Cyberattackers Abuse QuickBooks Cloud Service in ‘Double-Spear’ Campaign

Cyber-attackers hide behind the QuickBooks brand to hide their malicious activity, researchers warn. The bet is a “double-spear” approach that packs a one-to-punch: Stealing phone numbers and getting away with cash via fake credit card payments.

The popular accounting software allows customers to sign up for cloud accounts from which they can send payment requests, invoices and bank statements, all from the domain. According to an analysis by Avanan, cybercriminals use this to send out malicious versions of QuickBooks documents – and email security filters, after determining that the address is not intimidated and coming from a “allowed” domain, forwards the messages. for inboxes.

The campaign started in May, researchers noted in a blog post on Thursday. The email text falsifies brands like Norton or Microsoft 365 (formerly Office 365) and often claims that the targets are financially damaging. The offensive casts a broad net and targets companies across all industry segments, according to the company.

“It presents an invoice and encourages you to call if you think there are questions,” Avanan researchers noted in their analysis. “When they call the specified number, they will ask for credit card information to cancel the transaction. Note that the number is one associated with such fraudulent numbers and the address is not correlated with a real one.”

When the end user calls to see what is going on, the hackers then collect the phone number so they can use it for subsequent attacks via SMS or WhatsApp. They also receive the credit card payment, so the campaign is two-pronged in terms of victim pain.

“On this one, we are dealing with a rather sophisticated level, as hackers have found a way to know that this attack will work and to make a double spear and get money and credentials,” says Jeremy Fuchs, cyber security analyst at Avanan . Dark reading.

He adds, “Like any social-engineering scam, the likelihood of someone falling for this depends on the user. Given that the email comes from a legitimate QuickBooks domain and it’s an invoice for what looks like a legitimate business, it can catch some users unprepared. “

Phishing, shrouded in legitimacy

Of course, using the legitimacy of cloud domains to reach your inbox is not a new approach. But especially as many companies continue to support teleworkers with cloud services and software-as-a-service apps, the influx has been increasing as these channels are less protected than traditional email gambits.

“In terms of broader trends that this falls under, we’ve seen hackers use legitimate sites for illegitimate purposes,” Fuchs said. “Exploiting the reputation of a legitimate company is a great way to get into the inbox. In addition, we’ve seen an increase in hackers grabbing money and harvesting phone numbers for future attacks.”

While other cloud services like Evernote, Dropbox, Microsoft, DHL and many more have been misused in this way by phishers, malicious types have particularly taken advantage of Google over the last few months.

For example, in January, a threat actor used the comment feature in Google Docs to dupe targets to click on malicious links. After creating a document, the attacker added a comment containing a malicious link, then added the victim to the comment using “@”. This action automatically sends the target an email with a link to the Google Docs file. The email shows the entire comment, including the bad links and other text added by the attacker.

“Organizations can’t block Google, so Google-related domains are allowed in the inbox,” according to Avanan. “These static lists are constantly being stolen by hackers. This has been shown in hackers who host phishing content on sites like Milanote.”

To protect against attacks like these, Avanan recommends the following:

  • Before calling an unknown service, Google the number and check your accounts to see if there were any charges.
  • Implement advanced security that looks at more than one indicator to determine in an email whether it is clean or not.
  • Encourage users to ask IT if they are in doubt about the legitimacy of an email.

Leave a Reply

Your email address will not be published.