Even though consumers’ annual tax day has long passed, savvy cybercriminals are still focused on fleecing business accounting software users with a new wave of tricky phishing scams.
According to a notice on the Intuit website, customers of its popular QuickBooks accounting program have received phishing emails warning that their accounts have supposedly been “suspended.” The realistic-looking emails are designed to dupe QuickBooks users into sharing their financial data or handing over access to their accounts.
The notification from the long-established financial software giant explained how phishing works and advised QuickBooks users not to click links or open attachments in suspicious emails. It added: “Intuit has recently received reports from customers that they have received emails similar to the one below. This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's brands authorized by Intuit.”
Phishing emails from attackers posing as the accounting software’s support team reached QuickBooks users as recently as last month, reading: “We’re writing to let you know that after conducting a review of your business, we have been unable to verify some information on your account. For that reason, we have put a temporary hold on your account.”
“If you believe that we've made a mistake, we'd like to remedy the situation as quickly as possible,” the scam email said. “To help us effectively revisit your account please complete the below verification form. Once verification has been completed, we will re-review your account within 24-48 hours.”
QuickBooks users who fell for the ruse and clicked the “Complete Verification” button in the fake email were redirected to a phishing site designed to harvest their financial information or infect their systems with malware.
In a blog post on these attacks, Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, a Check Point Software company, observed that bad actors have been using the QuickBooks domain and website to send fake invoices and payment requests since May 2022. Threat actors keep finding new schemes to target business accounting users, consumers and taxpayers throughout the year, not just at tax time, with increasingly sophisticated attacks.
“Hackers continually impersonate trusted brands to get into the inbox. By leveraging the legitimacy of a trusted domain, security solutions are more likely to view the email itself as legitimate,” according to Fuchs’s research. “The content of the email may differ from the services that the domain offers. That’s not necessarily important; what is important is leveraging the legitimate service. We call this The Static Expressway.”
In other words, cybercriminals are exploiting well-known domains such as QuickBooks that typically sit on “static” allow lists, so mail from them is admitted to inboxes automatically, regardless of what it contains.
Bad actors start by signing up for a free QuickBooks account, then send emails through it, so the messages genuinely originate from the QuickBooks domain while the content typically impersonates other common software such as Office 365. In effect, attackers borrow the legitimacy of QuickBooks, which has been around for nearly four decades (or of other widely used software), to trick busy business users: because the sending domain is real, domain reputation and allow-list checks pass, and only the content of the message gives it away.
In addition to the “account suspension” scam, QuickBooks tricksters email what appears to be a legitimate invoice for Norton Utilities from their QuickBooks account and urge business users to call them with any questions. Once the accounting software user calls the number, the cyber-thieves ask for credit card information or other financial details.
Avanan’s Fuchs pointed out that over the years this technique, which combines social engineering with emails sent from well-established domains to gain access to funds and financial data, has been used against users of other static, trusted brands including Microsoft, Google and Adobe. “The idea is to take advantage of the fact that these popular websites are on static Allow Lists,” according to Fuchs’s blog.
“Organizations can’t block Google, so Google-related domains are allowed to come into the inbox. These static lists are continually pilfered by hackers.”
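The practical lesson from both lures above, the spoofed “account on hold” notice with its “Complete Verification” button and the Static Expressway invoices sent through a genuine QuickBooks account, is that a static domain allow list must never be allowed to short-circuit content inspection. The script below is an added example, not code from the article, Intuit or Avanan. It consults an allow list but still checks the message body for the signals the article describes: a display name claiming a brand the sending domain does not belong to, a trusted sender whose invoice names an unrelated brand, links that leave the sender’s domain, stacked urgency language, and a phone number paired with a “call us” instruction. The allow-listed domains, sender addresses and the three sample messages are all assumptions constructed for the example.

```python
"""Content-aware triage for QuickBooks-themed phishing (added example).

A static allow list is consulted but never allowed to decide the verdict
on its own; the body of the message is always inspected.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

# Static allow list of the kind the article describes. The entries are
# assumptions for this example, not Intuit's real sending domains.
STATIC_ALLOW_LIST = {"intuit.com"}
PROTECTED_BRANDS = ("quickbooks", "intuit")

# Brands the article names as appearing in bogus QuickBooks invoices.
UNRELATED_BRANDS = ("norton", "office 365", "microsoft")

# Phrases lifted from the "account on hold" lure quoted in the article.
URGENCY_PHRASES = ("temporary hold", "suspended", "unable to verify",
                   "verification", "24-48 hours")

PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_RE = re.compile(r"\b(call|phone)\b.{0,40}?(questions|support|help)",
                     re.I | re.S)


@dataclass
class Message:
    from_header: str
    subject: str
    body: str
    links: list = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the sample data here."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(msg: Message) -> dict:
    display, addr = parseaddr(msg.from_header)
    sender_dom = registrable_domain(addr.rsplit("@", 1)[-1])
    allow_listed = sender_dom in STATIC_ALLOW_LIST
    text = f"{msg.subject}\n{msg.body}".lower()
    reasons = []

    # 1. Display name claims the brand, but the domain is not the brand's.
    if any(b in display.lower() for b in PROTECTED_BRANDS) and not allow_listed:
        reasons.append(f"impersonation: '{display}' sent from {sender_dom}")

    # 2. Static Expressway: genuine sender, but the content sells something else.
    brands = [b for b in UNRELATED_BRANDS if b in text]
    if allow_listed and brands:
        reasons.append(f"allow-listed sender {sender_dom} but body references {brands}")

    # 3. Any link pointing off the sender's own domain.
    for url in msg.links:
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender_dom:
            reasons.append(f"link to {host} is outside sender domain {sender_dom}")

    # 4. Stacked urgency language of the "account on hold" lure.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if len(hits) >= 2:
        reasons.append(f"urgency phrases: {hits}")

    # 5. Callback lure: a phone number plus an instruction to call it.
    if PHONE_RE.search(msg.body) and CALL_RE.search(msg.body):
        reasons.append("callback lure: phone number with 'call us' instruction")

    return {"allow_listed": allow_listed,
            "verdict": "suspicious" if reasons else "clean",
            "reasons": reasons}


# Constructed sample messages (not real captures); domains are assumptions.
SAMPLES = [
    Message("QuickBooks Support <support@qb-verify.example.net>",
            "Your account has been suspended",
            "After conducting a review of your business, we have been unable "
            "to verify some information on your account. For that reason, we "
            "have put a temporary hold on your account. Please complete the "
            "below verification form. Once verification has been completed, "
            "we will re-review your account within 24-48 hours.",
            ["https://account-review.example.org/verify"]),
    Message("QuickBooks <noreply@quickbooks.intuit.com>",
            "Invoice #1023 from Norton Utilities",
            "Annual subscription renewal: $349.99 due on receipt. Call us at "
            "(555) 010-0199 with any questions about this charge.",
            ["https://quickbooks.intuit.com/invoice/1023"]),
    Message("QuickBooks <noreply@quickbooks.intuit.com>",
            "Invoice 2044 from Acme Plumbing LLC",
            "Acme Plumbing LLC sent you an invoice for $420.00. View and pay "
            "it online using the link below.",
            ["https://quickbooks.intuit.com/invoice/2044"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        r = analyze(m)
        print(f"{m.subject!r}: allow_listed={r['allow_listed']} -> {r['verdict']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

The second sample is the instructive one: it comes from an allow-listed domain and its only link stays on that domain, so a reputation-only filter passes it, yet the unrelated brand and the callback number are enough to flag it. The heuristics are deliberately simple triage signals; in production they would feed a score alongside sender authentication results rather than block on their own.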