QuickBooks users have been warned by Intuit that they are being targeted by a phishing campaign masquerading the firm and attempting to entice possible victims with fraudulent renewal charges.
According to the company, it received reports from customers who were emailed and informed that their QuickBooks plans had expired.
"This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's brands authorized by Intuit," Intuit explained.
All customers who got one of these phishing emails are advised not to click any links included in the emails or open files. To avoid getting attacked with malware or being redirected to a phishing landing page meant to gather credentials, it is advisable to delete them.
Customers who have already opened attachments or followed links in the phishing emails should do the following:
- Delete any downloaded files as soon as possible.
- Scan their systems with an updated anti-malware solution.
- Reset their passwords.
- On its support page, Intuit also provides guidance on how customers may defend themselves against phishing attacks.
To avoid having their databases damaged or corporate backup files automatically deleted, Intuit also warned users in July about phishing emails that asked them to contact a phone number to update to QuickBooks 2021 by the end of the month.
According to BleepingComputer, identical emails were sent to Intuit customers this month, using a very similar style, with the update deadline switched to the end of October.
While Intuit did not clarify how the upgrade scheme worked, past encounters with similar scam efforts have led BleepingComputer to believe that the fraudsters will attempt to take over the callers' QuickBooks accounts.
To accomplish this, they pose as QuickBooks support employees and encourage victims to install remote access software such as TeamViewer or AnyDesk.
Then they communicate with the victims and ask for the information needed to change their QuickBooks passwords and take control of their accounts in order to drain their money by making payments in their names.
If the victims have two-factor authentication activated, the fraudsters will request the one-time permission code required to proceed with the upgrade.
Copyright scams and account takeover attacks
In addition to these two active campaigns, Intuit is also being impersonated by other threat actors in a bogus copyright phishing scheme, according to SlickRockWeb's CEO Eric Ellason.
Recipients of these emails face the risk of becoming infected with the Hancitor (aka Chanitor) malware downloader or having Cobalt Strike beacons installed on their computers.
The embedded URLs send potential victims through sophisticated redirection chains that employ different security evasion tactics and victim fingerprinting malicious spam.
In June, Intuit also alerted TurboTax customers that intruders got entry to some of their personal and financial information as a result of a series of account takeover assaults. According to the firm, there was not a "systemic data breach of Intuit."
As per the company's investigation, the attackers used credentials acquired from "a non-Intuit source" to obtain entry to the customers' accounts, including their name, Social Security number, address(es), date of birth, driver's licence number, financial information, and other personal information.
