Cyberattackers abuse QuickBooks cloud service in ‘Double-Spear’ campaign


Cyberattackers are hiding behind the QuickBooks brand to conceal their malicious activity, researchers warn. The effort is a “double-spear” approach that packs a punch: it harvests phone numbers and makes off with cash via bogus credit-card payments.

The popular accounting software lets customers sign up for cloud accounts, from which they can send payment requests, invoices and statements, all from QuickBooks’ own domain. According to an analysis by Avanan, cybercriminals take advantage of this to send malicious versions of QuickBooks documents. Email security filters, having determined that the sender address is not spoofed and belongs to an “allowed” domain, pass the messages straight to inboxes.

The campaign began in May, the researchers noted in a blog post on Thursday. The body of the email impersonates brands such as Norton or Microsoft 365 (formerly Office 365) and typically claims that the target owes money. The campaign casts a wide net, targeting businesses across all industry segments, according to the firm.

“It presents a bill and encourages you to call if you think there are questions,” the Avanan researchers noted in their analysis. “When they call the number provided, they ask for the credit card details to cancel the transaction. Note that the number is associated with such scams and the address does not correspond to a real one.”

Once the end user calls to find out what is going on, the attackers capture the phone number, which they can use in later attacks via SMS or WhatsApp. They also collect a credit-card payment, so the campaign hits victims twice.

“On this one, we’re dealing with a pretty sophisticated level because the hackers have figured out a way to know this attack will work and do a double spear, earning money and credentials,” Jeremy Fuchs, cybersecurity research analyst at Avanan, tells Dark Reading.

He adds, “Like any social engineering scam, the likelihood of someone falling for it depends on the user. Since the email is from a legitimate QuickBooks domain and is an invoice for what looks like a legitimate business, it might catch some users off guard.”

Phishing Under Cover of Legitimacy

Using the legitimacy of cloud domains to reach the inbox is, of course, not a new approach. But as many companies continue to support remote workers with cloud services and software-as-a-service applications, the approach has gained traction, since these channels are often less closely scrutinized than traditional email.

“In terms of the larger trends this fits into, we’ve seen hackers use legitimate sites for illegitimate purposes,” Fuchs says. “Leveraging the reputation of a legitimate business is a great way to get into the inbox. Additionally, we’ve seen an increase in hackers grabbing money and harvesting phone numbers for future attacks.”

While other services and brands such as Evernote, Dropbox, Microsoft and DHL have been abused in this way by phishers, attackers have been exploiting Google in particular over the past few months.

For example, in January, a malicious actor used the comments feature of Google Docs to trick targets into clicking malicious links. After creating a document, the attacker added a comment containing a malicious link and then mentioned the victim in the comment using “@”. Google Docs then automatically emails the target a notification with a link to the document; that notification displays the full comment, including the malicious link and any other text the attacker added.

“Organizations can’t block Google, so Google-related domains are allowed to enter the inbox,” according to Avanan. “These static lists are continually being stolen by hackers. This has manifested itself in hackers hosting phishing content on sites like Milanote.”

To guard against such attacks, Avanan recommends the following:

  • Before calling an unknown number, Google the number and check your accounts to see whether there were in fact any charges.
  • Implement advanced security that examines more than one indicator to determine if an email is clean or not.
  • Encourage users to ask IT if they are unsure whether an email is legitimate.
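As an added example (not code from Avanan, Intuit or this article), the check below does what the second recommendation asks for: it scores a message on several body-level indicators, so an allow-listed sender domain such as QuickBooks’ is recorded but never decides the verdict by itself. The allow-list, the brand-to-domain map, the regexes, the two-indicator threshold and both sample messages are constructed for illustration and are assumptions, not published detection rules.

```python
"""Score an email on several indicators instead of trusting the sender domain alone.

Added example for this article, not Avanan's or Intuit's code. The allow-list,
brand-to-domain map, regexes, threshold and the two sample messages are all
constructed for illustration (assumptions), not published detection rules.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Sender domains an allow-list-only filter would wave through (constructed list).
ALLOWED_DOMAINS = {"intuit.com", "quickbooks.intuit.com", "docs.google.com"}

# Brands that callback-phishing lures impersonate, mapped to the domains that
# would legitimately send mail about them (constructed, illustrative mapping).
BRAND_DOMAINS = {
    "norton": {"norton.com", "nortonlifelock.com"},
    "microsoft 365": {"microsoft.com"},
    "office 365": {"microsoft.com"},
    "quickbooks": {"intuit.com"},
}

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# "call ... to cancel/dispute/refund" style lure; DOTALL so it may span lines.
CALLBACK_RE = re.compile(
    r"\b(?:call|phone|dial)\b.*?\b(?:cancel|dispute|refund|questions?)\b", re.I | re.S
)
MONEY_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
CHARGE_RE = re.compile(r"\b(?:charged|charge|billed|renew(?:al|ed)?)\b")
SUSPICIOUS_THRESHOLD = 2  # assumption: two independent indicators flag a message


def domain_matches(domain: str, candidates: set) -> bool:
    """True if domain equals, or is a subdomain of, any candidate domain."""
    return any(domain == c or domain.endswith("." + c) for c in candidates)


def body_text(msg: Message) -> str:
    """Return the first text/plain body of a parsed message (empty if none)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def score_message(raw_email: str) -> dict:
    """Parse one RFC 822 message and collect indicators that do not depend on sender reputation."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = body_text(msg)
    lowered = body.lower()
    indicators = []

    # 1. The body names a brand that the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered and not domain_matches(sender_domain, domains):
            indicators.append(f"body names '{brand}' but sender domain is {sender_domain}")

    # 2. Callback lure: a phone number plus call-to-cancel language.
    phones = PHONE_RE.findall(body)
    if phones and CALLBACK_RE.search(body):
        indicators.append(f"callback lure via phone number {phones[0].strip()}")

    # 3. Unsolicited-charge framing: an amount next to charge/renewal wording.
    if MONEY_RE.search(body) and CHARGE_RE.search(lowered):
        indicators.append("unsolicited charge or renewal framing")

    verdict = "suspicious" if len(indicators) >= SUSPICIOUS_THRESHOLD else "clean"
    return {
        "sender_domain": sender_domain,
        # Recorded for context only; an allow-listed sender never clears a message on its own.
        "allowlisted": domain_matches(sender_domain, ALLOWED_DOMAINS),
        "indicators": indicators,
        "verdict": verdict,
    }


# Constructed sample messages (not real campaign artifacts); the phone number
# uses the reserved 555-01XX range.
LEGIT_INVOICE = """\
From: QuickBooks <quickbooks@notification.intuit.com>
To: ap@customer.example
Subject: Invoice 1182 from Example Plumbing LLC

Example Plumbing LLC sent you an invoice for $450.00, due on June 30.
Review and pay online from your QuickBooks account.
"""

CALLBACK_PHISH = """\
From: QuickBooks <quickbooks@notification.intuit.com>
To: ap@customer.example
Subject: Invoice 0341 from Norton LifeLock

Your Norton 360 subscription has been renewed and your card has been charged $299.99.
If you did not authorize this transaction or have questions, call (888) 555-0147
within 24 hours to cancel.
"""

if __name__ == "__main__":
    for name, sample in (("legitimate invoice", LEGIT_INVOICE), ("callback phish", CALLBACK_PHISH)):
        result = score_message(sample)
        print(f"{name}: allowlisted={result['allowlisted']} verdict={result['verdict']}")
        for indicator in result["indicators"]:
            print("  -", indicator)
```

Both samples come from the same allow-listed intuit.com subdomain, which is exactly why a sender-only check passes the phish. The phish is flagged on three independent signals (a Norton lure sent from an Intuit domain, a phone number with call-to-cancel wording, and a charge amount next to renewal language), while the real invoice, which also carries a dollar amount, scores nothing. Tune the brand map and threshold to your own mail flow before relying on this.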
