Hackers Using Free QuickBooks Account to Create, Send Fake Invoices
This phishing attack brings a one-two punch to victims.
A new phishing scheme has surfaced during the 2023 tax season in which hackers are creating a free QuickBooks account and using it to send fake invoices.
That’s according to Avanan, a Check Point Software Technologies company, which refers to the scheme as business email compromise (BEC) 3.0. It has already uncovered the same scheme abusing PayPal, Google and other services.
QuickBooks is an accounting software package developed and marketed by Intuit.
In this attack, hackers send a fake invoice from a legitimate QuickBooks domain. The email comes directly from QuickBooks and has a QuickBooks email address, so it passes all standard email authentication checks, domain checks and more. There’s nothing inherently wrong with the text and no malicious links.
Jeremy Fuchs, Avanan’s marketing content manager, said in BEC 3.0, “all the typical phishing hygiene tricks are thrown out the window.” He provided as an example a fake invoice for Norton Lifelock.
“You can’t see a discrepancy in the sender’s address,” he said. “The links are legitimate. The spelling and grammar are on point. You may question why they’re asking for a Norton Lifelock payment, but plenty of people use Norton Lifelock. And that goes for both consumers and businesses. In short, users have to scrutinize this email incredibly carefully. And let’s be honest, how many end-users do that? This requires a new wave of education for users. Hovering over links isn’t as helpful. Now users have to be wary of all links. This requires a whole new approach.”
It’s “super easy” to create and send an invoice using a free account in QuickBooks, Fuchs said.
In the QuickBooks phishing scheme, the hackers require the end user to call to see what’s going on, and then harvest the phone number for use in future attacks. Avanan calls this tactic phone number harvesting.
“This attack then presents a one-two punch,” Fuchs said. “The hackers receive money and have a phone number for future attacks, whether it’s via text message or WhatsApp.”
To guard against these attacks, Avanan suggests security professionals do the following:
BEC attacks try to trick employees into taking a high-risk action, like sending money or sensitive information, without verifying the request. Implementing policies for these actions that require independent verification from a second employee can help decrease the probability of a successful attack.
Google phone numbers.
Educate employees on this new variant.
Andrew Barratt, vice president of Coalfire, a provider of cybersecurity advisory services, said these attacks have taken many forms over the years.
“Rogue invoice fraud is a threat that requires the business teams to operate the correct checks and balances,” he said. “These can’t always be solved with a quick tech solution. The challenge is that this is going to be more impactful to small businesses who might not cross-check purchase orders against an invoice before paying it. It does require an attacker to try invoicing for a mass market service so I’d expect to see these going out posing as Office 365 subscription payments or something else that there is a high probability of being a service consumed by a business. Part of the defense here is, in some cases, just good accounts payable hygiene. Make sure the invoice has the correct purchase order, that the renewal dates are known, and that the request for payment matches the expected time frame for an invoice.”
Patrick Harr, SlashNext’s CEO, said BEC 3.0 is trusted services compromise.
“It happens with all threats, not just BEC,” he said. “It’s very popular with BEC, malicious HTML attachment attacks and credential phishing attacks, which is why training is only one piece of a cybersecurity strategy. Hackers use SharePoint, OneDrive, Amazon Web Services (AWS), Hubspot, QuickBooks and PayPal to deliver attacks because they are coming from trusted domains and this increases the likelihood they will bypass traditional email technology that relies on blocklist and domain reputation. Plus, it will look legitimate to employees with security training.”
These threats move fast, Harr said. Even when some technology can detect them, it might take hours or days for the indicator to make it into a threat database. Therefore, it’s important to have anti-evasion technology that can perform real-time scans to stop these threats before they wreak havoc on an organization.
Mika Aalto, Hoxhunt’s co-founder and CEO, said the BEC 3.0 attack is particularly sophisticated, “but basically just a page from the BEC playbook, and provides us another example of a preventable breach.”
“I say preventable because any person who, if compromised can cause outsized damage, should also receive specialized training to defend against such attacks,” he said. “There’s clearly a behavior element involved that can be addressed with even more sophisticated training to encourage attacked people to further identify illegitimate requests.”
Humans didn’t evolve to spot dangers in the digital world, while attackers continue to get better, Aalto said.
“The school system doesn’t teach people defense against the dark arts of cyberattack,” he said. “It’s on us. Human risk is an organizational problem.”
Jim Kelly, regional vice president of endpoint security at Tanium, said technological solutions are only one layer of security defense. As attackers gain access to either free services or fully compromised accounts from legitimate domains, it is becoming harder to spot the markers that something is amiss with the communication.
“The fact remains that in the face of some threats, technology is insufficient, and you need human intelligence, awareness and education coupled with a little common sense,” he said. “A key element of successful phish is the fear and urgency they inspire in the victim. The sticker shock of the invoice is what the attacker is counting on to get you to click that link or make the phone call to contest the amount, at which point they start the process of attempting to snare the victim’s credentials. The goal is to get you to call before you think, which allows them to prey upon your fear. Once you’re on the phone with them, they have an arsenal of psychological strategies to convince you of their legitimacy and be successful in extorting credentials, money or both from you.”
Having multiple points of approval and verification before invoices are paid, as well as a trusted roster of things like account numbers, account points-of-contact to verify, and checking historical payment and vendor records to “gut check” if things look out of place are good steps, Kelly said.
“A general rule of thumb is that if it’s dumb, different or dangerous, you should raise a flag for additional verification,” he said. “While these communications may come from legitimate vendors and domains, they’re not going to be in the pattern of normal business transactions for your organization. No matter how scary an email may seem, it is always worth getting a second opinion. And if there’s any doubt or any indicator that this is a shock-based tactic, you should immediately engage your organization’s security team for additional review before calling.”
Training around BEC tactics should be given alongside the same education and awareness of things like tailgating (where someone physically follows an authorized employee into a secured area), vishing, or other human-centric social engineering techniques, Kelly said.
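The accounts-payable hygiene that Barratt and Kelly describe (purchase-order match, known renewal dates, a trusted roster of account numbers and verified points of contact, and a gut check against historical payments) can be written down as a screening step that runs before anyone pays or calls. The following is an added example written for this article; it is not code from Avanan, Coalfire, Tanium or Intuit. All vendor records, purchase orders, phone numbers and invoices in it are constructed sample data, and the sender domain invoicing-service.example is a placeholder standing in for any legitimate invoicing platform. The point it demonstrates is that the mail gateway's SPF/DKIM/DMARC result is carried along but never used to clear an invoice, because an invoice sent through a real invoicing service passes those checks by design.

```python
"""Screen an incoming invoice against accounts-payable records.

Added example, not the article's or any vendor's code. Every record below is
constructed sample data. Holding reasons are returned as strings so that the
AP team sees exactly which control failed and can verify out-of-band.
"""
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass
class VendorRecord:
    name: str
    account_number: str            # remit-to account the vendor is known to use
    contact_phone: str             # number verified from the contract, not from any email
    renewal_day: Optional[date]    # next expected renewal; None for ad-hoc vendors
    history: List[float] = field(default_factory=list)   # amounts previously paid


@dataclass
class Invoice:
    vendor_name: str
    po_number: Optional[str]
    amount: float
    account_number: str
    contact_phone: str             # the number the invoice asks the recipient to call
    invoice_date: date
    sender_domain: str
    auth_passed: bool              # SPF/DKIM/DMARC all passed at the gateway


def screen_invoice(inv: Invoice, vendors: Dict[str, VendorRecord], open_pos: Dict[str, str],
                   renewal_window_days: int = 14, amount_tolerance: float = 0.25) -> List[str]:
    """Return the reasons the invoice must be held for independent verification.

    An empty list means every record on file matched. The gateway's
    authentication result (inv.auth_passed) is deliberately never consulted:
    a fake invoice sent through a legitimate invoicing service passes it too.
    """
    flags: List[str] = []
    vendor = vendors.get(inv.vendor_name)
    if vendor is None:
        flags.append("unknown vendor: not in the trusted roster")
    # Purchase-order check (Barratt): the invoice must reference an open PO for this vendor.
    if inv.po_number is None:
        flags.append("no purchase order referenced")
    elif inv.po_number not in open_pos:
        flags.append(f"PO {inv.po_number} is not an open purchase order")
    elif open_pos[inv.po_number] != inv.vendor_name:
        flags.append(f"PO {inv.po_number} was issued to a different vendor")
    if vendor is not None:
        # Trusted roster (Kelly): remit-to account and contact must match what is on file.
        if inv.account_number != vendor.account_number:
            flags.append("remit-to account differs from the account on file")
        if inv.contact_phone != vendor.contact_phone:
            flags.append("contact phone differs from the verified number on file; "
                         "verify using the number on file, not the one in the invoice")
        # Expected time frame (Barratt): renewals arrive near the known renewal date.
        if vendor.renewal_day is not None:
            delta = abs((inv.invoice_date - vendor.renewal_day).days)
            if delta > renewal_window_days:
                flags.append(f"invoice is {delta} days from the expected renewal date")
        # Gut check against history (Kelly): amount should sit in the usual range.
        if vendor.history:
            typical = mean(vendor.history)
            if abs(inv.amount - typical) > amount_tolerance * typical:
                flags.append(f"amount {inv.amount:.2f} is outside the historical range "
                             f"(typical {typical:.2f})")
    return flags


def sample_records() -> Tuple[Dict[str, VendorRecord], Dict[str, str]]:
    """Constructed AP records: one known vendor with payment history and one open PO."""
    vendors = {
        "Acme Office Supplies": VendorRecord(
            name="Acme Office Supplies", account_number="ACCT-7781",
            contact_phone="+1-555-0100", renewal_day=date(2023, 4, 1),
            history=[410.00, 395.50, 420.25, 405.00]),
    }
    open_pos = {"PO-1001": "Acme Office Supplies"}
    return vendors, open_pos


def sample_invoices() -> Tuple[Invoice, Invoice, Invoice]:
    """Three constructed invoices: a routine one, one modelled on the article's
    scenario (sent through a real invoicing service, passes authentication, names a
    product many businesses use, asks the recipient to call), and a payment-diversion
    attempt from a known vendor name with changed bank details."""
    legit = Invoice("Acme Office Supplies", "PO-1001", 412.00, "ACCT-7781",
                    "+1-555-0100", date(2023, 4, 3), "acme-supplies.example", True)
    fake = Invoice("Norton Lifelock", None, 349.99, "ACCT-9920",
                   "+1-555-0199", date(2023, 4, 3), "invoicing-service.example", True)
    diverted = Invoice("Acme Office Supplies", "PO-1001", 415.00, "ACCT-3300",
                       "+1-555-0150", date(2023, 4, 3), "acme-supplies.example", True)
    return legit, fake, diverted


if __name__ == "__main__":
    vendors, open_pos = sample_records()
    for inv in sample_invoices():
        holds = screen_invoice(inv, vendors, open_pos)
        print(f"{inv.vendor_name:22} auth_passed={inv.auth_passed} -> "
              f"{'PAY' if not holds else 'HOLD: ' + '; '.join(holds)}")
```

All three sample invoices carry auth_passed=True, and the routine one is the only one that clears, which is the practical content of Fuchs's point that hovering over links and checking the sender address no longer help here: the decision has to rest on the organization's own records of who it pays, how much, to which account, and when.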