northern Support Services. Nor is the file hosted on Dropbox as claimed. Instead, the email is a criminal ruse designed to trick you into installing malware on your computer.

If you click the download button, a .zip file will be downloaded to your computer. If you then unzip the file, you will find that it contains a file called “NSS CMS Invoice 2016-07.js”.  The .js file extension means that the file is a JavaScript file. If you click this .js file, a malicious JavaScript will download and install further malware components on your computer.

The exact nature of this malware may vary. However, JavaScript is often used to install various types of ransomware.  Once installed, ransomware can lock all of the important files on your computer and then demand that you pay a fee to online criminals to receive an unlock key. Malicious JavaScript may also be used to install malware designed to steal online banking login credentials and other personal information from infected computers.

Details, such as the name of the supposed sender and the file names, may vary in different versions of these emails.

If you receive one of these emails, do not click any links or open any attachments that it contains.

Last updated: August 9, 2016
First published: August 9, 2016
By Brett M. Christensen
About Hoax-Slayer

Malware Threat Articles
Fake ‘Order Status’ Emails Contain Locky Malware