Intuit has warned QuickBooks customers that they are being targeted by an ongoing phishing campaign masquerading as the company and trying to lure potential victims with fake renewal fees.
The company said it has received reports from customers that they received an email and told them their QuickBooks plans have expired.
“This email is not from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit and its use of Intuit trademarks is not authorized by Intuit,” Intuit explained.
The financial software company advises all customers who have received any of these phishing messages not to click any embedded links in the emails or open any attachments.
The recommended way to deal with them is to delete them to avoid getting infected with malware or redirected to a phishing landing page designed to harvest credentials.
Customers who have already opened attachments or clicked links in phishing emails should:
- Immediately delete all downloaded files.
- Scan their systems with an up-to-date anti-malware solution.
- Change their passwords.
Intuit also provides information on how customers can protect themselves against phishing attempts on its support website.
QuickBooks customers also targeted by scammers
In July, Intuit also alerted its customers to phishing emails, asking them to call a phone number to upgrade to QuickBooks 2021 until the end of the month to prevent their databases from being corrupted or that company backup files are automatically deleted.
TechToSee found similar emails sent to Intuit customers this month, using a very similar template with the upgrade deadline extended to the end of October.
While Intuit hasn’t explained how the upgrade program works, based on TechToSee’s previous encounters with similar scam attempts, crooks will attempt to take over callers’ QuickBooks accounts.
They do this by asking victims to install remote access software like TeamViewer or AnyDesk while posing as QuickBooks support staff.
Then they log in and ask victims to provide the information needed to reset their QuickBooks password and take over their accounts to siphon their money by making payments on their behalf.
If the victims have also enabled two-factor authentication, the crooks will ask for the unique authorization code they need to proceed with the upgrade.
Copyright scams and account hijacking attacks
Besides these two active campaigns, Intuit is also being emulated by other threat actors in a fake copyright phishing scam, like SlickRockWeb CEO Eric Ellason. said today.
The recipients targeted by these emails may get infected with Hancitor malware downloader (aka Chanitor) or deploy Cobalt Strike beacons on their systems.
Embedded links send potential victims through advanced redirect chains using various security evasion tactics and victim fingerprint malspam.
In June, Intuit also informed TurboTax customers that some of their personal and financial information had been accessed by attackers following a series of account hack attacks. The company also said it was not a “systemic Intuit data breach.”
The company’s investigation revealed that the attackers used credentials obtained from a “non-Intuit source” to gain access to customers’ accounts and their name, social security number, address (es), date of birth, driver’s license number, financial information, etc. .
TurboTax customers were targeted in at least three other account hack attack campaigns in 2014/2015 and 2019.
- Hacker-made Linux Cobalt Strike beacon used in ongoing attacks
- Trojan horse masquerading as computer refund attacks bank customers with Android phones
- Intuit plans $ 10 billion acquisition of email marketing service Mailchimp
- Hackers Steal Thousands of Coinbase Customers Using MFA Flaw
- DocuSign phishing campaign targets lower-ranking employees